Windows Analysis Report
18in SPA-198-2024.exe

Overview

General Information

Sample name:	18in SPA-198-2024.exe
Analysis ID:	1545922
MD5:	9ca6ee6dda005563c3d04249c85188e7
SHA1:	cd1a00bc5ff84d7c24a8f06cb84cbf98183e2da2
SHA256:	cfbea36edccb76c40ccc6f01d8cbf2d467533ecb1f3e7c7c709532998518b8d9
Tags:	exeuser-Maciej8910871
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Creation with Colorcpl

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 18in SPA-198-2024.exe

ReversingLabs: Detection: 39%

Yara detected FormBook

Source: Yara match	File source: 4.2.18in SPA-198-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.18in SPA-198-2024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4472767569.0000000005070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4474644674.0000000005800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4472840073.00000000050C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2248027115.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2249648463.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4472773196.0000000004020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 18in SPA-198-2024.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 18in SPA-198-2024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 18in SPA-198-2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: 18in SPA-198-2024.exe, 00000004.00000002.2247875967.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000002.4472197747.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: 18in SPA-198-2024.exe, 00000004.00000002.2247875967.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000002.4472197747.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tWcBthnLrDi.exe, 00000005.00000000.2159334939.0000000000E5E000.00000002.00000001.01000000.0000000C.sdmp, tWcBthnLrDi.exe, 00000008.00000000.2323289194.0000000000E5E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: 18in SPA-198-2024.exe, 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2251630098.0000000005017000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2249890288.0000000004E69000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 18in SPA-198-2024.exe, 18in SPA-198-2024.exe, 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2251630098.0000000005017000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2249890288.0000000004E69000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_0330C3B0 FindFirstFileW,FindNextFileW,FindClose,

7_2_0330C3B0

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then xor eax, eax		7_2_032F9DC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then mov ebx, 00000004h		7_2_055104E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49893 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49794 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49881 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49910 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49969 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49983 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49994 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49998 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50006 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49957 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49990 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50025 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49996 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49925 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50018 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50034 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50029 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50020 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50031 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50027 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50028 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50021 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50030 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50014 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50024 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50023 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49992 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50026 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50002 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50033 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50004 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50022 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50010 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50016 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50032 -> 188.114.97.3:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 141.193.213.10 141.193.213.10
Source: Joe Sandbox View	IP Address: 141.193.213.10 141.193.213.10

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: DV-PRIMARY-ASN1US DV-PRIMARY-ASN1US
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /up8i/?1Zgl=FonQAt5G6G0h5a/+Am3eqIyjBFdIhrbRfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQd8jl3rIdXyfOz7R8oVB6YJtxbdf5wDUy9RxP636EXq/xHTA==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ladylawher.orgUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /9g6s/?1Zgl=l/X+t9hb8CWGjOR1O2ZzXFDzhtuUnyzAQ4EIxPlc4MjqsNc2fQ5FEV3oB4t5s/ThvfRNUBaEClSQ3k3rscZvHeg0TpQiQ+GxS8ts4a8QVaH5DaPjZQFNvIogjfSTI3KXDA==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.meanttobebroken.orgUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /li8d/?1Zgl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.jexiz.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /3lre/?1Zgl=/6Vdp+1Y21llHWrnJFgTkMelxgdakbST517P2ezUMEZQpYm2I4KB95g+5G1ZwATxC5oRicPrlKz7UaUXu7WnWVF0YU8xlLcjqFiWcTqSDyUhRRfYLZXOVM1ZwNUIzk+NCQ==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.prediksipreman.fyiUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /855d/?1Zgl=2B0ERzH0P28lwthSCfczi4+l4RSaGiycEDtAIyO4xBEaITWb1iLHHs/q7NYM0I/g8MkSYcfxzku7nIYL4eoS8eZDgAyht6z65PzZnN779aUYRwuiIRWQuovW44/rxTRHXQ==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.givora.siteUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /jx6k/?1Zgl=beqWGJ7SP2hkLKuH8Xmdr/HDPWeS3cMOlVU3zrC7D+GWWG+2bEVKgJQW/9jqYGl3wiT++u8kPbwe1lvFRaGrQmwW5G4wa8+lbGyMUfdWvdM0+8z00F7HMhpKv8gPeACQcQ==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.2925588.comUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /6o8s/?1Zgl=xHDOnX+lWlIEr4hpJa7vJ+Ai0eztjiZ58G8B7DId8TM/qnePyNRX8+3i62aVr9vdoGnKMYHj9baJVFQ0pmQfJSNjzKPDt8hcfoZjjjTuXP86Dx4dRnWR0YG+vtOimu0PrA==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.wrl-llc.netUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /l5ty/?1Zgl=q+OYZAje5TGGPxrh2f4udvzeWAEqGa5tlfgg+KmPc/5JdZ3+06LBf09NB5PeZCRMfA3Rwmt3pN3KnHXg/BNAYr426YnMJAy4Y/PCGFK03Rpxpi13xz0yDihesG1rii3hcQ==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.7fh27o.vipUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /7n9v/?w6=2vdPP&1Zgl=5Ps3YXPo0Vj4JhRGre7eusiYM6VqaJdXpTrzI5rt8FAfia/wVGxKw+cKGzuZcepElfg31D2wj7kRRQ+omDm5eEZM56pgjuD4M6hDNIlUQpNxKD0Ll6OMyYftw5tyQwWC0A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.rebel.tiendaUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /izfe/?1Zgl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ila.beautyUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /lk0h/?w6=2vdPP&1Zgl=6gjDnw5yzGoGzEh3mjJB1T6RyTIMcIq1/sFM8kPHd8kBOmP5HGhCeqzML2uvlXpT0wvdsm4ji4CabuXPMFeElEmTDOsUVTaZy7krB/rdHBCDX+Ht0YGWoHEVrkeyh8Ng2A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.college-help.infoUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /17h7/?1Zgl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.owinvip.netUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /x3by/?w6=2vdPP&1Zgl=Gq0m/cYr7UOoL/rfxlXcWcb0PFgu3v+6IQg5KkZ1GbFCfXnP9OdFnXsg+153ZunkN9E3pnQymCUHBFpvF3MPrj7bwNIl4rM9hQX9D40sB8Q0fvNSVLrWgvNkuIucpqHerw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.gucciqueen.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /3p0l/?1Zgl=4Jzo6X1Gluc/SF20pEVAyAZrEiE76xvvY+EfZYFlmMajnWRT/uq2dkdTzHDiVdaw3QhDvVFcv5rBuyftUViEMVRHp90uGCn944ajrH63wHv4zzWs5+CZDXB+Ld7sX0D68A==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.timizoasisey.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2

Source: global traffic	DNS traffic detected: DNS query: www.ladylawher.org
Source: global traffic	DNS traffic detected: DNS query: www.meanttobebroken.org
Source: global traffic	DNS traffic detected: DNS query: www.jexiz.shop
Source: global traffic	DNS traffic detected: DNS query: www.prediksipreman.fyi
Source: global traffic	DNS traffic detected: DNS query: www.givora.site
Source: global traffic	DNS traffic detected: DNS query: www.2925588.com
Source: global traffic	DNS traffic detected: DNS query: www.wrl-llc.net
Source: global traffic	DNS traffic detected: DNS query: www.7fh27o.vip
Source: global traffic	DNS traffic detected: DNS query: www.rebel.tienda
Source: global traffic	DNS traffic detected: DNS query: www.ila.beauty
Source: global traffic	DNS traffic detected: DNS query: www.college-help.info
Source: global traffic	DNS traffic detected: DNS query: www.owinvip.net
Source: global traffic	DNS traffic detected: DNS query: www.gucciqueen.shop
Source: global traffic	DNS traffic detected: DNS query: www.xtelify.tech
Source: global traffic	DNS traffic detected: DNS query: www.timizoasisey.shop

Source: unknown

HTTP traffic detected: POST /9g6s/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedContent-Length: 205Cache-Control: no-cacheConnection: closeHost: www.meanttobebroken.orgOrigin: http://www.meanttobebroken.orgReferer: http://www.meanttobebroken.org/9g6s/User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2Data Raw: 31 5a 67 6c 3d 6f 39 2f 65 75 4a 74 44 6f 41 32 50 33 38 78 61 56 58 70 54 4d 32 43 77 6b 59 4c 68 72 58 76 6f 55 4f 45 7a 71 65 42 4c 34 4e 36 4f 68 36 67 4c 65 6b 77 71 61 46 4b 41 66 59 67 70 36 38 47 72 75 39 64 73 63 7a 79 58 4f 55 36 35 70 6c 6a 55 69 76 67 4b 4d 6f 34 73 51 6f 39 2f 4d 39 32 36 5a 73 42 71 32 4a 78 67 65 50 43 6e 49 4b 43 71 63 44 4e 35 6b 70 4e 6d 6a 4b 37 30 63 48 4c 46 63 32 61 65 72 2f 48 43 31 4d 4a 75 61 42 52 51 37 34 58 70 39 55 45 4f 68 37 4e 59 37 4e 36 57 62 58 6d 74 73 76 65 4e 39 54 46 6a 53 46 7a 41 57 2f 6b 44 4f 34 37 4a 4e 47 6b 5a 4e 34 51 2b 75 72 67 76 4d 36 45 3d Data Ascii: 1Zgl=o9/euJtDoA2P38xaVXpTM2CwkYLhrXvoUOEzqeBL4N6Oh6gLekwqaFKAfYgp68Gru9dsczyXOU65pljUivgKMo4sQo9/M926ZsBq2JxgePCnIKCqcDN5kpNmjK70cHLFc2aer/HC1MJuaBRQ74Xp9UEOh7NY7N6WbXmtsveN9TFjSFzAW/kDO47JNGkZN4Q+urgvM6E=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:25:45 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db299807a8ae7bf-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:25:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db2999068662d29-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16e5<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:25:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db299a049526c7f-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 31 Oct 2024 09:26:19 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 a4 de ee d9 d5 0d 49 80 84 24 10 20 1c 8e 13 42 77 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f dc 82 5d 99 2a 3f 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 39 df 7e bb fc 4c dc ca 02 33 aa fc de 3d d6 61 f3 74 c7 66 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 ab 28 dd ea a9 ae bc 7b f2 ee 53 3a 96 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 2d 2c 3f b1 fe 91 15 7c 97 87 85 5b 5e 2d 41 de 51 4f ad c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a b4 e2 fb d2 b6 62 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 92 55 83 49 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 f5 3e 73 4e 83 bf 5f a6 f6 9f 7d f3 80 74 ee 3d 2b 09 e3 d3 c3 80 2e c0 b6 5f 06 a2 1b 37 6e 15 da d6 97 41 69 a5 e5 7d e9 16 a1 f7 97 1f 97 95 e1 d9 7d 18 a0 44 de bd 1f 8c c3 d4 bd 0f dc d0 0f 2a 30 fc 95 c0 c8 e1 18 25 30 ea fd ac bd 65 47 7e d1 9f 01 a8 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c1 31 1c 79 3f 96 5b 8e 13 a6 fe c3 e0 a6 3f b1 0a 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 8e 9e 55 6e 71 23 0f 27 2c f3 d8 02 b2 d8 c7 99 1d fd 1f 6c f7 b5 c7 9f 05 24 72 bb d3 33 93 f7 b1 eb 01 29 59 75 95 bd df ec 65 b8 78 96 e2 8f e3 6f 67 1f a0 c8 b5 06 de 4e fa 15 20 32 cf d2 d2 bd 0f 53 2f bb 39 e8 ab 5c d9 4b 7b db fb 6a 79 59 59 55 5d 02 ed 38 ee cd e2 0b 6a 9e d5 3f 44 90 7f f9 a3 d5 85 6b 95 59 fa f9 7a 6c 78 bd be 87 e4 67 2a b8 e2 ec 22 53 bb ba 9c eb cb 77 cd 82 f3 f6 7b dd f7 8e e2 66 c3 d7 d3 22 97 f6 21 bf 3d 96 7a 60 00 c3 fb 40 5c 57 68 2d dc dc b5 80 ce 80 1b 79 fe f9 46 ae 67 ff 6a e6 eb ae 18 85 d3 04 fd 7e da eb d8 e4 d2 de c6 ae 4e 79 cb 91 f5 c9 a1 7e 9d c4 7d 58 b9 49 79 43 e6 3b 92 30 80 a3 1f 4c 29 4c df 4c 99 c2 3f 01 da b5 3e 6e a8 bf e0 78 9f 55 55 96 3c 0c fa 3d de 0e db cb eb 0a 4b e8 e8 7a f0 4a 12 ef e8 df 8a a1 57 f7 bd e3 da 59 61 f5 fa 7b 18 00 97 e2 16 bd 13 7a bf d1 ab c4 81 3f 62 d8 2b 6d 7c ba cf 43 90 35 6e 71 85 af f7 6c 3c 78 99 5d 97 9f 0f 5b c0 cf 34 b7 96 f3 ca 04 46 8f 08 6a f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 ad 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 96 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e ee b3 d8 79 3b 45 2f c7 eb 53 fe 28 83 36 2b 9c fb 3d c0 48 04 62 54 ff e7 de 8a e3 f7 04 7e e9 54 20 a8 03 70 0f 80 a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Thu, 31 Oct 2024 09:26:21 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 36 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:26:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:26:29 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:26:32 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:26:34 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 31 Oct 2024 09:26:40 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 31 Oct 2024 09:26:43 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 31 Oct 2024 09:26:46 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 31 Oct 2024 09:26:48 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:02 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:05 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:07 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:10 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:29 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:32 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:34 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:37 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:51 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtOpCwyehXoIXy1FVgwGym%2F2vXk2v7yXR4wLy2d9CLw8Saum5vZDI%2FdU%2FKIBpDpVHSaT%2BShHWMUPtjJN1NjDdnj4ZZP9IkvvGjBhsAu2SnKa0YAXze5qgymz8Xef77MupJKdovq09dM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db29e089b744768-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1905&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=731&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:54 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sg5Hakm8o66qk7UEfdmIuUv5j8%2FFGetbZs%2BVFQNHxNTVerJ0rDKHMXmqTmziwKbyk5hCelsGt%2BWylfqTe%2FN5B%2FI2Z1nS23mVVAsG2O3XJi4NvwOGcBK2Wmw6oRZJzmRqPPgPkl6JEBI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db29e18889ee9ce-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1090&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=751&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eaTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(bY<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:56 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lpg4hFaN%2FymN5chz8DbJoUR%2Fjxz3HHHeUOv6y6Sk2CscH%2BC5thizAlJF6StLKu21DAYyXNBi00qqkdyvJZSUYBC1zeufwlbnvbBq1MxA08aZRuDLRW6KANkwkYlPZ9nCLbnYC2VDphE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db29e28bd76cb76-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1574&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1768&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:59 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R4WskpB4gzjhxF%2FwLimhq3Hc0Eg%2BVCEikYc%2FyYJ%2BvKvf3iwbo7nDGQOCwkSWrukp1XQwGvpQEVldEgAJ3b0RbWODV4PO7et5MSLsYkdwqy8%2FfW9Mlz0oIwRCKcYOlEgE5EpZxLYYxCQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db29e3b3b4aeaa4-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1090&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=462&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>10

Source: colorcpl.exe, 00000007.00000002.4473670706.000000000617A000.00000004.10000000.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000003C6A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: colorcpl.exe, 00000007.00000002.4473670706.0000000005E56000.00000004.10000000.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000003946000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://meanttobebroken.org/9g6s/?1Zgl=l/X
Source: 18in SPA-198-2024.exe	String found in binary or memory: http://tempuri.org/Gamee.xsd7PoisonRoulette.GameResource
Source: tWcBthnLrDi.exe, 00000008.00000002.4474644674.0000000005867000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.timizoasisey.shop
Source: tWcBthnLrDi.exe, 00000008.00000002.4474644674.0000000005867000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.timizoasisey.shop/3p0l/
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: colorcpl.exe, 00000007.00000002.4471538704.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4471538704.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: colorcpl.exe, 00000007.00000002.4471538704.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: colorcpl.exe, 00000007.00000002.4471538704.00000000033EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: colorcpl.exe, 00000007.00000002.4471538704.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: colorcpl.exe, 00000007.00000002.4471538704.00000000033EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: colorcpl.exe, 00000007.00000002.4471538704.00000000033EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: colorcpl.exe, 00000007.00000002.4471538704.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: colorcpl.exe, 00000007.00000003.2432278249.0000000008620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: colorcpl.exe, 00000007.00000002.4473670706.0000000006954000.00000004.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4475520630.00000000082F0000.00000004.00000800.00020000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000004444000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000003AD8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.jexiz.shop/li8d/?1Zgl=sm

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.18in SPA-198-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.18in SPA-198-2024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4472767569.0000000005070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4474644674.0000000005800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4472840073.00000000050C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2248027115.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2249648463.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4472773196.0000000004020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Contains functionality to call native functions

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0042C433 NtClose,	4_2_0042C433
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040A9E3 NtDelayExecution,	4_2_0040A9E3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252B60 NtClose,LdrInitializeThunk,	4_2_01252B60
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01252DF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01252C70
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012535C0 NtCreateMutant,LdrInitializeThunk,	4_2_012535C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01254340 NtSetContextThread,	4_2_01254340
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01254650 NtSuspendThread,	4_2_01254650
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252BA0 NtEnumerateValueKey,	4_2_01252BA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252B80 NtQueryInformationFile,	4_2_01252B80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252BE0 NtQueryValueKey,	4_2_01252BE0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252BF0 NtAllocateVirtualMemory,	4_2_01252BF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252AB0 NtWaitForSingleObject,	4_2_01252AB0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252AF0 NtWriteFile,	4_2_01252AF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252AD0 NtReadFile,	4_2_01252AD0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252D30 NtUnmapViewOfSection,	4_2_01252D30
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252D00 NtSetInformationFile,	4_2_01252D00
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252D10 NtMapViewOfSection,	4_2_01252D10
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252DB0 NtEnumerateKey,	4_2_01252DB0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252DD0 NtDelayExecution,	4_2_01252DD0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252C00 NtQueryInformationProcess,	4_2_01252C00
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252C60 NtCreateKey,	4_2_01252C60
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252CA0 NtQueryInformationToken,	4_2_01252CA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252CF0 NtOpenProcess,	4_2_01252CF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252CC0 NtQueryVirtualMemory,	4_2_01252CC0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252F30 NtCreateSection,	4_2_01252F30
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252F60 NtCreateProcessEx,	4_2_01252F60
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252FA0 NtQuerySection,	4_2_01252FA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252FB0 NtResumeThread,	4_2_01252FB0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252F90 NtProtectVirtualMemory,	4_2_01252F90
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252FE0 NtCreateFile,	4_2_01252FE0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252E30 NtWriteVirtualMemory,	4_2_01252E30
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252EA0 NtAdjustPrivilegesToken,	4_2_01252EA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252E80 NtReadVirtualMemory,	4_2_01252E80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252EE0 NtQueueApcThread,	4_2_01252EE0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01253010 NtOpenDirectoryObject,	4_2_01253010
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01253090 NtSetValueKey,	4_2_01253090
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012539B0 NtGetContextThread,	4_2_012539B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01253D10 NtOpenProcessToken,	4_2_01253D10
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01253D70 NtOpenThread,	4_2_01253D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05234650 NtSuspendThread,LdrInitializeThunk,	7_2_05234650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05234340 NtSetContextThread,LdrInitializeThunk,	7_2_05234340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_05232D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_05232D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_05232DF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232DD0 NtDelayExecution,LdrInitializeThunk,	7_2_05232DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232C60 NtCreateKey,LdrInitializeThunk,	7_2_05232C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_05232C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_05232CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232F30 NtCreateSection,LdrInitializeThunk,	7_2_05232F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232FB0 NtResumeThread,LdrInitializeThunk,	7_2_05232FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232FE0 NtCreateFile,LdrInitializeThunk,	7_2_05232FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_05232E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_05232EE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232B60 NtClose,LdrInitializeThunk,	7_2_05232B60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_05232BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_05232BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_05232BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232AF0 NtWriteFile,LdrInitializeThunk,	7_2_05232AF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232AD0 NtReadFile,LdrInitializeThunk,	7_2_05232AD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052335C0 NtCreateMutant,LdrInitializeThunk,	7_2_052335C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052339B0 NtGetContextThread,LdrInitializeThunk,	7_2_052339B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232D00 NtSetInformationFile,	7_2_05232D00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232DB0 NtEnumerateKey,	7_2_05232DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232C00 NtQueryInformationProcess,	7_2_05232C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232CF0 NtOpenProcess,	7_2_05232CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232CC0 NtQueryVirtualMemory,	7_2_05232CC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232F60 NtCreateProcessEx,	7_2_05232F60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232FA0 NtQuerySection,	7_2_05232FA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232F90 NtProtectVirtualMemory,	7_2_05232F90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232E30 NtWriteVirtualMemory,	7_2_05232E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232EA0 NtAdjustPrivilegesToken,	7_2_05232EA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232B80 NtQueryInformationFile,	7_2_05232B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232AB0 NtWaitForSingleObject,	7_2_05232AB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233010 NtOpenDirectoryObject,	7_2_05233010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233090 NtSetValueKey,	7_2_05233090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233D10 NtOpenProcessToken,	7_2_05233D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233D70 NtOpenThread,	7_2_05233D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03318EC0 NtCreateFile,	7_2_03318EC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03319320 NtAllocateVirtualMemory,	7_2_03319320
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03319120 NtDeleteFile,	7_2_03319120
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_033191C0 NtClose,	7_2_033191C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03319030 NtReadFile,	7_2_03319030

Detected potential crypto function

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_00B4DB8C	0_2_00B4DB8C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088BA8B0	0_2_088BA8B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B7868	0_2_088B7868
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B6190	0_2_088B6190
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B0378	0_2_088B0378
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088BA8A0	0_2_088BA8A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B7859	0_2_088B7859
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088BAB39	0_2_088BAB39
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088BAB48	0_2_088BAB48
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B9CA0	0_2_088B9CA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B6181	0_2_088B6181
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B0369	0_2_088B0369
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_004183D3	4_2_004183D3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00401110	4_2_00401110
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040E13B	4_2_0040E13B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0042EAD3	4_2_0042EAD3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00402370	4_2_00402370
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040FCC3	4_2_0040FCC3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00416613	4_2_00416613
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040FEE3	4_2_0040FEE3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040DF63	4_2_0040DF63
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00402710	4_2_00402710
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00402FD0	4_2_00402FD0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210100	4_2_01210100
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BA118	4_2_012BA118
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A8158	4_2_012A8158
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E01AA	4_2_012E01AA
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D41A2	4_2_012D41A2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D81CC	4_2_012D81CC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B2000	4_2_012B2000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DA352	4_2_012DA352
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E03E6	4_2_012E03E6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122E3F0	4_2_0122E3F0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A02C0	4_2_012A02C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220535	4_2_01220535
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E0591	4_2_012E0591
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C4420	4_2_012C4420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D2446	4_2_012D2446
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CE4F6	4_2_012CE4F6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01244750	4_2_01244750
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121C7C0	4_2_0121C7C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123C6E0	4_2_0123C6E0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01236962	4_2_01236962
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012EA9A6	4_2_012EA9A6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01222840	4_2_01222840
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122A840	4_2_0122A840
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012068B8	4_2_012068B8
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E8F0	4_2_0124E8F0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DAB40	4_2_012DAB40
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D6BD7	4_2_012D6BD7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122AD00	4_2_0122AD00
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BCD1F	4_2_012BCD1F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01238DBF	4_2_01238DBF
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121ADE0	4_2_0121ADE0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220C00	4_2_01220C00
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0CB5	4_2_012C0CB5
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210CF2	4_2_01210CF2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01262F28	4_2_01262F28
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01240F30	4_2_01240F30
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C2F30	4_2_012C2F30
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01294F40	4_2_01294F40
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129EFA0	4_2_0129EFA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122CFE0	4_2_0122CFE0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01212FC8	4_2_01212FC8
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DEE26	4_2_012DEE26
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220E59	4_2_01220E59
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01232E90	4_2_01232E90
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DCE93	4_2_012DCE93
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DEEDB	4_2_012DEEDB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012EB16B	4_2_012EB16B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0125516C	4_2_0125516C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120F172	4_2_0120F172
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122B1B0	4_2_0122B1B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D70E9	4_2_012D70E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DF0E0	4_2_012DF0E0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CF0CC	4_2_012CF0CC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012270C0	4_2_012270C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D132D	4_2_012D132D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120D34C	4_2_0120D34C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0126739A	4_2_0126739A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012252A0	4_2_012252A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C12ED	4_2_012C12ED
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123B2C0	4_2_0123B2C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D7571	4_2_012D7571
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BD5B0	4_2_012BD5B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DF43F	4_2_012DF43F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01211460	4_2_01211460
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DF7B0	4_2_012DF7B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01265630	4_2_01265630
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D16CC	4_2_012D16CC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B5910	4_2_012B5910
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01229950	4_2_01229950
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123B950	4_2_0123B950
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128D800	4_2_0128D800
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012238E0	4_2_012238E0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DFB76	4_2_012DFB76
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123FB80	4_2_0123FB80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01295BF0	4_2_01295BF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0125DBF9	4_2_0125DBF9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01293A6C	4_2_01293A6C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DFA49	4_2_012DFA49
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D7A46	4_2_012D7A46
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01265AA0	4_2_01265AA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BDAAC	4_2_012BDAAC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C1AA3	4_2_012C1AA3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CDAC6	4_2_012CDAC6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D7D73	4_2_012D7D73
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01223D40	4_2_01223D40
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D1D5A	4_2_012D1D5A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123FDC0	4_2_0123FDC0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01299C32	4_2_01299C32
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DFCF2	4_2_012DFCF2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DFF09	4_2_012DFF09
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DFFB1	4_2_012DFFB1
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01221F92	4_2_01221F92
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E3FD5	4_2_011E3FD5
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E3FD2	4_2_011E3FD2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01229EB0	4_2_01229EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200535	7_2_05200535
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C0591	7_2_052C0591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A4420	7_2_052A4420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B2446	7_2_052B2446
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052AE4F6	7_2_052AE4F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200770	7_2_05200770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05224750	7_2_05224750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051FC7C0	7_2_051FC7C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521C6E0	7_2_0521C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F0100	7_2_051F0100
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529A118	7_2_0529A118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05288158	7_2_05288158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C01AA	7_2_052C01AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B41A2	7_2_052B41A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B81CC	7_2_052B81CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05292000	7_2_05292000
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BA352	7_2_052BA352
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C03E6	7_2_052C03E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520E3F0	7_2_0520E3F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A0274	7_2_052A0274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052802C0	7_2_052802C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520AD00	7_2_0520AD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529CD1F	7_2_0529CD1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05218DBF	7_2_05218DBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051FADE0	7_2_051FADE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200C00	7_2_05200C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A0CB5	7_2_052A0CB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F0CF2	7_2_051F0CF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05242F28	7_2_05242F28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05220F30	7_2_05220F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2F30	7_2_052A2F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05274F40	7_2_05274F40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527EFA0	7_2_0527EFA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520CFE0	7_2_0520CFE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F2FC8	7_2_051F2FC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BEE26	7_2_052BEE26
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200E59	7_2_05200E59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05212E90	7_2_05212E90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BCE93	7_2_052BCE93
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BEEDB	7_2_052BEEDB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05216962	7_2_05216962
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052029A0	7_2_052029A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052CA9A6	7_2_052CA9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520A840	7_2_0520A840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05202840	7_2_05202840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051E68B8	7_2_051E68B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0522E8F0	7_2_0522E8F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BAB40	7_2_052BAB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B6BD7	7_2_052B6BD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051FEA80	7_2_051FEA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B7571	7_2_052B7571
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529D5B0	7_2_0529D5B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C95C3	7_2_052C95C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BF43F	7_2_052BF43F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F1460	7_2_051F1460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BF7B0	7_2_052BF7B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05245630	7_2_05245630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B16CC	7_2_052B16CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052CB16B	7_2_052CB16B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0523516C	7_2_0523516C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051EF172	7_2_051EF172
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520B1B0	7_2_0520B1B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B70E9	7_2_052B70E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BF0E0	7_2_052BF0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052070C0	7_2_052070C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052AF0CC	7_2_052AF0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B132D	7_2_052B132D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051ED34C	7_2_051ED34C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0524739A	7_2_0524739A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052052A0	7_2_052052A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A12ED	7_2_052A12ED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521B2C0	7_2_0521B2C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B7D73	7_2_052B7D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05203D40	7_2_05203D40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B1D5A	7_2_052B1D5A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521FDC0	7_2_0521FDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05279C32	7_2_05279C32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFCF2	7_2_052BFCF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFF09	7_2_052BFF09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFFB1	7_2_052BFFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05201F92	7_2_05201F92
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05209EB0	7_2_05209EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05295910	7_2_05295910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05209950	7_2_05209950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521B950	7_2_0521B950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0526D800	7_2_0526D800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052038E0	7_2_052038E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFB76	7_2_052BFB76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521FB80	7_2_0521FB80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05275BF0	7_2_05275BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0523DBF9	7_2_0523DBF9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05273A6C	7_2_05273A6C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFA49	7_2_052BFA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B7A46	7_2_052B7A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05245AA0	7_2_05245AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529DAAC	7_2_0529DAAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A1AA3	7_2_052A1AA3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052ADAC6	7_2_052ADAC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03301B10	7_2_03301B10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032FCA50	7_2_032FCA50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032FAEC8	7_2_032FAEC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032FCC70	7_2_032FCC70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032FACF0	7_2_032FACF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_033033A0	7_2_033033A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03305160	7_2_03305160
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0331B860	7_2_0331B860
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551E75C	7_2_0551E75C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551E3C6	7_2_0551E3C6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551E2A4	7_2_0551E2A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551D828	7_2_0551D828

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: String function: 0129F290 appears 105 times
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: String function: 01267E54 appears 105 times
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: String function: 01255130 appears 58 times
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: String function: 0120B970 appears 280 times
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: String function: 0128EA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0526EA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0527F290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 051EB970 appears 280 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 05247E54 appears 111 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 05235130 appears 58 times

Sample file is different than original file name gathered from version info

Source: 18in SPA-198-2024.exe, 00000000.00000002.2036780152.000000000067E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 18in SPA-198-2024.exe
Source: 18in SPA-198-2024.exe, 00000000.00000000.2009888899.0000000000152000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegmsd.exe@ vs 18in SPA-198-2024.exe
Source: 18in SPA-198-2024.exe, 00000000.00000002.2042358078.0000000007450000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 18in SPA-198-2024.exe
Source: 18in SPA-198-2024.exe, 00000004.00000002.2247875967.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs 18in SPA-198-2024.exe
Source: 18in SPA-198-2024.exe, 00000004.00000002.2248135325.000000000130D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 18in SPA-198-2024.exe
Source: 18in SPA-198-2024.exe	Binary or memory string: OriginalFilenamegmsd.exe@ vs 18in SPA-198-2024.exe

Uses 32bit PE files

Source: 18in SPA-198-2024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 18in SPA-198-2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.SetAccessControl
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.AddAccessRule
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.SetAccessControl
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.AddAccessRule
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.SetAccessControl
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@18/11

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\18in SPA-198-2024.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.18in SPA-198-2024.exe.35e5ad0.0.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	.Net Code: ec5Q35THmM System.Reflection.Assembly.Load(byte[])
Source: 0.2.18in SPA-198-2024.exe.35c5ab0.2.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	.Net Code: ec5Q35THmM System.Reflection.Assembly.Load(byte[])
Source: 0.2.18in SPA-198-2024.exe.4c50000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	.Net Code: ec5Q35THmM System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00406155 push ss; retf	4_2_00406160
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00403270 push eax; ret	4_2_00403272
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040227F pushad ; retf	4_2_00402280
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040BB30 push eax; ret	4_2_0040BB31
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00404DCD push ebx; iretd	4_2_00404DD8
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_004066BD push edx; iretd	4_2_004066BF
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00413F7E pushad ; retf	4_2_00414025
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00413FC5 pushad ; retf	4_2_00414025
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E225F pushad ; ret	4_2_011E27F9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E27FA pushad ; ret	4_2_011E27F9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012109AD push ecx; mov dword ptr [esp], ecx	4_2_012109B6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E283D push eax; iretd	4_2_011E2858
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E1368 push eax; iretd	4_2_011E1369
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C27FA pushad ; ret	7_2_051C27F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C225F pushad ; ret	7_2_051C27F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F09AD push ecx; mov dword ptr [esp], ecx	7_2_051F09B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C283D push eax; iretd	7_2_051C2858
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0330221C push esi; ret	7_2_03302274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0330220A push esi; ret	7_2_03302274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0330224F push esi; ret	7_2_03302274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0330C156 push ss; retf	7_2_0330C158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_033021F5 push esi; ret	7_2_03302274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032F88BD push eax; ret	7_2_032F88BE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032F2EE2 push ss; retf	7_2_032F2EED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0330EDE0 push edi; retf	7_2_0330EDE8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032F344A push edx; iretd	7_2_032F344C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032F1B5A push ebx; iretd	7_2_032F1B65
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551C447 push cs; ret	7_2_0551C44B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551019B pushfd ; iretd	7_2_0551019C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05513D46 pushad ; ret	7_2_05513D47
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551CF48 push ebx; iretd	7_2_0551CF49

Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, EYZf1BVBlUIdgVOkxp.cs	High entropy of concatenated method names: 'LZn5TlPioI', 'NNv59raBWU', 'UL5jd6y7CU', 'cWnjDW859J', 'HIqjSChVRr', 'iO9jvNB4xF', 'vHGjGXj2dP', 'GMJj7wciiY', 'MScj6HbFWk', 'gLdjpkpo8f'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, ITm1vDuxd8RRc9FmM9.cs	High entropy of concatenated method names: 'zAQRn5rjar', 'MirRNKUn16', 'OKHRjleuBC', 'Xr0R5XW16h', 'FvXRqEtahP', 'OC3RkpLXU4', 'YfMR1LjXHk', 'GjvRKnwJ48', 'WL3RrqAe32', 'VeVRm9krDd'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, vYAvVI0RBteOh8J0bu.cs	High entropy of concatenated method names: 'egNgpEYUBE', 'zw1gPGXUe6', 'wSKg0ufEBM', 'femgl2AJtZ', 'Bamgs6YKGY', 'AV4gdAxm8f', 'nYKgD8GohQ', 'L6xgS6dHNM', 'JHSgv7xiHi', 'iQ2gGcM96c'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, tfu54QQB1LN3Ms64Et.cs	High entropy of concatenated method names: 'idLIkLHKqj', 'VtRI1J6bmY', 'JDrIrC9SVB', 'yMEImeUYZf', 'FOkIgxpVV9', 'x9gIFVejx6', 'hHpD9KoDdKpSZPtcaq', 'QAoRPDcSPwyUIU25Ns', 'tC2IIFcTM2', 'bJeIxMVPCK'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	High entropy of concatenated method names: 'WT5xbCVukZ', 'IWaxni1F80', 'ur9xNOkxps', 'LuxxjIbRLy', 'K3Dx5BMhcP', 'zZdxqWI77V', 'tNoxkq029D', 'mRkx1Hgv3p', 'mDvxKGlJF6', 'MFBxrCvxmw'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, rBi4mna82yfoVKeIX4.cs	High entropy of concatenated method names: 'I42euSWOG4', 'xlLeMBv81y', 'nI7ROldTyK', 'xKrRI3VWPS', 'RuDeJviLnI', 'bnMeP8nUPF', 'cmfe4bt7i3', 'Jgde0RN5PH', 'KTSeloH3YO', 'FvKewWa2LY'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, xqZ7CSMfYruwuEEAOs.cs	High entropy of concatenated method names: 'QkDHIWIwSI', 'Xo0HxMsO86', 'Ws7HQVfJjK', 'zglHnqVJiu', 'q0aHNJrfqf', 'c3KH5qn7eQ', 'JmFHqBfgDt', 'ltRRXZvFYx', 'mIyRuxoBLa', 'LOdRtobKfP'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, FV9c9gCVejx6fBgfjq.cs	High entropy of concatenated method names: 'R5aqb4xM4F', 'tSxqN2qUKt', 'VQGq5gh7uE', 'QxOqkZi3TC', 'ORwq174Isd', 'WZn5ZTZMu9', 'DeH5aAGdTJ', 'Te25XmvuZc', 'jFl5ulmeIV', 'lOy5tRIQ1S'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, hMil0iIxjNOw3HhNatX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QVGo0Bqsla', 'QW4ol9Mgjp', 'o2jowkhkDa', 'eoIoEHE1NM', 'IeNoZByFEQ', 'weBoa1wfDC', 'Yk5oX6Juut'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, oeQTW92UgH2ooeP3SY.cs	High entropy of concatenated method names: 'Xcw396mt0', 'tdqLUMv9Q', 'nH1hSOZEt', 'R679w30Ht', 'yhtUO0Rij', 'A7GVsejPE', 'suHrYvfQsVoxFQu8rO', 'sVDU3y6X2SGmfclgvZ', 'feiRfSdv4', 'Q7XonikCp'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, PjZYa7IICUMqel4FibB.cs	High entropy of concatenated method names: 'ToString', 'xBioxVu5TL', 'ckhoQyNlG1', 'LlHobYYnf2', 'XMronPcwqZ', 'fPjoNU1OL3', 'cXKojkeZtu', 'Ow6o5s3wrL', 'FkkiPKKXrej7sFEVkqv', 'PQTCR2KLyloHvv5p9DH'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	High entropy of concatenated method names: 'E9ZN0xd1YS', 'swONlSeVOQ', 'cCjNwfAv00', 'x2FNEFPXKu', 'NXtNZwJFVH', 'AESNaf4lso', 'KXbNXk4OkR', 'AxJNub2nWA', 'ymCNtOSjCI', 'kLoNMAxuIV'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, mF13sSUDrC9SVB8MEe.cs	High entropy of concatenated method names: 'NEAjLW9s7r', 'Vvkjhk329O', 'bxZjWsLix6', 'pFpjUNUogq', 'ANXjgsxXnB', 'pjDjFIyxNo', 'A8njeMIO1L', 'MjcjRUvVmU', 'S4JjHwbgtQ', 'gdyjoUZixv'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, KN2Ad8tHJFhl5JDVxp.cs	High entropy of concatenated method names: 'WFLRCylCmY', 'QHQRsYHOSZ', 'v46RdWmkAN', 'yhuRDGW55H', 'TrlR0SwUAw', 'o5aRS36E4W', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, pssBojGTjgJe70oti5.cs	High entropy of concatenated method names: 'Sd8knl0fcD', 'UBhkjvV2AD', 'aCJkqqQjYr', 'ugrqMdl72S', 'rrGqztyHRZ', 'EotkOPpE1r', 'RLekIP6Nct', 'Kcok2A0wBr', 'VnfkxjHXsb', 'jM5kQqoDJL'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, kL7NDV4rIWAXTBk6wb.cs	High entropy of concatenated method names: 'yv5iWrKUGQ', 'IPPiUYFCmc', 'tYWiCeq3sW', 'kxZisdmq0P', 'tXCiDpSbXQ', 'e11iSjKBBM', 'y44iGxc7KY', 'gwTi7IyHkT', 'wuQipChybD', 'qHUiJmTwYx'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, nLmKepIO9XravPCTaGP.cs	High entropy of concatenated method names: 'YFLHcsqftP', 'aUKH8BE8NL', 'mSpH3HMlqt', 'SuxHLYMKtZ', 'eV0HTHKkKv', 'Fr0Hhe0AEf', 'IZKH9ZukgI', 'WEUHW4GleN', 'Y3BHUTToGw', 'F5rHVcW2c5'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, OcMcBJEaukSEJBahQ9.cs	High entropy of concatenated method names: 'auJer09phu', 'fI7emcnE6e', 'ToString', 'xkjenPcYIu', 'ekSeNP22gn', 'IJ4ejprklr', 'Dxee5Uu8BD', 'mGPeqQFD16', 'DCYeksyP1v', 'TyHe1mfHQV'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, qfoPjU6bBvLtRFNxR6.cs	High entropy of concatenated method names: 'sFCkcCvHQ2', 'dCqk8epRQW', 'dOdk3r6UAC', 'vPqkLgZ3tk', 'vXIkTjYr2X', 'OvCkhcdDc2', 'Jynk9dvq1k', 'rgLkWb49ol', 'IBJkUvfGXj', 'd7qkVMd1ey'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, yb2okLzZ0im5gYCiCP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QG0HiFHVBU', 'ovoHgttlyb', 'UQ0HFEQyoN', 'soKHeUgQJH', 'ukSHRTcx29', 'd2cHHone3H', 'A31HoBHR7Y'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, F5O936N4KqAUPM287L.cs	High entropy of concatenated method names: 'Dispose', 'dANItEJwnU', 'Vsg2sal0JR', 'BGqLLnBftx', 'bDTIMm1vDx', 'H8RIzRc9Fm', 'ProcessDialogKey', 'Y9v2ON2Ad8', 'sJF2Ihl5JD', 'Fxp22YqZ7C'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, EYZf1BVBlUIdgVOkxp.cs	High entropy of concatenated method names: 'LZn5TlPioI', 'NNv59raBWU', 'UL5jd6y7CU', 'cWnjDW859J', 'HIqjSChVRr', 'iO9jvNB4xF', 'vHGjGXj2dP', 'GMJj7wciiY', 'MScj6HbFWk', 'gLdjpkpo8f'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, ITm1vDuxd8RRc9FmM9.cs	High entropy of concatenated method names: 'zAQRn5rjar', 'MirRNKUn16', 'OKHRjleuBC', 'Xr0R5XW16h', 'FvXRqEtahP', 'OC3RkpLXU4', 'YfMR1LjXHk', 'GjvRKnwJ48', 'WL3RrqAe32', 'VeVRm9krDd'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, vYAvVI0RBteOh8J0bu.cs	High entropy of concatenated method names: 'egNgpEYUBE', 'zw1gPGXUe6', 'wSKg0ufEBM', 'femgl2AJtZ', 'Bamgs6YKGY', 'AV4gdAxm8f', 'nYKgD8GohQ', 'L6xgS6dHNM', 'JHSgv7xiHi', 'iQ2gGcM96c'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, tfu54QQB1LN3Ms64Et.cs	High entropy of concatenated method names: 'idLIkLHKqj', 'VtRI1J6bmY', 'JDrIrC9SVB', 'yMEImeUYZf', 'FOkIgxpVV9', 'x9gIFVejx6', 'hHpD9KoDdKpSZPtcaq', 'QAoRPDcSPwyUIU25Ns', 'tC2IIFcTM2', 'bJeIxMVPCK'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	High entropy of concatenated method names: 'WT5xbCVukZ', 'IWaxni1F80', 'ur9xNOkxps', 'LuxxjIbRLy', 'K3Dx5BMhcP', 'zZdxqWI77V', 'tNoxkq029D', 'mRkx1Hgv3p', 'mDvxKGlJF6', 'MFBxrCvxmw'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, rBi4mna82yfoVKeIX4.cs	High entropy of concatenated method names: 'I42euSWOG4', 'xlLeMBv81y', 'nI7ROldTyK', 'xKrRI3VWPS', 'RuDeJviLnI', 'bnMeP8nUPF', 'cmfe4bt7i3', 'Jgde0RN5PH', 'KTSeloH3YO', 'FvKewWa2LY'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, xqZ7CSMfYruwuEEAOs.cs	High entropy of concatenated method names: 'QkDHIWIwSI', 'Xo0HxMsO86', 'Ws7HQVfJjK', 'zglHnqVJiu', 'q0aHNJrfqf', 'c3KH5qn7eQ', 'JmFHqBfgDt', 'ltRRXZvFYx', 'mIyRuxoBLa', 'LOdRtobKfP'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, FV9c9gCVejx6fBgfjq.cs	High entropy of concatenated method names: 'R5aqb4xM4F', 'tSxqN2qUKt', 'VQGq5gh7uE', 'QxOqkZi3TC', 'ORwq174Isd', 'WZn5ZTZMu9', 'DeH5aAGdTJ', 'Te25XmvuZc', 'jFl5ulmeIV', 'lOy5tRIQ1S'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, hMil0iIxjNOw3HhNatX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QVGo0Bqsla', 'QW4ol9Mgjp', 'o2jowkhkDa', 'eoIoEHE1NM', 'IeNoZByFEQ', 'weBoa1wfDC', 'Yk5oX6Juut'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, oeQTW92UgH2ooeP3SY.cs	High entropy of concatenated method names: 'Xcw396mt0', 'tdqLUMv9Q', 'nH1hSOZEt', 'R679w30Ht', 'yhtUO0Rij', 'A7GVsejPE', 'suHrYvfQsVoxFQu8rO', 'sVDU3y6X2SGmfclgvZ', 'feiRfSdv4', 'Q7XonikCp'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, PjZYa7IICUMqel4FibB.cs	High entropy of concatenated method names: 'ToString', 'xBioxVu5TL', 'ckhoQyNlG1', 'LlHobYYnf2', 'XMronPcwqZ', 'fPjoNU1OL3', 'cXKojkeZtu', 'Ow6o5s3wrL', 'FkkiPKKXrej7sFEVkqv', 'PQTCR2KLyloHvv5p9DH'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	High entropy of concatenated method names: 'E9ZN0xd1YS', 'swONlSeVOQ', 'cCjNwfAv00', 'x2FNEFPXKu', 'NXtNZwJFVH', 'AESNaf4lso', 'KXbNXk4OkR', 'AxJNub2nWA', 'ymCNtOSjCI', 'kLoNMAxuIV'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, mF13sSUDrC9SVB8MEe.cs	High entropy of concatenated method names: 'NEAjLW9s7r', 'Vvkjhk329O', 'bxZjWsLix6', 'pFpjUNUogq', 'ANXjgsxXnB', 'pjDjFIyxNo', 'A8njeMIO1L', 'MjcjRUvVmU', 'S4JjHwbgtQ', 'gdyjoUZixv'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, KN2Ad8tHJFhl5JDVxp.cs	High entropy of concatenated method names: 'WFLRCylCmY', 'QHQRsYHOSZ', 'v46RdWmkAN', 'yhuRDGW55H', 'TrlR0SwUAw', 'o5aRS36E4W', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, pssBojGTjgJe70oti5.cs	High entropy of concatenated method names: 'Sd8knl0fcD', 'UBhkjvV2AD', 'aCJkqqQjYr', 'ugrqMdl72S', 'rrGqztyHRZ', 'EotkOPpE1r', 'RLekIP6Nct', 'Kcok2A0wBr', 'VnfkxjHXsb', 'jM5kQqoDJL'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, kL7NDV4rIWAXTBk6wb.cs	High entropy of concatenated method names: 'yv5iWrKUGQ', 'IPPiUYFCmc', 'tYWiCeq3sW', 'kxZisdmq0P', 'tXCiDpSbXQ', 'e11iSjKBBM', 'y44iGxc7KY', 'gwTi7IyHkT', 'wuQipChybD', 'qHUiJmTwYx'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, nLmKepIO9XravPCTaGP.cs	High entropy of concatenated method names: 'YFLHcsqftP', 'aUKH8BE8NL', 'mSpH3HMlqt', 'SuxHLYMKtZ', 'eV0HTHKkKv', 'Fr0Hhe0AEf', 'IZKH9ZukgI', 'WEUHW4GleN', 'Y3BHUTToGw', 'F5rHVcW2c5'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, OcMcBJEaukSEJBahQ9.cs	High entropy of concatenated method names: 'auJer09phu', 'fI7emcnE6e', 'ToString', 'xkjenPcYIu', 'ekSeNP22gn', 'IJ4ejprklr', 'Dxee5Uu8BD', 'mGPeqQFD16', 'DCYeksyP1v', 'TyHe1mfHQV'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, qfoPjU6bBvLtRFNxR6.cs	High entropy of concatenated method names: 'sFCkcCvHQ2', 'dCqk8epRQW', 'dOdk3r6UAC', 'vPqkLgZ3tk', 'vXIkTjYr2X', 'OvCkhcdDc2', 'Jynk9dvq1k', 'rgLkWb49ol', 'IBJkUvfGXj', 'd7qkVMd1ey'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, yb2okLzZ0im5gYCiCP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QG0HiFHVBU', 'ovoHgttlyb', 'UQ0HFEQyoN', 'soKHeUgQJH', 'ukSHRTcx29', 'd2cHHone3H', 'A31HoBHR7Y'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, F5O936N4KqAUPM287L.cs	High entropy of concatenated method names: 'Dispose', 'dANItEJwnU', 'Vsg2sal0JR', 'BGqLLnBftx', 'bDTIMm1vDx', 'H8RIzRc9Fm', 'ProcessDialogKey', 'Y9v2ON2Ad8', 'sJF2Ihl5JD', 'Fxp22YqZ7C'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, EYZf1BVBlUIdgVOkxp.cs	High entropy of concatenated method names: 'LZn5TlPioI', 'NNv59raBWU', 'UL5jd6y7CU', 'cWnjDW859J', 'HIqjSChVRr', 'iO9jvNB4xF', 'vHGjGXj2dP', 'GMJj7wciiY', 'MScj6HbFWk', 'gLdjpkpo8f'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, ITm1vDuxd8RRc9FmM9.cs	High entropy of concatenated method names: 'zAQRn5rjar', 'MirRNKUn16', 'OKHRjleuBC', 'Xr0R5XW16h', 'FvXRqEtahP', 'OC3RkpLXU4', 'YfMR1LjXHk', 'GjvRKnwJ48', 'WL3RrqAe32', 'VeVRm9krDd'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, vYAvVI0RBteOh8J0bu.cs	High entropy of concatenated method names: 'egNgpEYUBE', 'zw1gPGXUe6', 'wSKg0ufEBM', 'femgl2AJtZ', 'Bamgs6YKGY', 'AV4gdAxm8f', 'nYKgD8GohQ', 'L6xgS6dHNM', 'JHSgv7xiHi', 'iQ2gGcM96c'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, tfu54QQB1LN3Ms64Et.cs	High entropy of concatenated method names: 'idLIkLHKqj', 'VtRI1J6bmY', 'JDrIrC9SVB', 'yMEImeUYZf', 'FOkIgxpVV9', 'x9gIFVejx6', 'hHpD9KoDdKpSZPtcaq', 'QAoRPDcSPwyUIU25Ns', 'tC2IIFcTM2', 'bJeIxMVPCK'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	High entropy of concatenated method names: 'WT5xbCVukZ', 'IWaxni1F80', 'ur9xNOkxps', 'LuxxjIbRLy', 'K3Dx5BMhcP', 'zZdxqWI77V', 'tNoxkq029D', 'mRkx1Hgv3p', 'mDvxKGlJF6', 'MFBxrCvxmw'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, rBi4mna82yfoVKeIX4.cs	High entropy of concatenated method names: 'I42euSWOG4', 'xlLeMBv81y', 'nI7ROldTyK', 'xKrRI3VWPS', 'RuDeJviLnI', 'bnMeP8nUPF', 'cmfe4bt7i3', 'Jgde0RN5PH', 'KTSeloH3YO', 'FvKewWa2LY'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, xqZ7CSMfYruwuEEAOs.cs	High entropy of concatenated method names: 'QkDHIWIwSI', 'Xo0HxMsO86', 'Ws7HQVfJjK', 'zglHnqVJiu', 'q0aHNJrfqf', 'c3KH5qn7eQ', 'JmFHqBfgDt', 'ltRRXZvFYx', 'mIyRuxoBLa', 'LOdRtobKfP'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, FV9c9gCVejx6fBgfjq.cs	High entropy of concatenated method names: 'R5aqb4xM4F', 'tSxqN2qUKt', 'VQGq5gh7uE', 'QxOqkZi3TC', 'ORwq174Isd', 'WZn5ZTZMu9', 'DeH5aAGdTJ', 'Te25XmvuZc', 'jFl5ulmeIV', 'lOy5tRIQ1S'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, hMil0iIxjNOw3HhNatX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QVGo0Bqsla', 'QW4ol9Mgjp', 'o2jowkhkDa', 'eoIoEHE1NM', 'IeNoZByFEQ', 'weBoa1wfDC', 'Yk5oX6Juut'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, oeQTW92UgH2ooeP3SY.cs	High entropy of concatenated method names: 'Xcw396mt0', 'tdqLUMv9Q', 'nH1hSOZEt', 'R679w30Ht', 'yhtUO0Rij', 'A7GVsejPE', 'suHrYvfQsVoxFQu8rO', 'sVDU3y6X2SGmfclgvZ', 'feiRfSdv4', 'Q7XonikCp'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, PjZYa7IICUMqel4FibB.cs	High entropy of concatenated method names: 'ToString', 'xBioxVu5TL', 'ckhoQyNlG1', 'LlHobYYnf2', 'XMronPcwqZ', 'fPjoNU1OL3', 'cXKojkeZtu', 'Ow6o5s3wrL', 'FkkiPKKXrej7sFEVkqv', 'PQTCR2KLyloHvv5p9DH'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	High entropy of concatenated method names: 'E9ZN0xd1YS', 'swONlSeVOQ', 'cCjNwfAv00', 'x2FNEFPXKu', 'NXtNZwJFVH', 'AESNaf4lso', 'KXbNXk4OkR', 'AxJNub2nWA', 'ymCNtOSjCI', 'kLoNMAxuIV'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, mF13sSUDrC9SVB8MEe.cs	High entropy of concatenated method names: 'NEAjLW9s7r', 'Vvkjhk329O', 'bxZjWsLix6', 'pFpjUNUogq', 'ANXjgsxXnB', 'pjDjFIyxNo', 'A8njeMIO1L', 'MjcjRUvVmU', 'S4JjHwbgtQ', 'gdyjoUZixv'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, KN2Ad8tHJFhl5JDVxp.cs	High entropy of concatenated method names: 'WFLRCylCmY', 'QHQRsYHOSZ', 'v46RdWmkAN', 'yhuRDGW55H', 'TrlR0SwUAw', 'o5aRS36E4W', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, pssBojGTjgJe70oti5.cs	High entropy of concatenated method names: 'Sd8knl0fcD', 'UBhkjvV2AD', 'aCJkqqQjYr', 'ugrqMdl72S', 'rrGqztyHRZ', 'EotkOPpE1r', 'RLekIP6Nct', 'Kcok2A0wBr', 'VnfkxjHXsb', 'jM5kQqoDJL'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, kL7NDV4rIWAXTBk6wb.cs	High entropy of concatenated method names: 'yv5iWrKUGQ', 'IPPiUYFCmc', 'tYWiCeq3sW', 'kxZisdmq0P', 'tXCiDpSbXQ', 'e11iSjKBBM', 'y44iGxc7KY', 'gwTi7IyHkT', 'wuQipChybD', 'qHUiJmTwYx'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, nLmKepIO9XravPCTaGP.cs	High entropy of concatenated method names: 'YFLHcsqftP', 'aUKH8BE8NL', 'mSpH3HMlqt', 'SuxHLYMKtZ', 'eV0HTHKkKv', 'Fr0Hhe0AEf', 'IZKH9ZukgI', 'WEUHW4GleN', 'Y3BHUTToGw', 'F5rHVcW2c5'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, OcMcBJEaukSEJBahQ9.cs	High entropy of concatenated method names: 'auJer09phu', 'fI7emcnE6e', 'ToString', 'xkjenPcYIu', 'ekSeNP22gn', 'IJ4ejprklr', 'Dxee5Uu8BD', 'mGPeqQFD16', 'DCYeksyP1v', 'TyHe1mfHQV'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, qfoPjU6bBvLtRFNxR6.cs	High entropy of concatenated method names: 'sFCkcCvHQ2', 'dCqk8epRQW', 'dOdk3r6UAC', 'vPqkLgZ3tk', 'vXIkTjYr2X', 'OvCkhcdDc2', 'Jynk9dvq1k', 'rgLkWb49ol', 'IBJkUvfGXj', 'd7qkVMd1ey'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, yb2okLzZ0im5gYCiCP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QG0HiFHVBU', 'ovoHgttlyb', 'UQ0HFEQyoN', 'soKHeUgQJH', 'ukSHRTcx29', 'd2cHHone3H', 'A31HoBHR7Y'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, F5O936N4KqAUPM287L.cs	High entropy of concatenated method names: 'Dispose', 'dANItEJwnU', 'Vsg2sal0JR', 'BGqLLnBftx', 'bDTIMm1vDx', 'H8RIzRc9Fm', 'ProcessDialogKey', 'Y9v2ON2Ad8', 'sJF2Ihl5JD', 'Fxp22YqZ7C'

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: 23B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: 8AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: 9AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: ACC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: B0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: C0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: D0E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 1164			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 8809			Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe TID: 6084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1992	Thread sleep count: 1164 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1992	Thread sleep time: -2328000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1992	Thread sleep count: 8809 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1992	Thread sleep time: -17618000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe TID: 360	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe TID: 360	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe TID: 360	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe TID: 360	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe TID: 360	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: tWcBthnLrDi.exe, 00000008.00000002.4472218440.000000000147F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Ea64OHKq.7.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Ea64OHKq.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Ea64OHKq.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Ea64OHKq.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Ea64OHKq.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Ea64OHKq.7.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Ea64OHKq.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: colorcpl.exe, 00000007.00000002.4471538704.00000000033DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: firefox.exe, 00000009.00000002.2559807774.00000216144DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{
Source: Ea64OHKq.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Ea64OHKq.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Ea64OHKq.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Ea64OHKq.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Ea64OHKq.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Ea64OHKq.7.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Ea64OHKq.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Ea64OHKq.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: NULL target: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: tWcBthnLrDi.exe, 00000005.00000002.4472412537.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000000.2159475025.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000000.2324199284.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: tWcBthnLrDi.exe, 00000005.00000002.4472412537.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000000.2159475025.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000000.2324199284.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: tWcBthnLrDi.exe, 00000005.00000002.4472412537.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000000.2159475025.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000000.2324199284.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: tWcBthnLrDi.exe, 00000005.00000002.4472412537.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000000.2159475025.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000000.2324199284.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Users\user\Desktop\18in SPA-198-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
141.193.213.10	www.meanttobebroken.org	United States	396845	DV-PRIMARY-ASN1US	true
162.0.215.244	prediksipreman.fyi	Canada	35893	ACPCA	true
13.248.169.48	www.ila.beauty	United States	16509	AMAZON-02US	true
162.0.231.203	www.givora.site	Canada	22612	NAMECHEAP-NETUS	true
188.114.97.3	www.timizoasisey.shop	European Union	13335	CLOUDFLARENETUS	true
38.88.82.56	www.college-help.info	United States	174	COGENT-174US	true
178.79.184.196	gucciqueen.shop	United Kingdom	63949	LINODE-APLinodeLLCUS	true
103.71.154.12	www.2925588.com	Hong Kong	132325	LEMON-AS-APLEMONTELECOMMUNICATIONSLIMITEDHK	true
199.59.243.227	www.rebel.tienda	United States	395082	BODIS-NJUS	true
3.33.130.190	7fh27o.vip	United States	8987	AMAZONEXPANSIONGB	true
8.210.3.99	jexiz.shop	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

Windows Analysis Report 18in SPA-198-2024.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
18in SPA-198-2024.exe

Malware Threat Intel
Provided by

Name	Malicious	Reputation
http://www.college-help.info/lk0h/	true	unknown
http://www.owinvip.net/17h7/?1Zgl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&w6=2vdPP	true	unknown
http://www.7fh27o.vip/l5ty/	true	unknown
http://www.jexiz.shop/li8d/?1Zgl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&w6=2vdPP	true	unknown
http://www.owinvip.net/17h7/	true	unknown
http://www.gucciqueen.shop/x3by/?w6=2vdPP&1Zgl=Gq0m/cYr7UOoL/rfxlXcWcb0PFgu3v+6IQg5KkZ1GbFCfXnP9OdFnXsg+153ZunkN9E3pnQymCUHBFpvF3MPrj7bwNIl4rM9hQX9D40sB8Q0fvNSVLrWgvNkuIucpqHerw==	true	unknown
http://www.givora.site/855d/	true	unknown
http://www.2925588.com/jx6k/	true	unknown
http://www.timizoasisey.shop/3p0l/?1Zgl=4Jzo6X1Gluc/SF20pEVAyAZrEiE76xvvY+EfZYFlmMajnWRT/uq2dkdTzHDiVdaw3QhDvVFcv5rBuyftUViEMVRHp90uGCn944ajrH63wHv4zzWs5+CZDXB+Ld7sX0D68A==&w6=2vdPP	true	unknown
http://www.2925588.com/jx6k/?1Zgl=beqWGJ7SP2hkLKuH8Xmdr/HDPWeS3cMOlVU3zrC7D+GWWG+2bEVKgJQW/9jqYGl3wiT++u8kPbwe1lvFRaGrQmwW5G4wa8+lbGyMUfdWvdM0+8z00F7HMhpKv8gPeACQcQ==&w6=2vdPP	true	unknown
http://www.prediksipreman.fyi/3lre/?1Zgl=/6Vdp+1Y21llHWrnJFgTkMelxgdakbST517P2ezUMEZQpYm2I4KB95g+5G1ZwATxC5oRicPrlKz7UaUXu7WnWVF0YU8xlLcjqFiWcTqSDyUhRRfYLZXOVM1ZwNUIzk+NCQ==&w6=2vdPP	true	unknown
http://www.meanttobebroken.org/9g6s/	true	unknown
http://www.prediksipreman.fyi/3lre/	true	unknown
http://www.timizoasisey.shop/3p0l/	true	unknown
http://www.jexiz.shop/li8d/	true	unknown
http://www.wrl-llc.net/6o8s/	true	unknown
http://www.ila.beauty/izfe/?1Zgl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&w6=2vdPP	true	unknown
http://www.rebel.tienda/7n9v/	true	unknown
http://www.gucciqueen.shop/x3by/	true	unknown
http://www.givora.site/855d/?1Zgl=2B0ERzH0P28lwthSCfczi4+l4RSaGiycEDtAIyO4xBEaITWb1iLHHs/q7NYM0I/g8MkSYcfxzku7nIYL4eoS8eZDgAyht6z65PzZnN779aUYRwuiIRWQuovW44/rxTRHXQ==&w6=2vdPP	true	unknown
http://www.ila.beauty/izfe/	true	unknown

ID:	1545922
Product:	CloudBasic
Start time:	10:24:04
Start date:	31.10.2024
Sample:	18in SPA-198-2024.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	9ca6ee6dda005563c3d04249c85188e7
SHA1:	cd1a00bc5ff84d7c24a8f06cb84cbf98183e2da2
SHA256:	cfbea36edccb76c40ccc6f01d8cbf2d467533ecb1f3e7c7c709532998518b8d9
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\18in SPA-198-2024.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\Ea64OHKq	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA